Service Management & Security

Discovery, Management, Security, Virtualization and Versioning

SOA initiatives will fail unless they are made reliable enough to support the daily business of the enterprise. In operational terms, the goal is to ensure that applications and their constituent components are highly available and responsive, that the user experience is free of errors and outages, and that the systems are secure enough for trustworthy enterprise deployment.

However, the distributed nature of SOA exponentially increases the risk of failure by liquidating application silos into multiple components scattered across a network. 24x7 production environments demand comprehensive system-wide tracking and operational visibility to minimize failures and downtime. Because they are exposed, SOA components raise heightened concerns for security.

Before they can deliver business value, SOA systems require management and security capabilities that are beyond the scope of traditional solutions.

Discovering and Managing Applications and Services

To help organizations maintain awareness of services deployed in the runtime environment, AmberPoint automatically discovers the deployed application components, as well as the dependencies among those components. It bootstraps governance processes by automatically publishing this information to registries or repositories, while periodically updating these stores to keep the data up to date. It provides an informative view of the service network and its dynamic relationships to help manage the complex dependencies inherent to loosely-coupled business systems.

AmberPoint’s runtime SOA blueprint enables architects and managers to ensure that only approved application components are deployed within their environments. It also helps them to weed out "rogue" services and brings these unapproved components into the fold by submitting them to the appropriate governance processes. Runtime dependency information is particularly useful for service impact analysis.

Optimizing Runtime Performance and Availability

AmberPoint brings predictability, visibility and control to SOA applications by delivering comprehensive service level management for services, transactions and business processes across heterogeneous environments.

Users can set different SLAs for discrete business segments and prioritize service use by any business criteria—such as focusing on most valuable users (customers, partners, etc.) or providing the best Quality of Service (QoS) during peak hours. SLAs can be set and monitored for individual services as well as composites such as processes and transactions.

Knowing who's using what is also a critical aspect of understanding and controlling SOA systems. That's why AmberPoint records and archives service performance as well as usage for historical analysis. AmberPoint supports detailed usage analysis over time to help identify trends and revenue opportunities.

AmberPoint prevents service problems by providing early warnings, facilitating impact analysis and initiating timely response. It has the unique capability of preventing traffic spikes and overloads from impacting the system by selectively throttling traffic before peak capacity is reached. This service throttling feature is particularly valuable in protecting new SOA investments—such as SOA-enabled mainframe systems—from unexpected demand. Throttling may also be used to prioritize delivery of services based on business criteria.

Security

AmberPoint addresses the challenges of security within the service network in three key architectural areas: Endpoint enforcement, mediation, and consumer enablement. We refer to these areas as last-, middle- and first-mile security, respectively.

Last-mile Security addresses the security needs at the service endpoint—that is, the point where the application itself is running. Only by securing the service endpoint itself can the enterprise be assured that services cannot be exploited. This applies to both inbound and outbound messaging. Inbound messages need to be checked for integrity, and the sensitive data they contain should never be exposed over the network. Therefore, digital signatures must be checked, and data decrypted, on the machine where the service is deployed. Otherwise, data can be viewed or modified while it is transiting the network. Similarly, data must be signed, encrypted, and filtered before being sent out over the network in response messages. AmberPoint also provides authentication and fine-grained access control at the endpoint itself, ensuring that attackers cannot use ‘end-run’ attacks to bypass security mechanisms or services, such as security appliances or brokers, configured to perform security on behalf of the services.

Middle-mile Security addresses issues of security mediation and confidentiality. Often, services rely on different kinds of authentication credentials and tokens—username/passwords, digital signatures, single sign-on tokens, and so on. AmberPoint provides the capability to securely map one form of credential into another, while maintaining the same authenticated identity for the service consumer. Thus, a user who logs into a portal with a username/password may have that credential mediated by AmberPoint into a SAML assertion. Using this mechanism, AmberPoint provides security support for transitional networks, in which some services support more advanced types of security, while legacy applications still require legacy credentials. Additionally, AmberPoint supports many standard identity repositories, such as LDAPs and Identity Management Systems, to provide federation and propagation within the service network.

First-mile Security addresses service consumer enablement. AmberPoint provides a mechanism that enables client applications to dynamically conform to the security requirements of secure services. AmberPoint-enabled service consumers can begin applying authentication tokens, performing encryption and decryption, and dynamically looking up service endpoints, with no coding required. Using AmberPoint’s capabilities, organizations can update security policies on services without the fear of breaking dependent service consumers, giving them the flexibility to fine-tune security over time to provide the maximum level of assurance with the minimum overhead for security processing.

AmberPoint security capabilities provide leverage to enterprises by enabling easy integration with existing security infrastructure, such as security appliances, user stores, identity management systems, and public-key infrastructure.

Policy Management & Enforcement

AmberPoint addresses the management requirements common to all services as "policies." Policies can be thought of as the declarative specification of generic characteristics of the system. Policies can represent a range of concerns common to a system, ranging from process and function to security, performance and availability requirements for the infrastructure on which the system executes. Systems can be governed more effectively by transferring behavior into policy rather than encoding those behaviors in application logic.

Policies are more concise, easier to understand and verify, and much simpler to manage over time than code or widely dispersed configuration files. They can also be centrally managed and configured according to the separation of duties supported by an organization. Policies are easier to enforce consistently across distributed, heterogeneous environments.

AmberPoint provides a unique mechanism for ensuring that services are continually provisioned with appropriate policies. Using AmberPoint, organizations are assured that new services deployed will be provisioned with all the requisite policies—logging, auditing, QoS, etc. Rather than applying policies individually, AmberPoint provisions policies based on a service’s characteristics—that is, its metadata. For example, AmberPoint can provision all HR applications with a similar set of policies, while Finance applications might be provisioned with another set. In this way, AmberPoint drastically reduces your risk of deploying ungoverned or improperly governed services.

Service Virtualization & Versioning

AmberPoint has sophisticated capabilities for building task-specific "virtual" services out of existing, deployed services. These capabilities maximize reuse, while minimizing the ongoing challenges of maintaining multiple service versions simultaneously in the production environment.

AmberPoint’s virtualization features enable reuse of existing enterprise capabilities by consolidating operations from different services into a new service—complete with its own service artifacts, such as WSDL. This new service aggregates only those operations specified from the original set of services being reused. This enables the deployment of highly targeted services, customized to the needs of specific users. Likewise, selected operations of an existing service can be deprecated on the fly, enabling organizations to decommission specific capabilities, while avoiding the development cycle that process usually entails.

AmberPoint also enables organizations to manage the complex process of service versioning, since it’s often necessary to provide multiple versions of the same service to support legacy customers. AmberPoint’s versioning capabilities enable organizations to run multiple versions of the same service simultaneously, while allowing transparent rolling upgrades to published services. Based on the content of a message and specific features requested by the client, AmberPoint can automatically route the request to the service version capable of processing it.

 
"AmberPoint’s visualization capabilities provide a clear view of all the service interdependencies."
Tim Freeman
Senior Developer
 