After several gruelling years of implementing life-cycle controls over their web services environments, these IT pros now worry they may have to radically revamp those efforts to keep pace with rogue adoption of outsourced cloud services.
SOA governance, also known as service governance, refers to practices and tools for enforcing consistent development, security, performance and other policies across the life-cycle of key functions, regardless of whether they are hosted internally or provided by outsourcers.
Effective SOA governance is extremely important. It enables organisations to continuously plan, design, validate, publish, provision, monitor, modify, secure and optimise their distributed environments. And it ensures that services deployed in enterprise application environments — be they built on clouds, mainframes or any other platform — comply with regulatory, policy, operational and other baseline requirements.
In one sense, cloud computing could end up being the best thing to happen to SOA governance. That's because the existence of cloud computing makes governance all the more critical.
In theory, clouds can deliver almost every IT capability — from applications down to middleware, application platforms, and even storage, processing and other hardware resources — as on-demand subscription offerings.
But how does an IT executive provide sound management in a cloud computing world?
"The cloud revitalises interest in governance because you are extending trust to services across premise and presumably corporate boundaries," says Miko Matsumura, vice president and deputy CTO at Software AG. "Not only is that significant from a governance perspective, but the complexity of mashing up cloud services with on premise applications, integrations and infrastructure requires a framework for maintaining overall integrity."
In other words, clouds complicate the SOA governance picture. Without proper governance, anyone could deploy a new cloud service any time they wish, and anyone could invoke and orchestrate that service into ever more convoluted messaging patterns.
In a governance-free environment, coordinated cloud service planning and optimisation becomes frustratingly difficult. In addition, rogue cloud services could spring up and pass themselves off as legitimate nodes, thereby wreaking havoc on the delicate trust that underlies production SOA.
Simply put, cloud services can circumvent even the best-laid service governance practices. By enabling rapid no-touch outsourcing of many or all IT functions, cloud services make it very difficult for enterprise IT to enforce policies governing service composition, integration, security, management, and other key functions.
Many of the components that organisations have deployed in support of web services — such as service registries and service-level management agents and consoles — are partly or entirely lacking from many public or private cloud environments.
From the viewpoint of SOA professionals, cloud environments are potential breeding grounds for undocumented, unsupported, and non-standard application services. Imagine the chaos if users start accessing externally provided cloud services without first gaining IT's approval.
In addition, outsourced cloud services may not conform to any of the web services standards — such as Extensible Markup Language (XML), Simple Object Access Protocol (SOAP), Web Services Description Language (WSDL), and Universal Description Discovery and Integration (UDDI) — upon which IT has built the enterprise's internal SOA.
Like creeping kudzu, rogue public-cloud-based services can become firmly ensnared in your IT environment and resist all subsequent efforts to extricate them. Once those uninvited guests are firmly ensconced in an organisation's operations, enterprise IT may find itself severely hamstrung in its attempts to monitor them or rein them into conformance with standard practices for service designing, maintaining, monitoring, securing and versioning.
In addition to these legitimate governance concerns, lack of familiarity with cloud computing is another worrisome factor. That may eventually dissipate as cloud computing moves into the mainstream, but that may not occur for a while.
"As cloud computing and SOA continue to converge, the need for a governance strategy, and good governance technology, will become more important," says David Linthicum, founder of the Linthicum Group, a SOA and cloud consultancy. "However, most of my clients are still kicking the tires around cloud computing, including creating strategy, and doing small projects to validate the infrastructure change. This will change quickly as we move towards the end of 2009, when more business processes, applications, and information will reside on remote clouds, and thus the need for governance increases."
To the extent that enterprises are adopting cloud services, it is via a selective outsourcing of specific applications and infrastructure. One of the principal cloud/SOA governance decisions is in determining which services to source from which public clouds, so as to avoid unnecessary duplication with internal application environments.
"The larger business decisions really are around which services should or shouldn't be sourced in a certain way, and what level of comfort and risk aversion are acceptable," says Dana Gardner, principal analyst at Interarbor Solutions. "One risk would be that people start jumping into cloud and external-service consumption piecemeal, without it being governed or managed centrally, or with some level of oversight in a holistic sense."
IT execs should expect to see SOA governance tools enter the cloud market in droves over the next several years, addressing a pent-up demand among enterprise IT professionals. "As IT strategists look over the horizon to what they some day would like to do with cloud computing, be it internal, external or hybrid, they can begin to set themselves up for success on that front now," Gardner says. "Moving toward SOA best practices and implementing strong governance across IT services and resources is an excellent place to gain advantage over today's IT, while preparing for newer models and efficiencies."
For all the hype surrounding cloud services, it's difficult to find case studies of effective SOA governance in this brave new environment. Nevertheless, most public cloud service providers offer governance tools for managing applications, virtual machines, integration logic and service levels deployed in their specific environments. And a growing range of vendors — including RightScale, Kaavo, and Hyperic — are providing tools for provisioning and managing services across various public and private cloud environments. However, as befits the immature state of cloud computing, none of the established SOA governance tool vendors supports management of cloud-based applications, transactions, messaging or service levels.
Furthermore, even as cloud services become more mainstream, and even if they were built from the ground up with SOA governance in mind, they would still be very challenging to manage. This difficulty stems from some hallmarks of this new paradigm: outsourcing service providers, proprietary public clouds, virtualised resource pools and mashup-style service creation.
Comprehensive SOA governance depends on having all application, platform and network domains under common policy-based administration — a rare occurrence in enterprise networks of any complexity — or on having instituted federation among autonomous domains.
Managing SOA federations within an enterprise or B2B supply chain can be dauntingly complex. But managing SOA federations that link internal application domains with those provided by one or more outsourcers — including public cloud service providers such as Amazon, Google, Microsoft, and Salesforce.com — depends on negotiation skills worthy of a Nobel Peace Prize.
"Public cloud providers are gingerly approaching the notion of federation," says Rich Wolski, professor in the Computer Science Department at the University of California, Santa Barbara (UCSB) and director of Eucalyptus, an open-source cloud-computing software project. "There's not much federation yet between public clouds, but we're starting to see some discussion of cross-cloud federation for the provisioning of resources."
Wolski stresses that as the cloud computing market works through the myriad federation issues, service providers and their enterprise customers will need to establish multi-layered agreements that span identity management, service-level management, storage management and other key concerns.
Right now, there is little to no policy federation between enterprise SOA environments and public cloud services. Those enterprises that choose to rely on public cloud services are running a considerable risk, according to Christopher Crowhurst, vice president for architecture and business systems infrastructure at Thomson Reuters.
"You're vulnerable to the provider's performance when you run your infrastructure and applications in someone else's cloud," Crowhurst says. "In those circumstances, there is little onus on the public cloud provider to coordinate their scheduled downtime with subscribers. And it's risky business to build applications that depend on services provided by the public cloud when there is no prior agreement on stability or availability of their API." Even if the public-cloud APIs remain, Crowhurst says, "the behaviour of those interfaces may change without notice."
Crowhurst advises enterprise IT professionals to negotiate governance features into their contracts with public cloud service providers. At minimum, he says, these contracts should include clauses under which public cloud providers must inform customers of downtime, service changes, rollouts, version deprecations and API modifications.
One key SOA tenet is that a distributed application environment should be platform-agnostic, and so should its governance infrastructure. Under pure SOA, the external API should be agnostic to the underlying platforms.
However, enterprise forays into cloud computing often violate that principle by relying on monolithic public-cloud services, most of which implement proprietary APIs, development tools, virtualisation layers and governance features — though many cloud services also incorporate open SOA and Web 2.0 standards to varying degrees. Interoperability among proprietary public clouds is often non-existent, and tools for governing services across diverse public and private clouds are just now coming to market.
"To enable design-time cross-cloud service portability, public cloud providers should implement open industry standards for packaging of virtualised services," says Billy Marshall, founder and chief strategy officer of virtualisation tool vendor rPath. "If we can define service compliance with an open virtualisation format," says Marshall, "then we'll be able to define service governance that is independent of the host."
One specification that addresses this need is the Open Virtualisation Format (OVF), a Distributed Management Task Force (DMTF) draft, which defines an extensible format for the packaging and distribution of software to be run in virtual machines (VM), such as those at the heart of public and private clouds. Though it is a key specification for portability of VMs across clouds, OVF, still in Version 1.0, does not provide the full context on VM "images" that would be necessary to support sophisticated life-cycle governance of these key artifacts, says Brett Adam, vice president of engineering at rPath.
Most SOA governance environments only skim the surface of enterprise IT environments: managing only that subset of services operating in the application layer, and only those web services built on XML, SOAP, WSDL and other core SOA specifications. By contrast, many public cloud services provide a deeper stack of on-demand services, spanning the application, software platform, integration middleware, and even hardware layers. Indeed, virtualised, grid-oriented "hardware as a service" resource pools are a popular cloud offering, providing ample processing and storage capacity.
By proliferating services far deeper down into the stack, beyond the capabilities of today's SOA governance tools, cloud environments are making unified planning, design, provisioning, monitoring and control of all services next to impossible.
One key area where cloud governance differs from traditional SOA is in its focus on life-cycle governance of VMs. To facilitate automated provisioning of deep application and integration stacks on VMs, cloud management environments should offer prepackaged "server templates," says Michael Crandell, founder and CEO of cloud management platform vendor RightScale.
These templates embed prepackaged policy definitions that govern important life-cycle service VM governance functions, including deployment, setup, booting, monitoring, control, optimisation and scaling of VMs on one or more public or private clouds. Cloud governance even encompasses the periodic need to "decommission and throw away" old VM instances, and launch new ones in their place, Crandell says.
Traditional SOA-style development is top-down. It requires considerable upfront architectural design, factoring functional primitives into platform-independent, loosely coupled service contracts that are exposed to developers through open web services standards.
By contrast, cloud services encourage a grassroots style — often known as Web 2.0, Web Oriented Architecture or Representational State Transfer (REST) — of service provisioning, development and management. Anyone with a credit card can sign up for and start accessing cloud services, which may be totally redundant with applications that their companies have deployed internally.
By the same token, anyone with a browser can mash up available cloud service components into applications that may deviate significantly from corporate-standard design patterns — and probably lack the stringent security expected from enterprise-grade services. In the REST paradigm, UDDI, WSDL, SOAP and other WS-* standards are conspicuous in their absence. So it's no surprise that the phrase "mashup governance" gives some SOA professionals anxiety fits and causes others to double over with laughter.
Nevertheless, cloud services can benefit from the many lessons learned by enterprise SOA governance implementers, says Tim Hall, director of SOA products for HP Software and Solutions. "Most important, you need a service catalogue that maintains metadata about services and enables you to control development and construction of services and publish visibility and availability of services to consumers."
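One way to make such a service catalogue actionable is to audit the outbound service calls an egress proxy records against the catalogue's metadata, surfacing the rogue, deprecated and unapproved-version calls the article warns about. The following is an added illustration, not code from HP or any vendor named here; the catalogue entries, hosts (reserved .test names) and log lines are all constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlparse
import re

@dataclass
class ServiceEntry:
    """Catalogue metadata for one externally sourced service (constructed example)."""
    name: str
    host: str                 # the only host consumers may call for this service
    owner: str                # accountable team, so a finding has someone to go to
    status: str               # "approved" or "deprecated"
    api_versions: List[str]   # versions still sanctioned under the provider contract

# Hypothetical catalogue; .test hosts are placeholders, not real services.
CATALOGUE: Dict[str, ServiceEntry] = {
    "crm": ServiceEntry("crm", "api.example-crm.test", "sales-it", "approved", ["v2"]),
    "objstore": ServiceEntry("objstore", "storage.example-cloud.test", "platform",
                             "deprecated", ["v1"]),
}

# Constructed sample of egress-proxy output: "<consumer> <url>" per line.
SAMPLE_LOG = """\
billing-app https://api.example-crm.test/v2/contacts
billing-app https://api.example-crm.test/v1/contacts
intern-tool https://files.unknown-cloud.test/upload
reports https://storage.example-cloud.test/v1/objects
"""

def _api_version(path: str) -> Optional[str]:
    """Return the leading /vN/ path segment, or None if the path has none."""
    first = path.strip("/").split("/")[0]
    return first if re.fullmatch(r"v\d+", first) else None

def audit(log_text: str, catalogue: Dict[str, ServiceEntry] = CATALOGUE) -> List[dict]:
    """Flag calls the catalogue does not sanction: unregistered hosts, services
    marked deprecated, and API versions outside the approved list."""
    by_host = {e.host: e for e in catalogue.values()}
    findings = []
    for line in log_text.splitlines():
        consumer, url = line.split(None, 1)
        parsed = urlparse(url)
        entry = by_host.get(parsed.hostname)
        if entry is None:
            findings.append({"consumer": consumer, "host": parsed.hostname,
                             "issue": "unregistered service"})
        elif entry.status == "deprecated":
            findings.append({"consumer": consumer, "host": entry.host,
                             "owner": entry.owner, "issue": "deprecated service"})
        elif _api_version(parsed.path) not in entry.api_versions:
            findings.append({"consumer": consumer, "host": entry.host, "owner": entry.owner,
                             "issue": f"unapproved API version {_api_version(parsed.path)}"})
    return findings
```

Running `audit(SAMPLE_LOG)` on the constructed log yields three findings: the v1 CRM call, the unregistered upload host, and the deprecated object store; the first line is clean.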
Clearly, SOA governance is maturing as a discipline, while cloud computing — the new galaxy in which services will burst forth — is anything but. Unfortunately, the cloud arena may continue to evolve so fast over the next several years that it will be difficult for consensus service-governance practices to coalesce.