Most people don't know that IBM's SOA test bed has been IBM itself. To date, IBM has deployed more than 50 services that have sped our transformation to on demand business. As a result, clients often ask us to share our experience with them. In this article I provide details of two more IBM initiatives that represent a wide range of business challenges solved by SOA-enabled solutions. The first case studies are covered in Part one.
Case Study 3: IBM Intranet Password
As IBM internal Web applications proliferated -- many of them business critical -- they all created their own authentication processes and functionality. It became clear that IBM needed a global authentication facility for Web applications – one ID/password for each employee.
At the time, there was no industry standard for a Web identity solution. The rapid proliferation of IDs and passwords created huge problems for both employees and the enterprise. For employees, this meant more time spent keeping track of numerous IDs and passwords, as well as time spent managing expiration and different rules for what constituted a valid password.
With multiple groups developing their own authentication solutions, we were wasting time and money. Moreover, with no common authentication solution it was impossible to quickly respond to security threats, including blocking certain IDs or instituting corporate-wide authentication standards. This was becoming a security exposure risk since every application would implement renewal and security differently.
Challenges addressed by this initiative are summarized below:
- Redundancy across applications, each implementing ID/password and renewal, meant wasted development and maintenance costs
- No systematic approach to security – exposure
- Employees had to remember/maintain dozens of IDs/passwords, spending significant time reentering and resetting them – loss of productivity and low IT satisfaction
- Need non-disruptive migration of multiple applications to enterprise authentication service and a central place to manage all IBM's IDs/passwords
Figure 3 IIP architecture overview
IBM Intranet Password (IIP), depicted in Figure 3, is a self-service, single-ID authentication solution that addresses these challenges by providing simple password reset, password expiration and similar authentication-related functionality. All data is stored within the IBM Enterprise LDAP directory.
First-time visitors to the "password" site can create a new password. Returning visitors can reset or change an existing password. The service ensures users choose passwords that meet IBM's corporate security standards.
ID-password pairs are passed through a Simple Object Access Protocol (SOAP) interface, which forwards the information via an XML data stream in a secure encrypted packet. Incoming packets are decrypted and authenticated against the IBM enterprise LDAP directory.
IIP has become the standard for all internal IBM applications that require authentication services. The solution has enabled controls in password standards, changes to which can easily take effect across IBM. Today about 97% of all applications are on board with IIP, with others coming on all the time. The obvious savings to business units and convenience to employees made it a winner.
- Affordable incremental migration from legacy – demonstrated how to quickly move from the experimentation stage to enterprise-wide deployment
- Built into the IBM infrastructure fabric with 97% compliance today, with the remaining applications being on-boarded
- Single IBM employee ID/password improved employee productivity and IT satisfaction
- Greatly improved security model for IBM Intranet
- Development/maintenance costs reduction translated to savings to business units
Best practices/lessons learned
IIP was a showcase for a new service. It started as an early working prototype, followed with incremental roll-out as a non-disruptive migration path. Prototyping was a key element to the success of the initiative.
The creators quickly discovered that they needed a developer toolkit to encourage usage. The developer kit is required to accelerate roll-out.
Case Study 4: Export Validation - regulatory compliance
IBM must comply with US export regulations for product deliveries within the US and abroad. This requirement is met by multiple applications performing export checks on customer demographic data and product purchases and delivery.
Each month the U.S. Export Regulations Office publishes a new version of its Denied Parties List. When a new list is distributed we have to check existing customer data against the new list additions to ensure none of the additions match existing customers.
Multiple applications support US export regulations compliance. Existing brittle legacy architecture made modifications and extensions cumbersome. Each time an application needed export checks there was integration work required to incorporate the existing common export code. It was custom work each time and very specific to the application. The IBM Software Delivery and Fulfillment organization, responsible for implementing the US Export Regulations Procedures, wanted a solution that would be easy to integrate and was highly reusable without rework.
Figure 4 Export Validation Service architecture overview
The Export Validation Service (EVS) was first deployed in December of 2003. Implemented as a Web service, it is easily used by multiple business applications requiring export validation functionality.
The solution, depicted in Figure 5, includes externalized business rules that allow for real-time updates of U.S.-government–driven compliance lists. The EVS fits perfectly with what service-orientation is intended for – use by multiple applications on different platforms since no specific integration is required.
EVS performs export checks with provision for an override capability. Requests and responses are sent in XML format using SOAP over HTTPS. Once a consumer application has set up the interface to access the EVS, no additional changes are required.
Updates to the Denied Parties List or other export regulation checks are contained within the service. The consuming application sends customer demographic data via the defined interface implemented as XML documents. Export checks are run using this data and the results are returned via the defined interface. When there is an export failure the customer's data is added to an override administrator's queue for review via the Override Administration service.
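The monthly re-check of existing customers against list additions and the override queue described above can be sketched as follows. This is an added example, not IBM's code: the class, field names, sample records and the exact-match-on-normalized-name rule are assumptions, since the article does not describe the EVS matching logic.

```python
import unicodedata
from dataclasses import dataclass, field

def normalize(name):
    """Fold case, accents, punctuation and spacing so trivial variants compare equal."""
    ascii_only = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    kept = "".join(c if c.isalnum() else " " for c in ascii_only.lower())
    return " ".join(kept.split())

@dataclass
class ExportValidator:  # hypothetical stand-in for the service
    denied: set = field(default_factory=set)        # normalized (name, country) pairs
    overrides: set = field(default_factory=set)     # customer ids cleared by an administrator
    review_queue: list = field(default_factory=list)

    def load_list(self, entries):
        """Install a new list version inside the service; return only the additions."""
        new = {(normalize(n), c.upper()) for n, c in entries}
        added = new - self.denied
        self.denied = new
        return added

    def check(self, customer, against=None):
        """Return 'pass', 'override' or 'fail'; failures are queued for review."""
        key = (normalize(customer["name"]), customer["country"].upper())
        if key not in (self.denied if against is None else against):
            return "pass"
        if customer["id"] in self.overrides:
            return "override"
        if customer not in self.review_queue:
            self.review_queue.append(customer)
        return "fail"

    def rescreen(self, customers, added):
        """Monthly step: check existing customers against the additions only."""
        return [c["id"] for c in customers if self.check(c, added) == "fail"]

# Constructed sample data, not real list entries or customers.
CUSTOMERS = [{"id": "C1", "name": "Acme Trading Co.", "country": "zz"},
             {"id": "C2", "name": "Exámple  Import-Export", "country": "XX"},
             {"id": "C3", "name": "Northwind Ltd", "country": "YY"}]
LIST_V1 = [("Placeholder Holdings", "XX")]
LIST_V2 = LIST_V1 + [("EXAMPLE IMPORT EXPORT", "xx"), ("Acme Trading Co", "ZZ")]

def run_demo():
    ev = ExportValidator(overrides={"C1"})
    ev.load_list(LIST_V1)
    added = ev.load_list(LIST_V2)
    return ev, added, ev.rescreen(CUSTOMERS, added)
```

Because the list and the override decisions live inside the validator, a consuming application only ever sees the three result values and never needs to change when a new list version is loaded.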
Through this solution IBM was able to improve responsiveness to frequently changing U.S. government export regulations. For new applications requiring export validation functionality, dramatic development cost and cycle time reductions were realized. In addition, measurable cost savings were achieved in ongoing support of compliance with changes in the U.S. government Denied Parties List and other business rules.
Best practices/lessons learned
During the implementation of this solution, we once again saw the importance of externalization of business rules. In addition to allowing more flexibility, externalized business rules allowed delegation of decision-making authority, accountability on rules interpretation and support to a single team of experts. Identifying what decisions need to be made, and who needs to make them is an important step in overall SOA governance.
The team has also used incremental on-boarding of legacy applications that allowed for a non-disruptive transition path.
The parallel evolutions of businesses and IT raised the new challenge of establishing a tighter linkage between business strategy and enabling technologies. SOA finds increasingly broad acceptance and is emerging as the dominant technology to support business transformation as a significant step in bridging this business-IT gap.
The four SOA initiatives described in this article have helped IBM reach new levels of business efficiency through faster introduction of new business capabilities and optimized business processes. As these case studies demonstrate, SOA enables historically isolated data and functionality to interoperate throughout enterprises and greatly improve collaboration with customers and business partners. It uses existing resources to improve productivity and an enterprise's ability to quickly react to changing business needs, regulatory demands and market conditions. SOA-enabled solutions help achieve desired business flexibility by providing increased visibility into business operations and making changes to processes and business rules faster, broader and less expensive, even across organizational boundaries.
SOA could be one of the most significant technological advances helping enterprises achieve the business agility required in the 21st century.
I thank the following colleagues for their insight and their contributions by providing case-study experience reports: Carl Osipov, Dick Panko, Germán Goldszmidt, Geoffrey Meissner and Lance Walker.
I also thank the many IBM colleagues, consultants, architects, development and project managers who developed the innovative solutions described above and took the time to document and share their experiences and lessons learned (both best practices and anti-patterns). There are too many of them to mention here.