Published in: Software & Systems Modeling 3/2017

26.10.2015 | Theme Section Paper

Designing secure business processes with SecBPMN

Authors: Mattia Salnitri, Fabiano Dalpiaz, Paolo Giorgini


Abstract

Modern information systems are increasingly large and consist of an interplay of technical components and social actors (humans and organizations). Such interplay threatens the security of the overall system and calls for verification techniques that enable determining compliance with security policies. Existing verification frameworks either have a limited expressiveness that inhibits the specification of real-world requirements or rely on formal languages that are difficult to use for most analysts. In this paper, we overcome the limitations of existing approaches by presenting the SecBPMN framework. Our proposal includes: (1) the SecBPMN-ml modeling language, a security-oriented extension of BPMN for specifying composite information systems; (2) the SecBPMN-Q query language for representing security policies; and (3) a query engine that enables checking SecBPMN-Q policies against SecBPMN-ml specifications. We evaluate our approach by studying its understandability and perceived complexity with experts, running scalability analysis of the query engine, and through an application to a large case study concerning air traffic management.
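To make the abstract's third contribution concrete, the following is an added illustration (not code from the paper, and not the SecBPMN-Q syntax or the authors' query engine) of what "checking security policies against a process specification" means in practice: a process model is a graph of tasks with performers and security annotations, a policy is a query over that graph, and the engine reports where the model fails the query. The task names, the performers, the flight-plan scenario, the shortcut flow and the three policy forms (a control-flow "must pass through" query, separation of duty, and a required annotation) are all constructed for this example; the separation-of-duty check follows the standard static notion from the RBAC literature cited below.

```python
"""Toy policy-query engine over a BPMN-like process graph.

Added illustration only: the data model, policy forms and sample process are
assumptions made for this example and are not SecBPMN-ml/SecBPMN-Q.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterator, List, Set, Tuple


@dataclass(frozen=True)
class Task:
    name: str
    performer: str                        # pool/lane executing the task (assumed attribute)
    annotations: frozenset = frozenset()  # security annotations, e.g. {"integrity"} (assumed)


@dataclass
class Process:
    tasks: Dict[str, Task]
    flows: Set[Tuple[str, str]]           # directed sequence flows (src, dst)

    def successors(self, node: str) -> Set[str]:
        return {dst for src, dst in self.flows if src == node}

    def paths(self, src: str, dst: str, seen: Tuple[str, ...] = ()) -> Iterator[Tuple[str, ...]]:
        """Enumerate simple paths from src to dst; `seen` keeps loops from recursing forever."""
        if src == dst:
            yield (src,)
            return
        for nxt in self.successors(src):
            if nxt not in seen:
                for tail in self.paths(nxt, dst, seen + (src,)):
                    yield (src,) + tail


# A policy is a query over the model that returns violation messages (empty = satisfied).
Policy = Callable[[Process], List[str]]


def must_pass_through(start: str, via: str, end: str) -> Policy:
    """Control-flow policy: every path from `start` to `end` has to visit `via`."""
    def check(p: Process) -> List[str]:
        return [f"path {' -> '.join(path)} skips {via}"
                for path in p.paths(start, end) if via not in path]
    return check


def separation_of_duty(a: str, b: str) -> Policy:
    """Static separation of duty: `a` and `b` must be executed by different performers."""
    def check(p: Process) -> List[str]:
        pa, pb = p.tasks[a].performer, p.tasks[b].performer
        return [f"{a} and {b} both performed by {pa}"] if pa == pb else []
    return check


def requires_annotation(task: str, annotation: str) -> Policy:
    """The task must carry the given security annotation in the model."""
    def check(p: Process) -> List[str]:
        return [] if annotation in p.tasks[task].annotations else [f"{task} lacks '{annotation}'"]
    return check


def verify(p: Process, policies: Dict[str, Policy]) -> Dict[str, List[str]]:
    """Run every policy against the model; maps policy name -> violations."""
    return {name: policy(p) for name, policy in policies.items()}


# Constructed sample process, loosely inspired by flight-plan handling in an ATM setting.
# Names, performers and the shortcut flow are made up for this example.
SAMPLE = Process(
    tasks={
        "submit_plan":   Task("submit_plan",   "airline"),
        "validate_plan": Task("validate_plan", "ansp_operator"),
        "approve_plan":  Task("approve_plan",  "ansp_supervisor"),
        "publish_plan":  Task("publish_plan",  "ansp_operator", frozenset({"integrity"})),
    },
    flows={("submit_plan", "validate_plan"), ("validate_plan", "approve_plan"),
           ("approve_plan", "publish_plan"),
           ("submit_plan", "approve_plan")},   # shortcut that bypasses validation
)

POLICIES: Dict[str, Policy] = {
    "validated_before_publish": must_pass_through("submit_plan", "validate_plan", "publish_plan"),
    "sod_validate_approve":     separation_of_duty("validate_plan", "approve_plan"),
    "sod_validate_publish":     separation_of_duty("validate_plan", "publish_plan"),
    "publish_has_integrity":    requires_annotation("publish_plan", "integrity"),
}

if __name__ == "__main__":
    for name, violations in verify(SAMPLE, POLICIES).items():
        print(f"{name}: {'OK' if not violations else violations}")
```

Running it flags two problems in the constructed model: the shortcut flow lets a plan reach `publish_plan` without `validate_plan`, and `validate_plan` and `publish_plan` share a performer. The other two policies hold. The point of separating the model from the policies, as the abstract's architecture does, is that the same policy set can be re-run unchanged every time the process model is edited.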


Footnotes
1
The System Wide Information Management (SWIM) [15] is a next-generation communication system for the secure exchange of information among ATM decision makers.
 
2
The low-level (software and hardware) functions that implement the controls imposed by the policy [50].
 
References
1. Atluri, V., Huang, W.: An extended Petri net model for supporting workflows in a multilevel secure environment. In: Samarati, P., Sandhu, R. (eds.) Database Security X: Status and Prospects, pp. 199–216. Chapman and Hall, London (1996)
2. Awad, A.: BPMN-Q: a language to query business processes. In: EMISA, vol. P-119, pp. 115–128 (2007)
3. Awad, A.: A Compliance Management Framework for Business Process Models. Ph.D. thesis (2010)
4. Basili, V.R., Caldiera, G., Rombach, D.H.: The Goal Question Metric Approach. Wiley, New York (1994)
5. Beeri, C., Eyal, A., Kamenkovich, S., Milo, T.: Querying business processes with BP-QL. Inf. Syst. 33(6), 477–507 (2008)
6. Blanc, X., Mougenot, A., Mounier, I., Mens, T.: Incremental detection of model inconsistencies based on model operations. In: Proceedings of the CAiSE, pp. 32–46 (2009)
7. Brucker, A.D., Hang, I., Lückemeyer, G., Ruparel, R.: SecureBPMN: modeling and enforcing access control requirements in business processes. In: Proceedings of the SACMAT, pp. 123–126 (2012)
8. Cherdantseva, Y., Hilton, J.: A reference model of information assurance and security. In: Proceedings of the ARES, pp. 546–555 (2013)
10. Dalpiaz, F., Giorgini, P., Mylopoulos, J.: Adaptive socio-technical systems: a requirements-driven approach. Requir. Eng. 18(1), 1–24 (2013)
11. Delfmann, P., Dietrich, H., Havel, J., Steinhorst, M.: A language-independent model query tool. In: Proceedings of the DESRIST, pp. 453–457 (2014)
12. Deutch, D., Milo, T.: Querying structural and behavioral properties of business processes. In: Proceedings of the DPL, pp. 169–185 (2007)
13. Dumas, M., Hofstede, A.H.M.: UML activity diagrams as a workflow specification language. In: Proceedings of the UML, pp. 76–90 (2001)
14. Emerson, E.A., Halpern, J.Y.: Decision procedures and expressiveness in the temporal logic of branching time. In: Proceedings of the STOC, pp. 169–180 (1982)
16. Ferraiolo, D., Cugini, J., Kuhn, D.R.: Role-Based Access Control (RBAC): features and motivations. In: Proceedings of the 11th Annual Computer Security Applications Conference, pp. 241–248 (1995)
17. Firesmith, D.: Specifying reusable security requirements. J. Object Technol. 3(1), 61–75 (2004)
18. Ghose, A., Koliadis, G.: Auditing business process compliance. In: Proceedings of the ISOC, pp. 169–180 (2007)
19. Gruhn, V., Laue, R.: A heuristic method for detecting problems in business process models. Bus. Process Manag. J. 16(5), 806–821 (2010)
20. Hofstede, A., Ouyang, C., La Rosa, M., Song, L., Wang, J., Polyvyanyy, A.: APQL: a process-model query language. In: Proceedings of the Asia-Pacific Business Process Management, vol. 159, pp. 23–38 (2013)
22. Josang, A., Ismail, R., Boyd, C.: A survey of trust and reputation systems for online service provision. Decis. Support Syst. 43(2), 618–644 (2007)
23. Jürjens, J.: UMLsec: extending UML for secure systems development. In: Proceedings of the UML, pp. 412–425 (2002)
24. Kharbili, M.E., de Medeiros, A.K.A., Stein, S., van der Aalst, W.M.P.: Business process compliance checking: current state and future challenges. In: Loos, P., Nüttgens, M., Turowski, K., Werth, D. (eds.) MobIS, LNI, vol. 141, pp. 107–113. GI (2008)
25. Leitner, M., Miller, M., Rinderle-Ma, S.: An analysis and evaluation of security aspects in the business process model and notation. In: Proceedings of the ARES, pp. 262–267 (2013)
26. Leitner, M., Rinderle-Ma, S.: A systematic review on security in process-aware information systems: constitution, challenges, and future directions. Inf. Softw. Technol. 56(3), 273–293 (2014)
27. Leitner, M., Schefer-Wenzl, S., Rinderle-Ma, S., Strembeck, M.: An experimental study on the design and modeling of security concepts in business processes. In: Proceedings of the PoEM, pp. 236–250 (2013)
28. Li, J., Mirkovic, J., Wang, M., Reiher, P., Zhang, L.: SAVE: source address validity enforcement protocol. In: Proceedings of the INFOCOM, vol. 3, pp. 1557–1566 (2002)
29. Li, N., Tripunitara, M.V., Bizri, Z.: On mutually exclusive roles and separation-of-duty. ACM Trans. Inf. Syst. Secur. 10(2), 5 (2007)
30. Liu, Y., Müller, S., Xu, K.: A static compliance-checking framework for business process models. IBM Syst. J. 46(2), 335–361 (2007)
31. Mason, M.: Sample size and saturation in PhD studies using qualitative interviews. Forum Qual. Soc. Res. 11(3), 190–197 (2010)
32. McCumber, J.: Information systems security: a comprehensive model. In: Proceedings of the NCSC (1991)
33. Menzel, M., Thomas, I., Meinel, C.: Security requirements specification in service-oriented business process management. In: Proceedings of the ARES, pp. 41–48 (2009)
34. Monakova, G., Brucker, A.D., Schaad, A.: Security and safety of assets in business processes. Appl. Comput. 27, 1667–1673 (2012)
35. Moody, D.: The physics of notations: toward a scientific basis for constructing visual notations in software engineering. IEEE Trans. Softw. Eng. 35, 756–779 (2009)
40. Parker, D.: Our excessively simplistic information security model and how to fix it. ISSA J. 8(7), 12–21 (2010)
41. Parker, D.B.: Fighting Computer Crime: A New Framework for Protecting Information. Wiley, New York (1998)
42. Peffers, K., Tuunanen, T., Rothenberger, M., Chatterjee, S.: A design science research methodology for information systems research. J. Manag. Inf. Syst. 24(3), 45–77 (2007)
43. Rasmussen, J.L., Singh, M.: Designing a security system by means of coloured Petri nets. In: Proceedings of the ICATPN, pp. 400–419 (1996)
44. Rodríguez, A., Fernández-Medina, E., Piattini, M.: A BPMN extension for the modeling of security requirements in business processes. IEICE Trans. Inf. Syst. 90(4), 745–752 (2007)
45. Sadiq, S., Governatori, G., Namiri, K.: Modeling control objectives for business process compliance. In: Proceedings of the BPM, pp. 149–164 (2007)
46. Saleem, M., Jaafar, J., Hassan, M.: A domain-specific language for modelling security objectives in business process models of SOA applications. Adv. Inf. Sci. Serv. Sci. 4(1), 353–362 (2012)
47. Salnitri, M., Dalpiaz, F., Giorgini, P.: Aligning service-oriented architectures with security requirements. In: Proceedings of the OTM, pp. 232–249 (2012)
48. Salnitri, M., Dalpiaz, F., Giorgini, P.: Modeling and verifying security policies in business processes. In: Proceedings of the BPMDS, pp. 200–214 (2014)
49. Salnitri, M., Giorgini, P.: Modeling and verification of ATM security policies with SecBPMN. In: Proceedings of the SHPCS (2014)
50. Samarati, P., Vimercati, S.: Access control: policies, models, and mechanisms. In: FOSAD, vol. 2171, pp. 137–196 (2001)
51. Schmidt, R., Bartsch, C., Oberhauser, R.: Ontology-based representation of compliance requirements for service processes. In: Proceedings of the CEUR (2007)
53. Simon, R., Zurko, M.: Separation of duty in role-based environments. In: Proceedings of the CSFW, pp. 183–194 (1997)
54. Sommerville, I., Cliff, D., Calinescu, R., Keen, J., Kelly, T., Kwiatkowska, M., Mcdermid, J., Paige, R.: Large-scale complex IT systems. Commun. ACM 55(7), 71–77 (2012)
55. Störrle, H.: VMQL: a visual language for ad-hoc model querying. J. Vis. Lang. Comput. 22, 3–29 (2011)
57. van der Aalst, W.M.P.: Formalization and verification of event-driven process chains. Inf. Softw. Technol. 41(10), 639–650 (1999)
58. Wohlin, C., Runeson, P., Höst, M., Ohlsson, M.C., Regnell, B., Wesslén, A.: Experimentation in Software Engineering: An Introduction. Kluwer Academic, Boston, MA (2000)
59. Wolter, C., Menzel, M., Schaad, A., Miseldine, P., Meinel, C.: Model-driven business process security requirement specification. J. Syst. Archit. 55(4), 211–223 (2009)
60. Wolter, C., Schaad, A.: Modeling of task-based authorization constraints in BPMN. In: Alonso, G., Dadam, P., Rosemann, M. (eds.) Business Process Management. Lecture Notes in Computer Science, vol. 4714, pp. 64–79. Springer, Berlin (2007)
Metadata
Title
Designing secure business processes with SecBPMN
Authors
Mattia Salnitri
Fabiano Dalpiaz
Paolo Giorgini
Publication date
26.10.2015
Publisher
Springer Berlin Heidelberg
Published in
Software and Systems Modeling / Issue 3/2017
Print ISSN: 1619-1366
Electronic ISSN: 1619-1374
DOI
https://doi.org/10.1007/s10270-015-0499-4
