<<Searching for rogue services isn't keeping Christopher Crowhurst up
at night. The vice president and chief architect at Thomson Learning
is confident that the SOA platform for the information and education
division of Thomson Corp. is not plagued with bad services, so he is
not standing in line to buy the latest rogue detection tools.
In his view, if you are buying detection tools, you've probably
already failed SOA 101.
"Rogue services detection has become something of interest to vendors
as they see their infrastructure stack having an ability to identify
the existence of rogue services," he said. "But what you really want
to point to is that if you do have rogue services, you are looking at
a failure."
He said he understands the need for detection when all else has
failed, but he suggests that it will be important to learn from past
policy and governance mistakes.
"The technologies that exist to identify rogue services are useful in
that it allows you to quickly deal with the situation," he said.
"However, you need to deal with the underlying problem of service
governance to prevent services from being exposed without having the
appropriate policy applied to them."
Thomson Learning, which links Web services in an SOA environment to
provide online products including specialized research and other
classroom materials to university professors, was an early adopter of
SOA starting in 2001, sending XML files over HTTP and then graduating
up to SOAP. But early on, Crowhurst realized that if he didn't
establish firm policies for Web services design, development and
deployment there were going to be problems later on. So he created
policies to keep seat-of-the-pants coders from infecting Thomson's
systems with what are now called rogue services.
His policies might be a model for how to keep the rogue services fox
locked out of the Web services hen house. He starts from the point of
view that while software tools may be useful, policy and governance
begins with people following procedures.
"There are a rich set of rules for the lifecycle of the service from
concept through to deployment," he explained. "We start at the
beginning stage of an application so part of the governance model
starts from the initial concept of the service needing to be created.
It flows through design requiring design documentation to go through
an approval process. Then in development there are design reviews,
code reviews and threat analysis. Then moving from development into QA
there's traceability matrixes based on required reviews of the test
cases against the design requirements. Once you're out of QA going
into staging there's required threat analysis, threat mitigation. Then
when you're deployed into production there are sets of defined rules
for cryptography, signature, etc., that are required."
How does he make sure the development teams are complying with the
policies every step of the way?
"We have representatives from the architecture team embedded into each
project to effectively manage the development lifecycle and make sure
our policies are complied with and we don't have rogue services being
developed," Crowhurst answered.
And what if I were a lone coder in the organization with a brilliant
idea for a quirky Web service if I could just kind of slip around this
policy and governance hassle?
"You'd never get near a production environment," the chief architect
said firmly.>>
Nice to know someone keeps their environment in such order...
You can read this at:
<http://searchwebservices.techtarget.com/originalContent/0,289142,sid26_gci1197510,00.html?track=NL-451&ad=558325&ASRC=EM_CNL_357100>
Gervas