nach oben

Business & Information Systems Engineering

Erschienen in:

01.06.2011 | Research Paper

Automated Certification for Compliant Cloud-based Business Processes

verfasst von: Dr. Rafael Accorsi, Dipl.-Inf. Lutz Lowis, Yoshinori Sato

Erschienen in: Business & Information Systems Engineering | Ausgabe 3/2011

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

A key problem in the deployment of large-scale, reliable cloud computing concerns the difficulty to certify the compliance of business processes operating in the cloud. Standard audit procedures such as SAS-70 and SAS-117 are hard to conduct for cloud-based processes. The paper proposes a novel approach to certify the compliance of business processes with regulatory requirements. The approach translates process models into their corresponding Petri net representations and checks them against requirements also expressed in this formalism. Being based on Petri nets, the approach provides well-founded evidence on adherence and, in case of noncompliance, indicates the possible vulnerabilities.

Vorheriger Artikel Secure and Sustainable Benchmarking in Clouds

Nächster Artikel Isolation in Cloud Computing and Privacy-Enhancing Technologies

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

WIRTSCHAFTSINFORMATIK

WI – WIRTSCHAFTSINFORMATIK – ist das Kommunikations-, Präsentations- und Diskussionsforum für alle Wirtschaftsinformatiker im deutschsprachigen Raum. Über 30 Herausgeber garantieren das hohe redaktionelle Niveau und den praktischen Nutzen für den Leser.

Jetzt informieren

Business & Information Systems Engineering

BISE (Business & Information Systems Engineering) is an international scholarly and double-blind peer-reviewed journal that publishes scientific research on the effective and efficient design and utilization of information systems by individuals, groups, enterprises, and society for the improvement of social welfare.

Jetzt informieren

Wirtschaftsinformatik & Management

Texte auf dem Stand der wissenschaftlichen Forschung, für Praktiker verständlich aufbereitet. Diese Idee ist die Basis von „Wirtschaftsinformatik & Management“ kurz WuM. So soll der Wissenstransfer von Universität zu Unternehmen gefördert werden.

Jetzt informieren

Accorsi R, Wonnemann C (2011) Strong non-leak guarantees for workflow models. ACM, SAC, pp. 308–314

Atluri V, Chun SA, Mazzoleni P (2001) A Chinese wall security model for decentralized workflow systems. ACM conference on computer and communications security. ACM, New York, pp 48–57

BDSG (2009) Bundesdatenschutzgesetz. German Federal Ministry of Justice

Breaux TD, Antón AI (2008) Analyzing regulatory rules for privacy and security requirements. IEEE Trans Software Eng 34(1):5–20 CrossRef

Breaux TD (2009) Legal requirements acquisition for the specification of legally compliant information systems. PhD thesis, North Carolina State University

Cabanillas C, Resinas M, Ruiz-Cortés A (2010) Hints on how to face business process compliance. In: Resinas M, Ruiz-Cortés A, Pastor JA, Sancho MR (eds) Proc JISBD 4, pp 26–32

Chow R, Golle P, Jakobsson M, Shi E, Staddon J, Masuoka R, Molina J (2009) Controlling data in the cloud: outsourcing computation without outsourcing control. In: Proc 2009 ACM workshop on cloud computing security. ACM, New York, pp 85–90 CrossRef

COMPAS (2008) Compliance-driven models, languages, and architectures for services. EU FP7 Project 215175, deliverable 2.1 “State of the art in the field of compliance languages”

CSA (2009) Security guidance for critical areas of focus in cloud computing. Cloud Security Alliance. http://www.cloudsecurityalliance.org/. Accessed 2010-06-29

CSA (2010) Top threats to cloud computing. Cloud Security Alliance. http://www.cloudsecurityalliance.org/. Accessed 2010-06-29

Curtis B, Kellner MI, Over J (1992) Process modeling. Comm ACM 35(9):75–90 CrossRef

Dijkman R, Dumas M, Ouyang C (2008) Semantics and analysis of business process models in BPMN. Information & Software Technology 50(12):1281–1294 CrossRef

Ehrig M, Koschmider A, Oberweis A (2007) Measuring similarity between semantic business process models. ACS CRPIT 67:71–80

Etro F (2009) The economic impact of cloud computing on business creation, employment and output in Europe. Review of Business and Economics 54(2):179–218

European Commission (1995) Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data

ENISA (2009) Cloud computing—benefits, risks and recommendations for information security. European Network Information and Security Agency

Ghose A, Koliadis G (2007) Auditing business process compliance. Springer LNCS 4749:168–180

GLB (1999) Gramm-Leach-Bliley Act. In: Congress of the USA

Governatori G, Hoffmann J, Sadiq SW, Weber I (2009) Detecting regulatory compliance for business process models through semantic annotations. Springer LNBPI 14:5–17

Hayes B (2009) Cloud computing. Comm ACM 51(7):9–11 CrossRef

HIPAA (1996) Health insurance portability and accountability act. In: Congress of the USA

Höhn S (2009) Model-based reasoning on the achievement of business goals. In: ACM symposium on applied computing. ACM, New York, pp 1589–1593

Huang H, Kirchner H (2009) Component-based security policy design with colored Petri nets. Springer LNCS 5700:21–42

IIG (2010) BW2PN: BPEL+WSDL to Petri net transformation. Software tool developed at the University of Freiburg, IIG Telematics. http://www.telematik.uni-freiburg.de/comcert/. Accessed 2010-06-29

Katt B, Zhang X, Hafner M (2009) Towards a usage control policy specification with Petri nets. Springer LNCS 5871:905–912

Lampson B (1973) A note on the confinement problem. Commun ACM 16(10):613–615 CrossRef

Liu Y, Müller S, Xu K (2007) A static compliance-checking approach framework for business process models. IBM System Journal 46(2):335–361 CrossRef

Liu R, Kumar A (2005) An analysis and taxonomy of unstructured workflows. Springer LNCS 3649:268–284

Lohmann N, Verbeek E, Dijkman RM (2009) Petri net transformations for business processes—A survey. Springer LNCS 5460:46–63

Lowis L, Accorsi R (2010) Vulnerability analysis in SOA-based business processes. IEEE Transactions on Services Computing (in press)

Meda HS, Sen AK, Bagchi A (2010) On detecting data flow errors in workflows. Journal of Data and Information Quality 2(1):1–31 CrossRef

Monakova G, Kopp O, Leymann F, Moser S, Schäfers K (2009) Verifying business rules using a SMT solver for BPEL processes. GI LNI 147:81–94

Murata T (1989) Petri nets: properties, analysis and applications. Proc IEEE 77(4):541–580 CrossRef

Organisation for Economic Co-Operation and Development (OECD) (1980) OECD guidelines on the protection of privacy and transborder flows of personal data

Oryx (2010) The Oryx project. http://bpt.hpi.uni-potsdam.de/Oryx/WebHome. Accessed 2010-06-29

Ouyang C, Verbeek E, van der Aalst WMP, Breutel S, Dumas M, ter Hofstede AHM (2005) WofBPEL: a tool for automated analysis of BPEL processes. Springer LNCS 3826:484–489

Park J, Sandhu R (2004) The UCONABC usage control model. ACM Transactions on Information and System Security 7:128–174 CrossRef

Pretschner A, Hilty M, Basin D (2006) Distributed usage control. Comm ACM 49:39–44 CrossRef

Sadiq S, Governatori G, Namiri K (2007) Modeling control objectives for business process compliance. Business process management. Springer LNCS 4714:149–164

Saha D (2008) A hitchhiker’s guide to galaxy a.k.a. Netweaver business process modelling. http://www.sdn.sap.com/irj/scn/weblogs?blog=/pub/wlg/10947. Accessed 2010-06-29

Schneider F (2000) Enforceable security policies. ACM Trans Inf Syst Secur 3(1):30–50 CrossRef

SOX (2002) Sarbanes-Oxley act. In: Congress of the USA

Stohr EA, Zhao JL (2001) Workflow automation: overview and research issues. Information Systems Frontiers 3(3):281–296 CrossRef

Svirskas A, Courbis C, Molva R, Bedžinskas J (2007) Compliance proofs for collaborative interactions using aspect-oriented approach. IEEE Congress on Services 1:33–40 CrossRef

TMG (2009) Telemediengesetz. German Federal Ministry of Justice

Trčka N, van der Aalst WMP, Sidorova N (2009) Data-flow anti-patterns: discovering data-flow errors in workflows. Springer LNCS 5565:425–439

van der Aalst WMP (1998) The application of Petri nets to workflow management. Journal of Circuits, Systems, and Computers 8(1):21–66 CrossRef

van der Aalst WMP (2003) Challenges in business process management: verification of business processing using Petri nets. Bulletin of the EATCS 80:174–199

van Dongen BF, Jansen-Vullers MH, Verbeek HMW, van der Aalst WMP (2007) Verification of the SAP reference models using EPC reduction, state-space analysis, and invariants. Computers in Industry 58(6):578–601 CrossRef

Wagner G (2002) How to design a general rule markup language. GI LNI 14:19–37

Wong PYH, Gibbons J (2008) Verifying business process compatibility. In: International conference on quality software. IEEE, pp 126–131 CrossRef

Titel: Automated Certification for Compliant Cloud-based Business Processes
verfasst von: Dr. Rafael Accorsi
Dipl.-Inf. Lutz Lowis
Yoshinori Sato
Publikationsdatum: 01.06.2011
Verlag: SP Gabler Verlag
Erschienen in: Business & Information Systems Engineering / Ausgabe 3/2011
Print ISSN: 2363-7005
Elektronische ISSN: 1867-0202
DOI: https://doi.org/10.1007/s12599-011-0155-7

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft"

Springer Professional "Technik"

Springer Professional "Wirtschaft+Technik"

WIRTSCHAFTSINFORMATIK

Business & Information Systems Engineering

Wirtschaftsinformatik & Management

Weitere Artikel der Ausgabe 3/2011

Changes in the Editorial Board

Interview with Mr. Charley K. Watanabe on “Cloud Computing in Japan – The Role of the Japanese Government”

BISE – Call for Papers Issue 5/2012

Sustainable Cloud Computing

Secure and Sustainable Benchmarking in Clouds

Inter-Cloud Computing