Delegated Governance

A must have for real life SOA

The Problem

Now that we have established that Aspect-based Governance is a must-have for an enterprise-grade SOA governance solution, let us look at how contracts and policies can and should be enforced at run-time. By now everyone agrees that building the enforcement functionality directly into service implementations is not a very good idea. Doing so burdens the developers and results in tight coupling between the enforcement mechanisms and the business functionality. Even more importantly it limits the enforcement to the services that have been developed on-site and after the decision to enforce a particular governance aspect has been made. So most run-time governance vendors took the obvious route of embedding the enforcement mechanisms into their enforcement agents. Products based on this architecture are easy to implement, understand and optimize. However they all share one important drawback: IT governance was not invented for SOA, it existed log before. And companies have built and acquired a wealth of governance solutions to address the specific aspects of it. Here are just a few of the examples of what I call point or legacy governance solutions:

  • Sun’s Access Manager and CA’s SiteMinder and a host of WS Security appliances for security;
  • IBM’s Tivoli and CA’s Unicenter for monitoring and management;
  • Sun’s Identity Manager, Tripwire Enterprise and Consul InSight for audit;
  • Mercurial for version control and change management;
  • A multitude of metering and billing packages, etc.

Thus any time a SOA governance vendor decides to embed a particular aspect enforcement and/or monitoring mechanism into their gateway or other run-time enforcement engine, they effectively force their clients to adopt a parallel mechanism for governing that aspect in services to the one they already use elsewhere in throughout their IT. This leads to many inefficiencies including:

  • Training operations personnel to use two systems instead of one;
  • Defining and maintaining policies in two different formats and places;
  • Monitoring two sets of alerts, logs or feeds, etc.

And since companies rarely adopt SOA in one shot but typically evolve towards it for years, the cost of this duplication can grow over time to quite significant levels.

At the same time because the market is so diverse and there are at least two of everything, one can never assume that all clients will have a particular (or any) point governance solution for even most common aspects, so no governance platform should solely rely on delegation of enforcement functions, but rather offer a gamut of options, as described below.

The Solution

Delegation in SGF

As it is probably obvious from the title of this post, I believe that Delegated Governance is the only viable answer to the challenge that was presented earlier. By this I mean not simply integration with a few popular legacy governance packages, but the ability to delegate enforcement and monitoring of any SOA governance aspect either entirely or in par to any solution (packaged, customized or home-grown) that is being used for this purpose in non-SOA parts of the IT and has suitable integration points or APIs. Coupled with aspect-based governance architecture it gives the adopters almost unlimited flexibility, including the freedom to:

  1. Delegate enforcement of the same aspect to more the one package;
  2. Combine native and delegated enforcement;
  3. And, most importantly, change their mind about any of this later!

In addition to native (non-delegated) enforcement, an enterprise-grade SOA governance platform should supports the following types of delegation:

  • Complete delegation – when a legacy governance solution implements the entire set of the required governance functionality and exposes it through an API at the right level of granularity its endpoint can simply be registered as an Aspect Enforcement Method for the corresponding aspect. For example SecureSpan Gateway from Layer 7 when configured in the echo mode can be registered as a Security Aspect Enforcement Method.
  • Partial delegation – when a legacy governance solution implements only a subset of the required governance functionality, a simple aspect enforcement method would implement only the missing functionality and delegate to the existing governance solution the parts that it supports. For example many SOA Security products that evolved from Web Site/Portal security solutions lack many key functions such as non-repudiation, but still can be used for authentication and authorization of the requests.
  • Orchestrated delegation – when a legacy governance solution implements the required governance functionality but does not expose it through an easily accessible API or the exposed API has a wrong level of granularity, a simple aspect enforcement method would serve as an adapter between the SOA governance platform and the existing governance solution invoking its functionality through a sequence of low-level API calls. This way governance would still happen inside the legacy solution, eliminating the need for duplication of principle and policy information. For example some SOA Security solutions can not look inside the SOA message and perform all facets of security processing, but provide APIs for verifying credentials, validating security tokens and performing authorization decisions.

Please note that the fact that a run-time governance product integrates with a particular legacy governance solution, such as a security package, doesn’t mean that it is capable to delegate the corresponding aspect to it. For example we have recently looked at a Web Service security product, which amongst other features claimed integration with Sun Access Manager. However a detailed analysis revealed that this integration was used to secure web access and did not allow to leverage any of the SOA Security capabilities of the latter. Also notice that integration has to be done by the platform vendor at development time and can only cover few of the most popular legacy governance solutions while delegation is done on demand at the client site and can cover industry- and geography-specific targets as well as home-grown solutions.

Please bookmark with social media, your votes are noticed and appreciated:

Posted on: Nov 05, 2007

Posted by: Alex Maclinovsky

Category: Governance

Permanent link to this entry

Comments:

So is this real stuff or just another vendor FUD?
Where can I get my hands on it?

Posted by tghfbt on November 12, 2007 at 03:34 PM CST #

The answer to the first question is yes. Everything that I have been talking about in this blog has been implemented, tested, documented and released as Sun SOA Goverance Solution (see http://www.sun.com/products/soa/soa_governance.pdf also known as SGF). Version 1.0 was released over 2 years ago and the latest version 2.7 has been released this July.

The answer to the second question is "it depends". SGF is available now as a "services product" so you can contact your Sun account manager and ask for information, pricing, demonstrations etc. If you were asking about when it will be opensourced - unfortunately I do not know at this time.

Posted by Alex Maclinovsky on November 12, 2007 at 09:14 PM CST #

What is the license for Governance Information Model?
GPL, CDDL, BSD?

Posted by tghfbt on November 13, 2007 at 01:53 AM CST #

I am no expert on licenses. I just found an excellent resource that compares the three and explains the differences: http://blogs.sun.com/chandan/entry/copyrights_licenses_and_cddl_illustrated
Having looked through that article it seems that CDDL is the most appropriate. One further restriction or clarification that I would like to make is about standardization: I have not seen submission to standards bodies covered by any of the licenses (unless it is somehow implied). I plan at some point to submit it to a standards body (don't know which one yet). If you feel like doing so yourself, please do not do this without first contacting me and/or Sun. If you are seriously considering building a commercial product based on the model or anything else that you find on this blog, I suggest that you run it by your and Sun's legal departments just in case. And under no circumstances should you sue me personally - for anything, ever! :)

Disclaimer: I am no lawyer.

Posted by Alex Maclinovsky on November 13, 2007 at 10:43 AM CST #

In Java land everything is JSR.

Posted by tghfbt on November 13, 2007 at 04:15 PM CST #

Yes, but only if you want to remain confined strictly to Java land. Which is perfectly good in case of JDBC, could be considered valid for something like JBI and is completely unacceptable for any SOA-related technology that wants to succeed. OASIS seems to be most appropriate body.

Posted by Alex Maclinovsky on November 14, 2007 at 01:02 PM CST #

So does Sun SOA Governance Solution comes with C++/Python/.Net/Ruby/PHP runtime engines?
Or it is J2EE only.

Posted by tghfbt on November 14, 2007 at 06:40 PM CST #

It is not that important in which language it has been implemented (for us Java language was a matter of preference as well as common sense - would have been strange for Sun to build a product on .NET!). It is designed to govern services implemented in any technology/platfom (we are now talking to a partner about building C/C++ bingings, another has been working on .NET). The engine itself can also be ported into any platform with decent web services stack and the Governance Information Model would remain exactly the same.

Posted by Alex Maclinovsky on November 14, 2007 at 09:29 PM CST #

Post a Comment:
  • HTML Syntax: NOT allowed

This blog copyright 2009 by Alex Maclinovsky