An Integrated Solution for Runtime Compliance Governance in SOA



In response to recent financial scandals (e.g. those involving Enron, Fortis, Parmalat), new regulations for protecting society from the financial and operational risks of companies have been introduced. Companies are therefore required to assure compliance of their operations with these new regulations as well as with those already in place. Regulations are only one example of the compliance sources modern organizations deal with every day. Other sources of compliance include licenses of business partners and other contracts, internal policies, and international standards. The diversity of compliance sources introduces the problem of compliance governance in an organization. In this paper, we propose an integrated solution for runtime compliance governance in Service-Oriented Architectures (SOAs). We show how the proposed solution supports the whole cycle of compliance management: from modeling compliance requirements in domain-specific languages, through monitoring them during process execution, to displaying information about the current state of compliance in dashboards. We focus on the runtime part of the proposed solution and describe it in detail. We apply the developed framework in a real case study coming from the EU FP7 project COMPAS, and this case study is used throughout the paper to illustrate our solution.

Published in: Technology
  • I’ll show later how we derive requirements, etc
  • Waste management
  • Solutions like COMPAS can help companies save that money by providing more automated controls
  • COMPAS – Compliance-driven Models, Languages and Architectures for services
  • The case study we consider deals with the telecommunication domain. There is a Virtual Mobile Network Operator (MVNO) which uses the networks of other operators to provide additional services. It combines video and audio from different content providers and streams sports content to its customers over the Internet. This case study focuses on a particularly challenging environment, since the network infrastructure and many of the applications that provide service components are owned and managed by different enterprises, including third-party application providers, network carriers and the MVNO company. The business of the MVNO company must run in accordance with different regulations. It also must adhere to contracts with audio and video providers and to the contracts of its customers. So it faces the problem of ensuring compliance with all those regulations. If they do not comply, they can be sued by those companies, lose customers, or lose a lot of money in fines for not following legislation. Now we will show how our approach allows the company to deal with those concerns in a systematic manner.
  • (1) selecting the sources to be compliant with and designing corresponding compliance requirements; (2) (re-)designing business processes compliant with the selected requirements; (3) monitoring compliance of processes during their execution; (4) informing interested parties (managers, auditors) on the current state of compliance; (5) taking specific actions or changing the processes in cases of (predicted or actual) non-compliance. DESIGN ASPECTS – in parallel session
  • Benefits of our solution
  • … and we presented runtime aspects of such system
  • STARTUP on compas – contact US!
  • An Integrated Solution for Runtime Compliance Governance in SOA

    1. An Integrated Solution for Runtime Compliance Governance in SOA
       Aliaksandr Birukou, Vincenzo D'Andrea, Frank Leymann, Jacek Serafinski, Patricia Silveira, Steve Strauch, Marek Tluczek
       COMPAS: Compliance-driven Models, Languages, and Architectures for Services
       "The COMPAS project will design and implement novel models, languages, and an architectural framework to ensure dynamic and on-going compliance of software services to business regulations and stated user service-requirements. COMPAS will use model-driven techniques, domain-specific languages, and service-oriented infrastructure software to enable organizations developing business compliance solutions easier and faster"
    2. Compliance
       • Conformance of a company in fulfilling compliance requirements, i.e. constraints or assertions that are results of the interpretation of the compliance sources
       • Diagram: Compliant? Sarbanes-Oxley Act, Basel III, Security policy
    3. Do I care about compliance?
       • Diagram of compliance sources: Legge n. 6 06/02/2009, Legge n. 152 13/08/2010, Sarbanes-Oxley Act, Basel III, Direttiva 2010/40/UE, Direttiva 2009/548/CE, Decreto 10/09/2010, Direttiva 2008/763/CE (images from ECB, AEG GSE, Ministry of Natural Resources, Ministry of Transportation)
    4. Not yet convinced?
    5. Compliance market
       • Dimension: $29.8 Bln in US in 2010
         • 47% spent on the internal compliance efforts
       • Market growth (in US):
         • 2005-2007: 18.4%/year
         • 3.9% in 2010 (after the crisis)
       • Chart: GRC spending forecast. Source: AMR Research, 2009
    6. 2010 GRC software investment priorities
       • Chart (Source: AMR Research, 2009) of investment priorities: Compliance management, Business process management, Continuous control monitoring, Security (internal/external), Risk management, Sustainability software, Documents/record management, Reporting; shares range from 18% down to 10%
    7. About COMPAS
       • Funding: European Commission, 7th Framework Programme, Specific Targeted Research Project (STREP)
       • Duration: February 2008 till January 2011
       • Budget: 3.920.000 €
       • Partners: 6 research and 3 industrial partners from Austria, France, Germany, the Netherlands, Italy, Poland
       • More at
    8. Case study: Advanced Telecom Services
       • Diagram: audio providers and video providers deliver content over the Internet to the MVNO company, which serves its customers (Bob, Alice, Carol); compliance sources shown: AudioSport License, FootballGames License, EU MVNO directives, Austria Telecommunication Act 2003, Customer contracts
    9. Problem
       • Diversity of compliance sources
       • Compliance rules are often scattered through the SOA
       • … and must be considered in all components of the SOA and at all development phases
       • Diagram: AudioSport License, FootballGames License, EU MVNO directives, Austria Telecommunication Act 2003, Customer contracts
    10. Compliance governance in COMPAS
       • Diagram: regulations, business contracts and standards are internalized into internal policies; design produces business processes; business execution emits events and execution data; internal evaluation and an auditor use them; runtime compliance governance covers the execution side
    11. Compliance Domains in COMPAS
       • Regulations
       • Licenses
       • QoS
    12. 1. Selecting compliance sources and requirements
       • Pay-per-view plan: When the MVNO company subscribes for the Pay-per-view plan it has to pay 29.90 euro first and then receive 300 streams from the media supplier
       • Composition permission: VideoSport can only have audio streams from AudioSport
       • Availability: The WatchMe service must deliver a valid URL in at least 90% of requests per customer subscription
       • Sources: VideoSport License, FootballGames License, EU MVNO directives, Austria Telecommunication Act 2003, Customer contracts
    13. 1. From high-level DSLs to code
       • Code generation
    14. 2. Process (re-)design
       • Business processes are (re-)designed to emit events to check compliance requirements
       • Extended Apache ODE: using Universal Unique Identifiers (UUIDs) to trace information on a specific process/activity instance
       • Diagram: a BPEL file is deployed to Apache ODE; the running process emits events; XPath expressions on the BPEL file link events to a trace (traceability)
    15. 3. Monitoring: Complex Event Processing
    16. 3. Monitoring: ETL and Data Warehouse
    17. 4. Informing on the current state of compliance
       • Compliance indicators
       • Different types of compliance
       • Details on compliance
    18. 4. Informing on the current state of compliance (dashboard screenshot)
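The runtime part of the cycle shown on slides 12 to 18 (requirements, processes that emit events tagged with an instance UUID, monitoring, compliance indicators), as an added Python example that is not COMPAS project code: it replays constructed events and evaluates the three requirements from slide 12. The event names and fields, the http(s)-with-host criterion for a "valid URL", and the reading of the pay-per-view rule as "payment precedes every delivery and exactly 300 streams are delivered" are assumptions made for this example.

```python
"""Minimal runtime compliance monitor over process events (added example, not COMPAS code)."""
from collections import defaultdict
from dataclasses import dataclass, field
from urllib.parse import urlparse
import uuid


@dataclass(frozen=True)
class Event:
    """One event emitted by a (re-)designed business process (assumed schema)."""
    instance: str            # process instance UUID: the traceability key
    name: str                # event name (assumed for this example)
    seq: int                 # emission order within the instance
    data: dict = field(default_factory=dict)


def valid_url(value):
    """Assumed criterion: an http(s) URL that names a host."""
    try:
        parts = urlparse(value or "")
    except ValueError:
        return False
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def check_availability(events, threshold_pct=90):
    """Availability: WatchMe must return a valid URL in >= 90% of requests,
    evaluated per customer subscription. Returns {subscription: compliant}."""
    counts = defaultdict(lambda: [0, 0])          # subscription -> [requests, valid responses]
    for e in events:
        if e.name == "WatchMeRequest":
            counts[e.data["subscription"]][0] += 1
        elif e.name == "WatchMeResponse" and valid_url(e.data.get("url")):
            counts[e.data["subscription"]][1] += 1
    # integer comparison avoids float rounding at exactly 90%
    return {sub: 100 * valid >= threshold_pct * requests for sub, (requests, valid) in counts.items()}


def check_pay_per_view(events, price_eur=29.90, quota=300):
    """Pay-per-view: the 29.90 EUR payment must precede any stream delivery and the
    supplier must then deliver 300 streams (this example's interpretation).
    Returns {instance: compliant}."""
    state = {}
    for e in sorted(events, key=lambda ev: (ev.instance, ev.seq)):   # replay in emission order
        if e.name not in ("PlanPayment", "StreamDelivered"):
            continue
        st = state.setdefault(e.instance, {"paid": False, "early": False, "streams": 0})
        if e.name == "PlanPayment":
            if e.data.get("plan") == "pay-per-view" and abs(e.data.get("amount", 0.0) - price_eur) < 0.005:
                st["paid"] = True
        else:
            if not st["paid"]:
                st["early"] = True          # a stream was delivered before the payment
            st["streams"] += 1
    return {inst: st["paid"] and not st["early"] and st["streams"] == quota for inst, st in state.items()}


def check_composition(events, permitted=None):
    """Composition permission: VideoSport may only take audio streams from AudioSport.
    Services without a rule are unrestricted. Returns {instance: compliant}."""
    permitted = permitted or {"VideoSport": {"AudioSport"}}
    verdicts = {}
    for e in events:
        if e.name != "AudioComposed":
            continue
        allowed = permitted.get(e.data["service"])
        ok = allowed is None or e.data["audio_provider"] in allowed
        verdicts[e.instance] = verdicts.get(e.instance, True) and ok
    return verdicts


CHECKS = {"availability": check_availability, "pay-per-view": check_pay_per_view, "composition": check_composition}


def compliance_indicators(events):
    """Per-requirement indicators in the shape a dashboard would display."""
    report = {}
    for name, check in CHECKS.items():
        verdicts = check(events)
        report[name] = {"checked": len(verdicts),
                        "compliant": sum(1 for ok in verdicts.values() if ok),
                        "violations": sorted(k for k, ok in verdicts.items() if not ok)}
    return report


def _inst(label):
    # deterministic instance UUIDs so the constructed sample is reproducible
    return str(uuid.uuid5(uuid.NAMESPACE_DNS, f"{label}.example"))


INST_A, INST_B, INST_C, INST_D = (_inst(x) for x in "ABCD")


def build_sample_events():
    """Constructed sample events; not real MVNO traffic."""
    ev = []
    for i in range(10):   # Alice: 9 of 10 responses carry a valid URL -> exactly 90%, compliant
        ev.append(Event(_inst("alice"), "WatchMeRequest", 2 * i, {"subscription": "sub-alice"}))
        url = f"https://cdn.example/stream/{i}" if i < 9 else "not a url"
        ev.append(Event(_inst("alice"), "WatchMeResponse", 2 * i + 1, {"subscription": "sub-alice", "url": url}))
    for i in range(5):    # Bob: 4 of 5 -> 80%, violation
        ev.append(Event(_inst("bob"), "WatchMeRequest", 2 * i, {"subscription": "sub-bob"}))
        url = f"http://cdn.example/stream/{i}" if i < 4 else None
        ev.append(Event(_inst("bob"), "WatchMeResponse", 2 * i + 1, {"subscription": "sub-bob", "url": url}))
    ev.append(Event(INST_A, "PlanPayment", 0, {"plan": "pay-per-view", "amount": 29.90}))   # pay first
    ev.extend(Event(INST_A, "StreamDelivered", i + 1) for i in range(300))                   # then 300 streams
    ev.append(Event(INST_B, "StreamDelivered", 0))                                           # stream before payment
    ev.append(Event(INST_B, "PlanPayment", 1, {"plan": "pay-per-view", "amount": 29.90}))
    ev.extend(Event(INST_B, "StreamDelivered", i + 2) for i in range(299))
    ev.append(Event(INST_C, "AudioComposed", 0, {"service": "VideoSport", "audio_provider": "AudioSport"}))
    ev.append(Event(INST_D, "AudioComposed", 0, {"service": "VideoSport", "audio_provider": "OtherAudio"}))
    return ev


if __name__ == "__main__":
    for requirement, indicator in compliance_indicators(build_sample_events()).items():
        print(requirement, indicator)
```

Each check is keyed by the traceability identifier the requirement is scoped to (a subscription for availability, a process instance UUID for the other two), so a violation in the report points back to the exact instance an auditor would look up in the data warehouse.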
    19. Current Practice vs. COMPAS Approach
       • Current practice:
         • per case basis
         • no generic strategy
         • ad hoc, hand-crafted solutions
       • COMPAS:
         • unified framework
         • agile
         • extensible, tailorable
         • domain-orientation
         • automation
         • etc.
    20. Pros
       • COMPAS provides a framework dealing with the whole cycle of compliance governance: from sources to informing interested parties
       • Service-oriented technology is mature enough to support such a compliance framework
       • The compliance governance framework has been tested in real-world case studies: Advanced Telecom Services + Loan Approval
       Cons
       • Focus on the service & process world
       • Compliance expert selects and interprets sources
    21. Future work
       • DSLs for other compliance domains
       • Apply in different scenarios
       • Reuse knowledge about compliance within/between organizations
       Learn more about our approach
       • COMPAS website
       • COMPAS prototypes
    22. More about COMPAS at ICSOC'2010 (Tomorrow)
       • 11:00-12:30 P1 Service and Business Process Modelling (1)
         • Root-Cause Analysis of Design-time Compliance Violations on the basis of Property Patterns. Amal Elgammal, Oktay Turetken, Willem-Jan van den Heuvel, Mike Papazoglou
       • 12:30-13:30 and 15:00-17:00 Demo Session
         • An integrated solution for runtime compliance governance in SOA. Aliaksandr Birukou, Agnieszka Betkowska Cavalcante, Fabio Casati, Soudip Roy Chowdhury, Vincenzo D'Andrea, Frank Leymann, Ernst Oberortner, Jacek Serafinski, Patrícia Silveira, Steve Strauch, Marek Tluczek
    23. COMPAS Dissemination Workshop
       • Technical University of Warsaw
       • 24-26 January 2011
    24. Questions? Thanks for your attention!
       Contacts
       • COMPAS website
       • Dashboard website
       • COMPAS prototypes
       • birukou AT gmail DOT com