By Larry Lange

Service-oriented architecture is hot, and with good reason. Better known as SOA (pronounced "so-ah"), the technology promises a wealth of benefits, including unprecedented flexibility, interoperability and agility. SOA also enables innovative solutions that can lead to dynamic business growth. Last but by no means least, SOA can also deliver substantial cost savings. In fact, by implementing SOA, companies worldwide could collectively reduce their IT spending by as much as $53 billion over the next five years, estimates market-watcher Gartner. Further, SOA can help companies comply with a wide range of government and industry regulations. "Some people say this is just the latest craze," says Paul Lipton, a CA senior architect who has been developing enterprise systems for more than 20 years. "But it's not like there's an alternative to SOA waiting in the wings. This is it."

But SOA also brings risk. A virtual "SOA constrictor" can make unwary CIOs its prey in the IT jungle. These risks include significant up-front costs, hard-to-gauge ROI, protracted time to realize value, immature standards, tough decisions on choosing vendors, and difficult security issues. "SOA can consume a lot of energy and resources before you realize what's happening," says Dave Hansen, CIO at CA. "You don't want to let it swallow you up."

Despite the risks, SOA is gaining momentum, and fast. Market-watcher IDC says spending on SOA-based services reached $8.6 billion last year, nearly 140 percent more than the previous year. Looking ahead, IDC projects SOA-based spending will quadruple by 2010. Similarly, Randy Heffner, a vice president and industry analyst at Forrester Research, reports that more than half of the IT executives recently surveyed by his firm have either invested in SOA or are considering implementing it. "Implementing a SOA is worth the risk," he says. "Just keep the risk in perspective."

Among those SOA risks: substantial startup costs. That's because implementing a SOA involves both re-engineering an existing system's architecture and a good deal of human capital: vendors (if deployed), analysts, system architects, software engineers, developers and project managers. In fact, Forrester Research cost twice as much as traditional approaches when viewed solely from the perspective of building a specific application component. Though Forrester adds that when that application component is reused, SOA becomes 30 percent more cost-effective than traditional development approaches.

Further, implementing a SOA can be a long, slow process. "It's taken us six years," says Bill Miller, the CIO of El Paso County, Colo. "We were fortunate to have access to some money for the first two years of the implementation." It took that long, Miller says, because the county's systems were custom-written software solutions running on an old Digital VAX architecture. In the end, his staff provided much of the system's SOA solution in a home-grown manner. "I'd say it's about 60 percent COTS [commercial off the shelf] and 40 percent custom built by us," Miller adds.

At AbeBooks Inc., a Victoria, B.C., online marketplace for books, implementing a SOA took nearly as long. Jayson Minard, the company's CTO, arranged his 33 developers into three teams, one of which worked full-time on SOA. Even so, the total implementation took nearly four years. "For us, SOA was more of a grassroots approach," Minard says. "We started when some core services started to appear, and over time, we started standardizing our behavior and developing best practices around them."

There's also the issue of standards. Some industry experts warn that SOA standards, although important, are still immature. What's more, they say, there are so many SOA standards, they're difficult to keep track of. "There are probably 100 or more SOA-related standards out there, including XML standards," says Forrester's Heffner. "There are at least 25 you need to watch."

High on that must-watch list is the Reference Model for Service-Oriented Architecture, better known as SOA-RM. It was ratified as a standard by the Organization for the Advancement of Structured Information Standards (OASIS) last fall. Reflecting the growing interest in SOA, the OASIS technical committee that's working on the approach now has 65 enterprise participants, including Boeing, GM and the U.S. Department of Homeland Security.

"The SOA Reference Model got started because a bunch of people who were working in XML, Web services and other methods were frustrated with the attempt to define service orientation," says James Bryce Clark, director of standards development at OASIS. He says SOA-RM is primarily an attempt to define SOA's basic building blocks; these building blocks could then be applied to architectures. "It's great work," Clark says. "And it helps organize architectural plans."

Another important standard is Service Modeling Language (SML). It's an XML based specification that defines a consistent way to express how networks, applications and servers are modeled. The goal: to help businesses more easily manage services built on these resources. "SML could wind up being a basis of communication through service-oriented architectures," says Marv Waschke, senior technology strategist at CA and a member of the SML working group.

SOA is an approach to building distributed applications that will facilitate new business and technical opportunities, Lipton explains. "Many SOA standards that either exist or are in development may expand the possibilities of what we can do with IT and how IT can add value to the business," he adds. "It may be that some of these new opportunities will only appear to businesses later on in the development of their SOA." For example, a standard called oBIX enables mechanical and electrical control systems in buildings to communicate with enterprise applications. "Imagine a world," Lipton adds, "where you can even have buildings as part of a SOA."

Partner Picking
Another challenge for CIOs who intend to implement SOA is picking the right partner. This involves working with architects and developers to figure out how much of the work can be done in-house and how much needs to be bought from outside—and from whom. CIOs dealing with this decision have a long list of partners to choose from, including CA and Microsoft. For instance, Waschke says that with CA Unicenter® Service Desk, "we've been offering SOA since 2000—though we didn't necessarily call it SOA." Adds Lipton: "The CA Wily Web Services Manager supports the goals of SOA in fundamental ways: It enables people to make sure their SOA meets consumer expectations and Service Level Agreements. It also helps IT figure out what SOA service or underlying component is problematic if their SOA is not meeting expectations. It can even help predict such occurrences. SOA applications tend to be very visible and can be used by outside agencies such as partners, customers and suppliers. Being aware of the service user's experience can be critical."

Another concern is security. Experts say that with large enterprises building up huge SOA architectures, there's a need for a security infrastructure that can keep pace. Others cite identity and access management (IAM) as the biggest security challenge right now, because so many companies have unwittingly stored employee and partner user identities differently across too many applications and systems (see sidebar, "SOA Insecurity,").

In fact, Glenn Crossman, vice president of product management at CA, sees identity and access management as the single biggest challenge for SOA security. "What's really driving significant awareness are regulations," he says. Since the vast majority of companies still have many information silos —in which each business unit has its own directory—user identities may be stored differently in many different applications and systems. "So you don't actually know where John Doe might be," Crossman explains. "He might be 'John D' in one system, and 'Doe, John' in another."

Further, Crossman says, the loosely coupled architecture of SOA necessitates the ability to pass identities between systems, not only between internal systems, but also across company boundaries. "That's a big challenge, and it opens up issues of trust," he says. Crossman says the security product he oversees, CA SiteMinder® Web Access Manager, provides the critical centralized security management foundation that enables secure user authentication and controlled access to Web applications and portals.

Return on investment remains a thorny problem, too. Early adopters of SOA have resorted to digging deep into the technology to glean returns from their investment. "ROI is a hard model to prove in general," says Minard of AbeBooks.

Still, ROI proof is beginning to emerge. Heffner of Forrester Research says AT&T achieved a $40 million benefit from SOA between 2004 and 2006. Much of that benefit, he adds, came from reducing the number of integration interfaces across the company's large telecommunications applications. "How do you put that into an ROI formula?" Heffner asks, answering, "You count up the number of integration interfaces you build each year, subtract the money spent maintaining the ones you already have and find out by how much those numbers go down. Then, boom, there's your business value."

Others have found ROI by uncovering the benefit of code reuse both during and after implementation. It's an unwieldy task, to be sure, although it can be done (see sidebar, "The ROI of Reuse,").

Hard-Earned Benefits
For CIOs who successfully make their way through this obstacle course of SOA hazards, the rewards can be great. For one, the loose coupling of systems and data that SOA promises can address a huge problem, namely, inflexible systems that don't share data well and which cannot be reconfigured and reused quickly enough to meet changing business needs. "SOA means flexibility," says Dana Gardner, president of Interarbor Solutions, a Gilford, N.H., market analysis firm. "You're not locked into a specific technology, which greatly reduces the risk of losing your earlier IT investments. In a very real sense, you're future-proofing yourself."

For another, SOA can help companies enjoy the lower costs offered by globalization. By integrating systems and making them interoperable, SOA offers a standardized approach to enable services to work together, regardless of their location in the world.

That's been the case for AbeBooks, which serves 13,000 book sellers in nearly 50 countries. "SOA helped our mix of services—all running over Java—become interoperable," says CTO Minard. "Our inventory service, which includes more than 50 million unique items, provides direct updates to the system, and the service-oriented approach works for sellers who need immediate inventory changes."

Interoperability of systems was also the chief appeal of SOA for El Paso County's Miller. Before implementing SOA, the county's main system was standardized on an ERP system, a document management platform and a geographic information system (GIS). The three systems were not at all interoperable, but Miller's SOA implementation tied them all together. Now, with SOA implemented, El Paso County can make the most of its interoperable system. "It's not just the financial, HR, payroll and procurement," CIO Miller says. "We tied together the maintenance side of it as well: work orders, job costing and asset management. We designed everything around a SOA workflow concept with a customer-centric philosophy."

What's more, SOA gives El Paso County's 2,500 employees across 50 departments a common platform for seamless access to financial, HR, payroll and other core systems. "Many of our county's departments weren't centralized early on," Miller says, "so the idea behind implementing SOA was to have our different platforms be able to talk with one another."

At CA, CIO Hansen is looking to SOA to bring aboard real-time interoperable benefits to better satisfy both internal and external customers. "We see SOA as a way to deliver those benefits faster than we have in the past," he says. More specifically, Hansen is connecting an internal customer support system with another that monitors open support issues. "Getting the application and the data to everyone involved faster is really going to help all of us perform better," he says.

Another benefit of SOA is increasingly agile business processes and faster time to market. The ability to move certain applications around and fit them together differently is critical. Explains CA's Waschke: "Say a retail institution decides to launch a new online catalog, and they want it fast. They may want to set it up for the holiday season. On the IT side, they've got to set up the servers, as well as the failover—the ability to switch over automatically to a redundant or standby server, system or network. With a SOA, it becomes so much easier to fit all the pieces together. That's where I see the agility side of SOA."

There's also the promise of substantial cost savings, once reuse is factored in. "On the conservative side, I'd say we've had a 25 percent cost savings since deploying our SOA a few years ago; on the optimistic side, I'd say it was closer to 50," says Miller of El Paso County. "We were able to connect every module of the company's system, not just the financial and HR, payroll and procurement, but also the maintenance side. Things like work orders, job costing and asset management. This goes across the entire county. We even have employee self service, where people can sign up for their benefits, and manage self-service." Further, a SOA system in the county assessor's office has reduced staff requirements by 20 percent. "When you factor in the facilities [needed] to put those people in, and all the extra equipment, it's a tremendous amount of money, "Miller adds.

Costs Matter
"Cost-reduction is still important for CIOs, and SOA provides it," adds Gardner of Interarbor Solutions. Today, the highest costs in a CIO's budget are dedicated to ongoing maintenance and operational costs and labor. In fact, an estimated 70 percent of all IT budgets are devoted to simply keeping current systems up and running. "With SOA, you can move toward IT consolidation, which means fewer servers and fewer farms, "Gardner says. "You get more bang for the buck."

Finally, SOA offers relief for CIOs who need to help their organizations comply with regulations such as Sarbanes-Oxley, HIPAA and the Payment Card Industry (PCI) data-security standard. Waschke of CA offers this real world example: "We worked with a pharmaceutical company that needed to replace a homegrown service desk/help desk system, because it wasn't providing an adequate audit trail for SOX compliance. Since their applications were closed—they were hand-built to fit into their environment— the company decided to go with CA Unicenter® Service Desk, which we'd made 'wide open' on the service-orientation side. They met their auditing capabilities, which, in turn, helped them meet their requirements."

To keep the SOA constrictor at bay, experts recommend that CIOs start small, then build out their SOA solutions over time. SOA can be done incrementally; CIOs don't need to throw a big switch so the whole thing lights up at once, Gardner says. Instead, they can start at a project level, then go project-by-project. "Suddenly you've got critical mass," he adds. "You're doing everything of, for and by services. At that point, it stops being bells and whistles, and your SOA is mainstream."

Bear in mind, however, that the SOA constrictor is lurking, waiting to be either your friend—or its victim. "The SOA can help your enterprise be more resilient," Lipton says. "By encouraging reuse of services and loose-coupling, SOA can help you clean out some of the vermin, if you will, that inhabit your IT infrastructure." But, he warns, when CIOs build a SOA, their business will really depend on it. So you need to keep a close eye on the inner workings—the guts of the SOA. Otherwise, you could find a SOA constrictor lurking ahead.

Larry Lange is a freelance writer and a former senior editor at TechWeb, PlanetIT.com, EE Times and IEEE Spectrum.