Tricky Business: Building Fault-Tolerant Web Services

Web services and underlying service oriented architectures (SOAs) offer organizations a heretofore unattainable capacity to capture information from disparate information resources by directly representing and linking these assets, making them available selectively across their information systems environments.

Given their scale, scope and complexity, these technologies require significant investment and well-coordinated, cross-departmental collaboration, training and education efforts before organizations can reap the potential rewards.

The good news is that a growing host of vendors and service providers offer performance, fault and security monitoring and management software tools for SOA and Web services, based on industry standards.

Who Ya Gonna Call?

BEA, HP, IBM, Microsoft, Sun Microsystems and other IT industry stalwarts are among those who are playing key roles in helping design industry-wide Web services and SOA standards.

A growing range of smaller “boutique” vendors and consultants specializing in designing and building SOAs and Web services, such as Progress Software’s Actional and SOA Software, are doing likewise.

“IBM Business Service Management (BSM) software helps business and operations staff understand the complex relationships between business services and supporting technology. It gives organizations advanced, real-time visibility of services and processes in a comprehensive service dependency model. It incorporates data from a broad array of IT resources and business support systems that contribute to defining a service,” explained Pierre Coyne, manager of enterprise and business service management solutions for IBM’s Tivoli Software unit.

“Examples include application, system, network, security and storage assets, and business-related assets that track transactions, revenue or operational indicators. This information is populated into a real-time, federated service model for automated service impact analysis, root-cause analysis and tracking of SLAs (service level agreements) and KPIs (key performance indicators),” he said.

Industrywide Collaboration

Industry associations such as OASIS (The Organization for the Advancement of Structured Information Standards) are the nexus for collaborative, inter-industry Web services and SOA standards development efforts.

“There are several industry groups focused on SOA and standards-based integration, including the SOA Consortium and Eclipse. Of note, IBM leads over 50 SOA-based industry committees and has made over 150 content contributions,” Coyne stated.

Building and using Web services and SOA entails accessing, repackaging and binding together information from disparate sources both within and outside the enterprise.

The development of the Service Component Architecture (SCA) standard is an effort by a number of major software vendors to simplify building SOAs. The companies involved have established the Open Service Oriented Architecture organization to host the SCA specifications.

What’s Involved?

Building Web services and SOAs requires nothing less than a complete and thorough review and re-engineering of IT systems environments, from storage media and databases to servers and networks to end-user applications.

Of equal if not greater importance “to effectively manage service health requires a contextual understanding of the relationship of service infrastructure components to business services, as well as the impact of problems on overall service availability, performance and integrity (security and storage aspects),” IBM-Tivoli’s Coyne commented.

One broad, positive and potentially profound aspect of such an undertaking is that it offers an opportunity for management and staff to dig deep into their organizational structures and knowledge base to better understand the nature of their business, its organization and its processes.

“SLA tracking is critical to managing and prioritizing response to problems based on the actual business impact. Business and operational staff also require visibility into the key performance indicators against which they measure ongoing business performance and long term success,” Coyne emphasized.

Working on the Building

Doing so requires that organizations first have a thorough and rigorous set of tools, methods and organizational structures in place.

“The most important benefit of SOA is the potential to align IT with the business and sustain that alignment over time. That will only happen if effective governance is in place,” Dan Foody, vice president of Actional Products for Progress Software, told the E-Commerce Times.

“Whether organizations are just starting SOA projects or have a fully deployed SOA, it’s imperative that they have the ability to see and manage all services in the enterprise,” he said.

Some organizations are starting small, focusing on one particular functional unit, such as CRM, and building out from there. Others, lacking the necessary IT resources in-house, have started down the SOA track by outsourcing Web services to third-party providers running SOAs, such as Sterling Commerce.

In either case, employees and management need to carry out thorough interdepartmental training, design and development efforts to make effective use of SOAs and Web services platforms.

IT staff and management need to be able to monitor, track, measure and evaluate the system’s performance both in terms of security and technological and operational performance.

Optimizing Business Processes

In an online survey conducted by ebizQ for Progress Software, 64 percent of 313 respondents across 21 economic sectors cited increased business agility as the most important reason to build an SOA. IT reuse and business process optimization were other frequently mentioned drivers.

In order to realize these goals, organizations need to be able to monitor, measure and evaluate the performance, costs and benefits of Web services and SOAs in meaningful ways from both IT and operational perspectives.

“IT organizations already generate a cornucopia of metrics, but, fundamentally, it doesn’t matter what metrics you measure if you can’t relate them back to the business,” Foody elaborated.

“From an IT perspective, a simple measure is the number of reuses of services, not the number of services themselves. Every time you reuse a service, that’s one service that you don’t need to build and maintain — a clear and measurable cost savings. … But the more powerful value comes when you can clearly tie the business and IT contexts together. This can result in dramatic improvements — though these benefits are often organization- or industry-specific.”

“In one travel customer, they found that partners that generated 70 percent of the load on their reservation system were responsible for only 10 percent of their revenue. By being able to continuously re-balance the load on their IT systems by partner revenue contribution — ensuring the partners that generated 90 percent of the revenue could use up to 90 percent of the capacity — they were able to move to an architecture that saves them US$10 million per year in operating costs.”

The Governance Issue

Responses from IT representatives to the ebizQ-Progress survey, however, showed that governance is being shortchanged in the rush to build SOAs and Web services,.

While 65 percent of the organizations are actively pursuing SOA in the form of planning, pilots or production deployments, 94 percent have no formal methods for governing SOA or are relying on manual processes to enforce SOA governance.

Less than 6 percent have automated runtime monitoring of policies, and fewer than 5 percent automatically check services for policy enforcement before services are checked into a repository.

“SOA is more of a business initiative than an IT initiative. Organizations must do a better job of setting and enforcing governance policies in order for their SOA to properly support key business objectives,” Beth Gold-Bernstein, director of the ebizQ Training Center, told the E-Commerce Times.

“Automated solutions for both design-time and runtime governance are necessary to effectively manage SOA implementations,” she said. “Insufficient governance capabilities will negatively impact business agility and service reuse — the top drivers behind SOA adoption.”

“Progress Actional provides business insight into SOA operations for decision support as well as integrated runtime control to optimize business outcomes. This ensures alignment between business and IT by enabling organizations to directly measure, prioritize and optimize SOA service delivery based on business goals,” Foody said.

The Security Issue

Provisioning software services across distributed systems architectures means that a much greater surface area is open to potential attacks and malicious incursions.

Currently, OASIS technical committees are working on several Web services standards related to security, according to Hal Lockhart of BEA Systems and cochair of the OASIS Technical Advisory Board, XACML and Security Services (SAML) Technical Committees.

“WS-SecureConversation and WS-Trust are currently up for vote as OASIS Standards. WS-SecurityPolicy has completed public review and will be submitted for OASIS voting in April or May. A number of new SAML profiles will also be submitted for OASIS voting this spring. Many of them have already been publicly reviewed,” he told the E-Commerce Times.

Work continues on Version 3.0 of XACML, or the OASIS eXtensible Access Control Markup Language, which extends the model to include policies controlling the administration and delegation of policies. “This will increase the ability of XACML to be used in highly dynamic ways,” he added.