In Depth: What You Need To Know About SOA Management Suites
If you're serious about your service-oriented architecture--and you'd better be--you must get your services under control. An SOA management suite can give you the power to enforce operational policies. Here's how.
Managing a SOA isn't for the faint of heart. Services crop up like mushrooms and comprise multiple touch points (operations) that may require different policies based on the person or application using the service. Forget conventional methods of managing and monitoring Web resources--they can't offer visibility into the operation being executed within a service. Most are capable only of recording and monitoring URIs, and log-culling products simply cannot provide a transactional view of service use for your service-oriented architecture.
You need an application that can monitor services at the operation level, perform authentication and authorization, apply security policies that safeguard the privacy of data, conform to regulations such as HIPAA and Sarbanes-Oxley, and ensure availability of services using SLA management and enforcement. Oh, and it must also integrate into your existing architecture.
Traditional APM (application performance monitoring) models in the form of agents residing on enterprise service platforms, such as BEA Systems' WebLogic or IBM's WebSphere, don't fit the bill because they haven't evolved along with SOA. APM agents are focused on URIs and don't speak XML or SOAP, both must-haves to collect metrics and apply policies accurately based on XML-specific standards and best practices, such as encryption, data transformation and monitoring at the operation level. They're also not proficient at enforcing policies that may modify requests and/or responses, nor can they perform authentication and authorization. Give 'em the boot.
Play Reveille for Me
If you're squirming because we just described your SOA management strategy, wake up and smell the mess hall coffee. Web services are not only not conventional Web-based resources, they aren't even always Web-based. Many Web services, especially those exposed by middleware, such as ESB (enterprise service bus) suites, are accessed using messaging protocols like JMS (Java Messaging Service) and not through HTTP, making life difficult for some SOA management products--and leaving many IT pros shaking their heads at the erroneous use of "Web services" to describe services within a SOA. JMS (Java Messaging Service) advocates are particularly irritated at the misnomer and plan to launch a counterstrike to rename all SOAP transports "messaging services." You heard it here first.
If you're serious about SOA, you need the right weaponry to keep services under control. But in our reader poll for this article, only 33 percent of respondents said a management product was in their future; 26 percent said they were undecided.
Let us help: If your SOA strategy doesn't include a SOA management product and you expect to implement more than 25 services, rethink your strategy. If you need to enforce service-level agreements on those services, rethink your strategy. And if your organization requires last-mile security for services, you really need to rethink your strategy; APM products simply can't provide the fine-grained security and SLA enforcement required for SOA deployments. And you must make the leap sooner rather than later. Putting management products into a service after the fact adds complexity and increases the time to complete a deployment.
Although you can employ code-based security and some facets of management within a service, managing code when faced with multiple access scenarios that address the differing needs of various types of uses can actually degrade performance. Worse, it destroys the ability to quickly adapt to changing business needs, such as welcoming new partners, applications or users. SOA management suites address these needs neatly by placing the onus on external systems that are readily modified, simply by changing or creating policies that can be applied in hours rather than weeks.
The market is ready; SOA management products have been evolving and consolidating for several years. We brought two SLA management suites, Actional's Looking Glass and SOA Software's Service Manager, into our NWC Inc. business applications lab in Green Bay, Wis. (see "NWC Reports: SOA Management" below, for highlights and go to www.nwcreports.com for our complete analysis). We dug beyond the bells and whistles of real-time monitoring and eye-candy reports, and found that both are ready for prime time. The interoperability issues, poor standards compliance and immature implementations of SLA enforcement and notification mechanisms we saw two years ago have been resolved. The field also has narrowed considerably, with the remaining players in this space evolving through consolidation with security players (Actional-Westbridge), partnerships (DataPower-CA), and acquisitions (SOA Software-Flamenco Networks/Blue Titan Software). In this case, a smaller field really is better.
There's still room for improvement, of course. Most products remain light on enterprise-class alert and notification mechanisms, choosing instead to integrate with corporate-standard network and systems management products, such as CA Unicenter, HP OpenView and IBM Tivoli. For smaller organizations, the alert and notification systems of SOA management products are likely good enough. Policy management needs work across the board, but it's not so poorly implemented as to be a show-stopper. In fact, SOA Software's Service Manager does an excellent job of distributed policy management, and the version control in Actional's SOAPStation is an excellent example of the maturity in this arena.
What we aren't seeing yet is consistency in depth and breadth of feature sets. Service Manager's version control isn't as mature as that of Actional and Reactivity, but Actional's policy management isn't as centralized as SOA Software's implementation. However, products are stable, and their core functions--managing and monitoring services--are ready for battle.
The cost of a SOA management suite--an average of $120,000 for our NWC Inc. scenario--and the complexity of implementation mean the decision to purchase one of these puppies must be a collaborative one between IT and business users. That's the case for readers responding to our poll for this package: 57 percent say Web services technology purchases are initiated jointly.
5 Top Federal Initiatives For 2015As InformationWeek Government readers were busy firming up their fiscal year 2015 budgets, we asked them to rate more than 30 IT initiatives in terms of importance and current leadership focus. No surprise, among more than 30 options, security is No. 1. After that, things get less predictable.