Many paths lead to SOA, yet they have but one destination: aligning IT with business. Along this path, business requirements, and the risks associated with them, are transferred to IT. It is challenging enough to manage applications within organizational "silos." As SOA initiatives dissolve these boundaries, it is easy to see how the risk of application failures and issues such as performance degradation can grow exponentially, with increasingly direct impact on the business. 24x7 production environments demand comprehensive system-wide tracking and operational visibility to minimize failures and downtime.
At the same time, the IT infrastructure becomes increasingly subject to the regulatory compliance guidelines that govern business processes, from HIPAA to Sarbanes-Oxley to PCI DSS. The traditional tradeoff between security and flexibility can introduce challenges that may thwart an organization's efforts to move to an open and distributed IT architecture.
Before they can realize the business value of SOA, organizations require management and security capabilities that are beyond the scope of traditional solutions.
To help organizations maintain awareness of services in the runtime environment, AmberPoint automatically discovers the deployed application components, as well as the dependencies among those components. It bootstraps governance processes by automatically publishing this information to registries or repositories, while periodically updating these stores to keep the data up to date. It provides an informative view of the service network and its dynamic relationships to help organizations manage the complex dependencies inherent to loosely-coupled business systems.
AmberPoint's runtime SOA blueprint enables architects and managers to ensure that only approved application components are deployed within their environments. It also helps them weed out "rogue" services and bring these unapproved components into the fold by submitting them to the appropriate governance processes. Runtime dependency information is particularly useful for service impact analysis.
AmberPoint brings predictability, visibility and control to SOA applications by delivering comprehensive service level management for services, transactions and business processes across heterogeneous environments.
Users can set different SLAs for discrete business segments and prioritize service use by any business criteria, such as focusing on the most valuable users (customers, partners, etc.) or providing the best Quality of Service (QoS) during peak hours. SLAs can be set and monitored for individual services as well as for composites such as processes and transactions.
Knowing who's using what is also a critical aspect of understanding and controlling SOA systems. That's why AmberPoint records and archives service performance as well as usage for historical analysis. AmberPoint supports detailed usage analysis over time to help identify trends and revenue opportunities.
AmberPoint prevents service problems by providing early warnings, facilitating impact analysis and initiating timely response. It has the unique capability of preventing traffic spikes and overloads from impacting the system by selectively throttling traffic before peak capacity is reached. This service throttling feature is particularly valuable in protecting new SOA investments, such as SOA-enabled mainframe systems, from unexpected demand. Throttling may also be used to prioritize delivery of services based on business criteria.
AmberPoint addresses the challenges of security within the service network in three key areas: endpoint enforcement, mediation, and consumer enablement. We refer to these areas as last-, middle- and first-mile security, respectively.
Last-mile Security
Last-mile security addresses security where the application and data are most vulnerable: at the service endpoint itself. In the absence of last-mile security, the enterprise has no defense against an end-run attack around security appliances or gateways. Last-mile security needs to be applied to incoming and outgoing messages, to ensure not only that malicious users are kept out, but also that sensitive data is kept confidential before it hits the network.
Middle-mile Security
Every SOA has its intermediaries, from service buses to security services or appliances. Given that internal attacks are at least as common as those originating outside the enterprise, it is critical to keep all those intermediaries on a "need-to-know" basis. This requires the ability to make some data confidential as it flows across the network, while exposing other data that is required for routing, transformation, and other necessary processing. It also means the ability to mediate among different credential types, supporting human credentials like usernames and passwords as well as machine credentials like SAML assertions, all in a single coordinated transaction.
First-mile Security
Once you have secured your services, how do you enable your consumers to meet those new security requirements? If you require them to encode security into their consumer applications, you have moved the onus from you to your valued customer. Remember, security should be an enabler of rapid integration and service consumption, not a disabler.
AmberPoint provides a mechanism that enables client applications to dynamically conform to the security requirements of secure services. AmberPoint-enabled service consumers can begin applying authentication tokens, performing encryption and decryption, and dynamically looking up service endpoints, with no coding required. Using AmberPoint, organizations can update security policies on services without fear of breaking dependent service consumers. This gives them the flexibility to fine-tune security over time to provide the maximum level of assurance with the minimum overhead for security processing.
AmberPoint security capabilities enable enterprises to easily integrate with existing security infrastructure, such as security appliances, user stores, identity management systems and public-key infrastructure.
AmberPoint uses a policy-based approach to management. The use of policies externalizes a range of behavior that is common across a system, ranging from logging to security to customer-facing performance and availability. Systems can be governed more effectively by transferring this kind of behavior into centrally managed policy, rather than having developers encode these common behaviors inconsistently across different applications.
Policies are more concise than code or configuration files. They are easier to understand and verify, and thus much simpler to manage over time. They can also be centrally managed and configured according to the separation of duties supported by an organization. Therefore, policies provide consistent enforcement, overcoming a major challenge in distributed, heterogeneous environments.
AmberPoint provides a unique mechanism for ensuring that services are continually provisioned with appropriate policies. Using AmberPoint, organizations are assured that newly deployed services will be provisioned with all the requisite policies (logging, auditing, QoS, etc.). Rather than applying policies individually, AmberPoint provisions policies based on a service's metadata, that is, the characteristics of each service. For example, AmberPoint can provision all HR applications with a similar set of policies, while Finance applications might be provisioned with another set. In this way, AmberPoint drastically reduces the risk of deploying ungoverned, or improperly governed, services.
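The metadata-driven provisioning described above, and the "rogue" service detection from the blueprint section, as an added illustration that is not AmberPoint's code: every discovered service receives a baseline policy set plus the set selected by its department metadata, and a service whose metadata matches no rule is reported as ungoverned instead of being silently deployed. The policy names, departments and service inventory are constructed for this example.

```python
"""Metadata-driven policy provisioning (added illustration, not AmberPoint code)."""
from dataclasses import dataclass, field

# Policies every service must carry (names constructed for this example).
BASELINE_POLICIES = frozenset({"logging", "auditing", "qos"})

# Department-specific policy sets, keyed on the service's 'department' metadata.
DEPARTMENT_POLICIES = {
    "HR": frozenset({"pii-encryption", "hr-access-control"}),
    "Finance": frozenset({"sox-audit-trail", "finance-access-control"}),
}


@dataclass
class Service:
    name: str
    metadata: dict
    policies: set = field(default_factory=set)


def provision(service):
    """Attach the policies implied by the service's metadata.

    Returns (policies_added, governed). governed is False when the metadata
    matches no department rule; such a service still gets the baseline set
    but must be flagged for governance review rather than trusted as-is.
    """
    required = set(BASELINE_POLICIES)
    dept = service.metadata.get("department")
    governed = dept in DEPARTMENT_POLICIES
    if governed:
        required |= DEPARTMENT_POLICIES[dept]
    added = required - service.policies
    service.policies |= required
    return added, governed


def provision_all(services):
    """Provision every discovered service and return a per-service report."""
    report = {}
    for svc in services:
        added, governed = provision(svc)
        report[svc.name] = {"added": sorted(added), "governed": governed}
    return report


# Constructed sample inventory, as a discovery pass might find it.
DISCOVERED = [
    Service("PayrollService", {"department": "HR"}),
    Service("LedgerService", {"department": "Finance"}, {"logging"}),
    Service("ScratchService", {}),  # deployed with no metadata: a "rogue" service
]
```

Running `provision_all(DISCOVERED)` leaves ScratchService with only the baseline set and `governed=False`, which is the signal to route it into the governance process.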
In an SOA system, application components become increasingly dynamic. Through loose coupling and reuse, they also become increasingly distributed, complex and interdependent, which raises issues around making changes to components. The composite application can't be taken out of service every time one of its components needs to be updated. Doing so might break other applications that consume components of the application being updated. What's more, consumers of the system need to be transparently migrated, with minimal impact, between capabilities and versions as the distributed system evolves over time.
Virtualization addresses these issues. Service virtualization enables the creation of service ‘facades’ that can provide new services by combining the capabilities of existing services, while also shielding consumers or dependent applications from changes in the underlying implementation. Built-in versioning support is also necessary to manage the migration of consumers and dependent applications as service 2.0 and service 3.0 are deployed in production.
AmberPoint has sophisticated capabilities for building task-specific "virtual" services out of existing, deployed services. These capabilities maximize reuse, while minimizing the ongoing challenges of maintaining multiple service versions simultaneously in the production environment.
AmberPoint's virtualization features enable reuse of existing enterprise capabilities by consolidating operations from different services into a new service, complete with its own service artifacts, such as a WSDL. This new service aggregates only those operations specified from the original set of services being reused. This enables the deployment of highly targeted services, customized to the needs of specific users. Likewise, selected operations of an existing service can be deprecated on the fly, enabling organizations to decommission specific capabilities while avoiding the development cycle that process usually entails.
AmberPoint also enables organizations to manage the complex process of service versioning, since it is often necessary to provide multiple versions of the same service to support legacy customers. AmberPoint's versioning capabilities enable organizations to run multiple instances of the same service simultaneously, while allowing transparent rolling upgrades to published services. AmberPoint can use message content and the features requested by the client to automatically route requests to the service version capable of processing them.
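The content-based version routing described above, as an added illustration that is not AmberPoint's code: several versions of one virtual service run side by side, each declaring the operations and optional features it supports, and a request is sent to the newest version that can process it (or to the version the client pinned, if that version can serve it). The service name, endpoints, operations and feature names are constructed for this example.

```python
"""Content-based version routing (added illustration, not AmberPoint code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ServiceVersion:
    version: int
    endpoint: str          # constructed URL for the example
    operations: frozenset  # operations this version can process
    features: frozenset    # optional features this version supports


# Constructed registry: v2 adds cancelOrder; v3 retires createOrder in favour of
# submitOrder and adds the partial-fulfilment feature.
VERSIONS = [
    ServiceVersion(1, "http://orders.example/v1",
                   frozenset({"getOrder", "createOrder"}), frozenset()),
    ServiceVersion(2, "http://orders.example/v2",
                   frozenset({"getOrder", "createOrder", "cancelOrder"}), frozenset()),
    ServiceVersion(3, "http://orders.example/v3",
                   frozenset({"getOrder", "submitOrder", "cancelOrder"}),
                   frozenset({"partial-fulfilment"})),
]


def route(message, versions=VERSIONS):
    """Return the newest ServiceVersion able to serve `message`, or None.

    message is a dict with "operation" (str), optional "features" (list of
    str the client requires) and optional "version" (an explicit pin).
    A pinned version is honoured only if it can actually serve the request,
    so a legacy client asking v1 for cancelOrder gets None, not a wrong route.
    """
    op = message["operation"]
    wanted = frozenset(message.get("features", []))
    pinned = message.get("version")
    for candidate in sorted(versions, key=lambda v: v.version, reverse=True):
        if pinned is not None and candidate.version != pinned:
            continue
        if op in candidate.operations and wanted <= candidate.features:
            return candidate
    return None
```

A legacy consumer calling `createOrder` keeps landing on v2 even after v3 is published, while a consumer that only uses `getOrder` is transparently rolled forward to v3.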
