SOA Governance Questions


As I work on my SOA governance story, I came up with a list of questions for companies about SOA governance. Feel free to leave comments or to contact my directly with answers and ideas. As I dig into this, it's clear there's a book waiting to be written around this topic.

  1. How would you characterize the stage your company is at in deploying SOA-based systems? (some examples; pilot, beginning, advanced)
  2. Do you have a strong Enterprise IT Governance process now?
  3. If so, how is you SOA governance related to IT governance? Is it just a piece of it with no significant differences or have you changed your IT governance processes in significant ways to accommodate SOA?
  4. Do you have an SOA center of excellence? What role does it play? Who does it report to?
  5. Is SOA governance mostly a technology play (i.e. just buy the right tools and it will work out) or more about people and policies?
  6. What governance lessons have you learned in your early SOA deployments?
  7. What are the critical requirements for governing SOA? What do you have to get right? Where are the places you can make significant errors?
  8. How do you set, store, disseminate, enforce, and maintain SOA policies?
  9. One of the dangers in SOA policy is to only concentrate on those that can be represented electronically and enforced by tools, or to go the other direction and not use any automated support for policy enforcement. How do you deal with that?
  10. How does technology aid in SOA governance?
  11. Have you deployed a registry?
  12. Did you use your registry to govern the deployment process (i.e. use a registry for holding metadata about services in development and another to hold metadata about production-quality services with a governance process for promoting services from the first to the second)?
  13. What is the role of service intermediaries in SOA governance? Do you use them or enforcement of policy?
  14. Suppose your organization needed to make a decision about what kind of security tokens (SAML, Kerberos, etc.) to use in the WS-Security container in SOAP messages within the organization. What's the governance process your organization would use to make, communicate, and enforce that decision?
  15. What advice about governance would you give a CIO or IT Architect just starting an SOA project?
  16. Is it OK to ignore governance in the pilot stage?
  17. Do you need technology like registries and service management intermediaries early on, or can those wait until you have critical mass?
  18. What are the steps that someone should take in establishing an SOA governance process in their organization?

To some people, this topic is a big yawner, but not to anyone who's tried to make a big deployment work. Admittedly, talking about all the cool things you can do with SOA is more fun, but it's just talk without governance.