If you listen to industry discussion of service-oriented architecture (SOA), you are likely to get the impression that SOA is best thought of as a technical approach for application integration. The reality is that SOA is much more.
Stories by Randy Heffner
You might think that technology supports your business, but you're wrong: Technology has become your business. The 21st century reality is that you don't have a business without technology; it has become as integral to the way your business operates as are people, finances, suppliers, business partners, and all the rest. That means it's too risky to build your business and only then look to put supporting digital technology underneath. Instead, business and technology must be designed and built together, as a unified whole - there are simply too many design tradeoffs between the physical and digital aspects of your business to risk doing it any other way. The new mindset is that "your business is embodied in your technology", and this calls for a new approach to business technology architecture and strategy.
Amidst the overwhelming buzz of cloud computing, IT decision-makers must sort the reality from the hype to determine where cloud might provide business value for their organizations. Cloud is an important development in the landscape of computing options - to the point that most organizations will one day use cloud or cloud-like offerings - but there's no guarantee that cloud is right for your organization right now. For example, many of the most-talked-about usage scenarios for infrastructure-as-a-service (IaaS) entail specialized situations that few enterprises can relate to. On the other hand, there is real value, and your business may be able to achieve substantial benefit from cloud computing.
The worst CIO misunderstanding about service-oriented architecture (SOA) is thinking of it as only another technical initiative for software reuse.
Although SOA's reuse potential is real and good, its business impact goes much further: In Forrester surveys, 38 percent of Global 2000 SOA users say they are using it for strategic business transformation. SOA's true source of power is in its business design models, not its technology - and this means that SOA provides a broad foundation for a much larger shift in business technology (BT) architecture that goes far beyond SOA itself. By correctly understanding SOA, CIOs can lead their organizations on a solid and well-managed path toward a strategic technology future and greater business value.
Among the ways to keep a service-oriented architecture (SOA) initiative on track, forming a centre of excellence (COE) is a frequently named option.
Indeed, a recent Forrester survey shows that having an SOA COE correlates with higher satisfaction with SOA. It is more interesting, however, to note that the most-valuable functions that SOA COEs perform, as judged by Forrester survey respondents, have to do with leadership and governance for SOA, not training on detailed technology skills. As architects plan for SOA and guide their organisation in its adoption, they should think of the SOA COE first as a governance body and only second as a training body.
Although full SOA security maturity is yet to come, 30 percent of organisations now use SOA for external integration with customers and partners. For standard web services using SOAP, WS-Security has achieved critical mass as a foundational standard. On the other hand, advanced SOA security - involving federation among partners, nonrepudiation, and propagation of user identities across multiple layers of service implementations - is in its early days. To navigate the path from what's practical today to the future of advanced SOA security, establish an iterative design process for evolving your SOA security architecture that considers your current and future security requirements, emerging industry specifications, overlaps in product functionality for SOA security, and possibilities for custom security integration.
As a baseline for designing SOA security, the simplest way to secure SOA requests and responses is to place them within a virtual private network (VPN). The most common method for external SOA security is two-way Secure Sockets Layer (SSL), which: 1) allows each of the communicating partners to authenticate the other, and 2) sets a high bar for security, because an attacker cannot even connect to an SOA-based service without first stealing a certificate and private key from an authorized service consumer. Although VPNs are relatively easy to establish, VPN-based SOA security is coarse-grained and offers no ability to support advanced functions such as: propagation of user identity across multiple layers of service implementations; coordination and federation among multiple security domains; and strict nonrepudiation. Also, the ongoing management of certificates can be an administrative burden.