An Integrated Solution for Runtime Compliance Governance in SOA

Authors: Aliaksandr Birukou, Vincenzo D'Andrea, Frank Leymann, Jacek Serafinski, Patricia Silveira, Steve Strauch, Marek Tluczek

COMPAS: Compliance-driven Models, Languages, and Architectures for Services

"The COMPAS project will design and implement novel models, languages, and an architectural framework to ensure dynamic and on-going compliance of software services to business regulations and stated user service-requirements. COMPAS will use model-driven techniques, domain-specific languages, and service-oriented infrastructure software to enable organizations developing business compliance solutions easier and faster"

http://www.compas-ict.eu

description

In response to recent financial scandals (e.g. those involving Enron, Fortis, Parmalat), new regulations for protecting the society from financial and operational risks of the companies have been introduced. Therefore, companies are required to assure compliance of their operations with those new regulations as well as those already in place. Regulations are only one example of compliance sources modern organizations deal with every day. Other sources of compliance include licenses of business partners and other contracts, internal policies, and international standards. The diversity of compliance sources introduces the problem of compliance governance in an organization. In this paper, we propose an integrated solution for runtime compliance governance in Service-Oriented Architectures (SOAs). We show how the proposed solution supports the whole cycle of compliance management: from modeling compliance requirements in domain-specific languages through monitoring them during process execution to displaying information about the current state of compliance in dashboards. We focus on the runtime part of the proposed solution and describe it in detail. We apply the developed framework in a real case study coming from EU FP7 project COMPAS, and this case study is used through the paper to illustrate our solution.

Transcript of An Integrated Solution for Runtime Compliance Governance in SOA

Page 1: An Integrated Solution for Runtime Compliance Governance in SOA

(Title slide: title, authors, COMPAS description and project website, as given above.)

Page 2: An Integrated Solution for Runtime Compliance Governance in SOA

Compliance

Conformance of a company in fulfilling compliance requirements, i.e. constraints or assertions that are the result of interpreting the compliance sources.

(Figure: example compliance sources, Sarbanes-Oxley Act, Basel III and a security policy, leading to the question "Compliant?")

Page 3: An Integrated Solution for Runtime Compliance Governance in SOA

Do I care about compliance?

(Figure: collage of compliance sources and regulators from several sectors. Labels shown: Legge n. 6 06/02/2009; Legge n. 152 13/08/2010; Sarbanes-Oxley Act; Basel III; Direttiva 2010/40/UE; ECB; Direttiva 2009/548/CE; Decreto 10/09/2010; AEGGSE; Direttiva 2008/763/CE; Ministry of Natural Resources; Ministry of Transportation.)

Image sources: http://www.blogfinanza.com/wp-content/uploads/2010/09/banca1.jpg, http://www.exponent.com/Nuclear-Plant-Services-Capabilities/, http://altocasertano.files.wordpress.com/2007/12/rifiuti1.jpg, http://www.seebiz.eu/hr/tvrtke/transport/pevec-transporti-u-stecaju,65063.html

Page 4: An Integrated Solution for Runtime Compliance Governance in SOA

Not yet convinced?


Page 5: An Integrated Solution for Runtime Compliance Governance in SOA

Compliance market

• Dimension: $29.8 Bln in US in 2010

• 47% spent on internal compliance efforts

• Market growth (in US):

  • 2005-2007: 18.4% / year

  • 3.9% in 2010 (after the crisis)

(Chart: GRC spending forecast. Source: AMR Research, 2009.)

Page 6: An Integrated Solution for Runtime Compliance Governance in SOA

Investment priorities

(Chart: 2010 GRC software investment priorities. Source: AMR Research, 2009. Categories: Compliance management (18%), Business process management, Continuous control monitoring, Security (internal/external), Risk management, Sustainability software, Documents/record management, Reporting. The remaining values shown on the chart are 17%, 16%, 15%, 14%, 12%, 11% and 10%.)

Page 7: An Integrated Solution for Runtime Compliance Governance in SOA

About COMPAS

Funding: European Commission, 7th Framework Programme, Specific Targeted Research Project (STREP)

Duration: February 2008 till January 2011

Budget: 3.920.000 €

Partners: 6 research and 3 industrial partners from Austria, France, Germany, the Netherlands, Italy, Poland

More at http://www.compas-ict.eu

Page 8: An Integrated Solution for Runtime Compliance Governance in SOA

Case study: Advanced Telecom Services

(Figure: an MVNO company receives streams from audio providers and video providers over the Internet and serves customers Bob, Alice and Carol. Compliance sources shown: AudioSport License, FootballGames License, EU MVNO directives, Austria Telecommunication Act 2003, ..., customer contracts.)

Page 9: An Integrated Solution for Runtime Compliance Governance in SOA

Problem: diversity of compliance sources

Compliance rules are often scattered through the SOA ... and must be considered in all components of the SOA and at all development phases.

(Figure: the case-study sources, AudioSport License, FootballGames License, EU MVNO directives, Austria Telecommunication Act 2003 and customer contracts, spread over the SOA.)

Page 10: An Integrated Solution for Runtime Compliance Governance in SOA

Compliance governance in COMPAS

(Figure: the compliance governance cycle with the stages Internalization, Design, Business execution and Internal evaluation. Inputs: regulations, business contracts, standards and internal policies. Elements: business processes, events, execution data and the auditor. The runtime compliance governance part of the cycle is highlighted.)

Page 11: An Integrated Solution for Runtime Compliance Governance in SOA

Compliance domains in COMPAS

(Figure: three compliance domains: Regulations, Licenses, QoS.)

Page 12: An Integrated Solution for Runtime Compliance Governance in SOA

1. Selecting compliance sources and requirements

Sources: VideoSport License, FootballGames License, EU MVNO directives, Austria Telecommunication Act 2003, customer contracts.

Requirements derived from the sources:

• Pay-per-view plan: when the MVNO company subscribes to the Pay-per-view plan it has to pay 29.90 euro first and then receives 300 streams from the media supplier.

• Composition permission: VideoSport can only have audio streams from AudioSport.

• Availability: the WatchMe service must deliver a valid URL in at least 90% of requests per customer subscription.

Page 13: An Integrated Solution for Runtime Compliance Governance in SOA

1. From high-level DSLs to code

(Figure: code generation from the domain-specific languages.)

Page 14: An Integrated Solution for Runtime Compliance Governance in SOA

2. Process (re-)design

Business processes are (re-)designed to emit events to check compliance requirements.

Extended Apache ODE: Universal Unique Identifiers (UUIDs) are used to trace information on a specific process/activity instance.

(Figure: Apache ODE emits a ProcessDeployedEvent; the BPEL file, XPath expressions and trace records are linked for traceability.)

Page 15: An Integrated Solution for Runtime Compliance Governance in SOA

3. Monitoring: Complex Event Processing

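The three requirements selected on page 12 (pay-per-view ordering and quota, composition permission, WatchMe availability) are exactly the kind of checks that step 2 (processes emitting events tagged with instance UUIDs) and step 3 (complex event processing over those events) combine. The following Python is an added example written for this page, not code from the COMPAS project: it evaluates those three requirements over a constructed event stream and reports violations per requirement, the raw material for the compliance indicators shown later in the dashboard. Event field names (instance_id, activity, the keys inside data), the activity names Pay, ReceiveStream, ComposeStream and WatchMe, and the sample events are all assumptions made for the example.

```python
"""Runtime compliance checks over process events (added example, not COMPAS code).

Events, field names and activity names below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

PPV_PRICE = 29.90    # euro to pay first under the Pay-per-view plan (page 12)
PPV_STREAMS = 300    # streams received after paying (page 12)


@dataclass(frozen=True)
class Event:
    """One event emitted by a (re-)designed process; instance_id is the UUID
    that the extended engine attaches so events of one instance can be correlated."""
    instance_id: str
    activity: str
    data: dict


def check_pay_per_view(events):
    """Payment of 29.90 must precede any stream; at most 300 streams per instance."""
    violations, paid, streams = [], set(), defaultdict(int)
    for e in events:                       # events are processed in emission order
        if e.activity == "Pay" and e.data.get("plan") == "pay-per-view":
            if abs(float(e.data.get("amount", 0)) - PPV_PRICE) > 0.005:
                violations.append(f"{e.instance_id}: wrong pay-per-view amount {e.data.get('amount')}")
            else:
                paid.add(e.instance_id)
        elif e.activity == "ReceiveStream" and e.data.get("plan") == "pay-per-view":
            if e.instance_id not in paid:
                violations.append(f"{e.instance_id}: stream received before payment")
            streams[e.instance_id] += 1
            if streams[e.instance_id] == PPV_STREAMS + 1:   # report the quota breach once
                violations.append(f"{e.instance_id}: more than {PPV_STREAMS} streams received")
    return violations


def check_composition(events):
    """VideoSport may only be composed with audio streams coming from AudioSport."""
    return [f"{e.instance_id}: VideoSport composed with audio from {e.data.get('audio_from')}"
            for e in events
            if e.activity == "ComposeStream"
            and e.data.get("video_from") == "VideoSport"
            and e.data.get("audio_from") != "AudioSport"]


def availability_per_subscription(events):
    """Share of WatchMe requests that returned a valid URL, per customer subscription."""
    totals, valid = defaultdict(int), defaultdict(int)
    for e in events:
        if e.activity == "WatchMe":
            sub = e.data.get("subscription")
            totals[sub] += 1
            url = e.data.get("url")
            if isinstance(url, str) and url.startswith(("http://", "https://")):
                valid[sub] += 1
    return {sub: valid[sub] / totals[sub] for sub in totals}


def check_availability(events, threshold=0.9):
    """A subscription is non-compliant when fewer than 90% of its requests got a valid URL."""
    return [f"{sub}: valid URL in {ratio:.0%} of requests (< {threshold:.0%})"
            for sub, ratio in availability_per_subscription(events).items() if ratio < threshold]


def compliance_report(events):
    """Per-requirement compliance state, as a dashboard indicator would consume it."""
    checks = {"Pay-per-view plan": check_pay_per_view,
              "Composition permission": check_composition,
              "Availability": check_availability}
    report = {}
    for name, fn in checks.items():
        found = fn(events)
        report[name] = {"compliant": not found, "violations": found}
    return report


# Constructed sample stream: instance a1 behaves, b2 streams before paying and
# composes with a non-AudioSport provider; Bob gets 9/10 valid URLs, Alice 2/4.
SAMPLE_EVENTS = (
    [Event("a1", "Pay", {"plan": "pay-per-view", "amount": 29.90}),
     Event("a1", "ReceiveStream", {"plan": "pay-per-view"}),
     Event("a1", "ReceiveStream", {"plan": "pay-per-view"}),
     Event("b2", "ReceiveStream", {"plan": "pay-per-view"}),      # before paying
     Event("b2", "Pay", {"plan": "pay-per-view", "amount": 29.90}),
     Event("a1", "ComposeStream", {"video_from": "VideoSport", "audio_from": "AudioSport"}),
     Event("b2", "ComposeStream", {"video_from": "VideoSport", "audio_from": "OtherAudio"})]
    + [Event(f"w{i}", "WatchMe", {"subscription": "Bob", "url": "http://cdn.example/s"}) for i in range(9)]
    + [Event("w9", "WatchMe", {"subscription": "Bob", "url": None})]
    + [Event(f"x{i}", "WatchMe", {"subscription": "Alice",
                                  "url": "http://cdn.example/s" if i < 2 else ""}) for i in range(4)]
)

if __name__ == "__main__":
    for name, state in compliance_report(SAMPLE_EVENTS).items():
        print(name, "compliant" if state["compliant"] else state["violations"])
```

The ordering check in check_pay_per_view only works because events are correlated by instance UUID and consumed in emission order; without the UUID tracing added to Apache ODE on page 14, a stream event could not be matched to the payment of the same process instance.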

Page 16: An Integrated Solution for Runtime Compliance Governance in SOA

3. Monitoring: ETL and Data Warehouse

Page 17: An Integrated Solution for Runtime Compliance Governance in SOA

4. Informing on the current state of compliance

(Figure: dashboard views showing compliance indicators, the different types of compliance, and details on compliance.)

Page 18: An Integrated Solution for Runtime Compliance Governance in SOA

4. Informing on the current state of compliance

(c) Compliance violations page with low-level details about individual violations for business processes and activities.

Page 19: An Integrated Solution for Runtime Compliance Governance in SOA

Current Practice vs. COMPAS Approach

Phases: Modelling, Specification, Static verification/validation, Generation, Dynamic verification and validation, Using; spanning all of them: Governance and Monitoring.

Current practice:

• per case basis

• no generic strategy

• ad hoc, hand-crafted solutions

COMPAS:

• unified framework

• agile

• extensible, tailorable

• domain-orientation

• automation

• etc.

Page 20: An Integrated Solution for Runtime Compliance Governance in SOA

Pros

• COMPAS provides a framework dealing with the whole cycle of compliance governance: from sources to informing interested parties

• Service-oriented technology is mature enough to support such a compliance framework

• The compliance governance framework has been tested in real-world case studies: Advanced Telecom Services + Loan Approval

Cons

• Focus on the service & process world

• Compliance expert selects and interprets sources

Page 21: An Integrated Solution for Runtime Compliance Governance in SOA

Future work

• DSLs for other compliance domains

• Apply in different scenarios

• Reuse knowledge about compliance within/between organizations

Learn more about our approach:

COMPAS website http://www.compas-ict.eu/

COMPAS prototypes http://compas-ict.eu/prototypes.php

Page 22: An Integrated Solution for Runtime Compliance Governance in SOA

More about COMPAS at ICSOC'2010 (tomorrow)

11:00-12:30, P1 Service and Business Process Modelling (1): Root-Cause Analysis of Design-time Compliance Violations on the basis of Property Patterns. Amal Elgammal, Oktay Turetken, Willem-Jan van den Heuvel, Mike Papazoglou

12:30-13:30 and 15:00-17:00, Demo Session: An integrated solution for runtime compliance governance in SOA. Aliaksandr Birukou, Agnieszka Betkowska Cavalcante, Fabio Casati, Soudip Roy Chowdhury, Vincenzo D'Andrea, Frank Leymann, Ernst Oberortner, Jacek Serafinski, Patrícia Silveira, Steve Strauch, Marek Tluczek

Page 23: An Integrated Solution for Runtime Compliance Governance in SOA

COMPAS Dissemination Workshop

Technical University of Warsaw 24-26 January 2011


Page 24: An Integrated Solution for Runtime Compliance Governance in SOA

Questions?

Thanks for your attention!

Contacts

• COMPAS website http://www.compas-ict.eu/

• Dashboard website http://compas.disi.unitn.it/CGD/home.html

• COMPAS prototypes http://compas-ict.eu/prototypes.php

• birukou AT gmail DOT com