SOA meets regulatory compliance

An analyst firm puts a priority on creating services that help enterprises comply with industry regulations like Sarbanes-Oxley and HIPAA.

As with any other aspect of IT, the time has arrived for managers and development teams to get proactive, especially in heavily regulated industries like health care and financial services.

Analyst firm RedMonk Inc., of Bath, Maine, recently advised enterprises to take service-oriented architectures a step forward and begin architecting services with regulatory compliance in mind. In its report, RedMonk said companies need to distill common services from regulations that may apply in a given industry and architect those services once and reuse them across an enterprise.


Access control, analytics, archive/backup, auditing, collaboration, conflict resolution, destruction, disposition management, indexing, information integration, monitoring, notarization, policy engine, process registry, retention, retrieval, tagging, version control and workflow.

"By breaking down the barriers between disparate compliance requirements and distilling out a core set of services, organizations can organize their thinking around compliance-specific services; implementing them according to their own unique needs," wrote report authors James Governor and Stephen O'Grady.

Peter Underwood, vice president of software development for Wall Street Access, a New York brokerage, said compliance can effectively be balanced with an existing service-oriented architecture.

"SOA massively simplifies compliance," Underwood said. Wall Street Access has to comply with Securities and Exchange Commission regulations at nearly every level of its business. Audits are mandated at each of those levels, and particular services have to be architected with compliance in mind.

"Injecting compliance components into an SOA makes immense sense," Underwood said. "It saves a tremendous amount of time and expense. You don't, however, have an SOA of compliance services."

RedMonk may be trying to signal a change in that thinking. IT shops too often address compliance projects in silos, which lead to redundancy and complexity, RedMonk said. The analysts advise IT shops to merge implementation teams working with the Health Insurance Portability and Accountability Act, the Sarbanes-Oxley Act, BASEL II projects and others and avoid giving in to individual regulatory demands when architecting services.

"Rather than implementing monolithic applications designed to tackle a single regulatory challenge, enterprises should implement a flexible and dynamic architecture that consumes compliance services as required," the report said.


The benefits of an SOA extend to these compliance-oriented architectures, including fewer redundant purchases, which result in lower licensing fees, greater productivity from service reuse, quicker time to market for services, better management and a flexible architecture that adapts to constantly changing regulations.

RedMonk adds that a compliance-oriented architecture brings IT and business goals in line. It also soothes integration challenges down the line and ends "departmental fiefdoms."

However, a recent survey conducted by London-based Economist Intelligence Unit Ltd. discovered that only 27% of C-level executives seek out the input of IT when it comes to compliance projects. Compounding the problem is the impending November deadline for SOA compliance, which will result in a bevy of point apps that will not interoperate with the rest of an IT architecture, RedMonk warns.

C-level reluctance to include IT is foolhardy since, as RedMonk points out, compliance is a fundamental strength of IT, and most software and systems conform to some set of business objectives.

Compliance-oriented architectures, meanwhile, are specialized SOAs that support many compliance requirements.

"SOA is simply a tool for addressing technical problems," according to the report. "It yields value only through imbuing the architecture with specific business requirements manifested as services."

RedMonk predicts more SOAs will address specific business needs, but it deems the most important will be those that address regulatory compliance.
