compas: compliance-driven models, languages, and architectures for services


Upload: russell-avery

Post on 30-Dec-2015

Page 1: COMPAS: Compliance-driven Models, Languages, and Architectures for Services

COMPAS: Compliance-driven Models, Languages, and Architectures for Services

"The COMPAS project will design and implement novel models, languages, and an architectural framework to ensure dynamic and on-going compliance of software services to business regulations and stated user service-requirements. COMPAS will use model-driven techniques, domain-specific languages, and service-oriented infrastructure software to enable organizations developing business compliance solutions easier and faster"

http://www.compas-ict.eu

Page 2: COMPAS: Compliance-driven Models, Languages, and Architectures for Services

Overview

• Central problems addressed by COMPAS
• COMPAS assumptions and approach
• Contribution to NEXOF

Page 3: COMPAS: Compliance-driven Models, Languages, and Architectures for Services

COMPAS: Overview

• COMPAS addresses a major shortcoming in today’s approach to designing SOAs: throughout the architecture, various compliance concerns must be considered
  o Examples: service composition policies, service deployment policies, information sharing/exchange policies, security policies, QoS policies, business policies, jurisdictional policies, preference rules, intellectual property and licenses
• So far, the SOA approach does not provide any clear technological strategy or concept of how to realize, enforce, or validate them

Page 4: COMPAS: Compliance-driven Models, Languages, and Architectures for Services

Problem in Detail

• A number of approaches, such as business rules or composition concepts for services, have been proposed
• None of these approaches offers a unified approach with which all kinds of compliance rules can be tackled
• Compliance rules are often scattered throughout the SOA
• They must be considered in all components of the SOA
• They must be considered at different development phases, including analysis, design, and runtime

Page 5: COMPAS: Compliance-driven Models, Languages, and Architectures for Services

Current Practice vs. COMPAS Approach

[Figure: lifecycle stages Modelling, Specification, Static verification/validation, Generation, Dynamic verification and validation, Using; spanning label: Governance and Monitoring]

Current practice:
o per case basis
o no generic strategy
o ad hoc, hand-crafted solutions

COMPAS:
o unified framework
o agile
o extensible, tailor-able
o domain-orientation
o automation
o etc.

Page 6: COMPAS: Compliance-driven Models, Languages, and Architectures for Services

COMPAS Approach: Auditor’s View

[Figure: auditor's view. Labels: Regulation/Legislation, Norm/Standard, Controls, Automated Controls, Manual Controls, Report, Manual Implementation, Risk Management Department]

Goals:
• Support the automated controls better
• Provide more automated controls

Page 7: COMPAS: Compliance-driven Models, Languages, and Architectures for Services

COMPAS Assumptions

• Types of compliance concerns tackled:
  o We concentrate on the service & process world
  o We concentrate on automated controls
• Compliance expert selects and interprets laws and regulations
• We deal with two scenarios of introducing compliance (and variations of them):
  o Greenfield
  o Existing processes
• We distinguish:
  o High-level processes (e.g., BPMN), non-technical and “blurry”
  o Low-level processes (e.g., BPEL), technical and detailed

Page 8: COMPAS: Compliance-driven Models, Languages, and Architectures for Services

Compliance Solution: Overview & Roles

[Figure: compliance solution overview. Diagram labels: Design; Internalization; Business execution; Monitoring; Internal evaluation; Validation; Regulations, laws, best practices, contracts, ...; Internal policies; Business processes; Events; Execution data. Roles: Auditor; Compliance Officer; Process Manager / Compliance Officer; Process Analyst / Compliance Officer / Technical Specialist; Process Analyst / Technical Specialist. Relation label: assists]

Page 9: COMPAS: Compliance-driven Models, Languages, and Architectures for Services

Contribution to NEXOF

• Conceptual model contribution:
  o Conceptual model and terminology shared with NEXOF-RA, contributing to the Conceptual Reference Model (including Glossary) where compliance concerns could be acquired, modeled, realized, enforced and validated.
• Architecture & Pattern contribution:
  o COMPAS contributed its overall architecture to NEXOF-RA to identify functional elements and derive architectural choices if not patterns to be proposed;
  o Design of a channel-based coordination pattern for design-time service composition within NEXOF-RA.
• Participation & contribution to NEXOF-RA events
  o Open Call for Contribution, Investigation teams
• 2 publications:
  o Collaborative web service discovery with the Implicit Culture Framework, NESSI Open Framework - Reference Architecture (NEXOF-RA), 2008;
  o Design Time Service Composition with Reo Coordination Tools, NESSI Open Framework - Reference Architecture (NEXOF-RA), 2008.

Page 10: COMPAS: Compliance-driven Models, Languages, and Architectures for Services

Questions?


Thanks for your attention!

http://www.compas-ict.eu