COMPAS: Compliance-driven Models, Languages, and Architectures for Services


Service-oriented Computing

COMPAS: Compliance-driven Models, Languages, and Architectures for Services

"The COMPAS project will design and implement novel models, languages, and an architectural framework to ensure dynamic and on-going compliance of software services to business regulations and stated user service-requirements. COMPAS will use model-driven techniques, domain-specific languages, and service-oriented infrastructure software to enable organizations to develop business compliance solutions more easily and faster."

http://www.compas-ict.eu

Overview
- COMPAS: Overview
- Central problems addressed by COMPAS
- COMPAS assumptions and approach
- Case Study: Advanced Telecom Services
- Runtime compliance governance in COMPAS

Credits: slides used from presentations of Schahram Dustdar, Uwe Zdun, Marek Tluczek, and other members of the COMPAS project

About COMPAS
- Funding: European Commission, 7th Framework Programme, Specific Targeted Research Project (STREP)
- Duration: February 2008 till January 2011
- Budget: 3.920.000
- Partners: 6 research and 3 industrial partners from Austria, France, Germany, the Netherlands, Italy, Poland
- More at http://www.compas-ict.eu

COMPAS: Overview
- COMPAS addresses a major shortcoming in today's approach to designing SOAs: throughout the architecture, various compliance concerns must be considered
- Examples: service composition policies, service deployment policies, information sharing/exchange policies, security policies, QoS policies, business policies, jurisdictional policies, preference rules, intellectual property and licenses
- So far, the SOA approach does not provide any clear technological strategy or concept of how to realize, enforce, or validate them

Problem in Detail
- A number of approaches, such as business rules or composition concepts for services, have been proposed
- None of these offers a unified approach with which all kinds of compliance rules can be tackled
- Compliance rules are often scattered throughout the SOA:
  - They must be considered in all components of the SOA
  - They must be considered at different development phases, including analysis, design, and runtime

Current Practice vs. COMPAS Approach
- Current practice: per-case basis, no generic strategy, ad hoc, hand-crafted solutions
- COMPAS: unified framework, agile, extensible, tailorable, domain-orientation, automation, etc.

COMPAS Approach: Auditor's View
- Goals: support the automated controls better; provide more automated controls

COMPAS Assumptions
- Types of compliance concerns tackled:
  - We concentrate on the service & process world
  - We concentrate on automated controls
  - The compliance expert selects and interprets laws and regulations
- We deal with two scenarios of introducing compliance (and variations of them):
  - Greenfield
  - Existing processes

COMPAS Assumptions (continued)
- COMPAS provides an architecture and approach for dealing with compliance
- Some compliance examples from the case studies are used to exemplify and validate that architecture and approach
- Existing languages (e.g., BPMN, BPEL, UML Activity Diagrams), technologies (e.g., ESBs, process engines), etc., are used wherever possible
- New software components are realized for specific compliance-related solutions (see D1.1 and DA.1)

COMPAS Assumptions (continued)
- We distinguish:
  - High-level processes (e.g., BPMN): non-technical and blurry
  - Low-level processes (e.g., BPEL): technical and detailed

Compliance Solution: Overview & Roles
(figure-only slide)

Case study: Advanced Telecom Services (WatchMe)
(figure-only slide)

Compliance in WatchMe
Domains: Internal policies, QoS and Licensing

Domain    | Compliance requirement | Description of compliance requirement | Control
----------|------------------------|---------------------------------------|--------
Licensing | Pay-per-view plan      | When the WatchMe company subscribes for the Pay-per-view plan, it acquires a limited number of streams based on the amount paid to the media supplier. | When the WatchMe company subscribes for the Pay-per-view plan, it has to pay 29.90 euro first and then receives 300 streams from the media supplier.
Licensing | Time-based plan        | When the WatchMe company subscribes for the Time-based plan, it may receive any available stream any number of times within a certain period, based on the amount paid to the media supplier. | When the WatchMe company subscribes for the Time-based plan, it has to pay 89.90 euro first and then receives an unlimited number of times any available stream from the media supplier in a 30-day period starting from the contract start date.
Licensing | Composition permission | Only pre-defined combinations of video and audio providers are allowed due to the licenses specified by the video provider. | VideoTube can only have audio streams from AudioTube or QuickAudio. QuickVideo can only have audio streams from QuickAudio.

Business process execution
(screenshot-only slide)

The following slides are screenshots only, alternating the WatchMe user interface with the corresponding business process execution view:
- User Interface - Login
- Business process execution
- User Interface - Search
- Business process execution
- User Interface - Choose
- Business process execution
- Business process execution
- User Interface - Choose

Runtime compliance governance in COMPAS
(figure-only slide)

Quality of Service DSL
- Quality-of-Service compliance concerns: specified in Service Level Agreements (SLAs), e.g., Availability > 99%
- Support for stakeholders with different expertise:
  - Domain experts
  - Technical experts
- Runtime measuring of QoS values
- Monitoring of QoS events
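The slide separates the domain expert's statement of a QoS concern (an SLA clause such as "Availability > 99%") from the technical work of measuring the value at runtime and raising an event. The following Python is an added example, not COMPAS project code and not the project's QoS DSL: the clause format, the probe events and the service names are constructed here to show how a declarative clause is evaluated against runtime measurements.

```python
"""Added example, not COMPAS project code: a QoS compliance check in the spirit
of the QoS DSL slide. A domain-level SLA clause ("Availability > 99%") is
written as data, and the technical side measures availability at runtime from
probe events and emits one compliance event per clause. The clause format,
the probe events and the service names are constructed for this example."""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Domain-expert view: SLA clauses as data (constructed; stands in for a DSL statement).
SLA_CLAUSES = [
    {"service": "VideoTube", "metric": "availability", "op": ">", "threshold": 0.99},
    {"service": "AudioTube", "metric": "availability", "op": ">", "threshold": 0.99},
]

OPS = {">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
       "<": lambda a, b: a < b, "<=": lambda a, b: a <= b}


@dataclass(frozen=True)
class ProbeEvent:
    service: str
    ts: float   # seconds since the start of the measuring window
    up: bool    # result of a health probe taken at time ts


def availability(events: Iterable[ProbeEvent], window_end: float) -> float:
    """Fraction of the interval [first probe, window_end] during which the
    service was up. Each probe result is assumed to hold until the next probe."""
    evs = sorted(events, key=lambda e: e.ts)
    if not evs:
        return 0.0  # no measurements: report as unavailable rather than silently compliant
    up_time = 0.0
    for i, cur in enumerate(evs):
        end = evs[i + 1].ts if i + 1 < len(evs) else window_end
        if cur.up:
            up_time += max(0.0, end - cur.ts)
    span = window_end - evs[0].ts
    return up_time / span if span > 0 else 0.0


def evaluate_sla(clauses: List[Dict], events: Iterable[ProbeEvent],
                 window_end: float) -> List[Dict]:
    """Technical-expert view: measure each clause's metric and produce a
    compliance event that a dashboard or an event-processing engine could consume."""
    by_service: Dict[str, List[ProbeEvent]] = {}
    for e in events:
        by_service.setdefault(e.service, []).append(e)
    results = []
    for c in clauses:
        measured = availability(by_service.get(c["service"], []), window_end)
        compliant = OPS[c["op"]](measured, c["threshold"])
        results.append({"service": c["service"], "metric": c["metric"],
                        "measured": round(measured, 4),
                        "threshold": c["threshold"], "compliant": compliant})
    return results


# Constructed probe log over a 1000-second window: VideoTube is down for 15 s
# (availability 0.985, violates "> 0.99"), AudioTube for 5 s (0.995, compliant).
SAMPLE_EVENTS = [
    ProbeEvent("VideoTube", 0.0, True), ProbeEvent("VideoTube", 950.0, False),
    ProbeEvent("VideoTube", 965.0, True),
    ProbeEvent("AudioTube", 0.0, True), ProbeEvent("AudioTube", 990.0, False),
    ProbeEvent("AudioTube", 995.0, True),
]

if __name__ == "__main__":
    for r in evaluate_sla(SLA_CLAUSES, SAMPLE_EVENTS, 1000.0):
        print(r)
```

The design choice worth noting is that a service with no probe data in the window is reported as non-compliant: a monitoring gap should surface on the dashboard, not be read as 100% availability.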

Licensing DSL
- A high-level language for specifying license constraints in service-oriented business environments, targeted at domain experts
- Runtime integration similar to the QoS DSL

Process Engine and Extensions
- Extension of the event model:
  - Extended Apache ODE version 1.1.1
  - Provisioning of the information required for compliance monitoring and mining
- Extension for enabling traceability: integrate Universally Unique Identifiers (UUIDs) in BPEL and events to identify the models from which the processes are generated

Complex Event Processing and Esper Rules
- Complex Event Processing to aggregate compliance events
- Compliance violation detection on high-level (aggregated, business) events

Business protocol-based monitoring
- Continuously observe and check the correct behavior of a system during runtime
- Checking of a temporal-properties specification during execution of a system
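The two monitoring styles above, aggregation of low-level events into business-level violations and checking of temporal properties while the process runs, can both be shown on the WatchMe licensing controls from the case study table. The following Python monitor is an added example, not COMPAS project code and not the Esper rules or the protocol monitor the slides describe; the event kinds, field names and contract ids are constructed, while the fees, the 300-stream quota, the 30-day period and the allowed provider pairs are the controls quoted on the WatchMe slide.

```python
"""Added example, not COMPAS project code: a small runtime monitor that checks
the WatchMe licensing controls from the case study over a constructed event
stream. It combines the two monitoring styles named on the slides: aggregated
counting of low-level stream events, and checking of a temporal property (the
plan fee must be paid before any stream is delivered). Event kinds, field
names and contract ids are constructed for this example."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Controls quoted from the WatchMe compliance table.
PLANS = {
    "pay-per-view": {"fee": 29.90, "max_streams": 300, "valid_days": None},
    "time-based":   {"fee": 89.90, "max_streams": None, "valid_days": 30},
}
ALLOWED_AUDIO = {"VideoTube": {"AudioTube", "QuickAudio"},
                 "QuickVideo": {"QuickAudio"}}


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str            # "subscribe", "payment" or "stream" (constructed names)
    contract: str
    plan: str = ""       # subscribe only
    amount: float = 0.0  # payment only
    video: str = ""      # stream only
    audio: str = ""      # stream only


@dataclass
class ContractState:
    plan: str
    start: datetime
    paid: float = 0.0
    streams: int = 0


class ComplianceMonitor:
    def __init__(self):
        self.contracts = {}   # contract id -> ContractState
        self.violations = []  # high-level compliance events for the dashboard

    def _violate(self, ev, rule, detail):
        self.violations.append({"ts": ev.ts.isoformat(), "contract": ev.contract,
                                "rule": rule, "detail": detail})

    def process(self, ev):
        if ev.kind == "subscribe":
            self.contracts[ev.contract] = ContractState(ev.plan, ev.ts)
            return
        st = self.contracts.get(ev.contract)
        if st is None:
            self._violate(ev, "protocol/unknown-contract", f"{ev.kind} without subscription")
            return
        plan = PLANS[st.plan]
        if ev.kind == "payment":
            st.paid += ev.amount
            return
        if ev.kind != "stream":
            return
        st.streams += 1
        # Temporal property: the fee is paid first, then streams are received.
        if st.paid < plan["fee"]:
            self._violate(ev, "licensing/payment-first",
                          f"stream delivered with {st.paid:.2f} of {plan['fee']:.2f} euro paid")
        # Aggregated count over low-level stream events: pay-per-view quota.
        if plan["max_streams"] is not None and st.streams > plan["max_streams"]:
            self._violate(ev, "licensing/stream-quota",
                          f"stream {st.streams} exceeds {plan['max_streams']}")
        # Time-based plan: streams only within the validity period.
        if plan["valid_days"] is not None and ev.ts > st.start + timedelta(days=plan["valid_days"]):
            self._violate(ev, "licensing/validity-window",
                          f"stream after the {plan['valid_days']}-day period")
        # Composition permission: only licensed video/audio provider pairs.
        if ev.audio not in ALLOWED_AUDIO.get(ev.video, set()):
            self._violate(ev, "licensing/composition",
                          f"{ev.video} combined with audio from {ev.audio}")


def sample_events():
    """Constructed event stream for two contracts, in chronological order."""
    t0 = datetime(2010, 1, 1)
    evs = [
        Event(t0, "subscribe", "C1", plan="pay-per-view"),
        # stream before payment: payment-first violation
        Event(t0 + timedelta(minutes=1), "stream", "C1", video="VideoTube", audio="QuickAudio"),
        Event(t0 + timedelta(minutes=2), "payment", "C1", amount=29.90),
    ]
    # 300 more streams: the 301st stream overall exceeds the 300-stream quota
    for i in range(300):
        evs.append(Event(t0 + timedelta(hours=1, minutes=i), "stream", "C1",
                         video="VideoTube", audio="AudioTube"))
    evs += [
        Event(t0, "subscribe", "C2", plan="time-based"),
        Event(t0 + timedelta(minutes=5), "payment", "C2", amount=89.90),
        Event(t0 + timedelta(days=10), "stream", "C2", video="VideoTube", audio="AudioTube"),
        # after the 30-day period and with an unlicensed provider pair: two violations
        Event(t0 + timedelta(days=31), "stream", "C2", video="QuickVideo", audio="AudioTube"),
    ]
    return sorted(evs, key=lambda e: e.ts)


def run_sample():
    mon = ComplianceMonitor()
    for ev in sample_events():
        mon.process(ev)
    return mon.violations


if __name__ == "__main__":
    for v in run_sample():
        print(v)
```

Each violation record carries the contract id and timestamp of the low-level event that triggered it, which is the traceability the event-log and dashboard slides rely on for root-cause analysis.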

Event Log and Data Warehouse
- Store and provide access to all events (low and high level)
- Separate the operative part (running processes) of COMPAS from the assessment part (data warehouse analysis and reporting)
- Provide a general schema that can accommodate process and compliance requirements without the need to change it for each new process or requirement

Compliance Governance Dashboard
- Report on compliance, to create awareness of possible problems or violations and to facilitate the identification of root causes of non-compliant situations
- Targeted at several classes of users: chief officers of a company, line-of-business managers, internal auditors, and external auditors (certification agencies)

Questions?

Thanks for your attention!
http://www.compas-ict.eu