Security Requirements Specification in Process-aware Information Systems

  • Michael Menzel
  • Ivonne Thomas
  • Benjamin Schüler
  • Maxim Schnjakin
  • Christoph Meinel


Service-oriented Architectures (SOA) deliver a flexible infrastructure that allows independently developed software components to communicate seamlessly. In the scope of organisational workflows, SOA provides a suitable foundation for executing business processes as an orchestration of multiple independent services. To secure such services, requirements are usually defined on a technical level rather than on an organisational level, although only the latter provides a comprehensive view of the participants, the assets, and their security-relevant relationships.

In this paper, we present a compilation of security requirements for Service-oriented Architectures and propose an approach to express these requirements at the business process layer. An extension to BPMN is introduced to model these security requirements; it is illustrated with an example process deployed on a cross-organisational SOA infrastructure. Our aim is to facilitate the generation of technical security configurations from the modelled requirements. For this purpose, we advocate a model-driven approach, which we describe as a suitable direction for future development.
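To make the model-driven step concrete, the following script is an added example (not code or notation from the paper): it takes a small cross-organisational process whose message flows are annotated with organisational security goals and generates the technical settings each participant's service and client would need. The goal vocabulary, the implication rule (non-repudiation implies integrity and authentication), the mapping table to technical settings, and the Customer/Retailer/Bank sample process are all assumptions made for illustration.

```python
"""Illustrative generation of technical security configuration from security goals
annotated on message flows of a cross-organisational process model.

Added example: the goal vocabulary, implication rules, mapping table and sample
process are assumptions for this script, not the paper's BPMN extension or tooling.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List

# Security goals this generator understands (assumed vocabulary).
KNOWN_GOALS = frozenset({"confidentiality", "integrity", "authentication", "non-repudiation"})

# A goal may imply others: a non-repudiable message must be integrity-protected
# and attributable to an authenticated sender (assumed rule).
IMPLIED_GOALS = {"non-repudiation": frozenset({"integrity", "authentication"})}

# Assumed mapping from an organisational goal to technical settings on the
# receiving service ("inbound") and on the sending client ("outbound").
GOAL_TO_SETTINGS = {
    "confidentiality": {"inbound": {"require_encrypted_body": True, "transport": "tls"},
                        "outbound": {"encrypt_body": True, "transport": "tls"}},
    "integrity": {"inbound": {"require_signed_body": True},
                  "outbound": {"sign_body": True}},
    "authentication": {"inbound": {"require_token": "x509"},
                       "outbound": {"attach_token": "x509"}},
    "non-repudiation": {"inbound": {"archive_signed_message": True},
                        "outbound": {"sign_body": True}},
}


@dataclass(frozen=True)
class MessageFlow:
    name: str
    sender: str               # pool (organisation) emitting the message
    receiver: str             # pool (organisation) consuming the message
    goals: FrozenSet[str]     # security goals modelled on the flow


def expand_goals(goals: Iterable[str]) -> FrozenSet[str]:
    """Close the goal set under IMPLIED_GOALS and reject goals the generator
    does not know, so a typo in the model fails loudly instead of producing
    a silently weaker configuration."""
    closed = set(goals)
    changed = True
    while changed:
        changed = False
        for goal in list(closed):
            extra = IMPLIED_GOALS.get(goal, frozenset()) - closed
            if extra:
                closed |= extra
                changed = True
    unknown = closed - KNOWN_GOALS
    if unknown:
        raise ValueError(f"unknown security goal(s): {sorted(unknown)}")
    return frozenset(closed)


def generate_configuration(flows: Iterable[MessageFlow]) -> Dict[str, Dict[str, dict]]:
    """Map every annotated flow to technical settings and aggregate them per
    participant. Settings from several flows touching the same participant are
    merged; a conflicting value for the same key (e.g. two flows demanding
    different token types) is reported rather than overwritten."""
    config: Dict[str, Dict[str, dict]] = {}
    for flow in flows:
        for goal in sorted(expand_goals(flow.goals)):
            for side, party in (("inbound", flow.receiver), ("outbound", flow.sender)):
                target = config.setdefault(party, {"inbound": {}, "outbound": {}})[side]
                for key, value in GOAL_TO_SETTINGS[goal][side].items():
                    if key in target and target[key] != value:
                        raise ValueError(
                            f"{party}/{side}: conflicting values for {key!r} on flow {flow.name!r}")
                    target[key] = value
    return config


# Constructed sample process: three organisations, three annotated message flows.
SAMPLE_FLOWS: List[MessageFlow] = [
    MessageFlow("order", "Customer", "Retailer",
                frozenset({"confidentiality", "authentication"})),
    MessageFlow("payment request", "Retailer", "Bank",
                frozenset({"non-repudiation", "confidentiality"})),
    MessageFlow("payment confirmation", "Bank", "Retailer",
                frozenset({"integrity"})),
]

if __name__ == "__main__":
    for party, sides in generate_configuration(SAMPLE_FLOWS).items():
        print(party, sides)
```

Running the script prints one line per participant; the Bank, which receives the non-repudiable payment request, ends up requiring an encrypted, signed body with an X.509 token and archiving the signed message, although the modeller annotated only two goals on that flow. The per-participant aggregation is where a cross-organisational deployment differs from a single-service view: each organisation only sees the settings derived from the flows it takes part in.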


Keywords: Business Process, Security Requirement, Security Protocol, Business Process Model, Security Goal



Copyright information

© Vieweg+Teubner | GWV Fachverlage GmbH 2010
