Skip to main content
SpringerLink
Log in

Why Are Business Processes Not Secure?

  • Chapter
Book cover Number Theory and Cryptography

Part of the book series: Lecture Notes in Computer Science ((LNTCS,volume 8260))

Abstract

Security is simple to understand but hard to ensure. In the times of Internet, this task has been becoming harder every day. To date, computer science has not solved how to prevent the misuse of business processes. While data objects can be protected, a process cannot. The reason is the security of a process depends not only on its individual accesses and can only be accessed upon the process’ termination or when cast into the context of other processes. Many unbelievable scandals encompassing sophisticated and powerful players, from Microsoft to Sony and credit card operators, from leakages in governments to cyber crime and war attacks could not be prevented despite heavy investment in security. The claim here is that the way in which computer science deals with security does not apply to processes. The key discipline in security is “cryptography”, where the “laureate” Prof. Buchmann got his distinction from. This paper is about how cryptography can be applied as a basis to automate security and give participants in a market an equal position and prevent fraud. To complicate the issue, the goal is security in business processes. The reason is obvious. If one makes mistakes or vulnerabilities are left uncovered, huge fraud incidents might happen, the stockowners rebel, the government complains and employees are, in the worst case, deprived from their pension. This is a real, sensitive issue, with unclear solutions, ambivalent in nature, but rigorous in punishment. The issue is not just to protect, but also to deter “bad things”, such as criminal intents. The option to judge people’s intentions is not an option for mankind; it is not an option though for computer science. We need to automate security and establish procedures that, upon the event of misuse, ascertain accountability.

The main goal and challenge of security in business processes is, on one hand, to provide well-founded guarantees regarding the adherence to security, privacy and regulatory compliance requirements and, on the other hand, to integrate the corresponding mechanisms into the business process management lifecycle. This paper introduces this research area, its current status and upcoming practical challenges.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 49.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Wolf, C., Harmon, P.: The state of business process management. BPTrends Report (2010), http://www.bptrends.com/

  2. Website, http://finance.fortune.cnn.com/2011/09/27/the-fine-line-between-bad-luck-and-rogue-trades/

  3. Epstein, J.: Security Lessons Learned from Société Générale. IEEE Security & Privacy 6(3), 80–82 (2008)

    Article  Google Scholar 

  4. Simmhan, Y., Barga, R.S.: Analysis of approaches for supporting the Open Provenance Model: A case study of the Trident workflow workbench. Future Generation Comp. Syst. 27(6), 790–796 (2011)

    Article  Google Scholar 

  5. Website, http://www.google.com/patents/US6009410

  6. Website, http://www.google.com/patents/WO2012166878A2?cl=en

  7. Saat, J., Franke, U., Lagerström, R., Ekstedt, M.: Enterprise Architecture Meta Models for IT/Business Alignment Situations. In: EDOC 2010, pp. 14–23. IEEE (2010)

    Google Scholar 

  8. Sandhu, R.S., Samarati, P.: Authetication, Access Control, and Audit. ACM Comput. Surv. 28(1), 241–243 (1996)

    Article  Google Scholar 

  9. Sandhu, R.S., Park, J.: Usage Control: A Vision for Next Generation Access Control. In: Gorodetsky, V., Popyack, L.J., Skormin, V.A. (eds.) MMM-ACNS 2003. LNCS, vol. 2776, pp. 17–31. Springer, Heidelberg (2003)

    Chapter  Google Scholar 

  10. Accorsi, R., Lowis, L., Sato, Y.: Automated Certification for Compliant Cloud-based Business Processes. Business & Information Systems Engineering 3(3), 145–154 (2011)

    Article  Google Scholar 

  11. Ramezani, E., Fahland, D., van der Aalst, W.M.P.: Where Did I Misbehave? Diagnostic Information in Compliance Checking. In: Barros, A., Gal, A., Kindler, E. (eds.) BPM 2012. LNCS, vol. 7481, pp. 262–278. Springer, Heidelberg (2012)

    Chapter  Google Scholar 

  12. Brewer, D.F.C., Nash, M.J.: The Chinese Wall Security Policy. In: IEEE Symposium on Security and Privacy, pp. 206–214. IEEE (1989)

    Google Scholar 

  13. Botha, R.A., Eloff, J.H.P.: Separation of duties for access control enforcement in workflow environments. IBM Systems Journal 40(3), 666–682 (2001)

    Article  Google Scholar 

  14. Accorsi, R., Wonnemann, C.: Strong non-leak guarantees for workflow models. In: ACM Symp. Applied Computing, pp. 308–314 (2011)

    Google Scholar 

  15. Roscoe, A.W.: Intensional specifications of security protocols. In: Computer Security Foundations Workshop, pp. 28–38. IEEE (1996)

    Google Scholar 

  16. Weske, M.: Business Process Management - Concepts, Languages, Architectures. Springer (2012)

    Google Scholar 

  17. Basin, D., Burri, S., Karjoth, G.: Optimal workflow-aware authorizations. In: ACM Symp. Access Control Models and Technologies, pp. 93–102 (2012)

    Google Scholar 

  18. Wang, Q., Li, N.: Satisfiability and Resiliency in Workflow Authorization Systems. ACM Trans. Inf. Syst. Secur. 13(4), 40 (2010)

    Article  Google Scholar 

  19. Lowis, L., Accorsi, R.: Vulnerability Analysis in SOA-Based Business Processes. IEEE T. Services Computing 4(3), 230–242 (2011)

    Article  Google Scholar 

  20. Lowis, L., Accorsi, R.: On a Classification Approach for SOA Vulnerabilities. In: IEEE Computer Software and Applications Conf., pp. 439–444 (2009)

    Google Scholar 

  21. Lohmann, N., Verbeek, E., Dijkman, R.M.: Petri Net Transformations for Business Processes - A Survey. T. Petri Nets and Other Models of Concurrency 2, 46–63 (2009)

    Article  Google Scholar 

  22. Lehmann, A., Lohmann, N.: Modeling Wizard for Confidential Business Processes. In: La Rosa, M., Soffer, P. (eds.) BPM Workshops 2012. LNBIP, vol. 132, pp. 675–688. Springer, Heidelberg (2013)

    Chapter  Google Scholar 

  23. Accorsi, R., Wonnemann, C., Dochow, S.: SWAT: A Security Workflow Analysis Toolkit for Reliably Secure Process-aware Information Systems. In: Conference on Availability, Reliability and Security, pp. 692–697 (2011)

    Google Scholar 

  24. Accorsi, R., Höhn, S.: Towards a Framework for Process Rewriting. In: IFIP Symposium on Data-Driven Process Discovery and Analysis (to appear, 2013)

    Google Scholar 

  25. Fdhila, W., Rinderle-Ma, S., Reichert, M.: Change propagation in collaborative processes scenarios. In: CollaborateCom 2012, pp. 452–461. IEEE (2012)

    Google Scholar 

  26. Accorsi, R., Sato, Y., Kai, S.: Compliance monitor for early warning risk determination. Wirtschaftsinformatik 50(5), 375–382 (2008)

    Article  Google Scholar 

  27. Ni, Q., Bertino, E., Lobo, J.: Risk-based access control systems built on fuzzy inferences. In: ACM ASIACCS, pp. 250–260. ACM (2010)

    Google Scholar 

  28. Brucker, A.D., Petritsch, H.: Extending access control models with break-glass. In: ACM Symp. Access Control Models and Technologies, pp. 197–206. ACM (2009)

    Google Scholar 

  29. Accorsi, R., Ullrich, M., Van der Aalst, W.M.P.: Process Mining. Informatik Spektrum 35(5), 354–359 (2012)

    Article  Google Scholar 

  30. Van der Aalst, W.M.P.: Process Mining - Discovery, Conformance and Enhancement of Business Processes. Springer (2011)

    Google Scholar 

  31. Accorsi, R., Stocker, T., Müller, G.: On the exploitation of process mining for security audits: the process discovery case. In: ACM Symp. Applied Computing, pp. 1462–1468 (2013)

    Google Scholar 

  32. Accorsi, R., Stocker, T.: Discovering Workflow Changes with Time-Based Trace Clustering. In: Aberer, K., Damiani, E., Dillon, T. (eds.) SIMPDA 2011. LNBIP, vol. 116, pp. 154–168. Springer, Heidelberg (2012)

    Chapter  Google Scholar 

  33. Accorsi, R., Wonnemann, C.: Auditing Workflow Executions against Dataflow Policies. In: Abramowicz, W., Tolksdorf, R. (eds.) BIS 2010. LNBIP, vol. 47, pp. 207–217. Springer, Heidelberg (2010)

    Chapter  Google Scholar 

  34. Accorsi, R., Wonnemann, C.: Detective Information Flow Analysis for Business Processes. In: Business Process and Services Computing, pp. 223–224. GI (2009)

    Google Scholar 

  35. Accorsi, R., Stocker, T.: On the exploitation of process mining for security audits: the conformance checking case. In: ACM Symp. Applied Computing, pp. 1709–1716. ACM (2012)

    Google Scholar 

  36. Accorsi, R.: Automated Privacy Audits to Complement the Notion of Control for Identity Management. In: Conference on Identity Management, pp. 39–48 (2007)

    Google Scholar 

  37. Accorsi, R., Stocker, T.: Automated Privacy Audits Based on Pruning of Log Data. In: Enterprise Distributed Object Computing Conference, pp. 175–182 (2008)

    Google Scholar 

  38. DoD, Trusted computer security evaluation criteria (1983), Website: http://csrc.nist.gov/publications/histroy/dod85.pdf

  39. ISO/IEC, ISO/IEC Information Security Management System 27001 (2005), Website: http://www.27000.org/iso-27001.htm

  40. Gallegos, F., Senft, S.: Information Technology Control and Audit. Auerbach Publications (2004)

    Google Scholar 

  41. Ristenpart, T., Tromer, E., Shacham, H., Savage, S.: Hey, you, get off of my cloud: Exploring information leakage in third-party compute clouds. In: ACM Conference on Computer and Communications Security, pp. 199–212. ACM (2009)

    Google Scholar 

  42. Pearce, M., Zeadally, S., Hunt, R.: Virtualization: Issues, security threats, and solutions. ACM Comput. Surv. 45(2), 17:1–17:39 (2013)

    Google Scholar 

  43. Chen, S., Wang, R., Wang, X., Zhang, K.: Side-channel leaks in web applications: A reality today, a challenge tomorrow. In: IEEE Symposium on Security and Privacy, pp. 191–206. IEEE (2010)

    Google Scholar 

  44. Subashini, S., Kavitha, V.: A survey on security issues in service delivery models of cloud computing. J. Network and Computer Applications 34(1), 1–11 (2011)

    Article  Google Scholar 

  45. Shabtai, A., Elovici, Y., Rokach, L.: A survey of data leakage detection and prevention solutions. Springer (2012)

    Google Scholar 

  46. Busi, N., Gorrieri, R.: Structural non-interference in elementary and trace nets. Mathematical Structures in Computer Science 19(6), 1065–1090 (2009)

    Article  MathSciNet  MATH  Google Scholar 

  47. Accorsi, R., Lehmann, A.: Automatic Information Flow Analysis of Business Process Models. In: Barros, A., Gal, A., Kindler, E. (eds.) BPM 2012. LNCS, vol. 7481, pp. 172–187. Springer, Heidelberg (2012)

    Chapter  Google Scholar 

  48. Accorsi, R., Wonnemann, C.: Forensic Leak Detection for Business Process Models. In: Peterson, G., Shenoi, S. (eds.) Advances in Digital Forensics VII. IFIP AICT, vol. 361, pp. 101–103. Springer, Heidelberg (2011)

    Chapter  Google Scholar 

  49. Accorsi, R., Wonnemann, C.: Static Information Flow Analysis of Workflow Models. ISSS/BPSC 2010: 194-205 (2010)

    Google Scholar 

  50. Accorsi, R., Wonnemann, C.: InDico: Information Flow Analysis of Business Processes for Confidentiality Requirements. In: ERCIM Workshop on Security and Trust Management, pp. 194–209 (2010)

    Google Scholar 

  51. Houy, C., Fettke, P., Loos, P., Van der Aalst, W.M.P., Krogstie, J.: Business Process Management in the Large. Business & Information Systems Engineering 3(6), 385–388 (2011)

    Article  Google Scholar 

  52. Khoury, R., Tawbi, N.: Corrective Enforcement: A New Paradigm of Security Policy Enforcement by Monitors. ACM Trans. Inf. Syst. Secur. 15(2), 10 (2012)

    Article  Google Scholar 

  53. Accorsi, R.: Business Process as a Service: Chances for Remote Auditing. In: IEEE International Computer Software and Applications Conference, pp. 398–403 (2011)

    Google Scholar 

  54. Stocker, T., Accorsi, R.: Security-aware Synthesis of Process Event logs. In: Workshop on Enterprise Modelling and Information Systems Architectures (to appear, 2013)

    Google Scholar 

  55. Koslowski, T.G., Zimmermann, C.: A Detective Approach to Process-centered Information Infrastructure Resilience. In: ERCIM Workshop on Security and Trust Management (to appear, 2013)

    Google Scholar 

  56. Accorsi, R.: Sicherheit im Prozessmanagement. Zeitschrift für Datenrecht und Informationssicherheit (to appear)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Department of Telematics, University of Freiburg, Germany

    Günter Müller & Rafael Accorsi

Authors
  1. Günter Müller
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Rafael Accorsi
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Technische Universität Darmstadt & CASED, Mornewegstraße 30, 64293, Darmstadt, Germany

    Marc Fischlin

  2. Technische Universität Darmstadt & CASED, Mornewegstraße 32, 64293, Darmstadt, Germany

    Stefan Katzenbeisser

Rights and permissions

Reprints and permissions

Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

About this chapter

Cite this chapter

Müller, G., Accorsi, R. (2013). Why Are Business Processes Not Secure?. In: Fischlin, M., Katzenbeisser, S. (eds) Number Theory and Cryptography. Lecture Notes in Computer Science, vol 8260. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-42001-6_17

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-42001-6_17

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-42000-9

  • Online ISBN: 978-3-642-42001-6

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation