Slide 1: Rules and Regulations: Business Drivers for SOA-based Agile IT
Presented by Adrian Bowles, Ph.D., Program Director, Regulatory Compliance, Object Management Group (adrian@omg.org, www.omg.org)

Slide 2: Agenda
– Business Drivers for IT Agility: The Role for Rules
– Rules and Regulatory Compliance
– Rules and SOA
  – Technical Foundations
  – Business Drivers/Inhibitors
– Recommendations

Slide 3: Business Runs on Rules
[Diagram: Suppliers, Customers and Regulators surround the firm's Products, Processes, Rules, People and Policies]

Slide 4: IT Enables Innovation & Agility
[Diagram: an innovation lifecycle with the stages Opportunity Identification (Context Analysis, Intelligence); Opportunity Evaluation/Selection (Identify & Model Current Processes, Identify & Model Alternatives, Evaluate Alternatives); Design (Identify Requirements; Identify & Acquire Packages, Frameworks/Components); Construct Components and Aggregates (Application Development); Integration & Operation (Integration, Execution, Refinement); and Opportunity Exploitation]

Slide 5: Flexibility by Design
[Diagram: system layers plotted by value against renewal cycle, from Web Migration Applications (1-18 months) through Domain Components and Horizontal Services (12-24 months) and Infrastructure Management and Operating Systems (36-60 months) down to Hardware]

Slide 6: Characteristics of Change
[Chart: rate of change (low to high) against cost of change (low to high); items plotted include Fashion, Pricing Data, Business Logic, Infrastructure, New Market Entry and Culture]

Slide 7: The Fundamental Rule Choice
– Embedded Rules: each process carries its own copy of the rules it needs: P1 uses r1, r2, r3; P2 uses r1, r6; P3 uses r5; P4 uses r1, r5, r7
– Rule Management: processes P1 to P4 reference rules r1 to r7 held once in a single rule management layer
Changing a rule should start a ripple effect throughout a system or systems.

Slide 8: Regulatory Compliance Costs IT $billions
– The US passes over 4,000 new final rules annually
– Sarbanes-Oxley (SOX) impacts all US public firms at a typical cost to IT of $0.5-1M annually. The UK Companies Act has similar intent, and more jurisdictions will enact governance regulations nationally and collectively.
– Basel II will cost over $15B globally
– A typical international bank may be governed by over 1000 regulations
– Different jurisdictions have conflicting rules, e.g. US vs EU fundamental differences in privacy assumptions
– And, the Rules keep changing!

Slide 9: Overlapping Intent & Requirements
[Diagram: the regulations PIPEDA, NORPDA, SB 1386, USA PATRIOT, GLBA, HIPAA, 21 CFR Part 11, Sarbanes-Oxley, Basel II and SEC Rules 17a-3/4 placed across three overlapping concerns, Security, Privacy and Governance, with the shared intents Protecting Private Information, Protecting Critical Data/Infrastructure and Ensuring Transparency & Validity]

Slide 10: Regulatory Impact by System
[Table: IT impact areas (Storage and access control; Email/IM; Customer data (CRM); Partner Data; Planning Data/ERP; Financial Data; Operational Data (ERP); Analytics/BI; Workflow; Process management; Infrastructure; DBMS; Networking) against types of regulation (Privacy, Security, Governance, Environmental, Trade/Tariff); cell contents not recoverable]

Slide 11: Automated IT Compliance
[Diagram: a query (SIC/NAICS, Geography…) against C-GRID, the Global Regulatory Information Database, returns Relevant Regulations, Rules, Requirements and Updates to IT Strategy & Operations and to IT Compliance Policies/Procedures, with Gap Analysis; stakeholders shown are Vendors, Users, Other Stake-holders, Auditors and Regulators]
Goal: Automated Detection of New Regulatory Requirements and Rule-Based Generation of Policies

Slide 12: Service Oriented Architecture Basics
An SOA is a business-oriented framework for application development that:
– is based on open standards
– maps business processes to coarse-grained software “services” (e.g. “credit check” vs “print”)
– facilitates integration of these loosely-coupled services into platform-independent applications
Loose coupling promotes agility by facilitating:
– reuse,
– asynchronous communications, and
– distributed development/deployment

Slide 13: Leading Drivers for SOA Adoption
– Complexity of alternatives
– Focus on demonstrable ROI
– Maintenance costs of status quo
– Desire to
  – Build on top of legacy systems and data
  – Achieve widespread reuse
  – Achieve better IT/business alignment (IT following business rules and goals)
  – Rationalize/standardize meta-objectives, like enterprise security initiatives

Slide 14: Inhibitors to SOA Adoption
Business
– Inter-firm collaboration still has cultural hurdles, but that’s where the biggest SOA benefits will be found
– SMB market tougher than large enterprise, which can benefit more from internal SOA projects (where complexity is a bigger factor)
– Un-integrated departmental/divisional web services projects may erroneously give SOA a bad reputation
– Up-front costs tied to business risk, currently an inhibitor to new initiatives
Technical
– Trade-off between specificity and reusability makes it hard to justify initial efforts
– Wariness of immature standards and products

Slide 15: What to Expect for the Rest of the Decade
Architecture
– SOA as the de facto development approach, supported by increased use of modeling and simulation
– Rules engines as the default approach to capturing, managing and disclosing policies for business agility and compliance
Regulations
– More global concern for security and privacy
– More stringent enforcement as the state of the practice matures
– New geo-specific regulations that will gradually converge
– Focus on data and storage: retention/recovery/provably accurate
– Improved & integrated dashboard and scorecard products

Slide 16: Summary of Recommendations
Applications and Architecture
– Isolate policy/rule processing to improve visibility and agility
– Adopt SOA as the underlying approach to component development and communications
Compliance
– Factor requirements to leverage commonalities
  • Find common rules and manage them together
  • Eliminate redundancies in data, processes, and systems
– Automate Security & Auditing efforts
  • Data, Procedures & Testing
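The following Python example is added here to make the "fundamental rule choice" (slide 7) and the recommendation to isolate policy/rule processing and manage common rules together (slide 16) concrete; it is not code from the presentation or from OMG. The rule ids r1 to r7 and the process-to-rule bindings follow the slide; the meaning assigned to each rule, the record fields and the sample record are constructed assumptions for this illustration. The embedded variant copies the retention rule r1 into three processes, so a regulatory change to the retention period means editing three places; the managed variant holds each rule once, reports which processes a change touches, and records every evaluation for disclosure to auditors.

```python
"""Embedded rules versus a rule-management layer (added illustration).

Rule ids r1..r7 and processes P1..P4 follow slide 7 of the deck; the rule
semantics, record fields and sample record are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Record = Dict[str, object]
Predicate = Callable[[Record], bool]  # True when the record satisfies the rule

# Constructed sample record that a business process might handle.
SAMPLE_RECORD: Record = {
    "retention_years": 7,
    "contains_raw_ssn": False,
    "approved_by": "controller",
    "encrypted": True,
    "region_allowed": True,
    "access_logged": True,
}


# --- Choice 1: rules embedded in each process --------------------------------
# r1 (retention period) is duplicated in P1, P2 and P4, as on the slide.
# Tightening retention to 10 years means finding and editing every copy.

def embedded_p1(rec: Record) -> bool:
    return (rec["retention_years"] >= 7            # r1
            and not rec["contains_raw_ssn"]        # r2
            and rec["approved_by"] is not None)    # r3

def embedded_p2(rec: Record) -> bool:
    return (rec["retention_years"] >= 7            # r1 (second copy)
            and bool(rec["encrypted"]))            # r6

def embedded_p4(rec: Record) -> bool:
    return (rec["retention_years"] >= 7            # r1 (third copy)
            and bool(rec["region_allowed"])        # r5
            and bool(rec["access_logged"]))        # r7


# --- Choice 2: rules held once in a rule-management layer ---------------------

@dataclass
class RuleRegistry:
    rules: Dict[str, Tuple[str, Predicate]] = field(default_factory=dict)  # id -> (description, predicate)
    bindings: Dict[str, List[str]] = field(default_factory=dict)           # process -> rule ids
    audit: List[Tuple[str, str, bool]] = field(default_factory=list)        # (process, rule id, passed)

    def register(self, rule_id: str, description: str, predicate: Predicate) -> None:
        self.rules[rule_id] = (description, predicate)

    def bind(self, process: str, rule_ids: List[str]) -> None:
        missing = [r for r in rule_ids if r not in self.rules]
        if missing:
            raise KeyError(f"{process} references unknown rules: {missing}")
        self.bindings[process] = list(rule_ids)

    def evaluate(self, process: str, rec: Record) -> List[str]:
        """Run every rule bound to the process and return the ids that fail.
        Each outcome is appended to the audit trail so it can be disclosed."""
        failed: List[str] = []
        for rule_id in self.bindings[process]:
            _, predicate = self.rules[rule_id]
            passed = bool(predicate(rec))
            self.audit.append((process, rule_id, passed))
            if not passed:
                failed.append(rule_id)
        return failed

    def impact(self, rule_id: str) -> List[str]:
        """Processes that a change to this rule would reach (the 'ripple')."""
        return sorted(p for p, ids in self.bindings.items() if rule_id in ids)

    def change_rule(self, rule_id: str, description: str, predicate: Predicate) -> List[str]:
        """Replace a rule in one place; returns the processes now affected."""
        if rule_id not in self.rules:
            raise KeyError(rule_id)
        self.rules[rule_id] = (description, predicate)
        return self.impact(rule_id)


def build_registry() -> RuleRegistry:
    """Registry with the process-to-rule bindings drawn on slide 7."""
    reg = RuleRegistry()
    reg.register("r1", "retain records at least 7 years", lambda r: r["retention_years"] >= 7)
    reg.register("r2", "no raw SSN stored", lambda r: not r["contains_raw_ssn"])
    reg.register("r3", "approval recorded", lambda r: r["approved_by"] is not None)
    reg.register("r4", "data classified (defined, unbound on the slide)", lambda r: r.get("classification") is not None)
    reg.register("r5", "region permitted", lambda r: bool(r["region_allowed"]))
    reg.register("r6", "stored encrypted", lambda r: bool(r["encrypted"]))
    reg.register("r7", "access logged", lambda r: bool(r["access_logged"]))
    reg.bind("P1", ["r1", "r2", "r3"])
    reg.bind("P2", ["r1", "r6"])
    reg.bind("P3", ["r5"])
    reg.bind("P4", ["r1", "r5", "r7"])
    return reg


if __name__ == "__main__":
    reg = build_registry()
    print("before change:", {p: reg.evaluate(p, SAMPLE_RECORD) for p in reg.bindings})
    # A regulation tightens retention to 10 years: one edit in the registry.
    touched = reg.change_rule("r1", "retain records at least 10 years",
                              lambda r: r["retention_years"] >= 10)
    print("processes reached by the r1 change:", touched)
    print("after change:", {p: reg.evaluate(p, SAMPLE_RECORD) for p in reg.bindings})
    print("embedded P2 still accepts the record:", embedded_p2(SAMPLE_RECORD))
    print("audit entries recorded:", len(reg.audit))
```

Running the block shows the point of the slide: after `change_rule("r1", ...)` the managed processes P1, P2 and P4 all reject the seven-year record while P3 is untouched, whereas `embedded_p2` still accepts it because its private copy of r1 was never updated. `impact()` is the visibility the recommendation asks for, and the `audit` list is the raw material for the dashboards and disclosure mentioned on slide 15.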