Abstract
Security is simple to understand but hard to ensure. In the age of the Internet, this task has been becoming harder every day. To date, computer science has not solved how to prevent the misuse of business processes. While data objects can be protected, a process cannot. The reason is that the security of a process depends not only on its individual accesses and can only be assessed upon the process’ termination or when cast into the context of other processes. Many unbelievable scandals encompassing sophisticated and powerful players, from Microsoft to Sony and credit card operators, from leakages in governments to cyber crime and war attacks, could not be prevented despite heavy investment in security. The claim here is that the way in which computer science deals with security does not apply to processes. The key discipline in security is “cryptography”, where the “laureate” Prof. Buchmann got his distinction from. This paper is about how cryptography can be applied as a basis to automate security and give participants in a market an equal position and prevent fraud. To complicate the issue, the goal is security in business processes. The reason is obvious. If one makes mistakes or vulnerabilities are left uncovered, huge fraud incidents might happen, the stockowners rebel, the government complains and employees are, in the worst case, deprived of their pension. This is a real, sensitive issue, with unclear solutions, ambivalent in nature, but rigorous in punishment. The issue is not just to protect, but also to deter “bad things”, such as criminal intents. The option to judge people’s intentions is not an option for mankind; it is not an option though for computer science. We need to automate security and establish procedures that, upon the event of misuse, ascertain accountability.
The main goal and challenge of security in business processes is, on one hand, to provide well-founded guarantees regarding the adherence to security, privacy and regulatory compliance requirements and, on the other hand, to integrate the corresponding mechanisms into the business process management lifecycle. This paper introduces this research area, its current status and upcoming practical challenges.
Copyright information
© 2013 Springer-Verlag Berlin Heidelberg
About this chapter
Cite this chapter
Müller, G., Accorsi, R. (2013). Why Are Business Processes Not Secure?. In: Fischlin, M., Katzenbeisser, S. (eds) Number Theory and Cryptography. Lecture Notes in Computer Science, vol 8260. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-42001-6_17
DOI: https://doi.org/10.1007/978-3-642-42001-6_17
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-42000-9
Online ISBN: 978-3-642-42001-6
eBook Packages: Computer Science, Computer Science (R0)