Compliance in service-oriented architectures: A model-driven and view-based approach

ContextEnsuring software systems conforming to multiple sources of relevant policies, laws, and regulations is significant because the consequences of infringement can be serious. Unfortunately, this goal is hardly achievable due to the divergence and frequent changes of compliance sources and the differences in perception and expertise of the involved stakeholders. In the long run, these issues lead to problems regarding complexity, understandability, maintainability, and reusability of compliance concerns.ObjectiveIn this article, we present a model-driven and view-based approach for addressing problems related to compliance concerns.MethodCompliance concerns are represented using separate view models. This is achieved using domain-specific languages (DSLs) that enable non-technical and technical experts to formulate only the excerpts of the system according to their expertise and domain knowledge. The compliance implementations, reports, and documentation can be automatically generated from the models. The applicability of our approach has been validated using an industrial case study.ResultsOur approach supports stakeholders in dealing with the divergence of multiple compliance sources. The compliance controls and relevant reports and documentation are generated from the models and hence become traceable, understandable, and reusable. Because the generated artifacts are associated with the models, the compliance information won’t be lost as the system evolves. DSLs and view models convey compliance concerns to each stakeholder in a view that is most appropriate for his/her current work task.ConclusionsOur approach lays a solid foundation for ensuring conformance to relevant laws and regulations. This approach, on the one hand, aims at addressing the variety of expertise and domain knowledge of stakeholders. On the other hand, it also aims at ensuring the explicit links between compliance sources and the corresponding implementations, reports, and documents for conducting many important tasks such as root cause analysis, auditing, and governance.