The DoD is perhaps the largest and most complex organization in the world, employing nearly 1.4 million people and holding approximately $1.4 trillion in assets. IT spending for business support activities in the DoD BMA—funds to operate, maintain, and modernize business systems—comprise $15.7 billion of annual DoD IT spending, roughly equal to the rest of the federal government.

While the DoD has long been acknowledged for its premier warfighting capabilities, fragmentation of financial and business management practices leaves the DoD vulnerable to waste, fraud, and abuse, as well as risk of failure on attempts to build larger, more complex systems. To support the DoD mission and the changing nature of the threats to which the federal government must respond, the DoD BMA is engaged in a massive business transformation. It must modernize and become agile in order to support 21st century national security requirements. The BMA CTO evaluated DoD BMA enterprise processes and associated systems—including human resource and personnel management, supply chain, and logistics, as well as financial and accounting management functions—to determine the best strategy for achieving agility. After analysis and assessment of BMA objectives and study of the overall direction for IT within the DoD, the strategy selected to move the BMA forward is the adoption of an SOA.

The U.S. Government Accountability Office describes an SOA as an “approach for sharing functions and applications across an organization by designing them as discrete, reusable, business-oriented services” [1]. Most importantly, an SOA is a mechanism by which business capabilities can be aligned with the technical infrastructure in support of an agile business strategy. The DoD’s SOA vision calls for such alignment through an architecture of discrete components called services delivering business capabilities deployed in a supportive infrastructure designed for this purpose. The Office of the BMA CTO and CA collaborated with the chief information officers (CIOs) representing the military services, defense agencies, combatant commands, mission areas, and DoD Enterprise Services to develop an SOA strategy, including a supporting environment termed the Business Operating Environment (BOE). The BOE leverages industry best practices to federate technical architectures, develop capability requirements, and support the delivery of portfolios of business capabilities based on collections of atomic and/or composite service orchestrations. The BOE is defined in [2], which details the infrastructure component of the BOE and the business transformation infrastructure (BTI), shown in Figure 1. Some functions of the BTI will be met through and built upon the DoD Global Information Grid Enterprise Services. The technical core of the BTI, designated the Business Transformation Engine (BTE), is to be built from commercially available products.

To assess the feasibility of this strategy, the BMA CTO conducted market research into maturity and readiness to support this strategy in SOA technologies from more than 30 organizations. These had survived a preliminary screening to ensure that they were realistic and relevant. The technical research included all components of the BTE, and was conducted in accordance with departmental regulations guiding pre-acquisition market research. The organizations provided live demonstrations of their development, test, operational, and production environments. CIO offices from each military service and many defense agencies were invited to attend and participate in the presentations. This article provides research conclusions across the BTE components (numbered in Figure 1), as well as SOA information assurance and governance.

Figure 1: The Business Transformation Infrastructure
(Click on image above to show full-size version in pop-up window.)

The research approach gathered data to correspond to key technical capabilities required to build the BTI and included an assessment of the industry’s maturity in providing tools to support these technical capabilities. The research did not consider SOA technologies not relevant to the BTI. In this section, we present the assessment.

The interoperability controller component of the BTI is a pattern or foundation architecture for brokering, routing, and processing messages and service invocations within an SOA. It consists of an extensible set of integration brokers interconnected on the network by robust messaging middleware. The research looked at products supporting this pattern, examining them for a number of characteristics, including support for indirection and interception, loose coupling, scalability, and robustness. In general, the products that most closely support this pattern are enterprise service bus (ESB) products, as well as enterprise application integration and message-oriented middleware through composition.

The market research shows that the state of industry products as reasonably mature and can support the implementation of the BMA vision for the BTI’s interoperability controller component. The message-oriented middleware and enterprise application integration product vendors have been working in this direction through many generations of products. The ESB vendors have built on this experience to provide an enterprise-wide solution, though often with proprietary features. The challenge with the latter is to build a standards-based SOA that leverages the success of Web technologies rather than an ESB-based solution that provides some aspects of SOA but could lead to over-dependence on a particular vendor’s technology.

While increasingly more BMA systems and data sources will communicate natively in terms of standard message sets and vocabularies, there is a short-term need for mediation of information exchanges, translating, and transforming messages between information providers and consumers. The research found good support of this pattern in both the standard and high-volume variations. Many vendors, (such as Fiorano, BEA Systems, IBM, Iona, Tibco, and webMethods) are producing capable transformation engines, especially those focused on eXtensible Markup Language (XML) messaging and the use of Extensible Stylesheet Language Transformation engines. For high volume, Ab Initio, with its advanced parallel processing capabilities, allows for the development of high-performance, straight-through mediation services. However, the vision for dynamic generation of transformations on a semantic mediation basis was found to still be a future capability. The semantic technology needed is immature, so semantic tools from companies like Revelytix and IBM are best suited for supporting development time activities, with semantics being early-bound into runtime environments.

The BMA’s approach to SOA calls for metadata registries and repositories supporting the discovery of services and information assets. DoD registries are built around Organization for the Advancement of Structured Information standards, such as Universal Description and Discovery Interface (UDDI) and electronic business XML (ebXML) Registry Information Model and Registry Services (including a UDDI service registry), a Metadata Registry that contains the DoD’s structural and semantic metadata, and an enterprise catalog containing DoD specification metadata to support discovery of information assets. Given the DoD’s size and the likely need to federate registries, the BMA included this category in the market research.

Many of the vendors in the market research provide UDDI service registries, notably Systinet, now a part of HP. Many vendors include UDDI capability (e.g., IBM, BEA, Software AG), with a number of vendors using Systinet. Many vendors also include metadata management capabilities and repository components (e.g., Fiorano, Lombardi), while others such as Revelytix specialize around semantic metadata. The DoD’s metadata discovery specification is not directly supported by vendors, though those that support the ebXML architecture can act as enterprise catalog instances.

Business activity monitoring (BAM) allows management of an SOA in business terms. Market research found that BAM is still in early development. There are many vendors providing BAM functionality coming from diverse industry segments. Application integration and enterprise software vendors (BEA, Fiorano, IBM, IONA Technologies, Microsoft, Oracle, SAP, TIBCO, web-Methods, etc.) are extending existing assets and acquiring additional capabilities in order to support BAM. Business intelligence vendors (Business Objects, Cognos, Software AG, etc.) are working to adapt technology and incorporate business rules engines into their solutions to support real-time BAM operations. There is also a set of pure-play BAM providers who focus on complete BAM solutions. Overall, the research found little standardization across vendor implementations, making true interoperability difficult to achieve on an enterprise level. The most common uses found in the research revolve more around project-based, application-specific uses rather than as general enterprise infrastructure.

Enterprise services management (ESM) provides for managing the service life cycle and is the foundation for SOA runtime governance. Market research found a limited number of SOA ESM vendors. The main vendors (e.g., IBM, Hewlett-Packard) possess strong portfolios in traditional network management and integrated service management markets that they have extended to ESM. Most of the tools researched include feature sets spanning the range from low-level IT service management to the higher-level business management needs, and the differences are more in terms of focus. Often, a more comprehensive solution can be composed by combining products (e.g., AmberPoint and HP OpenView SOA Manager).

The BTI must provide for the modeling and execution of business processes through the orchestration of services, and the monitoring of those business processes. While the research found that there are still many proprietary modeling offerings, there is considerable convergence around Business Process Modeling Notation (BPMN). The research also found strong support across vendors for the Business Process Execution Language standard, though there is also emerging support for direct execution of BPMN through the use of the XML Process Definition Language, an XML serialization of BPMN. Many vendors also provide the needed monitoring of those processes at runtime, often building on extensive experience with network and application monitoring capabilities. Still further in the future are tools with semantic continuity from modeling to execution in the business process arena; however, the research did find that what already exists is maturing rapidly, and can provide a base for implementing the BTI. Perhaps surprisingly, not a single vendor included the Unified Modeling Language in either its list of product offerings relative to an SOA, or as a tool that it uses in its SOA engagements.

Among virtualization trends, virtualizing data sources has emerged as a real-world capability, and is a key component of the BMA SOA vision in which a virtual data store makes information from many sources available in real time without a physical store. The vendors include Composite Software, Red Hat Meta-matrix, IBM, and Streambase.

The BMA research found that overall data virtualization and associated data services have matured to the point that there are many cases where they can produce high-performance and robust data sources and services to be used in a net-centric environment, significantly reducing the latency in data availability to business analysts and decision makers who do not need to wait for the periodic load of a data warehouse or data mart.

An SOA introduces new information assurance (IA) challenges. The interoperability and extended, net-centric data sharing capabilities enabled by SOAs are themselves potential points of vulnerability. A compromised service registry provides an attacker with a detailed map of the operations and capabilities of an organization. Standards and standard protocols narrow the range of network capabilities that an attacker must subvert, and success wins wide access. Deploying an SOA in a responsible fashion must consider the effects of information warfare in addition to other planning. Only through such IA diligence will the DoD be able to truly realize the savings and benefits that an SOA promises for a large, geographically dispersed organization that must operate in the face of the exigencies of war. Additionally, SOAs must also meet old IA challenges including reliability, availability, and non-repudiation. An SOA does not relieve implementers of the responsibility for solid engineering in areas of platforms, networking, back-ups, and auditing. Past best practices and standards must be brought to bear on SOA implementations as well as traditional ones.

As would be expected, the DoD is making IA services a part of the Net-Centric Core Enterprise Services so that security is ubiquitous, well-tested, and a part of the infrastructure. An SOA provides the possibility to externalize security as a common, cross-cutting set of capabilities, themselves presented as services. In this way, each application or program does not have to master the complex technical capabilities required, but can declaratively define IA requirements and expect them to be honored and enforced by the infrastructure. At the same time, DoD-level IA policy can be enforced on SOA operations, including authorization control, redaction, and auditing. An SOA must also work with the DoD’s Public Key Infrastructure to enable secure single sign-on, and to ensure preservation of appropriate non-repudiation characteristics as people and systems take action against DoD and BMA data assets.

The BTI is intended to embrace and extend the DoD SOA and IA foundations. During the research, the BMA team studied vendor capabilities with regard to IA and security in a number of areas. In particular, there was support for emerging Web Services security standards and the inclusion of IA capabilities, both for enabling IA and for working with an enterprise’s existing IA infrastructure.

• Support for Web Services IA Standards. Vendor support for the Web Services standards stack (WS-*) and related sets of XML and network IA standards—such as the WS-Security Assertion Markup Language, and the eXtensible Access Control Markup Language—is maturing rapidly along with the standards themselves. These standards are key to moving IA into the infrastructure, the SOA foundation, and enabling a declarative IA. Most of the deep stacks of SOA capability, such as those from IBM, BEA, Oracle, and Microsoft, have incorporated these standards throughout.
• Enabling IA Infrastructure Capabilities. Some organizations included in the research (such as AmberPoint) focus explicitly on providing SOA security capabilities. The market research found that there is a trend to make IA an integral part of SOA through provisioning, governance, and key infrastructure, such as with the BTI’s interoperability controller. This holds out the promise that as an SOA is implemented in the BMA, it will not prove to be the soft and chewy inside of a hard and crunchy perimeter defense.
• Integration With Existing IA Infrastructure. DoD IA must be a consideration from the beginning of the life cycle. An SOA must be able to work and interoperate with IA standards, practices, and approaches developed during the DoD and U.S. intelligence community’s long experience in producing networked IT systems to provide defense in depth. The market research found that there is a convergence in this arena, with the DoD looking to adopt industry and commercial best practices in IA for its solutions, and SOA vendors (included in the research) willing to meet and accommodate the stringent IA requirements of the DoD.

Governance—the means to assure that laws, regulations, and policies are met in IT operations and investments—is of key importance for the move to an SOA. An SOA introduces new challenges for IT and business governance due to solutions composed from numerous distributed services in an environment of heterogeneous ownership and control, and by enabling widespread sharing of information and capabilities. The BMA strategy for SOA governance addresses both buildtime and runtime needs.

The research assessed buildtime governance in the following areas:

• Enterprise Architecture Satisfaction. The research found that enterprise architecture tools are moving to explicitly model services, such as those from Mega Software or IBM (Telelogic). However, these tools have (at most) limited interoperability with tools used to design and develop services. These tools also provide little in the way of automated compliance checking or management of the transition between enterprise architecture models and service designs and implementations.
• Duplication Avoidance. The research found that this aspect of governance is provided largely by the ability of SOA development tools and environments to access service registries and repositories. This allows developers to determine whether an implementation for their service already exists. Additional metadata repository capabilities (providing further information) support this process.
• Service Usage. The market research found that the main mechanisms for assuring that existing services are used as appropriate are through development tools that integrate with an enterprise’s service registries and repositories. These tools provide developers with service descriptions and specifications at design and build time. Many tool vendors, such as Lombardi and IBM, provide this capability.
• Service Verification. The market research found that there is good support for test and verify SOA services—against functional requirements and service level agreements (SLAs)—when combined with more traditional automated testing tools.
• SLA Development. The market research found support for capturing SLAs, but support for the actual initial development of the SLAs is more limited. System architects and designers need to pay close attention to how they develop SLAs and translate them into digital form for use by automated SLA management capabilities.

Runtime governance should provide visibility into service operation allowing management of services, the ability to take corrective action (as needed) to ensure effectively uninterrupted business operations, and the capture of operation audit information. Provisioning, deploying new services, and taking old services out of operation without significant impact on business activities or overall operations, are key parts of overall runtime governance. Characteristics looked for in runtime governance include the following:

• Operational Visibility. Make the runtime state visible in both technical (network and machine usage) and business terms.
• Service Management. Monitor and manage the execution and operation of services in an SOA.
• Policy Enforcement. Enforce security and other policy-based constraints in a declarative fashion, external to SOA services, allowing systems to adapt quickly to changing policy circumstances without coding.
• Auditing. Track and record key events and actions within the SOA environment for later analysis.
• Provisioning and Configuration Management. Provision services for deployment in the SOA and track its configuration across changes as they occur.

The market research found no complete solution available as a single package, but there is considerable governance capability available in the marketplace. For example, in the area of provisioning and configuration management, the research found that SOA management tools provide some of this capability, but may need to be joined with more traditional configuration management and deployment tools for reasonable capability. Governance capability (as required by the BMA strategy for SOA) can be provided through commercial tools, but designers must carefully assess and acquire the components from various vendors in accordance with a strong design and plan that they must create for themselves.

The DoD BMA has embarked on an SOA strategy. The “BMA Architecture Federation Strategy and Roadmap” provides guidance for the DoD BMA to quickly gain business value by delivering capability to support the warfighter through an SOA, while using a phased approach for transforming legacy systems. The market research performed by the BMA Office of the CTO and CA has found that industry capabilities to implement or enable the components defined in the BMA Service-Oriented Infrastructure have matured in the marketplace. While serious caution remains in the areas of IA and security, and the need for significant cultural change for successful SOA implementation cannot be overemphasized, it is clear that it is feasible for an enterprise the size of the DoD to move forward on implementing an SOA and to realize the business benefits of agility, interoperability, and net-centric data sharing that an SOA provides.

The opinions expressed in this article are those of the authors only and in no way constitutes the policy or express direction of the DoD. Click here for additional information about the vendors.

1. According to the U.S. Government Accountability Office, “A service-oriented architecture is an approach for sharing functions and applications across an organization by designing them as discrete, reusable, business-oriented services. These services need to be, among other things, (1) self-contained …; (2) published and exposed as self-describing …; and (3) subscribed to via well-defined and standardized interfaces.”

1. United States. Government Accountability Office. Defense Business Transformation: A Comprehensive Plan, Integrated Efforts, and Sustained Leadership Are Needed to Assure Success. 16 Nov. 2006 <www.gao.gov/new.items/d07229t.pdf>.
2. United States. DoD. Business Mission Area Architecture Federation Strategy and Roadmap. Ver. 2.4a. 29 Jan. 2008 <www.defenselink.mil/dbt/federation_strategy.html>.

1. United States. DoD CIO. Global Information Grid Architectural Vision for a Net-Centric, Service-Oriented DoD Enterprise. 21 Mar. 2008. Ver. 1.0. June 2007 <www.defenselink.mil/cio-nii/docs/GIGArchVision.pdf>.
2. Erl, Thomas. Service-Oriented Architecture: Concepts, Technology, and Design. New Jersey: Prentice Hall PTR, 2005.

Dennis E. Wisnosky’s responsibilities include guiding development of Federated Architectures and SOA within the DoD’s BMA. He is recognized as the father of the Integrated Definition Language and the author of several books. Wisnosky holds a bachelor’s degree from California University of Pennsylvania and master’s degrees from both the University of Dayton and the University of Pittsburgh. He has received numerous honors for his work, including the Federal 100 Award in 2007.

DoD
Office of Business Transformation
3600 Defense Pentagon
Room 3C889A
Washington, D.C. 20301-2600
Phone: (703) 607-3440
Fax: (703) 607-2451
E-mail: dennis.wisnosky@osd.mil

Al (Edward) Gough is a senior enterprise architect supporting the DoD BMA CTO and CA. Gough is chief technology officer for CAC International Inc.’s transformation solutions group. He works on furthering the adoption and implementation of SOA across the BMA and DoD.

Dimitry Feldshteyn is a chief of SOA strategy supporting the DoD BMA CTO and CA. He is president for eMillennium Inc., and has 18 years experience working in the IT industry, 12 years of which he has spent in leadership and executive positions at Hewlett-Packard and IBM.

Eric J. Riutort is a business and IT management consultant supporting the DoD BMA CTO and CA. He works for Tech Team Government Solutions, Inc., and has 15 years of industry experience in software development, semiconductor, and automotive manufacturing. Riutort wrote the BMA’s SOA governance and change management strategies.

Wil Mancuso is one of the lead SOA architects supporting the DoD BMA CTO and CA. He is the president of Information Management Solutions Consultants, Inc., and has more than 20 years of experience in industry. Mancuso developed the DoD Log EA, the Defense Logistics Agency’s Integrated Data Environment, and the BMA’s Common Vocabulary.

Paul A. Strassmann was DoD CIO from 1988 to 1992. In addition, he has been the chief information executive of General Foods, Kraft, Xerox, and NASA. He is presently distinguished professor of information sciences at George Mason University. He received the Distinguished Public Service Medal from the DoD as well as the Exceptional Service Medal from NASA for his work on information security and systems architecture.