Published by De Gruyter Oldenbourg December 19, 2013

Business Process Security Analysis – Design Time, Run Time, Audit Time

Security Analyses for Business Processes – Points in Time and Possibilities
  • Frank Böhr

    Dr. Frank Böhr studied applied computer science at TU Kaiserslautern, worked at Fraunhofer IESE and graduated with a scholarship from the "Klaus Tschira Graduate School on the Architecture of Highly Reliable Software Systems". Currently he is a lecturer at the Albert-Ludwig-University Freiburg. His research interests are privacy, security, business processes and testing.

    Institute of Computer Science and Social Studies, Friedrichstr. 50, 79098 Freiburg im Breisgau, Germany, Tel.: +49-(0)761-203-4928, Fax: +49-(0)761-203-4929

  • Linh Thao Ly

    Linh Thao Ly works at AristaFlow GmbH, a company providing innovative business process management and workflow software and services. AristaFlow was founded in 2008 as a spin-off of a homonymous research project on adaptive workflow technologies. Linh Thao Ly obtained a diploma in computer science from the University of Ulm, where she recently defended her doctoral thesis on business process compliance.

    AristaFlow GmbH, Marlene-Dietrich-Str. 5, 89231 Neu-Ulm, Germany, Tel.: +49-(0)731-98588-600, Fax: +49-(0)731-98588-511

  • Günter Müller

    Prof. Dr. Dr. h.c. Günter Müller received his education in Mannheim, Duisburg and Vienna. He got his PhD in semantics of information structures and worked as a post-doc with IBM in Almaden. In Germany he helped to define the OSI model and was the director of the IBM Networking Research Center. The issue of security and privacy in the internet age made him accept an offer at the University of Freiburg. He is a consultant on security to companies and administrative bodies.

    Institute of Computer Science and Social Studies, Friedrichstr. 50, 79098 Freiburg im Breisgau, Germany, Tel.: +49-(0)761-203-4964, Fax: +49-(0)761-203-4929

Abstract

This paper reports on approaches and tool support for security and compliance analysis of executable business processes, so-called workflows, employed in the GESINE project. Focusing on the business layer and the corresponding workflow entities along the business process management lifecycle (i.e., workflow model, instance and event log), the techniques reported on in this paper cover design-time, run-time and audit-time analysis. Their goal is to verify adherence to security requirements, such as the four-eyes principle and separation and binding of duties. Altogether, the complementary techniques described in this paper enable a holistic approach to ensuring the security of workflows.

Summary

This article presents approaches and tools for the security analysis of executable business processes, so-called workflows, that are investigated and employed in the GESINE project. A particular focus is placed on the business layer and the workflow artifacts associated with it along the BPM lifecycle (i.e., model, instance and event logs). The techniques presented here cover design-time, run-time and log-based analyses. The goal is to demonstrate adherence to security-related requirements on workflows, such as the four-eyes principle. It is shown that the presented techniques are complementary to one another and that their combined use therefore leads to a more holistic view of security requirements at the workflow level.

Received: 2013-7-26
Published Online: 2013-12-19
Published in Print: 2013-12-1

© 2013 by Walter de Gruyter Berlin Boston

Downloaded on 26.4.2024 from https://www.degruyter.com/document/doi/10.1524/itit.2013.2001/html