Model based enforcement of software compliance

1 . A method for enforcing a model deployment specification for a software application in execution in a virtualised computing environment, the method comprising: retrieving a compliance characteristic for the application, the compliance characteristic having associated a compliance criterion; receiving a model deployment specification for the compliance characteristic, the model deployment specification including an identification of a set of model resources being selected to, when instantiated, satisfy the compliance criterion; identifying a set of instantiated resources as resources instantiated for execution of the application; in response to a determination that the set of model resources includes an identification of resources outside the set of instantiated resources as absent resources, modifying the set of instantiated resources by instantiating the absent resources for execution of the application such that the absent resources are included in the set of instantiated resources. 2 . The method of claim 1 wherein the compliance criterion is based on a formal parameter and the compliance criterion defines a set of resource states as compliant resource states for the set of instantiated resources, and the method further comprising: selecting a software component for providing an actual parameter corresponding to the formal parameter, the actual parameter being based on data concerning one or more resources in the set of instantiated resources; evaluating the compliance criterion using the actual parameter to determine a state of the set of instantiated resources; in response to a second determination that a state of the set of instantiated resources is outside the set of compliant resource states, modifying the set of instantiated resources to provide a modified set of instantiated resources having associated resources with a state belonging to the set of compliant resource states. 3 . The method of claim 2 wherein the selection of the software component is based on an identification of one or more data items that the software component is operable to provide. 4 . The method of any of claim 2 further comprising: modifying the model deployment specification in accordance with the set of instantiated resources modified in response to the second determination. 5 . The method of claim 1 further comprising, in response to a determination that the set of instantiated resources is changed, repeating at least the identifying and modifying steps. 6 . The method of claim 1 wherein each resource in each of the sets of model resources and instantiated resources includes one or more of: an identification of a software component; an identification of a dataflow; a configuration of a software component; and a configuration of a dataflow. 7 . The method of claim 6 wherein at least one of the absent resources includes a configuration of a software component, and wherein instantiating the at least one absent resource includes modifying a configuration of a software component in the instantiated set of resources. 8 . Apparatus for enforcing a model deployment specification for a software application in execution in a virtualised computing environment, the apparatus comprising: a compliance assessor adapted to retrieve a compliance characteristic for the application, the compliance characteristic having associated a compliance criterion; a model based enforcement adapted to receive a model deployment specification for the compliance characteristic, the model deployment specification including an identification of a set of model resources being selected to, when instantiated, satisfy the compliance criterion; an absent resource identifier adapted to identify a set of instantiated resources as resources instantiated for execution of the application, the absent resource identifier being further adapted to determine if a set of model resources identifies resources outside the set of instantiated resources as absent resources; and an instantiated resource modifier adapted to modify the set of instantiated resources by instantiating the absent resources for execution of the application such that the absent resources are included in the set of instantiated resources. 9 . The apparatus of claim 8 wherein the compliance criterion is based on a formal parameter and the compliance criterion defines a set of resource states as compliant resource states for the set of instantiated resources, and the apparatus further comprising: a selector adapted to select a software component for providing an actual parameter corresponding to the formal parameter, the actual parameter being based on data concerning one or more resources in the set of instantiated resources; an evaluator adapted to evaluate the compliance criterion using the actual parameter to determine a state of the set of instantiated resources; a compliance determiner adapted to determine if a state of the set of instantiated resources is outside the set of compliant resource states; an application modifier adapted to modify the set of instantiated resources to provide a modified set of instantiated resources having associated resources with a state belonging to the set of compliant resource states. 10 . The apparatus of claim 9 wherein the selection of the software component is based on an identification of one or more data items that the software component is operable to provide. 11 . The apparatus of claim 9 further comprising: a model deployment specification modifier adapted to modify the model deployment specification in accordance with the set of instantiated resources modified in response to the second determination. 12 . The apparatus of claim 8 wherein each resource in each of the sets of model resources and instantiated resources includes one or more of: an identification of a software component; an identification of a dataflow; a configuration of a software component; and a configuration of a dataflow. 13 . The apparatus of claim 12 wherein at least one of the absent resources includes a configuration of a software component, and wherein instantiating the at least one absent resource includes modifying a configuration of a software component in the instantiated set of resources. 14 . A computer program element comprising computer program code to, when loaded into a computer system and executed thereon, cause the computer to perform the steps of a method as claimed in claim 1 .