Loraine Lawson spoke with Gartner analyst Frank Kenney, who co-authored Gartner's Magic Quadrant for Integrated SOA Governance Technology Sets, released in December 2007.
Lawson: It's integrated SOA governance technology - are there non-integrated SOA governance technologies?
Kenney: Absolutely. If you decide to buy a governance solution from a company like AmberPoint, and you buy a registry solution that is open source from a company like MuleSource, and if you buy, let's say, validation technologies from a company like PowerSoft, well those technologies aren't integrated. You have to integrate them yourself.
But if you buy SOA governance technology from IBM, those technologies will be pre-integrated. And that could be integrated from IBM's side, where they have their developers integrating tools, or it could be integrated from the standpoint of OEM relationships.
So, it's important to understand that we still see a very best-of-breed world, where people are taking various vendors' technologies and putting them together, but the fact that they don't have to be ripped apart and adapters built, etc., that there is some interoperability or there is some integration that has been done by the vendors - that's what gives you the connotation of an integrated SOA governance technology set. And we call it a set because it really isn't a suite of products, and it really isn't a platform, it is a set of products.
Lawson: So there's a separate magic quadrant for stand-alone governance?
Kenney: An organization can create a governance strategy, and then you have tools that are used to enact that strategy. And there are certain sets of tools. There are registry tools, there are registry repository tools, there are policy enforcement tools, there are validation tools, and so on. We don't have the individual pieces, because what we're finding is any of the platform vendors are just offering one tool that has multiple features, so you really don't get a clear apples-to-apples comparison.
For example, AmberPoint is a tool that enforces policy. They are generally known for enforcing policy around performance, and enforcing policy around availability, and enforcing policy around service level agreements. However, AmberPoint also has the capability to enforce policy around security - they're not looked at as a security vendor, but if you buy them in a management perspective, you can deploy their security solutions and get where you need to get to. So would they show up in two magic quadrants or one, and what's their core discipline?
We decided not to walk down that road, and you know, I have some other colleagues in both the analyst community and in the media that did walk down that road, and as a result, you ended up having non-apples-to-apples type of comparisons. And it's much more interesting, I think, and much more important to talk about the bigger picture and the fact that you use these tools to try to gain some type of control over the enforcement and deployment of your SOA governance strategy. It's a much more interesting story, and, I think, a necessary story to talk about from that level.
Lawson: Let's say governance tools are classified by feature, like cars. What would be an economy-level tool, what would be a standard tool, and what is a luxury-class when it comes to functionality? In other words, what should people expect, and what can they expect?
Kenney: Remember that the number-one registry repository tool today is probably spreadsheet technology - I dare say Microsoft Excel, all right? It's everywhere; it's ubiquitous in terms of companies and organizations. Many development teams are passing around Excel documents and just logging, OK, this service does this, and it's located here.
Remember visibility is one of the key attributes of governance. Being able to see the resources, or having the resources visible, is the first step in being able to change things. So, when you start to talk about entry-level, having visibility and being able to see what's going on, I think is absolutely critically important.
Then it obviously starts to scale up. There are management capabilities that are inherent in most platforms, and platforms meaning application servers, application platform suites, operating systems and enterprise service buses, or integration middleware. There's the management capability that comes functionally standard with every integration broker you buy. And in many cases, in the absence of a true governance tool, a true tool to enforce policy, those tools are going to be incredibly sufficient.
What we see happening is it's an issue of maturity. It's not how many services you have, it's how important, how critical those services are. We'd like to think that it's the criticality of services that will dictate a tool.
In other words, if you have one service that faces all of your customers, and you're relying on that service to have maximum uptime, well, that small set of services to have maximum uptime, and to be absolutely secure because you're taking credit card numbers, then you're going to want to probably bring in that Cadillac or Rolls Royce-class of governance technology, or at least security and management technology.
If you have a thousand services that are facing internally, that aren't mission critical, that are some test services, that are doing low-level computations and aren't being invoked but every couple of days, then having some type of a spreadsheet technology, or having some type of a management capability that says, "This didn't execute," or "We never received an answer to this request," that may be enough.
I like to think all the vendors have different levels of technology for different cost structures of people. For instance, Software AG and the CentraSite product, you can get that in an evaluation version that is fully functional - and you can use it, and you can give it to your developers, and developers can experiment with it, but then you can pay tens of thousands, if not hundreds of thousands, of dollars to take that same product and give it an enterprise deployment across your entire enterprise, across the world.
So, it really depends on what you're doing, and all the vendors have some type of solution to get you started. And that's one of the good things about the vendors in this space.
Lawson: And how can companies determine which solution is right for them? Is there a way of choosing among the vendors?
Kenney: Certainly, they can subscribe to Gartner Services, and we can help them through that.
But on the other side, there are a couple of things that you can be aware of. Start to think about the relationship that you have with your infrastructure vendor. If you've bought everything from IBM, then it probably makes sense that at least one of your early stops should be to look at IBM's governance technologies. Now, by all means, understand that IBM has a very sophisticated ecosystem of partners, which will include SOA software, it will include AmberPoint, and some other folks, so the technology that you get from an IBM environment - even from IBM - may not be IBM technology. So, understand that there is an ecosystem there.
Certainly the charts and things that we offer from Gartner are a very, very big help, as well as really starting to look at who your installed vendors are, taking a look at which technologies come embedded in the products that you already have. For instance, SAP will give you instances of their enterprise service registry repository for free, or at low cost, as part of the deployment of their next generation of business applications. Why? Because if you're going to deploy their business applications, you need to have visibility into what you are deploying, and so they leverage their Enterprise Service Repository for that capability.
In many cases we're finding customers already have some governance in place in the form of registry repositories for visibility that were deployed when the applications were deployed. So, you start to look at your portfolio, understand what you have, understand what your relationships are, and then also understand the criticality of what you're trying to govern, and that's going to help you make good decisions about what technology to buy.
Lawson: Are there any "gotcha" issues when people go to buy a SOA governance solution - things they don't anticipate, or, I don't know, just sort of things they might overlook that could get them in trouble?
Kenney: Absolutely. The big thing I would say is, one, they're not cheap. So this whole SOA phenomenon is about agility, and flexibility, and in some cases, cost-cutting, and becoming more agile, and becoming more lean and reusing to get those benefits. To get that access to innovation and access to agility, you're going to have to spend money to do so. So, the first thing, I think, is sticker shock. That's the first thing that many of our clients see that they go, "Wow, we didn't realize that." Sometimes the technology to govern the solution is more expensive than the solution itself.
Secondly, there is a learning curve. There is a learning curve because the solutions - the idea of governance is not a design time, or a run-time aspect, it's a kind of all-the-time aspect. So, some of the folks in an organization that may be more design-centric work with developers, and that's really all they do, and they're not concentrating (or they're not bothered with) the execution time, or the execution environment will have to come up to speed with some attributes of the runtime, and vice versa. They have to understand some of the issues that happen during development and design time. And that's the tricky thing: Working with a vendor who only looks at their technology as being runtime or design time is probably going to get you in trouble because they're not telling the entire story. And if a vendor says to me, "We really deal with the design-time aspects," what they are basically saying to me is they don't understand truly what governance is.
Governance has to do with both times, a governance is all the time. Generally, when I talk to vendors that way, I mention that and they say, "Well, yes, but the customers understand one thing." And so, those are the big "gotcha's," those are the big things that when we talk to our customers, they seem very, very surprised to get back.