With today's tools, quite a bit of monitoring can be performed on Web services, all the way from the transport layer, to the backend application layer. Some of the metrics that can be logged include: inbound requests to the stack such as client IP, SSL parameters, authentication at the Web server level; SOAP security headers (UsernameToken, SAMLToken, etc.); SOAP request payload parameters; SOAP response payload; service latency and response time; policy and security failures (authentication failure; authorization failure, malformed XML, non-valid XML schema).
There are two main blind spots that I see on a regular basis. First is the matter of making sure that your policy enforcement points are actually enforcing the right policies. In other words, ensuring effective compliance with your policies. Next is the issue of what to do with all the information, and how useful is that information. For example, signed audit logs can be used in some cases for non-repudiation, but that is not an automatic assumption. Some legal framework needs to be established in advance of that functionality. Another case is problem of reconciling Web services level faults with higher level business processes. For example, can the service monitoring information you collect help you correlate with an online product ordering process break-down, and can it help you streamline that process?
Dig Deeper on Topics Archive
Related Q&A from Toufic Boubez
In this expert response, Toufic Boubez discusses LAMP usability concerns and it's relationship with SOA. Continue Reading
In this expert response, Toufic Boubez discusses the advantages of using JDBC and ADO as opposed to Web services standards such as SOAP. Continue Reading
In this expert response, Toufic Boubez clarifies confusion about implementing governance. Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.