Navigating SOA Through Distributed Governance


Editor's Note: Be sure to sign up for our upcoming SOA in Action Virtual Conference where we'll cover this topic in greater detail.

You wouldn't drive a car without insurance nor would you skydive without assurance that your parachute will open. So why is it that governance is still considered an afterthought in many IT shops when it can dramatically mitigate the business risks resulting from policy violations?

There are several reasons, or excuses, as to why governance sometimes takes a back seat in the overall IT strategy. It's usually due to a combination of culture and software development processes that view governance either as the step to take when things go awry or as a time-consuming and unnecessary extra layer that results in product delays.

This is not to say that governance as a whole is not viewed by many as a critical part of the software development lifecycle. In many instances, however, architects and developers think of governance as something that should be applied only to the development of specific applications or services and not to the entire infrastructure.

And let's face it, there's a growing contingent of "once bitten, twice shy" architects and developers who have learned the hard way that partial governance is about as effective as half an umbrella in a rainstorm.

However, when you think about the way that the infrastructure is evolving -- supporting service-oriented architectures, cloud computing and mainframe modernization -- you quickly realize that code originally intended to support one aspect of the infrastructure is being reused by different teams throughout the company.

This leads to a proliferation of applications and services that go beyond their original silos. On the plus side, this is a time saver because best practices are being shared. On the minus side, of course, is the risk that the reused services contain errors. This is likely because, as the applications and services continue to be tweaked to address specific business needs, they become vulnerable to more coding errors.

Without visibility into the entire infrastructure, you run the risk of distributing what initially seem like minor errors. Yet these small bugs can grow into bigger business issues.

Consider the recent programming error that led to a 23-quadrillion-dollar credit card charge for a package of cigarettes. While quickly corrected, it calls into question the level of visibility into, and the cohesiveness of, the entire infrastructure.

With this in mind, it's interesting to note that the cost of fixing software code after it's been deployed can be 50-200 times higher than if the issues were addressed as the code was being written.

Along these lines, given the amount of resources that companies have invested in creating a fully integrated architecture, you have to wonder why conversations about breaking down silos are still topical. Again, culture may contribute to the lack of integration throughout the enterprise, though in large part it reflects the larger issue of the way that software is developed and deployed.

It stands to reason that if services and applications are going to be distributed throughout the infrastructure, so should governance. To mitigate risks and extinguish the misperception that governance adds work, it makes sense to introduce it as part of the development process rather than as a checks-and-balances mechanism deployed only when the application is in its final review stages.

Through distributed governance, enterprises can put in place the policies and best practices that should be followed as the software continues to evolve and serve different parts of the organization, whether it's an SOA, a cloud or any other major IT architecture.

About the Author

John Favazza is vice president of research and development at WebLayers. Prior to WebLayers, Favazza held senior management positions spanning engineering, research and development for leading enterprise software vendors focused on SOA, web services security, and management and threat prevention products.