SOA: No Governance Needed. Or Is It? August 18, 2009 By Bob Larrivee Director and Industry Advisor at AIIM

SOA (Service Oriented Architecture), generally recognized as being an alternative to EAI (Enterprise Application Integration), offers greater flexibility than the more traditional methods of interwoven integration to link various applications. SOA, using relatively simple interfaces incorporates standards like SOAP (Simple Object Access Protocol) and XML (eXtensible Markup Language), to deliver standard messaging formats and increased reuse of information assets at lower integration costs. Figure one presents a complete and simplified graphic depicting the concept of how SOA might work.

While this may appear to be simple, we must remember that the simplicity shown does not represent the effort required to make older business applications systems fit into the new architecture. In order for this to be accomplished effectively, one will likely have to retrofit existing applications, build new layers of middleware, and create new management practices and security defense mechanisms. Yes, there are standards to leverage but this still requires someone to map out the core requirements, identify the underlying architecture and infrastructures, and develop the integration links and interfaces.

When a service oriented architecture approach is developed, applications can be enabled in sequence such that the business starts to see a return on investment sooner than with an EAI approach. Many early adopters decided the best approach to using SOA is to take a phased approach migrating applications one project at a time looking for quick wins that will provide measurable returns on investment with reusable services that help accelerate the transition to SOA and lower development costs.

As such, one might conclude that SOA is the glue or middle layer that ties back office applications to the user community in a simple yet robust manner. So why then is Governance a concern?

Putting Governance in Context
Governance, or more specifically Information Governance in its simplest terms, it a combination of policy, process, people, standards and review or auditing that is put into place to ensure that corporate information assets are maintained in adherence to regulatory requirements and protected from unauthorized access and distribution and protect the interests of not only the stakeholders but the shareholders as well.

So if we combine the two, one might conclude that SOA Governance could then be defined as the guidelines by which we would use SOA to produce the expected results of delivering information from back office applications to the end user community. This being the case, it could then also become a subset of IT Governance as IT Governance then deals with the rules, policies and procedures governing other areas of IT including infrastructure, design, security, and architectures. While this is all well and good, we still do not have the answer to why this is important.

What if?
Imagine for a moment that life in the land of Now is running smoothly and you have made the decision to add SOA as the method by which all things will pass. Let's imagine further that there is no Governance over the use of SOA. No provision for security. No provision for access controls. No provision for monitoring activity. Now let's imagine you are brought into litigation based on allegations that corporate assets have been accessed by sources outside of the corporate structure and used not only as insider information for monetary gain but sold to the competition as part of a suspected espionage initiative. Are you in a defensible position? Can you prove the integrity of the system, security and information assets as a whole without a proper Governance framework in place?

Remember that in terms of defensible posture in litigation, on must prove not only the authenticity of the information or records but the processes, procedures and infrastructure by which all things are managed. In fact, recent amendments to the Federal Rules of Civil Procedure have been interpreted and are now being tested to include not only records and information stored within standard storage media like hard drives, CD and DVD, and questioning the security of that data regarding access authorization and control. While SOA is a viable solution to stitching information together that is accessible through a simple interface, it also presents challenges like security breaches that could increase your level of risk if there is no Governance in place to ensure consistent, coherent and auditable practices are in place.

From the Beginning
In days of yore, we spoke of reengineering the workplace to improve business processes and workflow. The catch was most processes and workflows were never engineered to begin with so the term reengineering was not applicable, yet we made every effort to map those processes created through serendipitous need, and modify them into something that is actually defined, replicable and can be monitored. The point being, it took thought and effort to create process models that were more efficient, auditable, documented and defensible.

The same holds true for SOA in that it needs forethought and planning in order to maximize the benefit and ensure adherence to the Governance in place. This includes areas like choice of platform, standards use from both the industry and corporately defined, and security to name a few. As with all projects, SOA Governance must align with corporate objective and the vision of where the corporation should be in the future. As such, one must not only look at today's environment but into the future in anticipation of changes to the business climate and technology advancement. Did you ever imagine even 5 years ago, that you would be able to fully access information, regardless of format, through your cell phone? Today's devices allow you to access and view web applications, word processing documents, spreadsheets and much more than was imaginable at that point in time. SOA is a driver for this which means the delivery channels will shift and your SOA implementation and Governance must be flexible enough to adapt.

Conclusion
SOA Governance is very much needed and vital to the protection of your corporate information assets. A comprehensive SOA Governance will not only help provide defensibility against unauthorized access, it will also provide additional strength to your overall information management policies and aid in maintaining the authenticity and integrity of your corporate information assets.

The SOA Governance should address and establish concise policies and procedures in relation to architectural design, platform use, security measures and monitoring to ensure controls are in place and corrective actions can be taken if needed. SOA Governance will not be a simple task but the rewards of minimized risk and benefit gained can be significant.