Understanding Policy Lifecycle Management in Distributed SOA Network Environments
(Draft)
In the narrow sense of the term, policy focuses on describing and configuring certain non-functional features of specific SOA elements, typically associated with rules around security and identity management. In SOA environments, however, policy management is meant to take on a broader meaning and can include additional functionality in the form of constraint and compliance policies. Constraint policies represent constraints (typically non-functional) or agreements that need to be fulfilled, such as a Service Level Agreement (SLA). Compliance policies are simple tags that mark either existing or desired compliance with a specification or standard, for example the WS-I policy or WSDL specifications.
Policy Management is an underlying capability of SOA that provides flexibility and configurability, and the business service interface layer is a convenient and architecturally sound place to apply policies for technical operation.
The real value added by SOA lies in the ability to move beyond the basic management and securing of services to higher levels of business-level management and the associated policies. Security is important and is a baseline required for all SOA infrastructure deployments. However, the real value delivered to the business lies in the higher levels of the stack, where policy management and the capabilities of SOA can really be exploited.
Policy Lifecycle Management Process
Policy Management must be considered in terms of a process. Generally a process is made up of the following steps, which are common to all processes: Plan -> Do -> Check -> Correct. In terms of a Policy Lifecycle Management Process, the steps are: Policy Administration, Policy Deployment, Policy Monitoring, and Policy Enforcement. Since it is a closed-loop process, the results of enforcement need to be fed back to policy creation, where the policies' effectiveness can be measured and the policies modified.

Policy Administration Point (PAP)
The Policy Administration Point is any functional component that supports centralized definition and authoring of policies and the remote distribution of these policies to one or more policy enforcement points. It typically includes vendor-provided authoring tools for creating and administering various classes of policies: business-based, content-based, message-based, and session-handling policies. The PAP distributes policies to the policy enforcement points for execution and enforcement. PAPs are evolving to include reporting tools that identify exceptions and the ability to modify policies. Policies also need to be captured in a repository and recorded so they may later be audited. Integration with an overall Governance solution is an important capability.
Policy Monitoring Point (PMP)
A Policy Monitoring Point usually captures real-time collection and statistical analysis for display. This management console provides visibility into the management of a distributed network of policy enforcement points and the status of their enforcements. In addition, these consoles log and aggregate measurements and highlight significant events. The data fed in by the various policy enforcement points is correlated, analyzed and visualized. The PMP and PAP can be integrated into a visually oriented management tool such as a Business Automation Monitoring (BAM) tool to monitor business processes as well as policies.
Policy Enforcement Points (PEP)
Policy Enforcement Points can be implemented in software or as a standalone network device. A PEP is any high-performance functional component, in hardware or software, that intercepts, inspects, filters and performs content-aware, policy-driven processing on application messages and their payloads. The PEP may execute diverse policies as well as the lower-level message functionality outlined above, such as addressing, transformation, routing, caching, compression, and other content handling functions. The specific packaging of this functionality varies among vendor implementations and can be delivered in software and/or hardware (firmware). PEP functionality can also be implemented in conjunction with other network device functionality: co-processors, proxies, gateways, blade servers, routers, grids, and other configurations.
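To make the PAP, PEP and PMP roles and the closed loop between them concrete, here is an added example in Python. It is not code from the paper and does not model any vendor's product; the policy classes, the OrderService name, the sample messages, the two constraint rules (a latency ceiling and an authentication requirement) and the PMP's "significant event" threshold are all constructed assumptions for illustration. The PAP authors policies into an auditable repository and distributes them, the PEP intercepts messages and reports every evaluation to the PMP, and the PMP's aggregated report is fed back to the PAP, which flags policies whose violation rate suggests they need revision.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed policy model: a constraint policy carries a rule each message must
# satisfy; a compliance policy is only a tag recorded against the service.
@dataclass(frozen=True)
class Policy:
    name: str
    service: str
    kind: str                      # "constraint" or "compliance"
    rule: dict = field(default_factory=dict)

class PolicyAdministrationPoint:
    """Authors policies, keeps an auditable repository, distributes them to PEPs."""
    def __init__(self):
        self.repository = {}       # (policy name, service) -> Policy
        self.audit_log = []        # every authoring / distribution / review action

    def author(self, policy):
        self.repository[(policy.name, policy.service)] = policy
        self.audit_log.append(("author", policy.name, policy.service))

    def distribute(self, enforcement_points):
        for pep in enforcement_points:
            pep.load(list(self.repository.values()))
        self.audit_log.append(("distribute", len(self.repository), len(enforcement_points)))

    def review(self, report, max_violation_rate=0.25):
        """Close the loop: flag policies whose violation rate (assumed threshold) calls for revision."""
        flagged = []
        for key, stats in report.items():
            rate = stats["violations"] / stats["evaluations"] if stats["evaluations"] else 0.0
            if rate > max_violation_rate:
                flagged.append(key)
        self.audit_log.append(("review", tuple(flagged)))
        return flagged

class PolicyEnforcementPoint:
    """Intercepts messages and applies the constraint policies for the target service."""
    def __init__(self, pep_id, monitor):
        self.pep_id = pep_id
        self.monitor = monitor
        self.policies = []

    def load(self, policies):
        self.policies = policies

    def intercept(self, message):
        decision = "allow"
        for policy in self.policies:
            if policy.service != message["service"] or policy.kind != "constraint":
                continue
            ok = self._satisfies(policy.rule, message)
            self.monitor.record(self.pep_id, policy, ok)   # every evaluation is reported
            if not ok:
                decision = "reject"
        return decision

    @staticmethod
    def _satisfies(rule, message):
        if "max_latency_ms" in rule and message["latency_ms"] > rule["max_latency_ms"]:
            return False
        if rule.get("require_auth") and not message.get("authenticated", False):
            return False
        return True

class PolicyMonitoringPoint:
    """Aggregates enforcement results from all PEPs and records significant events."""
    def __init__(self):
        self.stats = defaultdict(lambda: {"evaluations": 0, "violations": 0})
        self.events = []

    def record(self, pep_id, policy, ok):
        key = (policy.name, policy.service)
        self.stats[key]["evaluations"] += 1
        if not ok:
            self.stats[key]["violations"] += 1
            self.events.append((pep_id, policy.name, policy.service, "violation"))

    def report(self):
        return dict(self.stats)

def run_lifecycle():
    """One pass: administer -> deploy -> enforce -> monitor -> feed back to administration."""
    pmp = PolicyMonitoringPoint()
    pap = PolicyAdministrationPoint()
    pep = PolicyEnforcementPoint("pep-1", pmp)
    pap.author(Policy("latency-sla", "OrderService", "constraint", {"max_latency_ms": 200}))
    pap.author(Policy("auth-required", "OrderService", "constraint", {"require_auth": True}))
    pap.author(Policy("ws-i-basic-profile", "OrderService", "compliance"))
    pap.distribute([pep])
    messages = [   # constructed sample traffic seen by the PEP
        {"service": "OrderService", "latency_ms": 120, "authenticated": True},
        {"service": "OrderService", "latency_ms": 350, "authenticated": True},
        {"service": "OrderService", "latency_ms": 90, "authenticated": False},
        {"service": "OrderService", "latency_ms": 500, "authenticated": True},
    ]
    decisions = [pep.intercept(m) for m in messages]
    flagged = pap.review(pmp.report())
    return decisions, pmp.report(), flagged
```

Running `run_lifecycle()` rejects three of the four constructed messages, and the PMP report shows the latency policy violated in half of its evaluations, so the PAP's review flags it for revision while the authentication policy, violated once, stays below the assumed threshold. The compliance tag is distributed and stored but never evaluated per message, which is the distinction the text draws between constraint and compliance policies.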
In the narrow sense of the term, Policy Management is associated with the management of security, identity management, access control and application performance management. In the world of SOA, however, policy management has been broadened to encompass the management of other processes (on a service-by-service basis), based upon the Plan, Do, Check, and Correct process. In the highly regulated post-Enron world, and with the need for vendors to provide a return on investment, Policy Lifecycle Management now encompasses Governance, Compliance, and Risk (GRC). In addition, many Policy Administration and Authoring tools allow for the authoring and management of user-defined policies.
Governance, Compliance, Risk, SLAs, and User-Defined Policies
Software Development Compliance is a small subset of an organization's overall "Business Compliance" efforts. However, Policy Lifecycle Management is seen as a way to help organizations support "Software Development Compliance".

SOA Governance, Risk, and Compliance (GRC)
Policy in a SOA is a broad process that can be applied to a variety of different processes; more recently the focus has been on SOA Governance of the software development process.
Governance is usually expressed in terms of management of one’s own environment. This management may be in response to internal and/or external forces.
Compliance requires governance, but governance alone is not sufficient to demonstrate compliance unless specific goals and measurements related to the regulations have been put in place and fulfilled. This means that a business-driven process must not only have measurement, policy and control mechanisms in place, but it must also be auditable. To be auditable many implementations include repositories to store and manage services.
Risk is a measurement of the gap between the actual state and a desired state; in terms of the Policy Lifecycle Management Process it could be measured by the delta between Policy Definitions and the results of Policy Enforcement.
With compliant development environments, executives can manage the risk associated with development, and project teams can have more control and predictability across their projects. This implies an ongoing program to respond quickly to changing regulatory environments and so, hopefully, reduce risk. Governance and Compliance are instances of Policy Lifecycle Management, but there are other applications of Policy Lifecycle Management.
Service Level Agreements (SLAs) and Contracts
Service Level Agreements (SLAs) and Contracts could, in theory, also be managed through the same Policy Lifecycle Management process. SLAs address situations where access thresholds or latencies need to be managed on a service-by-service basis. SLA management is being used with increasing frequency in general outsourcing, e-business, and distributed B2B applications. Metrics like processing time, messages per hour, rejected transaction counts, etc. are then compared through Policy Enforcement to the desired level. The result drives some sort of corrective action, which may be simply reporting and auditing of results and violations, or changing the SLAs or contract agreements.
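The SLA comparison just described, and the earlier definition of risk as the delta between policy definition and enforcement results, can be carried through in code. The following Python example is added here and is not from the paper: the SLA terms, the OrderService name, the measurement window and the tolerance values are constructed, and the "risk" figure (the mean breach fraction across all terms) is an assumed, illustrative reading of the paper's delta, not a standard metric. Each metric is compared to its target through an enforcement step, and the result maps onto a corrective action: nothing, a report, or an escalation when the breach exceeds the term's tolerance.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SlaTerm:
    metric: str
    target: float
    direction: str    # "max": observed must not exceed target; "min": observed must reach target
    tolerance: float  # breach (as a fraction of target) up to which the action is only a report

def evaluate_term(term, observed):
    """Return (met, breach) where breach is the shortfall as a fraction of the target (0.0 if met)."""
    if term.direction == "max":
        breach = max(0.0, (observed - term.target) / term.target)
    elif term.direction == "min":
        breach = max(0.0, (term.target - observed) / term.target)
    else:
        raise ValueError(f"unknown direction {term.direction!r}")
    return breach == 0.0, breach

def corrective_action(term, breach):
    """Map an enforcement result onto the corrective step the text describes."""
    if breach == 0.0:
        return "none"
    return "report" if breach <= term.tolerance else "escalate"

def assess_sla(terms, observed):
    """Enforce every SLA term against one measurement window and derive a risk score.

    Risk here is the mean breach fraction, i.e. the delta between what the SLA
    defines and what enforcement observed (an assumed, illustrative definition).
    """
    results = {}
    for term in terms:
        met, breach = evaluate_term(term, observed[term.metric])
        results[term.metric] = {
            "observed": observed[term.metric],
            "target": term.target,
            "met": met,
            "breach": round(breach, 3),
            "action": corrective_action(term, breach),
        }
    risk = round(sum(r["breach"] for r in results.values()) / len(results), 3) if results else 0.0
    return results, risk

# Constructed SLA for an imaginary OrderService and one constructed hour of measurements.
ORDER_SERVICE_SLA = [
    SlaTerm("processing_time_ms", 250, "max", tolerance=0.2),
    SlaTerm("messages_per_hour", 10_000, "min", tolerance=0.1),
    SlaTerm("rejected_transactions", 50, "max", tolerance=0.5),
]
OBSERVED_WINDOW = {
    "processing_time_ms": 275,
    "messages_per_hour": 12_000,
    "rejected_transactions": 120,
}

def run_sla_check():
    return assess_sla(ORDER_SERVICE_SLA, OBSERVED_WINDOW)

if __name__ == "__main__":
    results, risk = run_sla_check()
    for metric, r in results.items():
        print(metric, r)
    print("risk", risk)
```

In the constructed window the processing time is 10% over target, inside its tolerance, so it is only reported; throughput meets its minimum; the rejected-transaction count is 140% over target and is escalated. The resulting risk score of 0.5 is the average of those three deltas, which is the sort of figure a PMP could track over time to show whether the SLA policy is being met or needs renegotiating.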
User Defined and Managed Policies
If one were to extrapolate the idea of Policy Lifecycle Management a step further, then pretty much any policy relating to your business can be authored, deployed and managed, provided the solution is flexible enough to do so. When looking for an overall SOA solution, you will want to keep in mind a SOA Platform that has an end-to-end Policy Management solution; otherwise you will have to try to piece together the entire solution yourself. A SOA Governance solution that allows for the authoring of policies at the front end, deploying the policies across a distributed network, and closing the loop on the management and monitoring of these policies should ideally be available in one fully integrated environment.
Policy Collaboration
Finally, taking this concept one step further, it is possible to expose these policies to third parties or even customers so that they can manage a subset of policies in the context of the overall process, in the form of Policy Collaboration. This would allow customers/partners some freedom in managing policies around the service(s) being delivered. In this case the enterprise would provide the overall process and policy guidelines, while the customer/partner could manage policies within these guidelines. An SOA solution that can give you this kind of flexibility will become more important in future networked deployments.
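The guideline-bounded delegation that Policy Collaboration implies can be shown as a small merge rule. The Python below is an added example, not code from the paper or from any product: the guideline structure (settings the enterprise locks, settings a partner may change within a range, and settings a partner may set freely), the setting names and the sample partner request are all constructed. The point it demonstrates is that partner-supplied changes are validated against the enterprise guideline before they become part of the effective policy, and that locked settings are reasserted so a partner request can never weaken them.

```python
from copy import deepcopy

# Constructed enterprise guideline for the settings a partner is allowed to touch.
GUIDELINE = {
    # enterprise-owned settings: a partner request may never change these
    "locked": {"require_auth": True, "audit_logging": True},
    # partner-adjustable numeric settings with (minimum, maximum) bounds
    "bounded": {"rate_limit_per_min": (100, 1000), "max_payload_kb": (1, 512)},
    # settings the partner may set to any value
    "free": {"notification_email"},
}

def apply_partner_overrides(base_policy, overrides, guideline=GUIDELINE):
    """Merge partner-requested settings into the enterprise policy.

    Returns (effective_policy, accepted, rejected); rejected maps each refused
    setting to the reason, which is what a collaboration console would show back.
    """
    effective = deepcopy(base_policy)
    accepted, rejected = {}, {}
    for key, value in overrides.items():
        if key in guideline["locked"]:
            rejected[key] = "locked by enterprise guideline"
        elif key in guideline["bounded"]:
            lo, hi = guideline["bounded"][key]
            # bool is a subclass of int in Python, so exclude it explicitly
            if isinstance(value, bool) or not isinstance(value, (int, float)):
                rejected[key] = "must be numeric"
            elif lo <= value <= hi:
                effective[key] = value
                accepted[key] = value
            else:
                rejected[key] = f"outside allowed range {lo}..{hi}"
        elif key in guideline["free"]:
            effective[key] = value
            accepted[key] = value
        else:
            rejected[key] = "not a delegable setting"
    # Locked values are reasserted last so neither the request nor drift in the
    # base policy can weaken the enterprise-owned settings.
    effective.update(guideline["locked"])
    return effective, accepted, rejected

def demo():
    """Constructed base policy for a delivered service and one partner change request."""
    base = {
        "require_auth": True,
        "audit_logging": True,
        "rate_limit_per_min": 300,
        "max_payload_kb": 64,
        "notification_email": "ops@example.invalid",
    }
    partner_request = {
        "rate_limit_per_min": 800,                       # within bounds: accepted
        "max_payload_kb": 2048,                          # above maximum: rejected
        "require_auth": False,                           # locked: rejected
        "notification_email": "partner@example.invalid", # free: accepted
        "routing_table": "custom",                       # unknown setting: rejected
    }
    return apply_partner_overrides(base, partner_request)

if __name__ == "__main__":
    effective, accepted, rejected = demo()
    print("effective:", effective)
    print("accepted:", accepted)
    print("rejected:", rejected)
```

The partner's rate-limit and notification changes take effect, the oversized payload limit and the attempt to switch off authentication are refused with a stated reason, and the unknown setting is ignored. Keeping the rejections alongside the accepted changes gives the enterprise the audit trail the GRC section calls for, since every partner request and its disposition can be recorded.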
This is from a paper I am working on; it is in draft form and I would appreciate any comments or feedback.
Gary E. Smith
SOA Network Architect - SOA in a Connected World