Page 1

COMPAS: Compliance-driven Models, Languages, and Architectures for Services

"The COMPAS project will design and implement novel models, languages, and an architectural framework to ensure dynamic and on-going compliance of software services to business regulations and stated user service-requirements. COMPAS will use model-driven techniques, domain-specific languages, and service-oriented infrastructure software to enable organizations to develop business compliance solutions more easily and faster."

http://www.compas-ict.eu

Page 2

Overview

• COMPAS: Overview
• Central problems addressed by COMPAS
• COMPAS assumptions and approach
• Case Study: Advanced Telecom Services
• Runtime compliance governance in COMPAS

Credits: slides used from presentations of Schahram Dustdar, Uwe Zdun, Marek Tluczek, and other members of the COMPAS project

Page 3

About COMPAS

Funding: European Commission, 7th Framework Programme, Specific Targeted Research Project (STREP)

Duration: February 2008 till January 2011
Budget: 3.920.000 €
Partners: 6 research and 3 industrial partners from Austria, France, Germany, the Netherlands, Italy, Poland

More at http://www.compas-ict.eu

Page 4

COMPAS: Overview

COMPAS addresses a major shortcoming in today's approach to designing SOAs: throughout the architecture, various compliance concerns must be considered.

Examples: service composition policies, service deployment policies, information sharing/exchange policies, security policies, QoS policies, business policies, jurisdictional policies, preference rules, intellectual property and licenses.

So far, the SOA approach does not provide any clear technological strategy or concept of how to realize, enforce, or validate them.

Page 5

Problem in Detail

• A number of approaches, such as business rules or composition concepts for services, have been proposed
• None of these approaches offers a unified approach with which all kinds of compliance rules can be tackled
• Compliance rules are often scattered throughout the SOA
• They must be considered in all components of the SOA
• They must be considered at different development phases, including analysis, design, and runtime

Page 6

Current Practice vs. COMPAS Approach

[Figure: development phases Modelling, Specification, Static verification/validation, Generation, Dynamic verification and validation, and Using, with Governance and Monitoring shown as a concern that cuts across all of them]

Current practice:
• per case basis
• no generic strategy
• ad hoc, hand-crafted solutions

COMPAS:
• unified framework
• agile
• extensible, tailorable
• domain-orientation
• automation
• etc.

Page 7

COMPAS Approach: Auditor’s View

[Figure: auditor's view, relating Regulation/Legislation, Norm/Standard, Controls (Automated Controls, Manual Controls and their Manual Implementation), the Report, and the Risk Management Department]

Goals:
• Support the automated controls better
• Provide more automated controls

Page 8

COMPAS Assumptions

Types of compliance concerns tackled:
• We concentrate on the service & process world
• We concentrate on automated controls
• A compliance expert selects and interprets laws and regulations

We deal with two scenarios of introducing compliance (and variations of them):
• Greenfield
• Existing processes

Page 9

COMPAS Assumptions

• COMPAS provides an architecture and approach for dealing with compliance
• Some compliance examples from the case studies are used to exemplify and validate that architecture and approach
• Existing languages (e.g., BPMN, BPEL, UML Activity Diagrams), technologies (e.g., ESBs, Process Engines), etc., are used wherever possible
• New software components are realized for specific compliance-related solutions (see D1.1 and DA.1)

Page 10

COMPAS Assumptions

We distinguish:
• High-level processes (e.g., BPMN): non-technical and "blurry"
• Low-level processes (e.g., BPEL): technical and detailed

Page 11

Compliance Solution: Overview & Roles

[Figure: compliance solution overview. Phases: Internalization, Design, Business execution, Monitoring, Internal evaluation, Validation. Artefacts flowing between them: regulations, laws, best practices, contracts, ...; internal policies; business processes; events; execution data. Roles: Compliance Officer; Process Analyst / Technical Specialist; Process Manager / Compliance Officer; Process Analyst / Compliance Officer / Technical Specialist; Auditor, with an "assists" relation drawn between roles]

Page 12

Case study: Advanced Telecom Services (WatchMe)

Page 13

Compliance in WatchMe

Domains: Internal policies, QoS and Licensing

Compliance requirements, their description, and the control that implements each:

Licensing

Pay-per-view plan
Description: When the WatchMe company subscribes to the Pay-per-view plan it acquires a limited number of streams, based on the amount paid to the media supplier.
Control: When the WatchMe company subscribes to the Pay-per-view plan it has to pay 29.90 euro first and then receives 300 streams from the media supplier.

Time-based plan
Description: When the WatchMe company subscribes to the Time-based plan it can receive any available stream any number of times within a certain period, based on the amount paid to the media supplier.
Control: When the WatchMe company subscribes to the Time-based plan it has to pay 89.90 euro first and then receives an unlimited number of times any available stream from the media supplier in a 30-day period starting from the contract start date.

Composition permission
Description: Only pre-defined combinations of video and audio providers are allowed, due to the licenses specified by the video provider.
Control: VideoTube can only have audio streams from AudioTube or QuickAudio. QuickVideo can only have audio streams from QuickAudio.
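The three licensing controls above, written out as automated controls over a stream of business events. This is an added example, not code from the COMPAS project or the WatchMe case study: the prices, stream count, 30-day period and provider combinations come from the table, while the event format (dicts with the fields used below), the rule that a stream consumes one pay-per-view entitlement unless a time-based period is running, and the sample events are assumptions.

```python
"""Automated licensing controls for the WatchMe case study (added example)."""
from datetime import datetime, timedelta

# Composition permission: which audio providers each video provider may be
# combined with (from the table above).
ALLOWED_AUDIO = {
    "VideoTube": {"AudioTube", "QuickAudio"},
    "QuickVideo": {"QuickAudio"},
}

# Plan entitlements from the table; amounts are kept in euro cents so the
# control compares exact integers rather than floating-point prices.
PAY_PER_VIEW_CENTS, PAY_PER_VIEW_STREAMS = 2990, 300
TIME_BASED_CENTS, TIME_BASED_DAYS = 8990, 30


class LicenseState:
    """Entitlements the WatchMe company currently holds towards its supplier."""

    def __init__(self):
        self.streams_left = 0          # pay-per-view streams not yet consumed
        self.time_based_until = None   # end of the current time-based period, if any


def check_event(state, ev):
    """Apply one event to the state; return the violations it causes (may be empty)."""
    violations = []
    if ev["type"] == "payment":
        if ev["plan"] == "pay-per-view" and ev["amount_cents"] == PAY_PER_VIEW_CENTS:
            state.streams_left += PAY_PER_VIEW_STREAMS
        elif ev["plan"] == "time-based" and ev["amount_cents"] == TIME_BASED_CENTS:
            state.time_based_until = ev["time"] + timedelta(days=TIME_BASED_DAYS)
        else:
            violations.append(
                f"payment of {ev['amount_cents']} cents does not match plan {ev['plan']}")
    elif ev["type"] == "stream":
        # Composition permission: the audio provider must be licensed for the video provider.
        if ev["audio"] not in ALLOWED_AUDIO.get(ev["video"], set()):
            violations.append(f"{ev['video']} may not be combined with {ev['audio']}")
        # Entitlement: payment must precede delivery. A running time-based period
        # covers the stream (assumption); otherwise one pay-per-view stream is consumed.
        covered = state.time_based_until is not None and ev["time"] <= state.time_based_until
        if not covered:
            if state.streams_left > 0:
                state.streams_left -= 1
            else:
                violations.append("stream delivered without a paid entitlement")
    return violations


def audit(events):
    """Run all events through the controls; return ([(event id, message)], final state)."""
    state = LicenseState()
    found = []
    for ev in events:
        found.extend((ev["id"], msg) for msg in check_event(state, ev))
    return found, state


# Constructed sample events (not from the slides).
T0 = datetime(2010, 1, 1)
SAMPLE_EVENTS = [
    {"id": 1, "type": "stream", "time": T0, "video": "VideoTube", "audio": "AudioTube"},
    {"id": 2, "type": "payment", "time": T0, "plan": "pay-per-view", "amount_cents": 2990},
    {"id": 3, "type": "stream", "time": T0 + timedelta(hours=1), "video": "VideoTube", "audio": "QuickAudio"},
    {"id": 4, "type": "stream", "time": T0 + timedelta(hours=2), "video": "QuickVideo", "audio": "AudioTube"},
    {"id": 5, "type": "payment", "time": T0 + timedelta(days=1), "plan": "time-based", "amount_cents": 8990},
    {"id": 6, "type": "stream", "time": T0 + timedelta(days=20), "video": "QuickVideo", "audio": "QuickAudio"},
    {"id": 7, "type": "stream", "time": T0 + timedelta(days=40), "video": "VideoTube", "audio": "AudioTube"},
]

if __name__ == "__main__":
    found, state = audit(SAMPLE_EVENTS)
    for event_id, msg in found:
        print(f"event {event_id}: {msg}")
    print(f"pay-per-view streams left: {state.streams_left}")
```

On the sample, event 1 is flagged because a stream is delivered before any payment, event 4 because QuickVideo is combined with AudioTube; event 6 falls inside the time-based period and event 7, after that period has ended, draws on the remaining pay-per-view streams.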

Page 14

Business process execution

Page 15

User Interface - Login

Page 16

Business process execution

Page 17

User Interface - Search

Page 18

Business process execution

Page 19

User Interface – Choose

Page 20

Business process execution

Page 21

Business process execution

Page 22

User Interface – Choose

Page 23

Runtime compliance governance in COMPAS

[Figure: COMPAS runtime architecture.
• MDSD software framework (WP1): DSL specification (WP1-5), DSL editors, DSL instances, deployable code
• Runtime compliance environment: Enterprise Service Bus (WP1, WP5), Application Server (WP4), Process Engine (WP1, WP5), Services
• Compliance governance architecture (WP5): Online Compliance Monitoring (Business Protocol Monitoring, CEP-Based Compliance Monitoring), Offline Compliance Monitoring (Event Log, ETL, Data Warehouse, Log Mining, Analysis / Business Intelligence), Compliance Governance Dashboard
• Flows between the components: events, messages, event logs, data, display information]

Page 24

[Figure: the runtime architecture again, highlighting the MDSD software framework (WP1): DSL specification (WP1-5), DSL editors, DSL instances, DSL transformation, view-based modeling framework, EMF model instances, code generator, deployable code; events from the Enterprise Service Bus (WP1, WP5) reach CEP-Based Compliance Monitoring and the Compliance Governance Dashboard]

Quality of Service DSL

Quality-of-Service compliance concerns: specified in Service Level Agreements (SLAs), e.g., Availability > 99%

Support for stakeholders with different expertise:
• Domain experts
• Technical experts

Runtime measuring of QoS values

Monitoring of QoS events

Page 25

[Figure: the same architecture diagram as on the previous page, with the MDSD software framework (WP1) and the online monitoring path highlighted]

Licensing DSL

A high-level language for specifying license constraints in service-oriented business environments, targeted at domain experts

Runtime integration similar to the QoS DSL

Page 26

[Figure: architecture diagram highlighting the Process Engine (WP1, WP5) inside the runtime compliance environment, the deployable code it receives from the MDSD software framework (WP1), and the events it emits onto the Enterprise Service Bus (WP1, WP5)]

Process Engine and Extensions

Extension of the event model:
• Extended Apache ODE version 1.1.1
• Provisioning of the information required for compliance monitoring and mining

Extension for enabling traceability: integrate Universally Unique Identifiers (UUIDs) in BPEL and in events to identify the models from which the processes are generated

Page 27

[Figure: architecture diagram highlighting CEP-Based Compliance Monitoring within Online Compliance Monitoring, fed by events from the Enterprise Service Bus (WP1, WP5) and displaying information on the Compliance Governance Dashboard]

Complex Event Processing and Esper Rules

Complex Event Processing to aggregate compliance events

Compliance violation detection on high-level (aggregated, business) events
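What "aggregating low-level events into high-level compliance events" looks like in practice, for the QoS concern from the Quality of Service DSL page (Availability > 99%) and the CEP-based monitoring described here. This is an added example and not the COMPAS implementation, which uses Esper rules on the ESB; it mirrors in plain Python what a time-window aggregation rule does: per-service service-invocation events are kept in a sliding window, availability is recomputed on every event, and a high-level AvailabilityViolation or AvailabilityRestored event is emitted when the SLA threshold is crossed. The event fields, the window length, the minimum sample count and the sample events are assumptions.

```python
"""Sliding-window aggregation of QoS events into compliance events (added example)."""
from collections import defaultdict, deque

SLA_AVAILABILITY = 0.99   # from the slides: Availability > 99%
WINDOW_SECONDS = 60       # assumed length of the sliding window
MIN_SAMPLES = 20          # assumed: no verdict on fewer invocations than this


class AvailabilityMonitor:
    """Keeps a per-service sliding window of (timestamp, success) samples."""

    def __init__(self, window=WINDOW_SECONDS, threshold=SLA_AVAILABILITY, min_samples=MIN_SAMPLES):
        self.window = window
        self.threshold = threshold
        self.min_samples = min_samples
        self.samples = defaultdict(deque)   # service -> deque of (ts, ok)
        self.in_violation = set()           # services currently below the SLA

    def availability(self, service):
        """Fraction of successful invocations in the current window (None if empty)."""
        window = self.samples[service]
        if not window:
            return None
        return sum(1 for _, ok in window if ok) / len(window)

    def push(self, ts, service, ok):
        """Consume one low-level event; return the high-level events it triggers."""
        window = self.samples[service]
        window.append((ts, ok))
        while window and window[0][0] < ts - self.window:   # expire old samples
            window.popleft()
        emitted = []
        if len(window) < self.min_samples:
            return emitted
        avail = self.availability(service)
        # Emit only on transitions, so one outage produces one violation event
        # rather than one per failed invocation.
        if avail <= self.threshold and service not in self.in_violation:
            self.in_violation.add(service)
            emitted.append({"type": "AvailabilityViolation", "service": service,
                            "availability": avail, "time": ts})
        elif avail > self.threshold and service in self.in_violation:
            self.in_violation.discard(service)
            emitted.append({"type": "AvailabilityRestored", "service": service,
                            "availability": avail, "time": ts})
        return emitted


def run(monitor, events):
    """Feed (ts, service, ok) triples in time order; return all emitted high-level events."""
    emitted = []
    for ts, service, ok in sorted(events, key=lambda e: e[0]):
        emitted.extend(monitor.push(ts, service, ok))
    return emitted


# Constructed sample: VideoTube fails twice early on and recovers later;
# AudioTube never fails. Timestamps are seconds.
SAMPLE_EVENTS = (
    [(t, "VideoTube", t not in (10, 11)) for t in range(25)]
    + [(t, "AudioTube", True) for t in range(25)]
    + [(t, "VideoTube", True) for t in range(100, 120)]
)

if __name__ == "__main__":
    for event in run(AvailabilityMonitor(), SAMPLE_EVENTS):
        print(event)
```

The two failures make VideoTube's availability 18/20 = 90% as soon as the window holds enough samples, which raises one violation event; once the failures have aged out of the window and twenty successful calls have been seen, a single restored event follows. AudioTube stays at 100% and is never reported.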

Page 28

[Figure: architecture diagram highlighting Business Protocol Monitoring within Online Compliance Monitoring, fed by events and messages from the Enterprise Service Bus (WP1, WP5)]

Business protocol-based monitoring

Continuously observe and check the correct behavior of a system during run-time

Checking of temporal property specifications during the execution of a system
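A small runtime monitor for temporal properties of the kind a business protocol states, as an added example (not the COMPAS business protocol monitor). Each property is a state machine that reads one process event at a time, so the monitor can run beside the process engine on the event stream instead of on a finished log. The precedence property encodes the ordering stated in the licensing table (payment before stream delivery); the response property ("every request is eventually answered"), the event names and the sample traces are assumptions.

```python
"""Runtime checking of temporal properties over process event traces (added example)."""


class Precedence:
    """Property "b may only occur after some earlier a" (here: stream only after payment)."""

    def __init__(self, a, b):
        self.a, self.b = a, b
        self.seen_a = False

    def step(self, event):
        if event == self.a:
            self.seen_a = True
        elif event == self.b and not self.seen_a:
            return f"{self.b} occurred before any {self.a}"
        return None

    def finish(self):
        return None   # nothing to check at the end of the trace


class Response:
    """Property "every a is eventually followed by a b"; decidable only at trace end."""

    def __init__(self, a, b):
        self.a, self.b = a, b
        self.pending = 0

    def step(self, event):
        if event == self.a:
            self.pending += 1
        elif event == self.b and self.pending > 0:
            self.pending -= 1
        return None

    def finish(self):
        if self.pending:
            return f"{self.pending} {self.a} event(s) never answered by {self.b}"
        return None


def make_properties():
    """Fresh property automata for one process instance (state is per trace)."""
    return [
        Precedence("PaymentReceived", "StreamDelivered"),   # from the licensing table
        Response("StreamRequested", "StreamDelivered"),     # assumed property
    ]


def check_trace(trace):
    """Return [(position, message)] for each violation.

    position is the index of the offending event, or len(trace) for a
    property that can only be judged once the instance has ended."""
    props = make_properties()
    violations = []
    for i, event in enumerate(trace):
        for p in props:
            msg = p.step(event)
            if msg:
                violations.append((i, msg))
    for p in props:
        msg = p.finish()
        if msg:
            violations.append((len(trace), msg))
    return violations


# Constructed traces, one WatchMe process instance each.
COMPLIANT = ["Login", "Search", "Choose", "PaymentReceived", "StreamRequested", "StreamDelivered"]
UNPAID = ["Login", "Search", "Choose", "StreamRequested", "StreamDelivered"]
UNANSWERED = ["Login", "Search", "Choose", "PaymentReceived", "StreamRequested"]

if __name__ == "__main__":
    for name, trace in [("compliant", COMPLIANT), ("unpaid", UNPAID), ("unanswered", UNANSWERED)]:
        print(name, check_trace(trace) or "OK")
```

The precedence violation is reported at the moment the offending event arrives, which is what makes online monitoring useful; the response violation can only be raised when the instance ends, so a monitor needs an end-of-instance event to close the trace.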

Page 29

[Figure: architecture diagram highlighting Offline Compliance Monitoring: events from the Enterprise Service Bus (WP1, WP5) are stored in the Event Log, loaded into the Data Warehouse by ETL, and used by Log Mining and Analysis / Business Intelligence, which display information on the Compliance Governance Dashboard]

Event Log and Data Warehouse

• Store and provide access to all events (low and high level)
• Separate the operative part (running processes) of COMPAS from the assessment part (data warehouse analysis and reporting)
• Provide a general schema that can accommodate process and compliance requirements without needing to change for each new process or requirement
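One way to meet the "general schema" goal above, together with the UUID traceability extension described for the process engine, shown with SQLite as an added example (not the COMPAS event log or data warehouse, whose schema the slides do not show). A fixed event table carries the fields every event has, including the UUID of the model the process was generated from; everything requirement-specific goes into a name/value attribute table, so a new process or compliance rule adds rows, not columns, and violations can be traced back to the model that produced them. Table layout, field names and sample data are assumptions.

```python
"""Generic event log schema with model traceability (added example)."""
import sqlite3
import uuid

SCHEMA = """
CREATE TABLE event (
    event_id         INTEGER PRIMARY KEY,
    process_instance TEXT NOT NULL,
    model_uuid       TEXT NOT NULL,   -- model the running process was generated from
    level            TEXT NOT NULL CHECK (level IN ('low', 'high')),
    event_type       TEXT NOT NULL,
    ts               TEXT NOT NULL    -- ISO 8601 timestamp
);
CREATE TABLE event_attr (
    event_id INTEGER NOT NULL REFERENCES event(event_id),
    name     TEXT NOT NULL,
    value    TEXT NOT NULL,
    PRIMARY KEY (event_id, name)
);
"""


def open_log():
    """In-memory database with the schema applied."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def record_event(conn, instance, model_uuid, level, event_type, ts, attrs):
    """Store one event with its free-form attributes; return its id."""
    cur = conn.execute(
        "INSERT INTO event (process_instance, model_uuid, level, event_type, ts) "
        "VALUES (?, ?, ?, ?, ?)",
        (instance, model_uuid, level, event_type, ts))
    event_id = cur.lastrowid
    conn.executemany("INSERT INTO event_attr (event_id, name, value) VALUES (?, ?, ?)",
                     [(event_id, k, str(v)) for k, v in attrs.items()])
    conn.commit()
    return event_id


def violations_by_model(conn):
    """Which generated models produce compliance violations, most frequent first."""
    return conn.execute(
        "SELECT model_uuid, COUNT(*) AS n FROM event WHERE event_type = 'ComplianceViolation' "
        "GROUP BY model_uuid ORDER BY n DESC, model_uuid").fetchall()


def events_with_attr(conn, name, value):
    """Event ids carrying a given attribute value, e.g. all violations of one rule."""
    rows = conn.execute(
        "SELECT event_id FROM event_attr WHERE name = ? AND value = ? ORDER BY event_id",
        (name, value))
    return [row[0] for row in rows]


def load_sample():
    """Constructed sample data: two process models, three process instances."""
    conn = open_log()
    # Deterministic, made-up model identifiers (uuid5 of a constructed name).
    model_v1 = str(uuid.uuid5(uuid.NAMESPACE_URL, "example:watchme-stream-process-v1"))
    model_v2 = str(uuid.uuid5(uuid.NAMESPACE_URL, "example:watchme-stream-process-v2"))
    record_event(conn, "inst-1", model_v1, "low", "ServiceInvoked", "2010-01-01T10:00:00",
                 {"service": "VideoTube", "status": "ok"})
    record_event(conn, "inst-1", model_v1, "high", "ComplianceViolation", "2010-01-01T10:00:05",
                 {"rule": "composition-permission", "video": "QuickVideo", "audio": "AudioTube"})
    record_event(conn, "inst-2", model_v1, "high", "ComplianceViolation", "2010-01-01T11:00:00",
                 {"rule": "composition-permission", "video": "QuickVideo", "audio": "AudioTube"})
    record_event(conn, "inst-3", model_v2, "high", "ComplianceViolation", "2010-01-02T09:00:00",
                 {"rule": "availability", "service": "AudioTube", "availability": 0.97})
    return conn, model_v1, model_v2


if __name__ == "__main__":
    conn, model_v1, model_v2 = load_sample()
    print("violations per model:", violations_by_model(conn))
    print("composition-permission violations:",
          events_with_attr(conn, "rule", "composition-permission"))
```

The attribute table is what keeps the schema stable: the availability rule stores a service name and a percentage, the composition rule stores two provider names, and neither needed a schema change. The model UUID on every event is what lets the dashboard ask "which version of the process is generating these violations".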

Page 30

[Figure: architecture diagram highlighting the Compliance Governance Dashboard, which displays information from Online Compliance Monitoring (CEP-Based Compliance Monitoring) and from Offline Compliance Monitoring (Event Log, ETL, Data Warehouse, Log Mining, Analysis / Business Intelligence)]

Compliance Governance Dashboard

Report on compliance, to create an awareness of possible problems or violations, and to facilitate the identification of root causes for non-compliant situations

Targeted at several classes of users:
• chief officers of a company
• line of business managers
• internal auditors
• external auditors (certification agencies)

Page 31

Questions?


Thanks for your attention!

http://www.compas-ict.eu