Skip to main content
Springer Nature Link
Log in

From Consumer Requirements to Policies in Secure Services

  • Chapter
Secure and Trustworthy Service Composition

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 8900))

  • 479 Accesses

Abstract

Automatic translation of elicited consumer security requirements at high level (problem space) into application or service level security requirements (solution space) has been traditionally the Achilles’ heel of security requirements engineering. Such automated translation would result in significant failure and cost reduction in application development and maintenance, particularly in those complex applications based on compositions and choreographies of services. In this paper we present a framework which makes a step forward to solve this dilemma. The framework supports the engineering of composite service security and trust requirements directly derived from the organisational needs expressed for such service. The followed approach starts with the modelling of organisation actors’ objectives and commitments among these actors, and follows with the transformation of such commitments into security elements in the service business process specification and into a consumer security policy which the service will need to be compliant with.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

Similar content being viewed by others

References

  1. Aktug, I., Naliuka, K.: ConSpec — a formal language for policy specification. Electronic Notes in Theoretical Computer Science 197(1), 45–58 (2008)

    Article  MathSciNet  Google Scholar 

  2. Aniketos Website, http://www.aniketos.eu

  3. Baxter, G., Sommerville, I.: Socio-technical systems: From design methods to systems engineering. Interacting with Computers 23(1), 4–17 (2011)

    Article  Google Scholar 

  4. Bresciani, P., Perini, A., Giorgini, P., Giunchiglia, F., Mylopoulos, J.: Tropos: An agent-oriented software development methodology. Autonomous Agents and Multi-Agent Systems 8(3), 203–236 (2004)

    Article  Google Scholar 

  5. Brucker, A.D., Hang, I., Lückemeyer, G., Ruparel, R.: SecureBPMN: Modeling and enforcing access control requirements in business processes. In: Proceedings of the 17th ACM symposium on Access Control Models and Technologies, pp. 123–126. ACM (June 2012)

    Google Scholar 

  6. Brucker, A.D., Malmignati, F., Merabti, M., Shi, Q., Zhou, B.: A Framework for Secure Service Composition. In: International Conference on Information Privacy, Security, Risk and Trust (PASSAT), pp. 1–6. IEEE (September 2013)

    Google Scholar 

  7. Dalpiaz, F., Paja, E., Giorgini, P.: Security requirements engineering via commitments. In: 2011 1st Workshop on Socio-Technical Aspects in Security and Trust (STAST), pp. 1–8 (September 2011)

    Google Scholar 

  8. Dragoni, N., Massacci, F., Naliuka, K., Siahaan, I.: Security-by-contract: Toward a semantics for digital signatures on mobile code. In: López, J., Samarati, P., Ferrer, J.L. (eds.) EuroPKI 2007. LNCS, vol. 4582, pp. 297–312. Springer, Heidelberg (2007)

    Chapter  Google Scholar 

  9. Emery, F.E., Trist, E.L.: Socio-Technical Systems. Management Science, Models and Techniques 2, 83–97 (1960)

    Google Scholar 

  10. ENISA. Procure Secure: A guide to monitoring of security service levels in cloud contracts (April 2012), http://www.enisa.europa.eu/activities/Resilience-and-CIIP/cloud-computing/procure-secure-a-guide-to-monitoring-of-security-service-levels-in-cloud-contracts (Cited on September 10, 2013)

  11. Erlingsson, U.: The inlined reference monitor approach to security policy enforcement. Cornell University (2003)

    Google Scholar 

  12. Giorgini, P., Massacci, F., Mylopoulos, J., Zannone, N.: Modeling security requirements through ownership, permission and delegation. In: Proceedings of the 13th IEEE International Conference on Requirements Engineering, pp. 167–176. IEEE (August 2005)

    Google Scholar 

  13. Trist, E.L.: On socio-technical systems. Sociotechnical systems: A sourcebook, 43-57 (1978)

    Google Scholar 

  14. Menzel, M., Thomas, I., Meinel, C.: Security requirements specification in service-oriented business process management. In: International Conference on Availability, Reliability and Security, ARES 2009, pp. 41–48. IEEE (March 2009)

    Google Scholar 

  15. Mouratidis, H., Giorgini, P.: Secure tropos: A security-oriented extension of the tropos methodology. International Journal of Software Engineering and Knowledge Engineering 17(02), 285–309 (2007)

    Article  Google Scholar 

  16. Mulle, J., Stackelberg, S., Bohm, K.: A Security Language for BPMN Process Models. Karlsruhe Reports in Informatics (September 2011)

    Google Scholar 

  17. Noguero, A., Espinoza, H.: A generic executable framework for model-driven engineering. In: 2012 7th Iberian Conference on Information Systems and Technologies (CISTI), pp. 1–6. IEEE (June 2012)

    Google Scholar 

  18. OASIS, Reference Model for Service Oriented Architecture 1.0 (2009), http://docs.oasis-open.org/soa-rm/soa-ra/v1.0/soa-ra.pdf (cited September 12, 2013)

  19. OMG. Business Process Model and Notation (BPMN) Version 2.0 (2011), http://www.omg.org/spec/BPMN/2.0/ (Cited on September 10, 2013)

  20. Paja, E., Dalpiaz, F., Giorgini, P.: Identifying Conflicts in Security Requirements with STS-ml. University of Trento. Technical report (2012)

    Google Scholar 

  21. Paja, E., Dalpiaz, F., Poggianella, M., Roberti, P., Giorgini, P.: STS-Tool: Specifying and Reasoning over Socio-Technical Security Requirements. In: iStar 2013, pp. 131–133 (2013)

    Google Scholar 

  22. Rodríguez, A., Fernández-Medina, E., Piattini, M.: A bpmn extension for the modeling of security requirements in business processes. IEICE Transactions on Information and Systems 90(4), 745–752 (2007)

    Article  Google Scholar 

  23. Salnitri, M., Dalpiaz, F., Giorgini, P.: Aligning Service-Oriented Architectures with Security Requirements. In: Meersman, R., Panetto, H., Dillon, T., Rinderle-Ma, S., Dadam, P., Zhou, X., Pearson, S., Ferscha, A., Bergamaschi, S., Cruz, I.F. (eds.) OTM 2012, Part I. LNCS, vol. 7565, pp. 232–249. Springer, Heidelberg (2012)

    Google Scholar 

  24. Singh, M.P.: An ontology for commitments in multiagent systems. Artificial Intelligence and Law 7(1), 97–113 (1999)

    Article  Google Scholar 

  25. University of trento, STS-ml manual (2013), http://www.sts-tool.eu/doc/STS-ModelingLanguage_ver1.3.2.pdf (cited September 12, 2013)

  26. Wolter, C., Menzel, M., Meinel, C.: Modelling Security Goals in Business Processes. Modellierung 127, 201–216 (2008)

    Google Scholar 

  27. van Lamsweerde, A.: Requirements engineering in the year 00: a research perspective. In: Proceedings of the 22nd International Conference on Software Engineering, pp. 5–19 (2000)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. TECNALIA Research and Innovation, Parque Tecnológico de Bizkaia 700, Derio, Spain

    Erkuden Rios & Eider Iturbe

  2. SELEX, Selex ES S.p.A, A Finmeccanica Company, via Laurentina 760, 00143, Rome, Italy

    Francesco Malmignati & Michela D’Errico

  3. UNITN, University of Trento, via Belenzani 12, 38122, Trento, Italy

    Mattia Salnitri

Authors
  1. Erkuden Rios
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Francesco Malmignati
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Eider Iturbe
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Michela D’Errico
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Mattia Salnitri
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. SAP SE, Vincenz-Priessnitz-Str. 1, 76131, Karlsruhe, Germany

    Achim D. Brucker

  2. Utrecht University, PO Box 80.089, 3508 TB, Utrecht, The Netherlands

    Fabiano Dalpiaz

  3. DISI, University of Trento, Via Sommarive 5, 38123, Povo, Trento, Italy

    Paolo Giorgini

  4. SINTEF ICT, Strindveien 4, 7465, Trondheim, Norway

    Per Håkon Meland

  5. Parque Tecnológico de Bizkaia, TECNALIA Research & Innovation, Edifício 202, 48170, Zamudio, Spain

    Erkuden Rios

Rights and permissions

Reprints and permissions

Copyright information

© 2014 Springer International Publishing Switzerland

About this chapter

Cite this chapter

Rios, E., Malmignati, F., Iturbe, E., D’Errico, M., Salnitri, M. (2014). From Consumer Requirements to Policies in Secure Services. In: Brucker, A.D., Dalpiaz, F., Giorgini, P., Meland, P.H., Rios, E. (eds) Secure and Trustworthy Service Composition. Lecture Notes in Computer Science, vol 8900. Springer, Cham. https://doi.org/10.1007/978-3-319-13518-2_6

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-13518-2_6

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-13517-5

  • Online ISBN: 978-3-319-13518-2

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics