Beware the 'P' word
Yesterday was a day out of the office. The other Neil and I were at briefings with the VP of Product Development of an ESB company and then the President/CEO of a service-oriented management company. Whilst the focus of their employers' respective offerings is clearly different, there was one theme that came across loud and clear in their respective pitches: policy.
Unsurprisingly - these were SOA-related briefings after all - interoperability and standards support were equally strong themes and, more specifically in this regard, WS-Policy. They were both describing the use of WS-Policy to define operational requirements - security, load balancing, transformation etc. - which can be enforced by their own solutions and other components of the SOA infrastructure.
Once back here in The Fens, I began trawling through the list of unread blog posts when I came across this from Ian Glazer at Trusted Network Technologies (via the very useful Planet Identity feed - thanks Pat). Ian calls out a post from Sara Gates, Sun's VP of Identity Management, reflecting on the recent RSA Conference and calling for a moratorium on the use of the 'p' word because:
It’s become a bad word in that the word “policy” in the technology arena has so many meanings that it has actually become meaningless. “Policy” means a lot of things, all of them ultimately in a business, and often, security context. A policy can be on data protection, a policy can be on access control in the platform or application, a policy can be in a dusty three-ring binder that no one ever uses, a policy can be made in response to a law or regulation
Ian goes on to say that
The Identity lexicon is a strange one. We use words that have multiple meanings. We use terms to hide the realities of market segments. Policy is definitely high on the list of overused and under-defined terms.
and cites as evidence the proliferation of policy management interfaces within identity management solutions:
I spent last week asking a variety of vendors how many different policy management interfaces they have for their products. I think the average for a decent sized identity management vendor is around 5. (One vendor told me of over 10 different policy management interfaces for their suite of products.) Customers are being overwhelmed with different policy tools. Multiple policy management interfaces from multiple vendors.
Don't get me wrong. Here at MWD we are strong advocates of policy-based approaches, as anybody who is familiar with our views on SOA will be aware:
By encouraging openness, flexibility and reuse, a service-oriented approach guarantees that we cannot know in advance which consumers might request which services. We cannot know what kinds of obligations might need to be fulfilled, until a request is made. The way to handle this uncertainty, which is sure to arise as service portfolios expand and become more complex, is to use the design concept of “policy” to dictate the conditions which must exist for the contract between a consumer and a provider to be fulfilled.
As IT organisations strive to break down the application and infrastructure stovepipes which are constraining their businesses and move towards a distributed, virtualised, heterogeneous architecture, their ability to define business-meaningful policies which can be enforced consistently throughout the fabric of the 'next-generation data centre' will be critical. I agree completely with Sara when she says:
How about a moratorium on the “P” word unless it is modified with a precise, readable explanation of what we mean?
I would go further to add 'consistent' to her list of adjectives. Customers are currently suffering from a case of policy overload. Vendors operating across broad swathes of the technology landscape - application lifecycle management, information lifecycle management, IT governance, IT service management, service infrastructure etc etc - are promoting policy-based approaches. But can they interoperate? Ahh - but surely that's where WS-Policy comes in.
Let's be clear. First of all, WS-Policy has not been submitted to a standards body. Secondly, as the authors (BEA, IBM, Microsoft, SAP, Sonic and VeriSign) point out:
WS-Policy provides a general purpose model and syntax to describe and communicate the policies of a Web service.
The Web Services Policy Framework (WS-Policy) provides a general purpose model and corresponding syntax to describe and communicate the policies of a Web service. WS-Policy defines a base set of constructs that can be used and extended by other Web services specifications to describe a broad range of service requirements, preferences, and capabilities.
The key phrases here are "general purpose" and "can be used and extended by other specifications to describe a broad range of service requirements, preferences, and capabilities" (WS-SecurityPolicy is one example of such an extension, focussed on policy assertions for web services security). In other words, WS-Policy does not deal with semantics: it provides a framework within which those semantics can be defined. Support for WS-Policy provides no guarantee that the way one vendor defines a particular policy can be interpreted and enforced effectively by another. That will require agreement on semantics. It's not going to be easy! It will require the participation and cooperation of vendors of all shapes and sizes. Vendors, moreover, who are going to have to relinquish the control that ownership of policy definition can provide.
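To make the semantics gap concrete, here is an added example (not from the WS-Policy authors or any vendor mentioned above). It applies a simplified form of WS-Policy intersection, matching alternatives by assertion QName only and ignoring nested policies and parameters, to constructed policies; the `urn:example:vendor-*` namespaces and assertion names are hypothetical.

```python
import xml.etree.ElementTree as ET

WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"  # WS-Policy framework namespace

# Constructed sample policies. Two hypothetical vendors both mean
# "the message body must be encrypted", each in its own vocabulary.
VENDOR_A = f"""<wsp:Policy xmlns:wsp="{WSP}" xmlns:a="urn:example:vendor-a:policy">
  <wsp:ExactlyOne><wsp:All><a:EncryptBody/></wsp:All></wsp:ExactlyOne>
</wsp:Policy>"""
VENDOR_B = f"""<wsp:Policy xmlns:wsp="{WSP}" xmlns:b="urn:example:vendor-b:policy">
  <wsp:ExactlyOne><wsp:All><b:RequireConfidentiality/></wsp:All></wsp:ExactlyOne>
</wsp:Policy>"""
# A consumer that happens to speak vendor A's vocabulary, with two alternatives.
CONSUMER = f"""<wsp:Policy xmlns:wsp="{WSP}" xmlns:a="urn:example:vendor-a:policy">
  <wsp:ExactlyOne>
    <wsp:All><a:EncryptBody/></wsp:All>
    <wsp:All><a:EncryptBody/><a:SignBody/></wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>"""


def alternatives(policy_xml):
    """Return each alternative of a normal-form policy as a frozenset of assertion QNames."""
    root = ET.fromstring(policy_xml)
    if root.tag != f"{{{WSP}}}Policy":
        raise ValueError("not a WS-Policy document")
    alts = []
    for exactly_one in root.findall(f"{{{WSP}}}ExactlyOne"):
        for all_ in exactly_one.findall(f"{{{WSP}}}All"):
            # ElementTree expands each tag to '{namespace}local', i.e. the QName
            alts.append(frozenset(child.tag for child in all_))
    return alts


def intersect(policy_1, policy_2):
    """Alternatives acceptable to both sides: identical sets of assertion QNames."""
    return [sorted(a) for a in alternatives(policy_1)
            for b in alternatives(policy_2) if a == b]


if __name__ == "__main__":
    # Both vendor documents are valid WS-Policy and parse with the same code...
    print("A vs consumer:", intersect(VENDOR_A, CONSUMER))
    # ...but a generic processor has no way to know B's assertion means the same thing.
    print("B vs consumer:", intersect(VENDOR_B, CONSUMER))
```

Both vendor policies are well-formed and processable by the same framework code, yet only the one sharing the consumer's assertion vocabulary yields a usable alternative; the equivalence between the two vendors' assertions exists only in the heads of their designers.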
We will certainly continue to highlight this issue in our discussions with vendors but I am not naive enough to believe that the opinions of analysts carry the same weight as those of customers and prospects holding IT budgets. I am hopeful that as the 'p' word is raised in vendor pitches some tough questioning ensues.