Everybody talks about SOA best practices, but the Burton Group suggests it's the enterprise architect's job to do something about them.
Burton analysts suggest that architects make best practices easier to follow than worst practices. "You want to make the right way the path of least resistance," said Anne Thomas Manes, senior researcher at Burton, in a teleconference on enterprise architecture last week titled "Build for Today, Architect for Tomorrow." In this way, best practices in SOA and Web services development go hand in hand with building in good governance.
"The secret to governance is it needs to be automatic," she said. "If you make governance onerous, then people resent it and they try to figure out ways to avoid it. But if you make governance the path of least resistance, then that, in fact, is the way people will do it. If the right way to do it is XYZ and the easiest way to do it is XYZ, then I'll do XYZ. If it's difficult to do ABC, people won't do it that way. They'll do it the easy way."
To make best practices and governance easy, enterprise architects need to make them automatic, but making them automatic isn't always easy. As Manes explained it, it's a balancing act between allowing developers the freedom to experiment, which fosters innovation, and keeping projects from going off the rails and creating chaos. The architect group also needs to keep in mind that the goal of the project team is almost always to get the software to market as soon as possible.
"You have to let developers be expedient because it is their job to produce solutions as quickly as possible," Manes said. "Their focus needs to be on delivery time to market, but at the same time their projects must deliver maintainable systems. Therefore you want to make sure they are complying with corporate guidelines, following the best practices."
Joe Niski, a Burton analyst who covers integrated development environments, suggested that agile development methodologies can both encourage best practices and speed development.
"One of the biggest contributions that the agile movement has made in the last 10 years is to really encourage organizations to focus on what works in their environment and to tune and adapt processes for the different categories of project," he said. "Agile methodologies recognize that not only do most people want to do a good job and want to communicate in a way that allows them to do a good job, but there's no one-size-fits-all approach to building software. Each set of business requirements is unique enough that in order to be effective people need to experiment, take a few risks and figure out what works in their environment."
The Burton Group recommends that one of the jobs of the enterprise architect is to provide developers on project teams with frameworks and infrastructure that actually simplify complex tasks, such as security.
"An organization should build a framework that they can then give to the development team to implement security," Manes said. "So they don't have to be responsible for doing it themselves. You don't leave security to the developer. You put it into a framework and the framework can then consume infrastructure services that support corporate best practices."
While making development agile and making best practices easy sound good, Manes was asked how exactly enterprise architects would do this.
"For example, in your SDLC process your goal is to have an automated mechanism by which people check things in and automatically do builds, and automatically do tests," she answered. "If you actually implement governance and compliance testing as part of those processes, then the development team doesn't have to do anything extra. They are simply following their standard process. Yet at the same time you're doing compliance testing. And you can feed information directly back to the developers saying 'You might have violated a couple policies here. Here's the recommended approach to resolve that.'"
And what would be an example of that?
"Let's say for example in your runtime system you actually have management technology watching and monitoring what's going on and can automatically identify anomalies," Manes said. "Say somebody went off and deployed a Web service without going through the proper procedures. You're going to have management technology that will identify that it's out there and is running in a rogue fashion without proper management and security. Because you've automatically discovered it, you can automatically secure it. And you have the ability to identify that somebody did something that they weren't supposed to do and then you can slap them on the wrist."
Thus easy is not altogether painless.