Active SOA Rules Enforcement

Without SOA rules for security, regulatory compliance, and business agreements, companies are at risk of litigation, financial penalties, and loss of business. Yet creating accurate rules and enforcing them consistently in the SOA runtime environment is a challenge.

SOA Rules on Security

SOA security is complex. There are many forms of security–including authorization, authentication, and different credential types–and many Web service standards for them. This is particularly true in a heterogeneous SOA environment, for example, one with both SAP SOA services and non-SAP services. In such environments, different services may use different credential types, requiring mediation across a business process that couples them.

Policies may be incomplete or inconsistently enforced because the developers who create the service logic are also creating the SOA rules for securing individual services. Security requirements may differ from service to service. What's more, security isn't developers' area of expertise or core competency. Making them responsible for security can lead to security errors and SOA security rule inconsistencies.

The solution is to centralize SOA security management. In fact, the Progress® Actional® SOA management solution allows SOA rules on security to be abstracted or decoupled from the services. As a result, security can be managed centrally by specialists with both project-level security and global security knowledge.

In addition, with Actional, the various SOA rules for security are enforced at the service endpoints to which they apply, without much system overhead. As a result, with its central management and distributed operations, Actional ensures that the right security is enforced both effectively and consistently across the organization in the runtime environment.

SOA Rules on Government Regulations and Business Procedures

In addition to security rules, companies must enforce SOA rules involving regulatory compliance and business policy. These may govern information (e.g., privacy laws), processes (e.g., auditing for Sarbanes-Oxley compliance), and business procedures (e.g., alerts when "gold" customer service levels are near violation).

With Actional, specialists can centrally create and manage these SOA rules and then push them out to the relevant endpoints of the network for enforcement. Specifically, with Actional, experts can centrally define and manage each rule at the business level, which can then be applied and reused appropriately and consistently.

As services or processes change, there's no additional work required to keep the related rules enforced. As rules and policies change, there's no work required on the individual services because the policies and rules are decoupled from services.

Closing the SOA Governance Loop: Updating SOA Rules

SOA registries and repositories are SOA governance solutions that manage the metadata describing the business services and the SOA rules governing their use. But these "ideal" descriptions may not reflect what actually happens during SOA runtime operations.

Actional ensures runtime governance. It integrates with SOA governance solutions to enforce SOA rules in runtime and provide rules updates. It also offers other SOA runtime governance support in the areas of rogue service control and governance wrappers that bring applications into compliance with SOA rules they cannot support natively.

One area critical for SOA governance is rogue service control. Rogue services can occur in different forms. They can be registered services reused in unauthorized ways or services that appear in the runtime environment that are not registered, as shown below.

Rogue services include unexpected reuse of registered services as well as unregistered services.

Rogue services can cause multiple problems:

  • Unauthorized people may have access to sensitive customer data, violating some key SOA rules for regulatory compliance with privacy laws.
  • Unexpected reuse of known services can cause IT capacity overload and degrade business process performance, impacting customer service levels.
  • Versioning of services may lead to unexpected process problems, because the developers don't know what other services are affected by their version changes.

Actional solves these problems. It provides visibility into what's going on in that runtime environment. When it finds rogue services, it secures the unencrypted sharing of private data or rogue service operation. And it provides information about what is actually occurring (who is using services and their interrelationships with other services in the environment) to update the registry data so that it is synchronized with the actual runtime environment. This revised information is valuable to developers, who then have an accurate picture of services and their dependencies and can act accordingly when they create new versions of services.

Actional provides visibility into rogue service operations, updates the SOA governance platform with the information, and brings rogue services under control.

In this way, Actional helps to ensure that SOA rules are enforced and that SOA operations are aligned with business needs, such as reducing the risks of security breaches and of non-compliance with government regulations.

For More Information on SOA Rules

To learn more about best practices for active SOA rules enforcement in the runtime environment, register to watch the on-demand webinar: "Jumpstarting SOA in your SAP Environment".
