Choose'10: Uwe Zdun - Compliance in service-oriented architectures: A model-driven and view-based...
description
Transcript of Choose'10: Uwe Zdun - Compliance in service-oriented architectures: A model-driven and view-based...
![Page 1: Choose'10: Uwe Zdun - Compliance in service-oriented architectures: A model-driven and view-based approach](https://reader034.fdocuments.us/reader034/viewer/2022042714/554f6dc3b4c905bb178b4f9c/html5/thumbnails/1.jpg)
Compliance in service-oriented architectures: A model-driven and
view-based approach
Uwe ZdunSoftware Architecture Group
Department of Distributed and Multimedia SystemsUniversity of Vienna
http://cs.univie.ac.at/swa
![Page 2: Choose'10: Uwe Zdun - Compliance in service-oriented architectures: A model-driven and view-based approach](https://reader034.fdocuments.us/reader034/viewer/2022042714/554f6dc3b4c905bb178b4f9c/html5/thumbnails/2.jpg)
2 software architecture group
COMPLIANCE: THE PROBLEM DOMAIN
![Page 3: Choose'10: Uwe Zdun - Compliance in service-oriented architectures: A model-driven and view-based approach](https://reader034.fdocuments.us/reader034/viewer/2022042714/554f6dc3b4c905bb178b4f9c/html5/thumbnails/3.jpg)
3 software architecture group
IT Compliance
IT compliance means in general complying to regulations that apply to an IT systemExamples of regulations are: Basel II, IFRS, MiFID, Cobit, LSF, Tabaksblat, Sarbanes-Oxley ActThese cover issues such as auditor independence, corporate governance, and enhanced financial disclosure
![Page 4: Choose'10: Uwe Zdun - Compliance in service-oriented architectures: A model-driven and view-based approach](https://reader034.fdocuments.us/reader034/viewer/2022042714/554f6dc3b4c905bb178b4f9c/html5/thumbnails/4.jpg)
4 software architecture group
Other Compliance Sources
Regulations are just one exampleThere are many other rules and constraints in a software system that have similar characteristics
Service composition/Deployment rulesService execution order rulesInformation exchange policiesSecurity policiesQoS rulesBusiness rulesLawsLicenses
![Page 5: Choose'10: Uwe Zdun - Compliance in service-oriented architectures: A model-driven and view-based approach](https://reader034.fdocuments.us/reader034/viewer/2022042714/554f6dc3b4c905bb178b4f9c/html5/thumbnails/5.jpg)
5 software architecture group
Current Practice for Dealing with Compliance
Ideal case: A SW-framework for automatically dealing with complianceProblem: It is impossible to formalize all details of a jurisdictional text
Interpretation by domain experts neededComplex references to other (jurisdictional) texts
Hence, in many cases, compliance today is reached on a per-case basis
![Page 6: Choose'10: Uwe Zdun - Compliance in service-oriented architectures: A model-driven and view-based approach](https://reader034.fdocuments.us/reader034/viewer/2022042714/554f6dc3b4c905bb178b4f9c/html5/thumbnails/6.jpg)
6 software architecture group
Issues with the Current Practice
Systems are hard to maintain hard to evolve or change hard to reuse hard to understand
It is difficult to ensure guaranteed compliance to a given set of rules and regulationsIt is difficult to keep up with constant changes in regulations and lawsDomain experts are not involved enough
![Page 7: Choose'10: Uwe Zdun - Compliance in service-oriented architectures: A model-driven and view-based approach](https://reader034.fdocuments.us/reader034/viewer/2022042714/554f6dc3b4c905bb178b4f9c/html5/thumbnails/7.jpg)
Compliance in SOAs
So far the SOA approach does not provide any clear technological strategy or concept of how to realize, enforce, or validate various compliance concerns
![Page 8: Choose'10: Uwe Zdun - Compliance in service-oriented architectures: A model-driven and view-based approach](https://reader034.fdocuments.us/reader034/viewer/2022042714/554f6dc3b4c905bb178b4f9c/html5/thumbnails/8.jpg)
8 software architecture group
OUR APPROACH
![Page 9: Choose'10: Uwe Zdun - Compliance in service-oriented architectures: A model-driven and view-based approach](https://reader034.fdocuments.us/reader034/viewer/2022042714/554f6dc3b4c905bb178b4f9c/html5/thumbnails/9.jpg)
Approach Overview
Models and meta-models for the specification of the SOA and compliance concerns
Domain-specific languages (DSLs) and architectural views for compliance concerns
Model-driven validation and generation of the SOA from the models
Execution, monitoring, and enforcement of compliance concerns in the running SOA
![Page 10: Choose'10: Uwe Zdun - Compliance in service-oriented architectures: A model-driven and view-based approach](https://reader034.fdocuments.us/reader034/viewer/2022042714/554f6dc3b4c905bb178b4f9c/html5/thumbnails/10.jpg)
Approach: Auditor’s View
Regulation /Legislation
Norm/Standard
Controls
Automated Controls Report Manual
ControlsManual
Implementation
Risk Management Department
![Page 11: Choose'10: Uwe Zdun - Compliance in service-oriented architectures: A model-driven and view-based approach](https://reader034.fdocuments.us/reader034/viewer/2022042714/554f6dc3b4c905bb178b4f9c/html5/thumbnails/11.jpg)
Regulation /Legislation
Norm/Standard
Controls
Automated Controls Report Manual
Controls
View-based, model-driven
Approach
GeneratedImplementation
Risk Management Department
Approach: Auditor’s View
![Page 12: Choose'10: Uwe Zdun - Compliance in service-oriented architectures: A model-driven and view-based approach](https://reader034.fdocuments.us/reader034/viewer/2022042714/554f6dc3b4c905bb178b4f9c/html5/thumbnails/12.jpg)
12 software architecture group
Architectural Overview
MDSD Software
Framework
Repositories
Application Servers,ESB Online Monitoring
Offline Monitoring
Dashboard
Data Warehouse
Verification Tools
Compliance Request
Language
Design time
Runtime
![Page 13: Choose'10: Uwe Zdun - Compliance in service-oriented architectures: A model-driven and view-based approach](https://reader034.fdocuments.us/reader034/viewer/2022042714/554f6dc3b4c905bb178b4f9c/html5/thumbnails/13.jpg)
13 software architecture group
Compliance Solution: Overview & Roles
![Page 14: Choose'10: Uwe Zdun - Compliance in service-oriented architectures: A model-driven and view-based approach](https://reader034.fdocuments.us/reader034/viewer/2022042714/554f6dc3b4c905bb178b4f9c/html5/thumbnails/14.jpg)
14 software architecture group
View-based, Model-driven Architecture
Separation of concerns using architectural views Separate different concerns in view-based modelsSeparation of abstraction levels: Separate technical and domain-oriented views
Integrate via model relations and matching algorithms using the model-driven generator
![Page 15: Choose'10: Uwe Zdun - Compliance in service-oriented architectures: A model-driven and view-based approach](https://reader034.fdocuments.us/reader034/viewer/2022042714/554f6dc3b4c905bb178b4f9c/html5/thumbnails/15.jpg)
View-based Modeling Framework (VbMF)
![Page 16: Choose'10: Uwe Zdun - Compliance in service-oriented architectures: A model-driven and view-based approach](https://reader034.fdocuments.us/reader034/viewer/2022042714/554f6dc3b4c905bb178b4f9c/html5/thumbnails/16.jpg)
View-based Modeling Framework (VbMF)
Separation of concerns
![Page 17: Choose'10: Uwe Zdun - Compliance in service-oriented architectures: A model-driven and view-based approach](https://reader034.fdocuments.us/reader034/viewer/2022042714/554f6dc3b4c905bb178b4f9c/html5/thumbnails/17.jpg)
View-based Modeling Framework (VbMF)
Separation of technicaland domain-orientedviews
![Page 18: Choose'10: Uwe Zdun - Compliance in service-oriented architectures: A model-driven and view-based approach](https://reader034.fdocuments.us/reader034/viewer/2022042714/554f6dc3b4c905bb178b4f9c/html5/thumbnails/18.jpg)
Extended VbMF: Modelling and Integration of Compliance Concerns
Core Model
Flow View Model
CollaborationView Model
InformationView Model
Intellectual property and license
DSL
extends extends extends
BPELFLow View
Model
BPELCollaborationView Model
BPELInformationView Model
extends extends extends
Business Process Modeling
QoS policyDSL
Security policyDSL
Compliance Modeling
annotates
Process-driven model instances with annotated
compliance metadata
instance-of
Schematic RecurrentCode & Configurations
generates
extends
Regulatory or legislative
DSL
Compliance Metadata Model
annotates
Documentation
generates
![Page 19: Choose'10: Uwe Zdun - Compliance in service-oriented architectures: A model-driven and view-based approach](https://reader034.fdocuments.us/reader034/viewer/2022042714/554f6dc3b4c905bb178b4f9c/html5/thumbnails/19.jpg)
Domain-Specific Languages Tooling: High-level and low-level DSLs
Business/Domain experts
IT/Technicalexperts
![Page 20: Choose'10: Uwe Zdun - Compliance in service-oriented architectures: A model-driven and view-based approach](https://reader034.fdocuments.us/reader034/viewer/2022042714/554f6dc3b4c905bb178b4f9c/html5/thumbnails/20.jpg)
DSL – An Example
High-Level DSL - Editor
Low-Level DSL
![Page 21: Choose'10: Uwe Zdun - Compliance in service-oriented architectures: A model-driven and view-based approach](https://reader034.fdocuments.us/reader034/viewer/2022042714/554f6dc3b4c905bb178b4f9c/html5/thumbnails/21.jpg)
Compliance Metadata-Model
A bridge between compliance concerns and SOA elementsCompliance metadata model elements:
References to regulations, standards, norms, licenses, etc.Controls
Referencing Services, Processes, etc. (elements that implement the control)Control type (e.g., change management control)
Risks associated to the controlsThis allows us to specify statements like:
“Service/Process X is a change management control, defined in COBIT, to comply with SOX”
![Page 22: Choose'10: Uwe Zdun - Compliance in service-oriented architectures: A model-driven and view-based approach](https://reader034.fdocuments.us/reader034/viewer/2022042714/554f6dc3b4c905bb178b4f9c/html5/thumbnails/22.jpg)
Model-Driven Tool Chain
TransformationTemplates
![Page 23: Choose'10: Uwe Zdun - Compliance in service-oriented architectures: A model-driven and view-based approach](https://reader034.fdocuments.us/reader034/viewer/2022042714/554f6dc3b4c905bb178b4f9c/html5/thumbnails/23.jpg)
23 software architecture group
Execution and Monitoring
Process engine
Service monitors
Other IT event detector
Event Bus
Governance of Compliance
AuditTrail
Event Model
Dashboard
![Page 24: Choose'10: Uwe Zdun - Compliance in service-oriented architectures: A model-driven and view-based approach](https://reader034.fdocuments.us/reader034/viewer/2022042714/554f6dc3b4c905bb178b4f9c/html5/thumbnails/24.jpg)
24 software architecture group
Compliance Governance Dashboard
![Page 25: Choose'10: Uwe Zdun - Compliance in service-oriented architectures: A model-driven and view-based approach](https://reader034.fdocuments.us/reader034/viewer/2022042714/554f6dc3b4c905bb178b4f9c/html5/thumbnails/25.jpg)
25 software architecture group
EXAMPLE
![Page 26: Choose'10: Uwe Zdun - Compliance in service-oriented architectures: A model-driven and view-based approach](https://reader034.fdocuments.us/reader034/viewer/2022042714/554f6dc3b4c905bb178b4f9c/html5/thumbnails/26.jpg)
26 software architecture group
An Example of Process Design
![Page 27: Choose'10: Uwe Zdun - Compliance in service-oriented architectures: A model-driven and view-based approach](https://reader034.fdocuments.us/reader034/viewer/2022042714/554f6dc3b4c905bb178b4f9c/html5/thumbnails/27.jpg)
27 software architecture group
Searching for process fragments realizing SOX 409 concerns using the Compliance Request Language
Query
Models
![Page 28: Choose'10: Uwe Zdun - Compliance in service-oriented architectures: A model-driven and view-based approach](https://reader034.fdocuments.us/reader034/viewer/2022042714/554f6dc3b4c905bb178b4f9c/html5/thumbnails/28.jpg)
28 software architecture group
No suitable fragments are found. We model the concern using the MDD framework
Models
Generated Code
Verified Models
Generated CodeGenerated CodeGenerated Code
![Page 29: Choose'10: Uwe Zdun - Compliance in service-oriented architectures: A model-driven and view-based approach](https://reader034.fdocuments.us/reader034/viewer/2022042714/554f6dc3b4c905bb178b4f9c/html5/thumbnails/29.jpg)
29 software architecture group
Monitor The Process at Runtime
EventsEvents
Display Information
Display Information
![Page 30: Choose'10: Uwe Zdun - Compliance in service-oriented architectures: A model-driven and view-based approach](https://reader034.fdocuments.us/reader034/viewer/2022042714/554f6dc3b4c905bb178b4f9c/html5/thumbnails/30.jpg)
30 software architecture group
Analyze compliance violation: Perform root cause analysis using the models from the model repository
Models
ComplianceViolation
![Page 31: Choose'10: Uwe Zdun - Compliance in service-oriented architectures: A model-driven and view-based approach](https://reader034.fdocuments.us/reader034/viewer/2022042714/554f6dc3b4c905bb178b4f9c/html5/thumbnails/31.jpg)
31 software architecture group
Root cause analysis and process redesign in detail
Before: sequential task execution; slow, lots of violations
MORSE RepositoryUUID 1
formID = „Form8K“duration = 2unit = BusinessDays...
: PublishDeadline
UUID 5
Business process engine
1. Deploy process models
Monitoring Infrastructure
2. Emit events UUID 3UUID 2UUID 1
3. Get compliance models (rules) for process
4. Process and
analyze events
UUID 1
Violationdetected
5. Retrieve responsible / corresponding models
ID = „Sec 409 Real time issuer disclosures“...
: ComplianceConcern
UUID 4
Compliance governance
Web UI
6. Report violation
7. Root cause analysis / manipulation of model(s)
Assess Intrusion End
yes
no
Personal info lost or stolen?
Response Write Form 8-K
Approve Form 8-K
Publish Form 8-K
!UUID 3
UUID 2
UUID 4
UUID 5
Assess Intrusion End
yes
no
Personal info lost or stolen?
Response
Write Form 8-K
Approve Form 8-K
Intrusion detected
Publish Form 8-K!After: parallel task execution; faster, fewer violations
UUID 1
![Page 32: Choose'10: Uwe Zdun - Compliance in service-oriented architectures: A model-driven and view-based approach](https://reader034.fdocuments.us/reader034/viewer/2022042714/554f6dc3b4c905bb178b4f9c/html5/thumbnails/32.jpg)
32 software architecture group
Lessons Learned
On The nature of business compliance in a SOA systemScattered through many system’s elements at different abstraction levelsExisting in different development phases: analysis, design, implementation, and runtime
Enabling methods and technologies for business compliance in SOAs should
Tackling the compliance from multiple perspectives at multiple levels of abstractionTaking into account for the constant needs for changes of laws regulations, policies, etc., to ensure incremental complianceEngaging relevant stakeholders (business/domain experts, technical experts) by providing appropriate tooling and methods
![Page 33: Choose'10: Uwe Zdun - Compliance in service-oriented architectures: A model-driven and view-based approach](https://reader034.fdocuments.us/reader034/viewer/2022042714/554f6dc3b4c905bb178b4f9c/html5/thumbnails/33.jpg)
33 software architecture group
Many thanks for your attention!
Uwe Zdun
Software Architecture GroupDepartment of Distributed and Multimedia SystemsUniversity of Viennahttp://cs.univie.ac.at/swa