Security Requirements Specification in Process-aware Information Systems

Chapter in: ISSE 2009 Securing Electronic Business Processes

Abstract

Service-oriented Architectures deliver a flexible infrastructure to allow independently developed software components to communicate in a seamless manner. In the scope of organisational workflows, SOA provides a suitable foundation to execute business processes as an orchestration of multiple independent services. In order to secure services, requirements are usually defined on a technical level, rather than on an organisational level that would provide a comprehensive view on the participants, the assets and their relationships regarding security.

In this paper, we present a compilation of security requirements for Service-oriented Architectures and propose an approach to express these security requirements at the business process layer. An enhancement for BPMN is introduced to model these security requirements and illustrated in an example process that is deployed on a cross-organisational SOA infrastructure. Our aim is to facilitate the generation of security configurations on a technical level based on the modelled requirements. For this purpose, we foster a model-driven approach that is described as a suitable approach for future development.

Editor information

Norbert Pohlmann Helmut Reimer Wolfgang Schneider

Copyright information

© 2010 Vieweg+Teubner | GWV Fachverlage GmbH

About this chapter

Cite this chapter

Menzel, M., Thomas, I., Schüler, B., Schnjakin, M., Meinel, C. (2010). Security Requirements Specification in Process-aware Information Systems. In: Pohlmann, N., Reimer, H., Schneider, W. (eds) ISSE 2009 Securing Electronic Business Processes. Vieweg+Teubner. https://doi.org/10.1007/978-3-8348-9363-5_14

  • DOI: https://doi.org/10.1007/978-3-8348-9363-5_14

  • Publisher Name: Vieweg+Teubner

  • Print ISBN: 978-3-8348-0958-2

  • Online ISBN: 978-3-8348-9363-5

  • eBook Packages: Computer Science (R0)