Creating Comprehensive SOA Governance
As one of the world's leading employee benefits providers, thousands of businesses count on this Fortune 250 insurance company. The insurer helps businesses build robust benefits packages, provide absence management services and stay informed about emerging trends in employee benefits.
By the Numbers
- Fortune 250 Insurer
- >20M protected worldwide
- >150K customers in the US & UK
- Provides >30% of the Fortune 500 with benefits
- Top 10 in group/individual disability & long term care
- Top 10 in voluntary insurance
The insurer provides disability, long term care, life and voluntary insurance products backed by a >10,000 strong employee workface that is committed to meeting the needs of their customers. A separate division also provides for voluntary worksite benefits.
In 2007, the insurer began an IT journey to a Service Oriented Architecture (SOA) based on the Microsoft .NET platform. But without a formal SOA Governance infrastructure in place, they soon began to experience a number of challenges.
When making the move to SOA, the insurer wanted to ensure they retained the same level of security and privacy for their customers’ data as they had implemented with their traditional architecture. For this reason, they implemented their existing proprietary Secure Token Service (STS), which leveraged attributes stored in an SQL Server database, as the central point of authorization.
While this STS was more than adequate for a traditional architecture, the overhead of per-request SAML security caused slowdowns due to the high level of CPU usage for message decryption. Switching from NetTCPBinding to WSFederationHttpBinding and utilizing WS-SecureConversation solved the slowdown problem, but introduced a new issue with dropped sessions as a result of poor “sticky” load balancing. As a workaround, the insurer added code to both the client and server applications that would generate an HTTP cookie. Now, if the load balancer redirected a client to a new server, it could use the cookie to rebuild the session context and avoid renegotiating WS-SecureConversation.
At this juncture, the insurer discovered that their clients and services were no longer loosely coupled, making it far too easy to introduce breaking changes: any change in a service API would break compatibility with the client. In an environment that featured 10,000 desktops loaded with tens of client applications interacting with multiple backend services, tight coupling was a recipe for disaster. Even with extensive planning, there was still an extremely high risk of something going wrong. And any change introduced to a service would require time consuming, labor intensive and costly updating of the client-side software, effectively bringing server side rollouts to a standstill.
What the insurer required was something that could act as a mediator in their environment in order to mitigate the risk of API changes, negotiate the security regime, and translate the content.
Layer 7 Provides Mediation
The Layer 7 SecureSpan SOA Gateway is a SOA mediation device that sits between clients and backend services, providing a number of key, runtime SOA governance capabilities. For example, the Layer 7 Gateway mediates security regimes, consuming the insurer’s inbound NTLM and producing WSHTTPFederationBinding for backend communication. The Gateway also mediates transport regimes, converting inbound HTTP to outbound MQSeries message oriented middleware. Finally, Layer 7 is able to mediate between API versions, transparently translating incoming queries designed for version 1.0 of an API (for example) into API 2.0 calls, thereby ensuring existing applications won’t break.
Implemented in conjunction with HP SOA Systinet and HP Business Availability Center (BAC), the SOA Gateway helps create a comprehensive SOA Governance solution. The Systinet UDDI Registry acts as the SOA repository of record, providing design-time Governance through its service cataloguing and policy lifecycle management capabilities. The Systinet and Layer 7 solution allows the insurer to track the entire service lifecycle, from design through production, enforcing Systinet policies across their extended enterprise.
HP BAC enables trust and control of services by providing end-to-end performance monitoring and diagnostics of SOA services, applications and infrastructures. Deployed together with the Layer 7 Gateway, BAC allows the insurer to report across all their message-oriented systems; track requests that access multiple backend services, and report across different transport layers.
With a comprehensive SOA Governance solution in place, the insurer will now be able to gain greater business agility with less duplication of effort by enabling the realization of shared services that can be consistently discovered, understood and trusted.
Benefits include lower application maintenance costs and improved application flexibility/adaptability gained through the introduction of a layer of abstraction – the Layer 7 SOA Gateway’s policy layer – between clients and services. The Gateway also provides for reduced IT and business risk by introducing a mediation layer to mitigate changes at the client and Web service.
Finally, the insurer can expect higher-quality services and fewer service outages by utilizing HP BAC’s SOA monitoring capabilities to ensure uninterrupted performance.