Skip to Content

MASTER project – Compliance Facilitator

The business of the future will be characterized by highly dynamic service-oriented architectures where outsourcing and distributed management constitute the norm rather than the exception. It will infer regulations and business standards into an increasing complexity in security and trust requirements. Best-effort security will no longer be accepted. Business entities will have to provide certified assurance services to customers and expect assured services from contractors in order to manage the associated business and technology risk.


The MASTER European research project aims at providing methodologies and infrastructures which:

  • Facilitate the monitoring, enforcement, and audit of quantifiable indicators on the security of a business process;
  • Provide manageable assurance of the security levels, trust levels and regulatory compliance of highly dynamic service- oriented architecture in centralized, distributed (multi-domain), and outsourcing contexts.


In order to reach those goals MASTER has organized its work into 3 set activities (Conceptual Model, Design-time and Run-time) represented in the following logical diagram:


Among those activities, our team at SAP research France is mainly involved in three following sub-activities:

  • Monitoring infrastructure: we are specifying the monitoring policies as well as the components and infrastructures that are necessary to enforce them. A monitoring policy is a set of statements describing events to be observed, or measurements to be performed based on these observations. For instance, IT Control Objectives for SOX suggest “that procedures exist and are followed to maintain the effectiveness of authentication and access mechanisms”. Part of such a procedure in case of a password-based authentication mechanism is to implement a control that requires “regular password changes”. The general requirement of “password changes” is transformed into a set of more detailed policies based on observable events and the actual system infrastructure to monitor, such as notification of actual password change operations within a certain timeframe or the lack thereof.
  • Security Requirements Translation: in which we are working on the concepts necessary for mapping high-level to low-level mandatory control processes. Thus, the integration of the security requirements can occur on several layers, ranging from organizational models to business processes to system transactions to objects and services.
  • Security, Trust & Privacy for business based on SOA: in which we investigate a set of means to protect the confidentiality and privacy of events that occur in foreign domains, for instance, at outsourced services. Different approaches are investigated, including event abstraction, pseudonymization, secure computing, and controlled communication channels (i.e., the use of particular Trusted Third Parties providing access to critical events). We particularly emphasize on secure computing, it is the strongest technique available, but needs to be balanced with respect to the communication load required.


In this project we are collaborating with distinguished panel of industrial and university partners:

ATOS Origin; Universita` di Trento; Engineering Ingegneria Informatica S.p.A.; British Telecom; ETH; University of Stuttgart; LERO; ANECT; Deloitte; IBM; CESCE; Fondazione San Rafaele; Stiftelsen SINTEF

For further information please visit the website ( and contact:


Emmanuel Pigout (

Dr Hoon Wei Lim (

Dr Philip Miseldine (

Theodoor Scholte (

You must be Logged on to comment or reply to a post.
  • Hi Emmanuel,

    sounds like a very interesting project. I had seen a presentation on it some years ago at ETHZ. Being a practitioner in the field I was wondering how the business user is going to interact with this highly complex system. Will he be specifying policies? What if his policy is in conflict with another policy? Do you resolve at design time or runtime? I wonder because my clients seem to be already challenged by simple questions: What HR privacy requirements do you have in country XY? The system usability will be the make or break.


    • Hi Gregory,

      Thank you for your interest.
      In a future post I will explain how MASTER will help business user in defining the control processes needed for their conformity. Using a MASTER methodology for compliance we will help the customer to derive and to express from their business objectives the necessary control for their business process. Once those control defined, we will automatically deploy those controls (using internal policies) in the run-time environment.
      Then, the run-time environement will monitor, assess and enforce those controls while the customer business process is running.

      Hope it is little clearer …but watch for my next posts to get more uptodate.

      Best regards,