Skip to main content
SpringerLink
Log in

Privacy-Aware Workflow Management

  • Chapter
Business Process Management

Part of the book series: Studies in Computational Intelligence ((SCI,volume 444))

Abstract

Information security policies play an important role in achieving information security. Confidentiality, Integrity, and Availability are classic information security goals attained by enforcing appropriate security policies. Workflow Management Systems (WfMSs) also benefit from inclusion of these policies to maintain the security of business-critical data. However, in typical WfMSs these policies are designed to enforce the organisation’s security requirements but do not consider those of other stakeholders. Privacy is an important security requirement that concerns the subject of data held by an organisation. WfMSs often process sensitive data about individuals and institutions who demand that their data is properly protected, but WfMSs fail to recognise and enforce privacy policies. In this paper, we illustrate existing WfMS privacy weaknesses and introduce WfMS extensions required to enforce data privacy. We have implemented these extensions in the YAWL system and present a case scenario to demonstrate how it can enforce a subject’s privacy policy.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 129.00
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 169.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info
Hardcover Book
USD 169.99
Price excludes VAT (USA)
  • Durable hardcover edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Enhydra Shark: Open source workflow, http://shark.ow2.org/doc/1.1/index.html (accessed August 20, 2009)

  2. jBPM user guide, http://docs.jboss.com/jbpm/v4.0/userguide (accessed August 20, 2009)

  3. ruote: Open source Ruby workflow engine, http://openwferu.rubyforge.org/documentation.html (accessed August 20, 2009)

  4. TIBCO BPM resource center, http://www.tibco.com/solutions/bpm/default.jsp (accessed August 28, 2009)

  5. Alhaqbani, B., Fidge, C.J.: Access Control Requirements for Processing Electronic Health Records. In: ter Hofstede, A.H.M., Benatallah, B., Paik, H.-Y. (eds.) BPM Workshops 2007. LNCS, vol. 4928, pp. 371–382. Springer, Heidelberg (2008)

    Chapter  Google Scholar 

  6. Anderson, A.H.: A comparison of two privacy policy languages: EPAL and XACML. In: Proceedings of the 3rd ACM Workshop on Secure Web Services, Alexandria, USA, November 3, pp. 53–60. ACM Press, New York (2006)

    Chapter  Google Scholar 

  7. Atluri, V., Warner, J.: Security for workflow systems. In: Gertz, M., Jajodia, S. (eds.) Handbook of Database Security: Application and Trends, pp. 213–230. Springer (2008)

    Google Scholar 

  8. Bertino, E., Buccafurri, F., Rullo, P.: An Authorization Model and Its Formal Semantics. In: Quisquater, J.-J., Deswarte, Y., Meadows, C., Gollmann, D. (eds.) ESORICS 1998. LNCS, vol. 1485, pp. 127–142. Springer, Heidelberg (1998)

    Chapter  Google Scholar 

  9. Bertino, E., Ferrari, E., Alturi, V.: The specification and enforcement of authorization constraints in workflow management systems. ACM Transactions on Information and System Security 2(3), 65–104 (1999)

    Article  Google Scholar 

  10. Cao, J., Chen, J., Zhao, H., Li, M.: A policy-based authorization model for workflow-enabled dynamic process management. Journal of Network and Computer Applications 32(2), 412–422 (2009)

    Article  Google Scholar 

  11. Casati, F., Casanto, S., Fugini, M.: Managing workflow authorization constraints through active database technology. Information Systems Frontiers 3(3), 319–338 (2001)

    Article  Google Scholar 

  12. Chhanabhai, P., Holt, A.: Consumers are ready to accept the transition to online and electronic records if they can be assured of the security measures. Medscape General Medicine 9(1), 8 (2007)

    Google Scholar 

  13. Haplin, T.: Information Modeling and Relational Databases: From Conceptual Analysis to Logical Design. Morgan Kaufmann Publishers (2001)

    Google Scholar 

  14. IBM. WebSphere business modeler, version 6.2.0, http://publib.boulder.ibm.com/infocenter/dmndhelp/v6r2mx/index.jsp?topic=/com.ibm.btools.modeler.advanced.help.doc/doc/concepts/modelelements/processdiagram.html (accessed August 25, 2009)

  15. Jiang, H., Lu, S.: Access Control for Workflow Environment: The RTFW Model. In: Shen, W., Luo, J., Lin, Z., Barthès, J.-P.A., Hao, Q. (eds.) CSCWD. LNCS, vol. 4402, pp. 619–626. Springer, Heidelberg (2007)

    Chapter  Google Scholar 

  16. Meier, E.: Medical privacy and its value for patients. Seminars in Oncology Nursing 18(2), 105–108 (2002)

    Article  MathSciNet  Google Scholar 

  17. Oh, S., Park, S.: Task-role-based access control model. Information Systems 28(6), 533–562 (2003)

    Article  MATH  Google Scholar 

  18. Russell, N., ter Hofstede, A.H.M., Edmond, D., van der Aalst, W.M.P.: Workflow Data Patterns: Identification, Representation and Tool Support. In: Delcambre, L.M.L., Kop, C., Mayr, H.C., Mylopoulos, J., Pastor, Ó. (eds.) ER 2005. LNCS, vol. 3716, pp. 353–368. Springer, Heidelberg (2005)

    Chapter  Google Scholar 

  19. Russell, N., van der Aalst, W.M.P., ter Hofstede, A.H.M., Edmond, D.: Workflow Resource Patterns: Identification, Representation and Tool Support. In: Pastor, Ó., Falcão e Cunha, J. (eds.) CAiSE 2005. LNCS, vol. 3520, pp. 216–232. Springer, Heidelberg (2005)

    Chapter  Google Scholar 

  20. Sadan, B.: Patient data confidentiality and patient rights. International Journal of Medical Informatics 62, 41–49 (2001)

    Article  Google Scholar 

  21. Safian, S.C.: The Complete Diagnosis Coding Book. McGraw Hill Higher Education (2009)

    Google Scholar 

  22. Sandhu, R.S., Samarati, P.: Access control: Principles and practice. IEEE Communications Magazine 32(9), 40–48 (1994)

    Article  Google Scholar 

  23. ter Hofstede, A.H.M., van der Aalst, W.M.P., Adams, M., Russell, N. (eds.): Modern Business Process Automation: YAWL and its Support Environment. Springer, Heidelberg (2009)

    Google Scholar 

  24. Thomas, R., Sandhu, R.: Task-based authorization controls (TBAC): A family of models for active and enterprise-oriented autorization management. In: Lin, T.Y., Qian, S. (eds.) Proceedings of the IFIP TC11 WG11.3 11th International Conference on Database Security XI: Status and Prospects (DBSec 1997), Lake Tahoe, California, USA, August 10-13. IFIP, vol. 113, pp. 166–181. Chapman & Hall (1997)

    Google Scholar 

  25. Wave-Front. FLOWer 3: Designers guide (2004)

    Google Scholar 

  26. Westin, A.: Privacy and Freedom. The Bodley Head Ltd. (1970)

    Google Scholar 

  27. Wolter, C., Menzel, M., Schaad, A., Miseldine, P., Meinel, C.: Model-driven business process security requirements specification. Journal of Systems Architecture 55, 211–223 (2009)

    Article  Google Scholar 

  28. Xu, J., Liu, C., Zhao, X.: Resource Allocation vs. Business Process Improvement: How They Impact on Each Other. In: Dumas, M., Reichert, M., Shan, M.-C. (eds.) BPM 2008. LNCS, vol. 5240, pp. 228–243. Springer, Heidelberg (2008)

    Chapter  Google Scholar 

  29. Yao, L., Kong, X., Xu, Z.: A task-role based access control model with multi-constraints. In: Kim, J., et al. (eds.) Proceedings of 4th International Conference on Networked Computing and Advanced Information Management (NCM 2008), Gyeongju, Korea, September 2-4, vol. 1, pp. 137–143. IEEE (2008)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Queensland University of Technology, Brisbane, Australia

    Bandar Alhaqbani, Michael Adams, Colin J. Fidge & Arthur H. M. ter Hofstede

Authors
  1. Bandar Alhaqbani
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Michael Adams
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Colin J. Fidge
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Arthur H. M. ter Hofstede
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Bandar Alhaqbani .

Editor information

Editors and Affiliations

  1. , Department of Financial and Management, University of the Aegean, Fostini Street 31, Chios, 82100, Greece

    Michael Glykas

Rights and permissions

Reprints and permissions

Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

About this chapter

Cite this chapter

Alhaqbani, B., Adams, M., Fidge, C.J., ter Hofstede, A.H.M. (2013). Privacy-Aware Workflow Management. In: Glykas, M. (eds) Business Process Management. Studies in Computational Intelligence, vol 444. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-28409-0_5

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-28409-0_5

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-28408-3

  • Online ISBN: 978-3-642-28409-0

  • eBook Packages: EngineeringEngineering (R0)

Publish with us

Policies and ethics

Search

Navigation