No vendor yet offers a best-in-class service-oriented architecture (SOA) governance technology set. Best of breed is preferable to best of brand, when technologies coming from different vendors are reasonably well-integrated.

Integrating SOA governance between disparate domains remains complex, and although obtaining SOA governance technologies from your installed middleware vendor may be less expensive than from a third-party vendor (in many cases, new technology licenses can be combined with existing ones), ensuring that the technology supports heterogeneous environments is essential. Interoperability can sometimes be difficult, and SOA governance standards and specifications are immature or nonexistent. Ensuring that your vendor participates in some governance interoperability specification can help ease deployments, especially in best-of-breed situations where appropriateness can no longer be ignored. A full set of SOA governance technologies has been identified and is now making its way into the hands of knowledgeable SOA proponents (see "No 'Leader' Exists in SOA Governance ... At Least Not Yet").

The market for SOA governance is a varied one, with many different types of products providing support for governing the behavior of an SOA. In short, SOA governance is about ensuring and validating that assets and artifacts within the architecture are operating as expected and maintaining a certain level of quality. This Magic Quadrant reduces the market to one set of technologies with strong architectural cohesion (integration) promoting ease of use and interoperability of products. This integration includes the idea that multiple personas will be involved in governing an SOA (see "The Pedigree of the Integrated Service Environment Market"). Each of these personas will bring a different perspective to the process of performing different kinds of tasks. However, all of these tasks must be part of a single governance effort instead of a different, but related, effort.

We avoid use of the term "governance suite" because it is not representative of the product sets sold today. The majority of SOA governance technologies are not integrated into a single suite but are provided from very different technology code bases. Policy management and enforcement engines seldom share the same integrated code base as registries and repositories. In addition, many of the features of SOA governance are being built into other SOA infrastructure offerings (for example, Tibco Software, IBM, BEA Systems and Oracle) and, as such, do not constitute an independent suite in packaging or product stock-keeping unit. However, the need to provide a set of governance functions in an integrated fashion, no matter what the original source of the technology feature, is important. Likewise, these technologies are not a platform but are, rather, part of a larger set of integrated composition technologies designed for creating and deploying an SOA.

We have included vendors that explicitly sell into the SOA governance technology market. This means that we included only companies with products, sales, marketing and services specifically targeted at providing SOA governance.

We currently do not include SOA and service-testing companies in the Magic Quadrant, even though SOA testing is a closely related market to SOA governance technologies. However, SOA testing capability enhances the ability of a governance technology set. It is our belief that SOA testing and validation will be a key area to watch for emerging governance offerings as companies like HP, iTKO, Mindreef, Parasoft and Solstice grow their presence in SOA governance-related initiatives. In addition, Oracle didn't qualify for this Magic Quadrant because it only markets and sells governance technologies to users with Oracle Application Server or Oracle SOA Suite. Users considering or using technologies that don't meet those specific requirements should look elsewhere for SOA governance technologies.

Gartner analysts evaluate technology providers on the quality and efficacy of the processes, systems, methods or procedures that enable IT provider performance to be competitive, efficient and effective, and to positively impact revenue, retention and reputation. Ultimately, technology providers are judged on their ability and success in capitalizing on their vision.

Gartner evaluates technology providers on their ability to convincingly articulate their current and future market direction, innovation, customer needs and competitive forces and how well they map to the Gartner position. Ultimately, technology providers are rated on their understanding of how market forces can be exploited to create opportunity for the provider.

AmberPoint

• AmberPoint has crafted a solid message around SOA governance.
• It has an impressive ecosystem of partners, resellers, referrals and OEMs, giving it a strong chance to remain an independent, heterogeneous solution.
• With development and support teams outnumbering sales and marketing 3 to 1, AmberPoint does not spend a lot on marketing.
• AmberPoint can rely on these partnerships to bring solid revenue and growth.
• Validation and monitoring technology is also leading edge and visionary.
• AmberPoint, which started as a service-management-centric vendor, can improve on the marketing of its service security functionality.

HP

• HP continues to benefit greatly from its acquisition of Mercury and Systinet, and HP Systinet is one of the better-known and deployed registry/repository solutions.
• The Systinet message, although aged, still resonates with the market, and HP has integrated the Mercury/Systinet team with the SOA Manager (originally Talking Blocks) teams to unify organizationally and technically (through the Governance Interoperability Framework) its SOA governance offering.
• HP continues to pursue a successful strategy of remaining platform-neutral.
• Lack of strong HP marketing of governance puts its position at risk in the long term.

IBM

• IBM has a coherent set of SOA governance messages to the market.
• The holistic SOA message often overshadows governance messaging.
• The combination of WSRR, Datapower, ITCam, WSBSF (from Webify) and Rational Asset Manager (RAM) addresses SOA governance, from the technical perspective.
• IBM Global Services and the IBM partner ecosystem integrate these solutions well.
• IBM, however, needs to message its vision, particularly for governance interoperability (an open specification is currently in development) and standards support (WSRR is built on WebSphere Application Server, which includes a UDDI-compliant registry and also synchronizes with any UDDI-based registries).
• Regarding overall messaging around heterogeneity, IBM needs to strengthen its message. For example, many Gartner clients believe, erroneously, that to leverage IBM's SOA governance, there must be a WebSphere enterprise service bus (ESB) or broker implementation.

Progress Software (Actional/Westbridge)

• Progress has reinvented itself with the Sonic ESB.
• Acquisition of Actional gave users the opportunity to have an out-of-the-box, well-governed solution and further distinguishes Progress.
• Weak marketing of Actional products allowed competitors SOA Software and AmberPoint to rise to prominence in policy management and administration.
• In 2006, linkage in the messaging and marketing of Actional and Sonic caused market confusion and trepidation about Progress technologies in a heterogeneous environment.
• Progress must better position Actional as a general-purpose governance solution, with or without Sonic.

SOA Software

• Offers a full set of well-integrated governance technologies.
• Technologies acquired from Flamenco technologies and Blue Titan provided mediation and multienterprise collaboration functionality.
• Service virtualization, validation and policy management are also market-leading and valuable.
• SOA's partner ecosystem can improve with stronger governance interoperability.
• Policy management and enforcement across a virtual service network are central to its ability.

Software AG

• Software AG and Fujitsu partnered to create and maintain CentraSite and the CentraSite community.
• CentraSite is among the most functional SOA registry/repositories.
• References to any asset (process, policy, identity) relationship and life cycle management of any of the above, JAXR, UDDI and ebXML standards support and federation.
• Policy management is provided by CentraSite Governance Edition (functionality from Infravio, acquired via webMethods) and by various members of the CentraSite community.
• Software AG should continue its expansion into North America by continuing to leverage webMethods' installed base and shed its image of only offering legacy modernization and data management.
• The CentraSite community should become more of a community with best practices and a simple, public SOA governance interoperability specification.

Microsoft

• Microsoft has strong partnerships with AmberPoint and SOA Software.
• Microsoft's SOA governance capabilities are delivered via a combination of the Microsoft Windows Server OS (Microsoft Windows UDDI Server) and products such as the .NET Framework (Windows Communication Foundation).
• AmberPoint Express ships with the latest versions of Visual Studio, encouraging the community of Visual Studio developers to experiment with service management and policy enforcement.
• Microsoft's future strategy around the .NET Framework (Windows Communication Foundation) and Oslo specifically includes a registry/repository and policy management technologies.

BEA Systems

• BEA has made significant investments in SOA governance technologies, partnering with AmberPoint and Systinet via an OEM agreement, acquiring Flashline (a registry/repository) and integrating them with business process management (BPM) technologies allowing governance throughout many elements of the life cycle.
• The AquaLogic family of products and the WorkSpace 360 strategies are solid and have been well-received by the market.
• BEA does have challenges in vision and execution. From a vision perspective, BEA continues to heavily focus on the design-time aspects of SOA governance. This is not surprising, given both Flashline's and BEA's focus on the various aspects of development.
• BEA has also been hampered by recent buyout propositions from Oracle. Gartner doesn't expect that BEA's SOA governance technologies will be eliminated; rather, we feel they may make a complementary addition to any existing technology set of SOA governance technologies. In fact, they would form a solid foundation for building SOA governance leadership.
• BEA's SOA governance technology is worthy of leadership in this market but is hampered in its ability to execute based on recent acquisition plays and speculation about the company's future.

Fujitsu

• CentraSite is among the most functional SOA registry/repositories.
• References to any asset (process, policy, identity) relationship and life cycle management of any of the above, JAXR, UDDI and ebXML standards support and federation. Fujitsu and Software AG partnered to create and maintain CentraSite and the CentraSite community.
• Fujitsu continues to have every opportunity to pursue SOA governance, particularly in the Asia/Pacific region, where Fujitsu enjoys a large installed base, but it needs to increase focus on the larger SOA governance market.
• Fujitsu should enhance relationships with other members of the CentraSite community for policy management and validation.

Iona

• Iona's registry/repository includes service provisioning and SOA policy management.
• It offers strong life cycle management throughout the design, testing and execution cycles.
• It lacks enforcement technologies and a strong/deep governance ecosystem.

Layer 7 Technologies

• Layer 7 is establishing partnerships and OEM agreements with platform vendors and also participating in both the CentraSite community and Governance Interoperability Framework.
• It innovates in areas like federated policy management and governing Web 2.0-style artifacts.
• It actively participates in and implements key SOA policy interoperability standards.
• It is best-known for being an XML firewall appliance vendor, although it is making the transition to SOA policy and operations management.

LogicLibrary

• LogicLibrary possesses expertise in asset (services and components) management and life cycle management.
• It integrates with existing registry solutions and partnerships with other third-party SOA governance technologies.
• It provides users' SOA governance organizations and SOA centers of excellence with insight into the use and enforcement of policy during various asset life cycles, linking the business and the IT department.
• It has an integrated federation capability for integration with metadata registries and repositories.
• LogicLibrary focuses mainly on the design-time aspects of life cycle management, limiting its exposure to customers looking for runtime and design-time management and governance technologies.
• It has limited visibility in the governance market; it is more known for metadata management solutions.

SAP

• SAP has full SOA life cycle management capability, supports SAP's integrated service environment and policy management tools, and is the epicenter of SAP's SOA development.
• The Enterprise Services Repository (ESR) is a misnomer, because the product also includes a full service registry, support for UDDI and graphical modeling.
• In an SAP Business Application environment, this solution should be shortlisted and can be considered in a heterogeneous business application environment.
• Technically, SAP ESR can be deployed in non-SAP environments, but Gartner has not seen many examples of this.
• SAP needs to encourage additional third-party governance technologies to participate in its partner programs to help push its heterogeneous, "not just for SAP" message about middleware and governance.

Tibco Software

• Tibco is transforming into an SOA infrastructure vendor with Java and .NET service hosting and SOA governance that make up the ActiveMatrix product family.
• Both registry/repository and policy management are essential elements of ActiveMatrix.
• Tibco also offers a credible service virtualization message and emerging federation story.
• Federation would be a clear path to leadership for Tibco should the company establish itself as a dominant federated SOA governance provider.
• Version 2 of Active Matrix will include additional SOA governance functionality and support for traditional and emerging multienterprise collaboration.
• Consistent with the challenges of most platform vendors, Tibco needs to further message the heterogeneity of Active Matrix.
• Tibco should consider acquiring or developing (on top of the XML Cannon) its own registry/repository. Partnering for such an essential component of SOA governance is a good stopgap solution but should not be considered a viable long-term option.

Vordel

• Vordel is the oldest security/policy management appliance vendor.
• It has a strong business-to-business (B2B) and business-to-consumer (B2C) strategy and messaging around various forms of security, access control and authentication.
• It is best-known for being an XML firewall appliance vendor, although it is making the transition to SOA policy management.
• It has an active OEM channel, and recently CA entered into an OEM agreement for the XML Gateway, which is tightly integrated with SiteMinder.

WebLayers

• WebLayers focuses on all aspects of policy management, including the organization and administration of policy, ownership, policy governance, control over every aspect of the life cycle of any policy, and policy enforcement.
• WebLayers uses a policy-specific registry/repository that can be federated with other metadata repositories, directories and service registries within an SOA governance implementation.
• Given the relative immaturity of many SOA governance initiatives, the value of the WebLayers solutions is not yet well-understood.
• WebLayers has not effectively marketed the importance of policy management.
• It will benefit from other companies' market efforts around policy management.

CA

• CA had a credible message around policy management delivered in a solution called WSDM, but two years later the market is still waiting on a new version of this product.
• CA is working on its configuration management database (CMDB), but Gartner has seen little development and messaging around SOA governance from CA.
• CA lacks a prominent SOA governance product suite, marketing around SOA governance, and a vision statement for governance of policy, services, processes or profiles in SOA.
• It has a strong historical position as an enterprise management player.
• CA should leverage a bottom-up SOA governance strategy based on enterprise management being surfaced through SOA technologies.

Sun

• The open-source, UDDI/ebXML-compliant registry/repository from Sun remains underleveraged by Sun and unseen by many of our clients.
• The registry/repository should be at the heart of any SOA governance strategy, but it still needs a credible policy management and validation strategy, even if those functionalities are provide by partners.
• ebXML remains somewhat of an albatross to Sun, which frequently leads with an ebXML-compliant message, even given the failure of many parts of the standard (see "ebXML's Future Appears Brightest in Messaging").
• An acquisition of one or two of the smaller visionaries will enhance and supplement existing functionality, but execution and long-term vision will have to be achieved organically.

• AmberPoint, while a smaller vendor, has an impressive ecosystem of partners, resellers, referrals and OEMs.
• AmberPoint's validation and monitoring functionality is powerful enough to detect and capture events and pass them to a complex event processor for adaptive management.

• AmberPoint is frequently seen as an agent-based "runtime" policy enforcement solution. It needs to better message its role in all aspects of SOA artifact life cycle policy management.
• Because its development and support teams outnumber sales and marketing by at least 3:1, AmberPoint has chosen to invest in its partnerships and OEM agreements for growth.

• BEA has made significant investments in its SOA governance technologies, partnering with AmberPoint and Systinet, acquiring Flashline (a registry/repository), and integrating them with BPM technologies allowing governance throughout many elements of the life cycle.
• The AquaLogic family of products and the WorkSpace 360 strategies are solid and have been well-received by the market.

• BEA continues to focus heavily on the design-time aspects of SOA governance. This is not surprising, given Flashline's and BEA's focus on the various aspects of development.
• BEA has also been hampered by recent buyout propositions from Oracle, affecting its ability to execute in this market.

• CA's WSDM solution has strong integration into its Unicenter product for "top to bottom" configuration and dependency management.
• CA has the resources to quickly acquire and integrate a smaller, more visionary vendor offering an independent (from middleware and platform) heterogeneous SOA governance technology solution.

• After WSDM's release more than two years ago, CA has not articulated an SOA governance technology strategy.
• After early support of HP's GIF (under Systinet), CA has no ecosystem of SOA governance vendors and service providers.

• Fujitsu has positioned its registry/repository CentraSite (codeveloped with Software AG) as the center of its Enterprise Management and Visibility strategy, delivering a fully functional free version and an enterprise edition that integrates with its larger enterprise system management (ESM) offering.
• Fujitsu messaging around the importance of configuration and dependency in relation to SOA governance and life cycle management is crisp and well-articulated.

• Fujitsu continues to have every opportunity to pursue SOA governance, particularly in the Asia/Pacific region, where Fujitsu enjoys a large installed base, but it needs to increase its focus on the larger SOA governance market.
• Fujitsu should enhance the relationships with other members of the CentraSite community for policy management and validation.

• HP's acquisition of Mercury, which had previously acquired Systinet, and more importantly its promotion of Mercury and Systinet staff to high-level positions within the HP Software division, has consistently kept HP on the shortlists of SOA governance technology RFPs.
• HP's Governance Interoperability Framework continues to attract third-party infrastructure vendors such as Tibco, AmberPoint and Progress. Combined with strong OEM partnerships, HP has an enormous sales channel for its SOA governance technologies.

• First released in the first quarter of 2006, the next generation of HP's SOA governance flagship brand, Systinet (perhaps Systinet 3), is still months from being released. Considering its dominance in the market, in terms of deployments, partnerships and messaging, the lack of information or insight on this new release is notable.
• HP's SOA governance strategy, which is largely based on Mercury's testing technologies and Systinet's registry/repository technologies, doesn't market its integration and the availability of its policy management solution based on technology from its prior acquisition, Talking Blocks.

• Continued growth and sales of Datapower, an XML firewall, policy management and quasi-ESB, add to the overall ability to execute of IBM.
• IBM's marketing of WSRR, ITCAM and Rational Asset Manager as SOA governance technology has matured, resulting in IBM's being shortlisted in many RFPs.

• Datapower's functionality around service management and enforcement of performance policy needs to improve to be on a par with its security capability.
• Although IBM's strategy for SOA governance technologies is well-integrated, deployments aren't; in many cases, they require a substantial professional-services investment.

• Distributed configuration and provisioning infrastructure provides unique decentralized coordination of services across diverse middleware.
• Its large historical acceptance in financial services provides opportunities for compelling complex case studies and implementations.

• Iona's lack of visibility as a platform leader underscores the need to become a federated governance player.
• Its historical reliance on CORBA customers undercuts innovation in distributed SOA technologies.

• Layer 7 continues to support and lead industry efforts around SOA governance and management standardization, such as WS-Policy.
• It has an appliance-based approach to policy management that includes XML firewalling, virtualization, parsing and content-based routing.

• Layer 7 is still considered by many to be solely an XML firewall appliance vendor.
• If Layer 7 wants to be considered for all policy management (that is, security and performance), it needs to balance its strongly focused security message.

• LogicLibrary offers an extensive asset management environment that goes beyond simple registries.
• The development life cycle management transition to SOA life cycle management unifies service governance and metadata management.

• The development life cycle management message suggests that users should distinguish between design time and runtime, which can stymie SOA governance initiatives.
• It must overcome impressions that the company needs a larger partnership strategy that might lead to acquisition.

• Microsoft partnered early and includes a free version of AmberPoint Express with Visual Studio 2008. For many .NET programmers, this was the first opportunity to experiment with SOA policy enforcement agents.
• Microsoft has certified HP, AmberPoint and SOA Software as its SOA governance technology partners for most aspects of the Microsoft portfolio, including BizTalk and its development solutions.

• Microsoft's overall SOA message is weak and well-behind its competitors. Despite some high-profile partnerships with SOA governance technology partners, the Microsoft SOA governance "story" is still unclear.
• Microsoft is heavily relying on the Windows Communication Foundation (WCF) to help enable SOA governance strategies. There hasn't been widespread use of WCF by customers, and the "Plan B" (BizTalk in conjunction with SOA Software) doesn't connote Microsoft's overall SOA governance strategy.

• Progress acquired Actional, which earlier merged with Westbridge Technologies, providing expertise in policy management for security, performance and availability.
• It had early success with Actional Server (previously called Looking Glass), which provided end-to-end monitoring and reporting.

• Until 2007, the marketing and messaging of SOA governance technologies has been second-tier to Progress' ESB solution, Sonic.
• Because the Sonic ESB is a competitor to many platform vendors, Actional's ecosystem of partners and resellers has been reduced.

• SAP's ESR is a well-integrated registry/repository that includes the processes, service models and policies associated with its business applications that SAP also uses for its own development.
• SAP's ESR includes tools for enterprise architects to introspect the registry/repository and better-align SOA governance initiatives with overall IT governance strategies.

• Although SAP offers heterogeneous SOA governance, we do not see non-SAP users considering these solutions yet.

• Software AG has strongly positioned its registry/repository CentraSite (codeveloped with Fujitsu) as the center of its webMethods and SOA governance technology strategy, delivering a fully functional free version, an enterprise edition and a governance edition.
• Software AG has fully integrated Infravio technologies (acquired with webMethods) into CentraSite and also is the co-founder of one of the two leading governance interoperability initiatives (CentraSite Community).

• Software AG has not fully leveraged its partner ecosystem for functionalities and sales channels.
• Software AG has not leveraged webMethods' B2B technologies (a leading B2B gateway technology) to message and deliver an SOA-based multienterprise collaborative solution.

• SOA Software has credibly delivered all the components of an integrated SOA governance set, including registry/repository, policy management and validation.
• SOA Software's acquisition of Blue Titan and Flamenco Networks and the integration of those technologies give SOA Software an excellent opportunity to successfully compete in the emerging SOA-based multienterprise collaboration space.

• SOA Software has a limited ecosystem of partners and does little to promote its governance interoperability functionality.
• SOA Software should consider increasing its marketing resources to better compete against its main competitors, IBM, HP and BEA.

• Sun's registry/repository was early in the market, supporting UDDI and ebXML registry (although Sun clearly prefers ebXML over UDDI).

• Sun's continued overenthusiastic support of all things ebXML continues to alienate potential customers of Sun's SOA governance technology.
• Sun appears to have abandoned all messaging and marketing of SOA governance.

• Registry/repository and policy management are essential elements of ActiveMatrix and are included with most deployments.
• Tibco offers a credible service virtualization message and emerging federation story.

• Transforming from an integration platform to an SOA governance technology vendor remains a challenge to Tibco's marketing and sales organizations.
• Thus far, Active Matrix governance technology users have been purposely limited to a handful of progressive customers.

• Vordel has an appliance-based approach to security policy management that includes XML firewalling, parsing and content-based routing.
• It has an active OEM channel, and recently CA entered into an OEM agreement for the XML Gateway, which is tightly integrated with SiteMinder.

• Major competitors, such as Cisco, F5 and IBM, will continue to diminish the opportunities for appliances solely providing security policy enforcement.

• WebLayers has developed an innovative architecture to automate and enforce policies consistently through all stages of the life cycle of an SOA infrastructure.
• WebLayers has been a visionary in policy management and offers libraries of 2,000 pre-built policies, providing a foundation to establish an SOA center of excellence or competency center.

• Given the relative immaturity of many SOA governance initiatives, the value of the WebLayers' solutions is not yet well-understood.
• Although improving, WebLayers needs to be more effective in educating the market on the critical importance of policy management and governance.