SOA Examples: How the Need for Governance Appears in the Real World

These real-world SOA examples point to the critical need for governance on services-enabled networks, particularly where rogue Web services are concerned. The first example involves a financial services firm. The second relates the catastrophic events at a credit-card processing company.

SOA Example: Financial Services

Consider a large financial services institution that had started rolling out services on its network. IT knew, through various means including its registry, that five approved applications were using one of its services. Every service deployment had (supposedly) followed the firm's fairly rigorous governance and compliance measures. Nonetheless, the firm consulted Actional because IT began to realize that something wasn't quite right. IT knew who was using the service, or at least thought it did, yet there were periods during the day when the service did not perform as expected: it got very slow, and IT was not sure what was causing the slowdown or what its downstream impact was. This is where Actional's ability to auto-discover what is going on among services, processes, transactions, applications and platforms came in. Much to the firm's surprise, it turned out that 34 different applications, not five, were using the service. So even with strict processes in place, there was far more usage of the service than the firm had ever imagined or intended. This situation is not limited to a few isolated cases; Actional has seen it at over 50% of its onsite customer engagements.
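To make that kind of discovery concrete, the following added example (not code from this page or from Actional's products) reconciles what a registry says about a service's consumers against what a gateway access log shows actually calling it. The registry contents, the log format, the host names and the application names are all assumptions constructed for the example. Besides listing credentials the registry has never heard of, it flags an approved credential being presented from hosts the registry does not associate with that application, which is the signature of the case the page goes on to describe, where one approved application's credentials travel inside a JAR file that other teams pick up.

```python
import re
from collections import defaultdict

# Registry view of the service's consumers, as the governance process recorded
# it: credential (service account) -> hosts that application is deployed on.
# All names are hypothetical, constructed for this example.
REGISTRY = {
    "loan-origination": {"app-lo-01", "app-lo-02"},
    "cust-portal": {"web-04"},
    "stmt-batch": {"batch-01"},
    "risk-engine": {"risk-07"},
    "crm-sync": {"crm-01"},
}

# Constructed gateway access log for the service (not from any real system).
# Each line records the credential presented and the source host of the call.
SAMPLE_LOG = """\
2009-03-02T09:00:01 cred=loan-origination src=app-lo-01 op=getCustomer status=200
2009-03-02T09:00:02 cred=cust-portal src=web-04 op=getCustomer status=200
2009-03-02T09:00:03 cred=risk-engine src=risk-07 op=getCustomer status=200
2009-03-02T09:00:04 cred=risk-engine src=mktg-12 op=getCustomer status=200
2009-03-02T09:00:05 cred=risk-engine src=etl-03 op=getCustomer status=200
2009-03-02T09:00:06 cred=risk-engine src=qa-sandbox-2 op=getCustomer status=200
2009-03-02T09:00:07 cred=stmt-batch src=batch-01 op=getCustomer status=200
2009-03-02T09:00:08 cred=report-tool src=bi-02 op=getCustomer status=200
2009-03-02T09:00:09 cred=crm-sync src=crm-01 op=getCustomer status=200
malformed line that a parser must tolerate
"""

LINE_RE = re.compile(r"\bcred=(?P<cred>\S+)\s+src=(?P<src>\S+)")


def observed_callers(log_text):
    """Parse the log into credential -> set of source hosts that presented it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:  # skip lines that do not carry a credential/source pair
            seen[m.group("cred")].add(m.group("src"))
    return seen


def reconcile(log_text, registry):
    """Compare observed callers with the registry.

    Returns a dict with:
      registered_apps    - number of (credential, host) pairs the registry knows
      observed_apps      - number of distinct (credential, host) pairs seen calling
      unregistered_creds - credentials the registry has never heard of
      shared_creds       - approved credentials presented from hosts the registry
                           does not associate with them (credential-sharing signal)
    """
    seen = observed_callers(log_text)
    unregistered = sorted(c for c in seen if c not in registry)
    shared = {}
    for cred, hosts in seen.items():
        if cred in registry:
            extra = sorted(hosts - registry[cred])
            if extra:
                shared[cred] = extra
    return {
        "registered_apps": sum(len(h) for h in registry.values()),
        "observed_apps": sum(len(h) for h in seen.values()),
        "unregistered_creds": unregistered,
        "shared_creds": shared,
    }


if __name__ == "__main__":
    report = reconcile(SAMPLE_LOG, REGISTRY)
    print(f"registry knows {report['registered_apps']} consumers, "
          f"log shows {report['observed_apps']}")
    for cred in report["unregistered_creds"]:
        print(f"unregistered credential: {cred}")
    for cred, hosts in report["shared_creds"].items():
        print(f"credential {cred} also presented from: {', '.join(hosts)}")
```

Counting distinct (credential, host) pairs is only an approximation of "distinct applications", but it makes the governance point: the service's own authentication sees one authorized identity for every copy of a shared credential, so the registry and the auth layer together cannot answer "who is really calling"; only observation of the actual traffic can.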
In this particular case, one of the five approved applications had packaged its use of the service, together with the security credentials, into a JAR file, and that JAR file was (accidentally) shared with other application teams. Those teams didn't realize they were calling a deployed service; they thought they were simply using a JAR file they had been authorized to use. The result was that 29 additional applications ended up using the service. Because every one of those copies presented the approved application's credentials, the service itself saw only one authorized caller; only observing the actual traffic revealed the other 29. Given how common this kind of "accidental" sharing is in organizations, one can see the value of the automated insight that Actional SOA management provides into who is using your services and what the downstream impact is.

SOA Example: The Problem of Rogue Web Services

The issue we have been discussing comes back to something called rogue Web services. These fall into several categories, but in almost all cases they are not deployed with malicious intent; the risk they present is nonetheless a serious concern. Rogue services can be divided into two categories. The first is rogue service deployment, where services get into production without approval. The second is rogue service usage, where services that went through the right procedures to get deployed are then used in unintended ways, without proper approval.

SOA Example: Rogue Services and Your Packaged App

There are a number of ways rogue Web services can get deployed. One is as part of a packaged third-party application. Take SAP, for example: SAP ships with thousands of services out of the box.
So if you deploy a packaged application like SAP, you are potentially deploying thousands of services, and it is unlikely that you have audited all of them against the governance measures you have put in place. Any one of them could end up being a rogue service in your environment.

SOA Example: Rogue Services and Outsourcing Development

Another example is outsourced software development. It is entirely possible for an outsourcer to build in logic and services that your organization is not aware of and that never went through its compliance procedures. When you roll out the application logic the outsourcer built, you are also rolling out rogue services that no one knows about. The other category, rogue service usage, covers services that were deployed in compliance with your measures but are then used by other consumers in ways that were never intended.

SOA Example: Credit Card Payment Processor

A second SOA example, covered widely in the news media, concerns a credit card payment processor based in Tucson, Ariz. The business processed large numbers of credit card payments and worked with all of the major credit card companies (Visa, MasterCard, Discover), each of which imposes its own strict rules and guidelines. As it happened, the company deployed a rogue service that violated its own in-place policy: the non-compliant service saved some of the credit card transaction data into a database because someone wanted to do trend analysis, which was very much against company policy. Unfortunately, this rogue service ended up getting hacked, and 40 million credit card numbers were stolen.
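Whether or not a service was ever approved, the data it leaves behind can be checked directly: a periodic scan of the databases a service writes to for stored primary account numbers is the control that catches this kind of rogue storage. The following added example (not code from this page, from CardSystems or from Actional) scans constructed rows standing in for a hypothetical "trend analysis" table. It looks for 13 to 19 digit runs, applies the Luhn check to discard ordinary reference numbers, and reports each hit masked so the report itself does not leak card data. The table, its column names and the card numbers (Luhn-valid test numbers, not real cards) are all constructed for the example.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn checksum, which every real PAN satisfies; weeds out most other IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return the Luhn-valid PANs (digits only) found in a string."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(pan):
    """Keep first six and last four digits so a finding can be triaged safely."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed rows standing in for a "trend analysis" table a rogue service
# might have written. Card numbers are Luhn-valid test numbers, not real cards.
SAMPLE_ROWS = [
    {"txn_id": "T-1001", "merchant_ref": "1234567890123456",
     "card": "4111 1111 1111 1111", "amount": "42.10", "notes": ""},
    {"txn_id": "T-1002", "merchant_ref": "2345678901234567",
     "card": "411111******1111", "amount": "17.95",
     "notes": "masked as policy requires"},
    {"txn_id": "T-1003", "merchant_ref": "3456789012345678",
     "card": "5500-0000-0000-0004", "amount": "103.00", "notes": ""},
    {"txn_id": "T-1004", "merchant_ref": "4567890123456789",
     "card": "tok_9f3c2a", "amount": "8.40",
     "notes": "customer called about 6011000000000004 being declined"},
]


def scan_rows(rows, id_column="txn_id"):
    """Scan every column of every row; return (row id, column, masked PAN)."""
    findings = []
    for row in rows:
        for column, value in row.items():
            for pan in find_pans(str(value)):
                findings.append((row[id_column], column, mask(pan)))
    return findings


if __name__ == "__main__":
    for row_id, column, masked in scan_rows(SAMPLE_ROWS):
        print(f"{row_id}: PAN stored in column '{column}': {masked}")
```

The masked field in T-1002 and the token in T-1004 pass, while the full number buried in a free-text notes column is caught, which is where such data usually hides. The Luhn check removes most reference numbers but not all of them, so findings still need a human look before the table is purged; and a PAN immediately followed by another digit run in the same string can be swallowed into a longer candidate, so scan column by column rather than over a whole concatenated row.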
The net result of this security breach and the complications that followed was that the company, CardSystems Solutions, was ultimately liquidated. While the CardSystems Solutions story may be an extreme example, it demonstrates the terrible risks companies take when they allow rogue services into a production environment because they lack adequate SOA management.

For More Information

Understanding SOA examples is just the beginning of your learning experience. Find out how a total SOA governance solution can secure your services network. Download the free white paper, SOA Primer: Comprehensive Runtime Governance from Actional.
Learn from our free library of SOA Examples. Register to watch the On-Demand Webinar, "SOA Governance: Where the Rubber Meets the Runtime".