Security Requirements Specification in Process-aware Information Systems
Service-oriented Architectures deliver a flexible infrastructure to allow independently developed software components to communicate in a seamless manner. In the scope of organisational workflows, SOA provides a suitable foundation to execute business processes as an orchestration of multiple independent services. In order to secure services, requirements are usually defined on a technical level, rather than on an organisational level that would provide a comprehensive view on the participants, the assets and their relationships regarding security.
In this paper, we present a compilation of security requirements for Service-oriented Architectures and propose an approach to express these security requirements at the business process layer. An enhancement for BPMN is introduced to model these security requirements and illustrated in an example process that is deployed on a cross-organisational SOA infrastructure. Our aim is to facilitate the generation of security configurations on a technical level based on the modelled requirements. For this purpose, we foster a model-driven approach that is described as a suitable approach for future development.
Keywords: Business Process, Security Requirement, Security Protocol, Business Process Model, Security Goal