An Integrated Solution for Runtime Compliance Governance in SOA
Aliaksandr Birukou, Vincenzo D'Andrea, Frank Leymann, Jacek Serafinski, Patricia Silveira, Steve Strauch, Marek Tluczek

COMPAS: Compliance-driven Models, Languages, and Architectures for Services

"The COMPAS project will design and implement novel models, languages, and an architectural framework to ensure dynamic and on-going compliance of software services to business regulations and stated user service-requirements. COMPAS will use model-driven techniques, domain-specific languages, and service-oriented infrastructure software to enable organizations developing business compliance solutions easier and faster."
http://www.compas-ict.eu
Compliance
Conformance of a company in fulfilling compliance requirements, i.e. constraints or assertions that result from the interpretation of the compliance sources.
Compliant? Do I care about compliance?
[Figure: examples of compliance sources across sectors: Sarbanes-Oxley Act, Basel III, security policy; Legge n. 6 06/02/2009, Legge n. 152 13/08/2010, Direttiva 2010/40/UE, ECB; Direttiva 2009/548/CE, Decreto 10/09/2010, AEGGSE; Direttiva 2008/763/CE, Ministry of Natural Resources, Ministry of transportation]
Not yet convinced?
• Dimension: $29.8 Bln in US in 2010
• 47% spent on the internal compliance efforts
• Market growth (in US):
  • 2005-2007: 18.4%/year
  • 3.9% in 2010 (after the crisis)
Compliance market. [Chart: GRC spending forecast. Source: AMR Research, 2009]
Investment priorities. [Chart: 2010 GRC software investment priorities. Source: AMR Research, 2009. Compliance management 18%; business process management, continuous control monitoring, security (internal/external), risk management, sustainability software, documents/record management and reporting each between 10% and 17%]
About COMPAS
Funding: European Commission, 7th Framework Programme, Specific Targeted Research Project (STREP)
Duration: February 2008 till January 2011
Budget: 3.920.000 €
Partners: 6 research and 3 industrial partners from Austria, France, Germany, the Netherlands, Italy, Poland
More at http://www.compas-ict.eu
Case study: Advanced Telecom Services
[Figure: MVNO companies compose services from Internet audio and video providers for the customers Bob, Alice and Carol; compliance sources shown: AudioSport License, FootballGamesLicense, EU MVNO directives, Austria Telecommunication Act 2003, customer contracts, ...]
Problem: diversity of compliance sources
Compliance rules are often scattered through the SOA ...and must be considered in all components of the SOA and at all development phases.
[Figure: the same sources, AudioSport License, FootballGamesLicense, EU MVNO directives, Austria Telecommunication Act 2003 and customer contracts, spread over the components of the SOA]
Compliance governance in COMPAS
[Figure: compliance sources (regulations, business contracts, standards, internal policies) are internalized and designed into business processes; business execution emits events and execution data, which feed internal evaluation and the auditor; this loop is the runtime compliance governance]
Compliance Domains in COMPAS: Regulations, Licenses, QoS
1. Selecting compliance sources and requirements
Sources: VideoSport License, FootballGamesLicense, EU MVNO directives, Austria Telecommunication Act 2003, Customer contracts
Pay-per-view plan: When an MVNO company subscribes to the Pay-per-view plan it has to pay 29.90 euro first and then receives 300 streams from the media supplier.
Composition permission: VideoSport can only have audio streams from AudioSport.
Availability: The WatchMe service must deliver a valid URL in at least 90% of requests per customer subscription.
1. From high-level DSLs to code
Code generation targeting Apache ODE
2. Process (re-)design
Business processes are (re-)designed to emit events that allow checking the compliance requirements.
Extended Apache ODE: Universally Unique Identifiers (UUIDs) are used to trace information back to a specific process/activity instance.
[Figure: traceability from a ProcessDeployedEvent back to the BPEL file via XPath traces]
3. Monitoring: Complex Event Processing
3. Monitoring: ETL and Data Warehouse
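As an added example (not code from the COMPAS prototypes), the following Python evaluates two of the case-study requirements over a constructed, UUID-traced event stream of the kind the redesigned processes emit; the activity names WatchMe and ComposeAudio, the subscription ids and the UUID strings are assumptions made for this example:

```python
"""Runtime compliance check over process events (added example, not COMPAS code).
Each constructed event carries the UUID of the emitting process instance (as the
extended Apache ODE does), the activity, the customer subscription and a payload.
Checked: Availability (WatchMe delivers a valid URL in >= 90% of requests per
subscription) and Composition permission (VideoSport takes audio only from
AudioSport). Activity names, subscription ids and UUID strings are placeholders."""
from collections import defaultdict
from urllib.parse import urlparse

AVAILABILITY_THRESHOLD = 0.9
ALLOWED_AUDIO_SUPPLIERS = {"VideoSport": {"AudioSport"}}

def make_events():
    """Constructed sample stream as (instance_uuid, activity, subscription, payload)."""
    ev = []
    for i in range(10):  # Alice: 10 requests, 9 valid URLs -> exactly 90%, compliant
        url = f"https://media.example/stream/{i}" if i else "not a url"
        ev.append((f"uuid-alice-{i}", "WatchMe", "sub-alice", {"url": url}))
    for i in range(5):  # Bob: 5 requests, 4 valid URLs -> 80%, violates the 90% rule
        url = "http://media.example/stream/b" if i else None
        ev.append((f"uuid-bob-{i}", "WatchMe", "sub-bob", {"url": url}))
    ev.append(("uuid-carol-0", "ComposeAudio", "sub-carol",
               {"service": "VideoSport", "supplier": "AudioSport"}))  # permitted
    ev.append(("uuid-carol-1", "ComposeAudio", "sub-carol",
               {"service": "VideoSport", "supplier": "OtherAudio"}))  # violation
    return ev

def valid_url(url):
    """A delivered URL counts as valid only with an http(s) scheme and a host."""
    parts = urlparse(url or "")
    return parts.scheme in ("http", "https") and bool(parts.netloc)

def availability_violations(events):
    """Subscriptions whose share of valid WatchMe URLs is below the threshold."""
    stats = defaultdict(lambda: [0, 0])  # subscription -> [requests, valid]
    for _uuid, activity, sub, payload in events:
        if activity == "WatchMe":
            stats[sub][0] += 1
            stats[sub][1] += valid_url(payload.get("url"))
    return {sub: ok / total for sub, (total, ok) in stats.items()
            if ok / total < AVAILABILITY_THRESHOLD}

def composition_violations(events):
    """(instance UUID, supplier) of audio compositions from a non-permitted supplier."""
    return [(uuid, p["supplier"]) for uuid, activity, _sub, p in events
            if activity == "ComposeAudio"
            and p["supplier"] not in ALLOWED_AUDIO_SUPPLIERS.get(p["service"], set())]

if __name__ == "__main__":
    print(availability_violations(make_events()), composition_violations(make_events()))
```

The instance UUID carried by each violation is what lets the dashboard link a low-level violation back to the exact process/activity instance in the BPEL file.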
4. Informing on the current state of compliance
[Dashboard: compliance indicators; different types of compliance; details on compliance]
(c) Compliance violations page with low-level details about individual violations for business processes and activities.
Current Practice vs. COMPAS Approach
Phases: Modelling, Specification, Static verification/validation, Generation, Dynamic verification and validation, Using; Governance and Monitoring span all phases.
Current practice:
o per case basis
o no generic strategy
o ad hoc, hand-crafted solutions
COMPAS:
o unified framework
o agile
o extensible, tailorable
o domain-orientation
o automation
o etc.
Pros
COMPAS provides a framework dealing with the whole compliance governance cycle: from sources to informing interested parties.
Service-oriented technology is mature enough to support such a compliance framework.
The compliance governance framework has been tested in real-world case studies: Advanced Telecom Services + Loan Approval.
Cons
Focus on the service & process world.
A compliance expert selects and interprets the sources.
Future work
DSLs for other compliance domains
Apply in different scenarios
Reuse knowledge about compliance within/between organizations
Learn more about our approach
COMPAS website http://www.compas-ict.eu/
COMPAS prototypes http://compas-ict.eu/prototypes.php
More about COMPAS at ICSOC'2010
11:00-12:30, P1 Service and Business Process Modelling (1): Root-Cause Analysis of Design-time Compliance Violations on the basis of Property Patterns. Amal Elgammal, Oktay Turetken, Willem-Jan van den Heuvel, Mike Papazoglou
12:30-13:30 and 15:00-17:00, Demo Session: An integrated solution for runtime compliance governance in SOA. Aliaksandr Birukou, Agnieszka Betkowska Cavalcante, Fabio Casati, Soudip Roy Chowdhury, Vincenzo D'Andrea, Frank Leymann, Ernst Oberortner, Jacek Serafinski, Patrícia Silveira, Steve Strauch, Marek Tluczek
Tomorrow: COMPAS Dissemination Workshop, Technical University of Warsaw, 24-26 January 2011
Questions?
Thanks for your attention!
Contacts
• COMPAS website http://www.compas-ict.eu/
• Dashboard website http://compas.disi.unitn.it/CGD/home.html
• COMPAS prototypes http://compas-ict.eu/prototypes.php
• birukou AT gmail DOT com