Abstract
A workflow is resilient when the unavailability of some users does not force a choice between violating the security policy and terminating the workflow early. Although checking the resiliency of a workflow is a well-studied problem, existing solutions usually give only a binary answer, leaving a workflow designer with little help when the workflow is not resilient. We propose in this paper to provide instead a measure of quantitative resiliency, indicating how likely a workflow is to terminate for a given security policy and a given user availability model. We define this notion by encoding the resiliency problem as a decision problem, reducing the search for an optimal user-task assignment to that of solving a Markov Decision Process. We illustrate the flexibility of our encoding by considering different measures of resiliency, and we analyse them empirically, showing the existence of a trade-off between multiple aspects such as success rate, expected termination step and computation time, thus providing a toolbox that could help a workflow designer to improve or fix a workflow.
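A simplified sketch of the idea in the abstract, added here as an example and not the paper's own encoding: the success-rate measure is computed as the value of a small finite-horizon decision process solved by backward induction. The assumptions are mine: tasks run in a fixed order, each user is independently available at each step with a fixed probability, the policy consists of per-task authorizations plus separation-of-duty pairs, and all names and sample values are constructed.

```python
from functools import lru_cache
from itertools import product

def resiliency(tasks, auth, avail, sod):
    """Maximum probability that every task runs without violating the policy.

    tasks: ordered task names; auth: task -> set of authorized users;
    avail: user -> probability of being available at a step (assumed independent);
    sod:   set of frozenset({t1, t2}) pairs that must be done by different users.
    """
    users = sorted(avail)

    def allowed(i, user, done):
        # Authorization check, then separation of duty against earlier tasks.
        if user not in auth[tasks[i]]:
            return False
        return all(done[j] != user for j in range(i)
                   if frozenset((tasks[j], tasks[i])) in sod)

    @lru_cache(maxsize=None)
    def value(i, done):
        # State = (next task index, users assigned so far).
        if i == len(tasks):
            return 1.0  # workflow terminated successfully
        total = 0.0
        # Enumerate every availability outcome for this step.
        for mask in product((False, True), repeat=len(users)):
            p = 1.0
            for u, up in zip(users, mask):
                p *= avail[u] if up else 1.0 - avail[u]
            # Best action: the available, permitted user with the best future.
            options = [value(i + 1, done + (u,))
                       for u, up in zip(users, mask) if up and allowed(i, u, done)]
            total += p * max(options, default=0.0)  # no option: early termination
        return total

    return value(0, ())

# Constructed sample workflow: two tasks under one separation-of-duty constraint.
TASKS = ("prepare", "approve")
AUTH = {"prepare": {"alice", "bob"}, "approve": {"bob", "carol"}}
AVAIL = {"alice": 0.9, "bob": 0.8, "carol": 0.5}
SOD = {frozenset(("prepare", "approve"))}

if __name__ == "__main__":
    print(f"with SoD:    {resiliency(TASKS, AUTH, AVAIL, SOD):.3f}")
    print(f"without SoD: {resiliency(TASKS, AUTH, AVAIL, set()):.3f}")
```

On the sample, the optimal assignment gives "prepare" to alice whenever she is available, because using bob there leaves only carol for "approve"; the gap between the two printed values is what the constraint costs in resiliency.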
Copyright information
© 2014 Springer International Publishing Switzerland
About this paper
Cite this paper
Mace, J.C., Morisset, C., van Moorsel, A. (2014). Quantitative Workflow Resiliency. In: Kutyłowski, M., Vaidya, J. (eds) Computer Security - ESORICS 2014. ESORICS 2014. Lecture Notes in Computer Science, vol 8712. Springer, Cham. https://doi.org/10.1007/978-3-319-11203-9_20
DOI: https://doi.org/10.1007/978-3-319-11203-9_20
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-11202-2
Online ISBN: 978-3-319-11203-9
eBook Packages: Computer Science, Computer Science (R0)