Achieving Life-Cycle Compliance of Service-Oriented Architectures: Open Issues and Challenges

  • Theodoor Scholte
  • Engin Kirda
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5939)


The introduction of regulations such as the Sarbanes-Oxley Act requires companies to ensure that appropriate controls are implemented in their business applications. Implementing and validating compliance measures in ‘agile’ companies is a time-consuming, costly, error-prone and maintenance-intensive task. This paper presents an approach towards dynamically adapting a Service-Oriented Architecture (SOA) such that business applications remain compliant. In order to ensure compliance, a compliance checking mechanism for the SOA is needed. Upon detection of a threat or violation, the components of a business application are adapted using aspect-oriented programming (AOP). In this paper, we discuss the fundamental problems and give an architectural description of our approach.
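The abstract describes a detect-then-adapt loop: a compliance checker watches service invocations, and when it detects a violation the affected component is adapted at run time by weaving an aspect around it. The following Python sketch is an added illustration of that loop and is not code from the paper or its authors (their work targets Java-based SOA platforms); the `PaymentService`, the two control rules (segregation of duties and a constructed "mgr-" manager-approver convention for the four-eyes rule) and the threshold are all assumptions chosen for the example. The `weave_around` helper stands in for the dynamic weaving a real AOP framework would provide.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Violation:
    rule: str
    detail: str


class PaymentService:
    """Constructed toy business component: approves payments with no built-in control."""

    def approve(self, *, amount: float, requester: str, approver: str) -> str:
        return f"approved {amount:.2f} for {requester} by {approver}"


# A rule returns a description of the breach, or None when the call is compliant.
RuleFn = Callable[..., Optional[str]]


class ComplianceChecker:
    """Evaluates control rules against one service invocation and logs violations."""

    def __init__(self) -> None:
        self.rules: Dict[str, RuleFn] = {}
        self.log: List[Violation] = []

    def add_rule(self, name: str, rule: RuleFn) -> None:
        self.rules[name] = rule

    def check(self, **call) -> List[Violation]:
        found = [Violation(name, d) for name, rule in self.rules.items() if (d := rule(**call))]
        self.log.extend(found)
        return found


def weave_around(target: object, method: str, advice: Callable) -> None:
    """Stand-in for dynamic weaving: replace a bound method on a live object with
    advice(proceed, **call); the advice decides whether to call proceed."""
    proceed = getattr(target, method)

    def woven(**call):
        return advice(proceed, **call)

    setattr(target, method, woven)


def segregation_of_duties(amount, requester, approver) -> Optional[str]:
    # Control: nobody may approve their own payment.
    if requester == approver:
        return f"{requester} approved their own payment"
    return None


def four_eyes_over(limit: float) -> RuleFn:
    # Control: above the limit a manager must approve (assumed "mgr-" naming convention).
    def rule(amount, requester, approver) -> Optional[str]:
        if amount > limit and not approver.startswith("mgr-"):
            return f"{amount:.2f} exceeds {limit:.2f} without manager approval"
        return None

    return rule


def enforcing_advice(checker: ComplianceChecker) -> Callable:
    """Around-advice: run the checker before the join point; block violating calls."""

    def advice(proceed, **call):
        violations = checker.check(**call)
        if violations:
            raise PermissionError("; ".join(v.detail for v in violations))
        return proceed(**call)

    return advice


def run_scenario() -> dict:
    svc = PaymentService()
    checker = ComplianceChecker()
    checker.add_rule("SoD", segregation_of_duties)
    checker.add_rule("four-eyes", four_eyes_over(10_000))

    bad_call = dict(amount=500.0, requester="alice", approver="alice")
    # 1. Before adaptation the component has no control: the call succeeds,
    #    but the checker, acting as a monitor, detects the violation.
    before = svc.approve(**bad_call)
    detected = checker.check(**bad_call)
    # 2. Upon detection, adapt the component by weaving the enforcing aspect.
    if detected:
        weave_around(svc, "approve", enforcing_advice(checker))
    # 3. The same call is now rejected; a compliant call still goes through.
    try:
        svc.approve(**bad_call)
        after = "allowed"
    except PermissionError as exc:
        after = f"blocked: {exc}"
    ok = svc.approve(amount=500.0, requester="alice", approver="bob")
    return {
        "before": before,
        "detected": [v.rule for v in detected],
        "after": after,
        "ok": ok,
        "violations_logged": len(checker.log),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point the sketch makes is that the control is not written into `PaymentService` itself: the rule set lives in the checker, and enforcement is attached to the component only once a violation has been observed, which is what lets the application be adapted without redeploying the service.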


Keywords: Business Process Management, Compliance Management, Compliance Checking, Service-Oriented Architectures, Aspect-Oriented Programming, Risk Assessment, Risk Mitigation





Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Theodoor Scholte (1)
  • Engin Kirda (2)
  1. SAP Research, Mougins Cedex, France
  2. Institut Eurécom, Valbonne, France
