SOA Governance FAQ

After more than a decade implementing SOA, I’ve come to the conclusion that one of the reasons that prevent organisations from realising the benefits of SOA is the lack of some sort of governance in their SOA implementations. I have also come to the sad conclusion that even though this is a well-known fact, many (end customers and SIs alike) still lack an understanding of what SOA Governance is and why it is needed. Having said that, I created this post not only for my own reference, but also to share this knowledge with those wishing to improve their understanding of this amazing topic.

Hopefully this FAQ provides some concise answers to many of these questions.

R. In simplistic terms, SOA Governance is the alignment of processes, people and tools needed to ensure that a SOA implementation is successful. SOA Governance's primary objective is to maximise the benefits that SOA can bring to the business and IT. One thing to bear in mind is that SOA Governance does not exist on its own; it is in fact an extension of IT governance and EA governance.

For technical communities, SOA Governance is usually seen as a discipline that defines the processes, the roles and responsibilities and the tools needed to successfully implement a sound SOA solution.

For the business community and also less technical people, SOA Governance means a discipline focused on ensuring that business benefits and ROI are realised by adopting SOA.

2.     What SOA Governance isn’t?

R. SOA Governance as a discipline is often confused with other important disciplines and concepts of software engineering. This is mainly because the term governance as such is quite broad and covers several aspects of software engineering.

·         Standards: Naming conventions, patterns, reference architectures and standards, amongst others, cannot be considered to be Governance. Although these are important assets, if not enforced through a process they are often forgotten and become out-dated.
·         Configuration Management, Version Control or Continuous Integration: Although these are very important disciplines within software engineering and contribute greatly towards adopting governance, without supporting processes, policy enforcement and the right tools, these disciplines can become an overhead and easily run out of control.
·         A Tool: Tools without a structured process around them add little value and will likely end up not being used for their original purpose.
·         Review Gates: Having a panel (i.e. Design Authorities) responsible for approval or rejection of deliverables is an important aspect of Governance; however, without some sort of automation, robust traceability, policy enforcement and control, these can be time consuming, inaccurate and ultimately unmanageable.

3.      Why is SOA Governance needed?

R. Without some level of SOA governance, the chances of success when implementing SOA are minimal. This is because, unlike other software architectural styles, SOA requires a good level of definition and analysis up-front before embarking on a SOA implementation. Costly lessons learnt have proved that.

Having said that, the following table lists the key problems that in my opinion could be solved by implementing SOA Governance.

| Problem | Consequence to the Business |
| --- | --- |
| Lack of visibility over existing assets and their performance | Minimal asset reuse and duplication, introducing extra costs (both in CAPEX and OPEX). Without a level of analytics it is not possible to determine ROI. |
| Tactical Projects over Strategic Solutions | Projects have their own agendas which deliver short term benefits to the project but that add no long or mid term Enterprise value. |
| Poor decision making and lack of accountability | No sense of ownership makes decision making, policy enforcement and accountability an impossible task. |
| Low quality of Assets which become difficult to maintain and change | Higher complexity and cost of change introduces Risks to the Business, preventing new and innovative solutions from being introduced. |
| Poor estimation techniques and inaccurate planning | Projects cost more than estimated mainly because of “unknowns”... (i.e. rework, extra activities and deliverables, dependencies, complexity, and others) |

4.      What are the objectives of SOA Governance?

R. The objectives of SOA Governance should always be aimed at delivering tangible benefits to the business. By tangible it is meant that these benefits can be measured quantitatively and qualitatively, and therefore there is no ambiguity about the positive results that SOA brings to the business.

·         Aligning the SOA strategy to the business objectives
·         Delivering a Framework suited for Business Agility and Change
·         Aligning SOA to Enterprise Architecture
·         Providing visibility over existing Assets, their use and operational performance
·         Improving the quality of assets by enforcing policy and standards
·         Increasing the ROI by asset re-use
·         Reducing the cost of change and support
·         Reducing the risk of failure
·         Improving agility and promoting innovation

5.      What are the key components of SOA Governance?

R. At a conceptual level SOA governance consists of the following components:

·         A SOA Strategy: Defines SOA objectives which are consistent with the business vision and strategy and which aim at delivering business benefits.
·         A SOA Governance Model: Defines the governance processes, governance tools, governance roles and responsibilities, and governance artefacts needed to implement governance.
·         SOA Design Time artefacts: All of the SOA governance related assets required to support the design-time aspects of governance (i.e. requirement elaboration, analysis, design and build). For example reference architectures, development standards and policies, programming standards and policies, tools such as repositories and/or agile management tools.
·         SOA Run Time artefacts: All of the SOA governance related assets required to support the runtime aspects of governance (i.e. test, deploy, monitor, maintain, improve, and retire). For example, deployment frameworks, testing automation frameworks and continuous integration, monitoring tools, runtime policy enforcement tools.

At a logical and physical level, we are talking about all of the assets such as processes, documents, tools and policies that have to be delivered as part of a SOA Governance implementation.

6.      What are the top challenges that prevent successful SOA Governance implementation?

R. From my experience the top 3 are:

·         Lack of pragmatism when implementing SOA Governance. SOA Governance can be defined to be as complex as one wants. SOA is so broad and covers so many aspects that if one does not apply the right level of pragmatism it is quite easy to lose sight of the ball and end up building a Ferrari when what was really needed was a BMW or, worse, a Ford.
·         Dealing with people and other organisational challenges. Because SOA spans and affects almost every aspect of the organisation and its systems, it becomes incredibly difficult to deal with people from different departments, with different views and different priorities. This means that one might end up in the middle of a political nightmare just by trying to do the right thing.
·         Lack of governance in other areas of the organisation. For example, lack of IT governance or EA governance. Because SOA governance is an extension of these two, if these other types of governance are missing, it becomes incredibly difficult to sell the benefits that SOA Governance has to bring, which prevents securing any funding. Without senior sponsorship SOA governance adoption becomes almost impossible.

7.      What are the most common mistakes organizations make when implementing SOA Governance?

R. There are many common mistakes made when implementing SOA Governance; however, it is generally accepted that the most common ones are:

·         Misunderstanding of what SOA governance is and therefore lack of investment in the tools, processes and people needed to successfully implement it.

For example, many think that SOA Governance is just about writing a bunch of document standards (which get updated once a year) and expecting people and vendors to follow them.

Or, for example, implementing a tool but not defining the right process around it so that the tool in fact delivers value to the overall process.

·         Another typical mistake is implementing Governance purely at a technical level without engaging the business. This means that the objectives of implementing SOA Governance are not focused on delivering business benefits, so the investment made can’t ultimately be justified and converted into benefits realised by the business.

·         Getting the wrong people to implement SOA Governance. So let’s say that the IT and EA departments have both successfully implemented governance and they want to define and implement SOA Governance to ensure that the SOA implementation and its projects are successful. For this they hire a SOA Architect. However, this SOA architect is a blue sky thinker who understands the concepts and theory but has no practical experience of implementing SOA in real life. The outcome will probably be an overkill solution that is not pragmatic, delivers more complexity than was needed, is understood by no one, and ultimately has no buy-in from key communities such as the developer communities.

8.      What Oracle tools do I need to successfully implement SOA Governance?

R.  The components that build up the Oracle SOA Governance Solution infrastructure are depicted in the following diagram:
·         Oracle Enterprise Repository (OER): Oracle Enterprise Repository implements a design-time governance toolset used to support service lifecycle and other key stages of a solution, such as service discovery, and to provide a framework to promote service reuse.
·         Oracle Service Registry (OSR): Oracle Service Registry is a UDDI version 3 compliant registry used to support runtime governance. It provides a runtime interface to the Enterprise Repository, allowing service consumers to dynamically look up service locations at runtime.
·         JDeveloper: Is Oracle's preferred integrated development environment (IDE) for the development of software solutions using Java, SOA Suite and other technologies such as SQL, PLSQL, XML, PHP, amongst others. JDeveloper offers a wide variety of plugins to integrate with other products such as OER and OSR.
·         Web Service Manager (WSM): This is a security policy manager that allows administrators to centrally define and manage security policies in a non-intrusive manner. Policies can be attached to services in order to enforce security and compliance with enterprise security policies. Policies can be attached during the design phases as well as at runtime.
·         Oracle API Gateway (OAG): Formerly Oracle Enterprise Gateway, OAG is a standalone product for implementing robust security policies into services. OAG is typically deployed as a policy enforcement point (PEP) in demilitarized zones (DMZ) where services are consumed or exposed by applications located in untrusted networks.
·         Oracle Enterprise Manager (OEM): This is a web based application for managing and monitoring the Oracle based infrastructures on which services execute. The OEM SOA Management Pack is an add-on for Oracle Enterprise Manager that delivers a complete toolset for configuration management and monitoring of SOA infrastructures.
·         Business Transaction Management (BTM): Delivered as part of OEM (although it requires separate installation), BTM, as its name suggests, is a tool that allows transactions to be monitored as they span multiple systems. Unlike tools like OEM or Fusion Middleware Control that monitor transactions within their own containers, BTM uses observers to collect transaction information from different sources and then, using complex matching algorithms, reconstructs the end to end transaction in a single graph. The sources can be anything from a J2EE application server or an MS Internet Information Server to products such as OSB, SOA Suite and Webcenter.

Refer to the following Oracle website for more information on Oracle’s SOA Governance solution

9.      To what degree does successful SOA governance require organizational change?

R. In many ways. SOA Governance defines new processes that span different departments, it may require the implementation of new tools and processes around them, and it also requires the creation of new roles and responsibilities.

It also implies that people from different parts of the organisation need to interact and collaborate. One would think that this is not an issue, but in fact it is one of the greatest challenges when implementing governance, as previously mentioned.

In the following article I elaborate a bit more on this topic and also provide useful tips that can help reach organisational maturity.

10.      What impact, if any, do trends such as Cloud, API development, Mobile Computing, Big Data, and the Internet of Things (IoT) have on SOA Governance?

R. All these new trends require and implement SOA one way or another. The fact is that all of these evolving technologies are at their core dependent on distributed computing, as the systems and data that these new technologies depend on and interact with are located all over the internet. For example, Big Data systems such as Hadoop feed from structured and unstructured data sources located all over the internet. Mobile apps also require information to be made available to them, preferably using lightweight services such as RESTful services that could be located anywhere on the internet. IoT is all about internet-enabling devices that we use in our day to day life (watches, fridges, alarms, etc.) and allowing them to interact with intelligent systems which are located somewhere in the cloud. These systems would then help us become smarter and more efficient in our day to day activities by making sense of the data that is constantly being captured. Again, without some sort of efficient and distributed client/server communications this would simply be impossible.

SOA, as an architectural style and philosophy, was conceived to fundamentally support the concept of distributed computing whilst inheriting the best features from other paradigms such as Object Oriented Programming (OOP) and Enterprise Architecture Integration (EAI).

Moreover, all of these emerging technologies rely on Application Programming Interfaces (APIs) either to make their data available to other systems and/or apps or to consume data from other systems. Although initially the API movement evolved somewhat independently of SOA architectures, APIs eventually evolved to become an integral part of SOA. This is because many of the problems that APIs were designed to solve are actually shared by SOA (i.e. support for a diversity of technologies and open standards, support for componentization and abstraction, delivering flexibility and promoting reuse, etc). Even the tools used to create, monitor and manage APIs are the same or very similar to the tools used when implementing more traditional SOA architectures.

Having said that, SOA Governance, as a discipline, is aimed at ensuring that people, processes and tools are all aligned towards achieving the same goal: delivering IT and Business benefits. The impact these trends have on SOA Governance? Well, SOA Governance will have to adapt to support many new asset types (i.e. APIs) and support the emerging processes, tools and roles that are required to enable these new technologies to deliver benefits no longer just to the one company implementing SOA, but also to the many parties (businesses, people and machines) that benefit from these technologies. For example, in the case of APIs, there is another discipline known as API Management, but in reality this discipline is an extension of SOA Governance, focused on achieving similar goals but more specifically around APIs. The consumer of an API can be anyone on the internet: a person, a business or even a machine.

11.      Are there any practical books on how to implement SOA Governance?

R. Although there are several books out there on the topic of SOA Governance, there aren’t in fact many on the topic of how to actually implement it in practice. For this same reason I decided to write a book on the topic.

If you are interested in knowing more about the book please have a look at the following link:

For regular updates on SOA Governance join the Oracle SOA Communities: