Skip to Content

In this blog entry, we continue our presentation of the benefits that the EU MASTER project brings to companies in the area of compliance. In particular, we explain the methodology and translation process from constraints and control objectives that are defined at an high-level of abstraction towards languages used to configure runtime components in the MASTER architecture.

 

In our previous blogposting about MASTER, we have seen that the runtime components in the MASTER architecture such as the event stream processor and the data warehouse use languages such as XQuery 1.1 [1], respectively SQL [2]. Although these languages are not hard to use for database users, these are not trivial to use for compliance or risk experts. Therefore, the MASTER approach allows compliance experts to use a Graphical Workbench to model a Control Model and to specify Control Objectives.

 

At the highest level, organizations are driven by objectives. In MASTER, we make a distinction between Control Objectives and business objectives. While business objectives are value-generating goals, control objectives are not necessarily value generating but they have to be compliant with legislations, regulations and best practices. A Control or a Control Activity specifies the means to achieve a Control Objective. Examples of control activities are: a virus scanner, a firewall, access control enforcement, segregation of duty enforcement etcetera. A combination of one or more Control Processes describe how a Control Activity has to be implemented. Similar to a business process, a control process can be composed of other control processes. A non-decomposable step (atomic action) in a control process is called a Control Task.

 

In the MASTER approach, compliance experts are responsible for modeling Control Models and Control Objectives.

1. A Control Model describes a Control Process and describes which actions the MASTER runtime infrastructure should perform. A Control Process interacts with the business process and its implementation (the target system) for the following purposes:

                        a. ensure that constraints or control objectives are satisfied and

b. produce evidence that can be consumed by the MASTER monitoring runtime infrastructure.

Control Processes are modeled using the M-Calculus language, which is a superset of Milner’s Pi-Calculus [3].

2. Control Objectives are specified in an assertion specification language called PSL (based on temporal logics) [4]. This approach allows the verification of a Control Process against Control Objectives using model-checking techniques.

 

Compliance experts are using a Graphical Workbench which is based on process calculi and temporal logics while runtime components in the MASTER architecture are configured using query languages such as SQL and XQuery.

This entails a gap between what is modeled by the compliance experts at an abstract level and what should be conducted by the actual implementation of the compliance assessment and enforcement tool.

 

In order to solve the gap and to achieve an end-to-end solution, a translation is required from Control Process modeled as process calculi and Control Objectives expressed in temporal logics towards query languages that can be used with databases and event stream processors. Our research team at SAP Research France is investigating to which extent it is possible to perform this translation automatically. We expect that this research will result in a compiler that solves this abstraction gap.

 

In future articles on SDN about the MASTER project we will describe in more detail, among other things the automated translation from process calculi to XQuery 1.1. Moreover, we will also go more into the details of the source and target languages of the translation.

 

The research and development is a joint effort between SAP Research France; Systems Group, ETH Zurich and the Security Group, University of Kaiserslautern.

 

For further information please contact:
Theodoor Scholte (theodoor.scholte@sap.com)

Emmanuel Pigout (emanuel.pigout@sap.com)

Philip Miseldine (philip.miseldine@sap.com)

Hoon Wei Lim (hoon.wei.lim@sap.com)

 

References

[1] Don Chamberlin, Jonathan Robie (2008): XQuery 1.1 W3C Working Draft 3 December 2008.

[2] E.F. Codd (1990): The relational model for database management: version 2, Addison-Wesley Longman Publishing Co., Inc.

[3] Robin Milner (1993): The Polyadic π-Calculus: A Tutorial. Logic and Algebra of Specification.

[4] Accellera (2004): Property Specification Language Reference Manual.

To report this post you need to login first.

Be the first to leave a comment

You must be Logged on to comment or reply to a post.

Leave a Reply