Abstract
Today’s businesses are inherently process-driven. Consequently, the use of business-process driven systems, usually implemented on top of service-oriented or cloud-based infrastructures, is increasing. At the same time, the demand on the security, privacy, and compliance of such systems is increasing as well. As a result, the costs—with respect to computational effort at runtime as well as financial costs—for operating business-process driven systems increase steadily.
In this paper, we present a method for statically checking the security and conformance of the system implementation, e.g., on the source code level, to requirements specified on the business process level. As compliance is statically guaranteed—already at design-time—this method reduces the number of run-time checks needed to ensure security and compliance and, thus, improves runtime performance. Moreover, it reduces the costs of system audits, as there is no need to analyze the generated log files to validate compliance with properties that are already statically guaranteed.
© 2013 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Brucker, A.D., Hang, I. (2013). Secure and Compliant Implementation of Business Process-Driven Systems. In: La Rosa, M., Soffer, P. (eds) Business Process Management Workshops. BPM 2012. Lecture Notes in Business Information Processing, vol 132. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-36285-9_66
DOI: https://doi.org/10.1007/978-3-642-36285-9_66
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-36284-2
Online ISBN: 978-3-642-36285-9
eBook Packages: Computer Science, Computer Science (R0)