Abstract
Modern information systems are large-sized and comprise multiple heterogeneous and autonomous components. Autonomy enables decentralization, but it also implies that components providers are free to change, retire, or introduce new components. This is a threat to security, and calls for a continuous verification process to ensure compliance with security policies. Existing verification frameworks either have limited expressiveness—thereby inhibiting the specification of real-world requirements—, or rely on formal languages that are hardly employable for modeling and verifying large systems. In this paper, we overcome the limitations of existing approaches by proposing a framework that enables: (1) specifying information systems in SecBPMN, a security-oriented extension of BPMN; (2) expressing security policies through SecBPMN-Q, a query language for representing security policies; and (3) verifying SecBPMN-Q against SecBPMN specifications via an implemented query engine. We report on the applicability of our approach via a case study about air traffic management.
Keywords
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
An introduction to the business model for information security. Technical report, ISACA (2009), http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/An-Introduction-to-the-Business-Model-for-Information-Security.aspx
Federal Aviation Administration. SWIM ATM case study, http://www.faa.gov/about/office_org/headquarters_offices/ato/service_units/techops/atc_comms_services/swim/ (last visited March 2014)
Awad, A.: BPMN-Q: A language to query business processes. In: EMISA, St. Goar, Germany. LNI, vol. P-119, pp. 115–128. GI (2007)
Awad, A.: A compliance management framework for business process models. PhD thesis (2010)
Beeri, C., Eyal, A., Kamenkovich, S., Milo, T.: Querying business processes with BP-QL. Information Systems 33(6), 477–507 (2008)
Brucker, A.D., Hang, I., Lückemeyer, G., Ruparel, R.: SecureBPMN: Modeling and Enforcing Access Control Requirements in Business Processes. In: Proc. of SACMAT 2012, pp. 123–126 (2012)
Cherdantseva, Y., Hilton, J.: A reference model of information assurance and security. In: Eighth International Conference on ARES, pp. 546–555 (September 2013)
Deutch, D., Milo, T.: Querying structural and behavioral properties of business processes. In: Arenas, M., Schwartzbach, M.I. (eds.) DBPL 2007. LNCS, vol. 4797, pp. 169–185. Springer, Heidelberg (2007)
Ferraiolo, D.F., Cugini, J.A., Richard Kuhn, D.R.: Role-based access control (rbac): Features and motivations (1995)
Firesmith, D.: Specifying reusable security requirements. JOT 3(1), 61–75 (2004)
Ghose, A., Koliadis, G.: Auditing business process compliance. In: Krämer, B.J., Lin, K.-J., Narasimhan, P. (eds.) ICSOC 2007. LNCS, vol. 4749, pp. 169–180. Springer, Heidelberg (2007)
Josang, A., Ismail, R., Boyd, C.: A survey of trust and reputation systems for online service provision. Decision Support Systems 43(2), 618–644 (2007)
Jürjens, J.: Umlsec: Extending uml for secure systems development. In: Jézéquel, J.-M., Hussmann, H., Cook, S. (eds.) UML 2002. LNCS, vol. 2460, pp. 412–425. Springer, Heidelberg (2002)
Leitner, M., Miller, M., Rinderle-Ma, S.: An analysis and evaluation of security aspects in the business process model and notation. In: Proc. of ARES, pp. 262–267 (2013)
Leitner, M., Rinderle-Ma, S.: A systematic review on security in process-aware information systems - constitution, challenges, and future directions. Inf. Softw. Technol. 56(3), 273–293 (2014)
Leitner, M., Schefer-Wenzl, S., Rinderle-Ma, S., Strembeck, M.: An experimental study on the design and modeling of security concepts in business processes. In: Proc. of PoEM, pp. 236–250 (2013)
Liu, Y., Müller, S., Xu, K.: A static compliance-checking framework for business process models. IBM Syst. J. 46(2), 335–361 (2007)
McCumber, J.: Information systems security: A comprehensive model. In: Proceeding of the 14th National Computer Security Conference, NIST Baltimore, MD (1991)
Menzel, M., Thomas, I., Meinel, C.: Security requirements specification in serviceoriented business process management. In: Proc of ARES 2009, pp. 41–48 (2009)
Monakova, G., Brucker, A.D., Schaad, A.: Security and safety of assets in business processes. In: Applied Computing, vol. 27, pp. 1667–1673. ACM, USA (2012)
Moody, D.: The physics of notations: Toward a scientific basis for constructing visual notations in software engineering. IEEE Trans. Softw. Eng. 35, 756–779 (2009)
OASIS. Web Services Business Process Execution Language, http://docs.oasis-open.org/wsbpel/2.0/wsbpel-v2.0.html (April 2007)
O.: BPMN 2.0, http://www.omg.org/spec/BPMN/2.0 (January 2011)
Parker, D.: Our excessively simplistic information security model and how to fix it. ISSA Journal, 12–21 (2010)
Parker, D.B.: Fighting computer crime - a new framework for protecting information. Wiley (1998)
Rodríguez, A., Fernández-Medina, E., Piattini, M.: A BPMN extension for the modeling of security requirements in business processes. IEICE Trans. on Information and Systems 90(4), 745–752 (2007)
Rushby, J.: Using model checking to help discover mode confusions and other automation surprises. Reliability Engineering and System Safety 75, 167–177 (2002)
Sadiq, W., Governatori, G., Namiri, K.: Modeling control objectives for business process compliance. In: Alonso, G., Dadam, P., Rosemann, M. (eds.) BPM 2007. LNCS, vol. 4714, pp. 149–164. Springer, Heidelberg (2007)
Saleem, M., Jaafar, J., Hassan, M.: A domain- specific language for modelling security objectives in a business process models of soa applications. AISS 4(1), 353–362 (2012)
Salnitri, M., Dalpiaz, F., Giorgini, P.: Aligning service-oriented architectures with security requirements. In: Meersman, R., et al. (eds.) OTM 2012, Part I. LNCS, vol. 7565, pp. 232–249. Springer, Heidelberg (2012)
Samarati, P., di Vimercati, S.C.: Access control: Policies, models, and mechanisms. In: Focardi, R., Gorrieri, R. (eds.) FOSAD 2000. LNCS, vol. 2171, pp. 137–196. Springer, Heidelberg (2001)
Schmidt, R., Bartsch, C., Oberhauser, R.: Ontology-based representation of compliance requirements for service processes. In: Proc. of CEUR 2007 (2007)
Sommerville, I., Cliff, D., Calinescu, R., Keen, J., Kelly, T., Kwiatkowska, M., Mcdermid, J., Paige, R.: Large-scale complex it systems. Commun. ACM 55(7), 71–77 (2012)
Wolter, C., Menzel, M., Schaad, A., Miseldine, P., Meinel, C.: Model-driven business process security requirement specification. JSA 55(4), 211–223 (2009)
Yip, F., Wong, A.K.Y., Parameswaran, N., Ray, P.: Rules and ontology in compliance management. In: In Proc. of EDOC, pp. 435–435 (2007)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2014 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Salnitri, M., Dalpiaz, F., Giorgini, P. (2014). Modeling and Verifying Security Policies in Business Processes. In: Bider, I., et al. Enterprise, Business-Process and Information Systems Modeling. BPMDS EMMSAD 2014 2014. Lecture Notes in Business Information Processing, vol 175. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-43745-2_14
Download citation
DOI: https://doi.org/10.1007/978-3-662-43745-2_14
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-43744-5
Online ISBN: 978-3-662-43745-2
eBook Packages: Computer ScienceComputer Science (R0)