Subject: RE: [soa-rm-ra] Requirements for Governance
Looking at SOA service interaction governance based on a sliding scale for security, the requirement for Policy Guided Delivery can go from none for no security to very complex for maximum security. I describe this in terms of zero, professional, and military security.

Zero Security - Zero Security is a computing environment where there are no threats to the interoperability of SOA services. The Zero Security environment explores the minimum SOA governance necessary to have meaningful interoperation between SOA services. This could be achieved through the RA Effectiveness requirements for Visibility, Interaction, and Real World Effect. In a Zero Security environment, SOA services could be created with meaningful interoperation without the requirement for Policy Guided Delivery.

Professional Security - Professional Security is a computing environment that would typically be suitable for the business industry. Security requirements for Professional Security would consist of the same security requirements defined for the WSA architecture. Policy Guided Delivery is a requirement for Professional Security. http://www.w3.org/TR/ws-arch/

Military Security - Military Security is an extension of Professional Security. Military Security can provide stronger security mechanisms than what would typically be found for the business industry. Military Security also provides a high assurance computing environment that maintains separation of data in transit and data at rest for information sharing groups. Policy governs all service interactions. Policy also governs all information sharing between information sharing groups.

It seems to me that the Policy Guided Delivery requirement is written in such a way that it provides the flexibility to have any of the above security policy governance plans.

Danny

--- Chiusano Joseph <chiusano_joseph@bah.com> wrote:

> I agree, Ken - it's a fine line for us. I think it would be valuable for
> another initiative (outside of our TC/SC) to create a standard framework
> for establishing SOA governance within an organization, but for us to
> consider treating the topic more on the light side.
>
> Joe
>
> Joseph Chiusano
> Associate
> Booz Allen Hamilton
>
> 700 13th St. NW, Suite 1100
> Washington, DC 20005
> O: 202-508-6514
> C: 202-251-0731
> Visit us online @ http://www.boozallen.com
>
> ________________________________
>
> From: Ken Laskey [mailto:klaskey@mitre.org]
> Sent: Sunday, April 30, 2006 3:00 PM
> To: Danny Thornton
> Cc: soa-rm-ra@lists.oasis-open.org
> Subject: Re: [soa-rm-ra] Requirements for Governance
>
> My question with governance, especially the management variety, is how
> much is it just having the appropriate information available through
> description. With the caveat that I am behind in my reading and have
> not gone through the articles identified over the past week, I don't
> believe SOA requires policy beyond what is usually generated in the
> world, but it needs a disciplined way to make use of policy. So service
> description needs to be able to point to the applicable policy, possibly
> indicate the criticality of the policy (by using a defined criticality
> term and pointing to the definition of that term), and possibly point to
> the engine to be used to evaluate whether the current or proposed
> interaction complies with the policy. A level of compliance can be
> specified, again with the level definition being referenced along with
> any specific level value.
>
> Note, the onus here is how do you specify policy and how do you evaluate
> compliance. (For those who missed it, this week W3C acknowledged the
> Member Submission of WS-Policy.) Obviously, we need to prod this a
> little harder but it seems to give the flexibility to have any specific
> governance plan without SOA caring about the specifics.
>
> Am I missing something?
>
> Ken
>
> On Apr 30, 2006, at 10:19 AM, Danny Thornton wrote:
>
> > In last Wednesday's telecon, our discussion of SOA Governance centered
> > on reflecting the roles, rights, and obligations of participants.
> > Participants could be people, organizations, or entities directly or
> > indirectly involved in the interactions with a service. In order to
> > embed the service in human society, there are also participants
> > involved in the delivery of the services, monitoring the services, etc.
> >
> > When thinking through SOA Governance, two questions arise. How are
> > services governed through management and how are the interactions of
> > services governed? The RA requirements for Effectiveness relate to the
> > Governance of interactions. These requirements are closely related to
> > discussions of Governance and Policy.
> >
> > http://wiki.oasis-open.org/soa-rm/Goals,_Critical_Success_Factors_and_Requirements
> >
> > The RA requirements for Graduated engagement and Manageability relate
> > to the management type of Governance. These requirements are closely
> > related to discussions of Governance and life cycle.
> >
> > I would argue that if you looked at the RA requirements with
> > Governance tinted glasses, you would find the necessary requirements.
> > Creating a critical success factor for Governance would mean providing
> > a different view of the requirements for Effectiveness and Assurance.
> >
> > Danny
> >
> > __________________________________________________
> > Do You Yahoo!?
> > Tired of spam? Yahoo! Mail has the best spam protection around
> > http://mail.yahoo.com
>
> ---
> Ken Laskey
> MITRE Corporation, M/S H305     phone: 703-983-7934
> 7515 Colshire Drive             fax:   703-983-1379
> McLean VA 22102-7508