Business rules and regulations from regulatory standards such as SOX 404 [ 1 ] control the operation of many business processes and thus constrain the development and usage of IT systems that support those processes, which include Web Service(WS)-based SOA systems. While many business rules and regulations must be translated into functional requirements for such software systems, others can be translated into quality requirements, such as those concerning security, availability and manageability. These requirements can be formulated as high-level quality objectives, e.g., “Customer data must be kept confidential” and realized using various means of IT management and governance.

To ensure that WS-based SOA systems are interoperable and dependable, various industry standards have been proposed to support the specification and management of quality aspects of WS such as those about security, reliable messaging, and transactions. In general, these standards are about system-level * This work is supported by the Australian Research Council and CA Labs. † The author would like to thank Ingo Muller for his valuable comments for this paper mechanisms used to achieve some non-functional qualities. Example mechanisms in security are role-based access control and message encryption and signing. The WS Policy framework (WS-Policy) [ 2 ] is a standard that supports the specification of quality properties for Web Services and service systems. Such standards, however, focus on describing low-level technical details for governing service interactions, rather than on specifying high-level, business-oriented requirements.

One of the issues that needs to be addressed is how to align the high-level, business-oriented quality objectives with the system-level realization mechanisms offered by WS standards such as WS-Policy. Currently, the high-level quality objectives are often identified by practitioners such as business analysts or IT compliance officers who often do not have an in-depth understanding of all the system-level realization mechanisms for such quality objectives. It is the system developers who are responsible for realising them. This realisation process is rather ad hoc and it is thus difficult to ensure that a system fully possesses all the required properties. As such, a contribution of great value would be a systematic process and related techniques that can derive the system-level realization from the business-level requirements and can verify that the realization actually fulfils the requirements.

Once we have come up with a set of design-time system-level realization mechanisms for the quality objectives, a step further is to address the issue of how to guarantee that the realization mechanisms are actually fulfilled when the system is in operation. Being able to select the appropriate quality aspects to monitor and being able to map the monitored events to the original requirements would increase the chance of identifying and resolving non-conformance. An adaptation mechanism which can analyse the quality non-conformance and derive a set of changes to be performed is needed to ensure that the requirements are always respected.

Related Work. While SOA governance is a very active research field, many of the issues identified above have not been addressed in full. Firstly, even though there exist a number of policy frameworks and languages with associated refinement and management techniques such as Ponder [ 3 ] and KAoS [ 4 ], none of them are readily applicable for specifying SOA. In particular, most of the existing frameworks fall short in enabling the specification of business requirements and the refinement of them into system-level policies. More details can be found in our review paper in [ 5 ].

There have been a number of attempts to apply model-driven architecture (MDA) techniques for the modelling and translation of SOA qualities into system-level realization mechanisms such as [ 6 ] or [ 7 ]. In such work, quality properties of services and applications are modelled in platform-independent manners which are then transformed into platform-dependent codes and configurations for middle-wares to realize these qualities. However the entities being modelled are technical entities, representing technical concepts like filter, connector, services, and proxies, not business-oriented entities. This not only limits the participation of business analysts and IT compliance officers in the modelling process but also makes it hard to align the models with the original business requirements.

It is also seen that even though there are different approaches for WS management, the support for business-oriented management is not adequate. Current research work in the field of runtime service management focuses more on the system-level management. Various techniques have been proposed for the specification of service properties and the monitoring and management of them such as in WSLA [ 8 ], SLANG [ 9 ], and WSMN [ 10 ]. However, little has been done to allow for the management of services from a business perspective even though the importance of business-oriented service management has been acknowledged such as in [ 11 ]. The main focus of work in this area has been on specifying and enforcing service SLA. We are unaware of any work that attempts to incorporate other business aspects such as compliance to standards, rules and regulations.

Research objectives. The main objectives and primary contributions of this thesis are as follow 1) We define a general framework for the specification of highlevel quality requirements for systems and present a mechanism to refine them to system-level realization mechanisms 2) We provide an approach for policy-based service registration and discovery with algorithms and techniques for detecting noncompliance of services to organizations’ quality requirements and for verifying service-client quality requirement compatibility 3) We aim to provide a novel monitoring mechanism that can map service runtime interactions back to the original business requirements in an intuitive manner. For this objective, we consider the use of techniques such as Finite State Automata for modelling the requirements and Bayesian network for failure analysis 4) We aim to define techniques and algorithms for generating actions that can be performed to guarantee compliance to quality requirements. We consider applying techniques in the field of Autonomic computing for this. For all of these, our focus is on the alignment of business requirements and SOA systems and we use security as the example domain for our approach. 2

The approach. We propose the High-level Objective-based Policy for Enterprises (HOPE) framework which is aimed at addressing the above research problems via policy-based design and management. As presented in Figure 1, with HOPE, we specify quality requirements (which are driven by original business rules and regulations) in the form of business-level policies which will then be formulated as quality objectives applicable on business entities. The objectives are then refined into system-level Web Services policy for Web Services-based applications. Such policies are used to regulate runtime service interactions and provide information for adaptation in case of policy non-compliance.

Central to the approach is a service registry which acts as a facility for the management of policy lifecycle including the modelling, analysis and design, creation, usage, update, removal of policies; and maintain the association of highlevel business policies, quality objectives, and system-level policies. The registry provides a point of reference for various design time and runtime management operators such as WS-Monitor and WS-Enforcer to retrieve policyrelated information and store the relevant data that they collect.

Our approach employs policy-based management which has the advantages of being able to dynamically update the behaviour of a managed system according to the changing context requirements without having to modify the implementation of the managed system. Also, the declarative specification of rules and regulations in the form of policy statements are more concise, intuitive and simpler to verify than procedural code. Furthermore, service registries hold service metadata and are characterized by rich metadata management and rich query capabilities. As policy is one important type of SOA metadata, service registries’ capabilities can be extended for policy-based management. Validation of the approach. To validate the work we use a business case study together with research prototyping. We design a business case scenario and examine a database of global rules and regulations from the Unified Compliance Framework (http://www.unifiedcompliance.com/) to identify applicable business requirements. We then, from such rules and regulations, using our approach to derive business policies and use such policies to validate our refinement, monitoring and adaptation techniques. A prototype for HOPE is also being built and once the tool is ready, we plan to present it to a group of developers and business analysts for validation.

During the past 18 months, I have worked on addressing a number of research issues, aligning with research objectives (1) and (2) presented above. Details are as follows.

Quality-oriented business policy specification and refinement. We investigated the research issue of quality-driven business policy specification and refinement of SOA Systems in [ 12 ]. In this work, we proposed a framework (Figure 2) that supports the specification of business level quality-oriented policies and their refinement into policies at the system/service level.

As can be seen in Figure 2, in our approach, quality-oriented business requirements (quality requirements) are expressed as quality objectives applied to business entities which are modelled in application entity model. These objectives are then refined or translated into system-level WS-Policy statements. The refinement relies on an application-specific business entity model and application-independent domain quality models, for which we created the meta-models. We illustrated the approach with a Mortgage loan approval business case study to demonstrate the policy specification and refinement for qualities in the security domain and have implemented a proof of concept prototype. R e q u ire m e n ts M o d e llin g /

D e s ig n Im p le m e n ta tio n

F u n c t io n a l R e q u ir e m e n t s m o d e ll e d a s A p p lic a t io n m o d e ls

U M L , E R D ia g r a m s ...

i m p l e m e n t e d a s W e b S e r v ic e s ,

B P E L C o m p o s it io n s m o d e lle d a s

A p p lic a t io n

E n t ity M o d e l m a p p e d t o + A n n o t a t io n A p p lie d o n

Q u a lit y R e q u ir e m e n t s m o d e ll e d a s r e a li z e d a s W S - * Q u a lit y M o d e ls + W S

P o lic y d e riv e

Q u a lit y A p p lie d o n O b je c t iv e s

D o m a in Q u a lit y M o d e ls

Policy-based service registration and discovery. Another research issue that we have identified and addressed was the issue of policy-based registration and discovery [ 13 ]. In [ 13 ], we argued that (1) ensuring service qualities (specified in the form of WS polices) are consistent with organizations’ regulations and (2) matching service and client policies for effective service discovery are issues yet to be addressed. We thus presented a new approach (Figure 3) that allows for the automatic verification and matching of policies, using a service registry. The registry serves as a policy storage and management facility, a policy checkpoint during service publication, and as a policy matchmaker during service discovery. We extended WSPolicy with a policy conformance algorithm for policy verification at service publication time and used WS-Policy Intersection for policy matching at service discovery time. We have developed a policy information model and the policy processing capabilities for the registry. A prototype has also been implemented. We have presented in this paper a discussion about the limitations of current approaches in business-oriented design and management of qualities for SOA systems and outlined a framework for addressing this issue. Our approach is aimed at aligning business-oriented rules and requirements with system-level management via a mechanism that allows for the specification of quality-oriented business rules and regulations and the refinement of them into system-level quality. We also provide a general mechanism that utilizes a service registry for quality-based service registration and discovery. Our future work is on monitoring techniques that can relate monitored service interactions to the original high-level business requirements and a business-oriented adaptation mechanism for overcoming non-compliance.