Abstract
Information security policies play an important role in achieving information security. Confidentiality, Integrity, and Availability are classic information security goals attained by enforcing appropriate security policies. Workflow Management Systems (WfMSs) also benefit from inclusion of these policies to maintain the security of business-critical data. However, in typical WfMSs these policies are designed to enforce the organisation’s security requirements but do not consider those of other stakeholders. Privacy is an important security requirement that concerns the subject of data held by an organisation. WfMSs often process sensitive data about individuals and institutions who demand that their data is properly protected, but WfMSs fail to recognise and enforce privacy policies. In this paper, we illustrate existing WfMS privacy weaknesses and introduce WfMS extensions required to enforce data privacy. We have implemented these extensions in the YAWL system and present a case scenario to demonstrate how it can enforce a subject’s privacy policy.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Enhydra Shark: Open source workflow, http://shark.ow2.org/doc/1.1/index.html (accessed August 20, 2009)
jBPM user guide, http://docs.jboss.com/jbpm/v4.0/userguide (accessed August 20, 2009)
ruote: Open source Ruby workflow engine, http://openwferu.rubyforge.org/documentation.html (accessed August 20, 2009)
TIBCO BPM resource center, http://www.tibco.com/solutions/bpm/default.jsp (accessed August 28, 2009)
Alhaqbani, B., Fidge, C.J.: Access Control Requirements for Processing Electronic Health Records. In: ter Hofstede, A.H.M., Benatallah, B., Paik, H.-Y. (eds.) BPM Workshops 2007. LNCS, vol. 4928, pp. 371–382. Springer, Heidelberg (2008)
Anderson, A.H.: A comparison of two privacy policy languages: EPAL and XACML. In: Proceedings of the 3rd ACM Workshop on Secure Web Services, Alexandria, USA, November 3, pp. 53–60. ACM Press, New York (2006)
Atluri, V., Warner, J.: Security for workflow systems. In: Gertz, M., Jajodia, S. (eds.) Handbook of Database Security: Application and Trends, pp. 213–230. Springer (2008)
Bertino, E., Buccafurri, F., Rullo, P.: An Authorization Model and Its Formal Semantics. In: Quisquater, J.-J., Deswarte, Y., Meadows, C., Gollmann, D. (eds.) ESORICS 1998. LNCS, vol. 1485, pp. 127–142. Springer, Heidelberg (1998)
Bertino, E., Ferrari, E., Alturi, V.: The specification and enforcement of authorization constraints in workflow management systems. ACM Transactions on Information and System Security 2(3), 65–104 (1999)
Cao, J., Chen, J., Zhao, H., Li, M.: A policy-based authorization model for workflow-enabled dynamic process management. Journal of Network and Computer Applications 32(2), 412–422 (2009)
Casati, F., Casanto, S., Fugini, M.: Managing workflow authorization constraints through active database technology. Information Systems Frontiers 3(3), 319–338 (2001)
Chhanabhai, P., Holt, A.: Consumers are ready to accept the transition to online and electronic records if they can be assured of the security measures. Medscape General Medicine 9(1), 8 (2007)
Haplin, T.: Information Modeling and Relational Databases: From Conceptual Analysis to Logical Design. Morgan Kaufmann Publishers (2001)
IBM. WebSphere business modeler, version 6.2.0, http://publib.boulder.ibm.com/infocenter/dmndhelp/v6r2mx/index.jsp?topic=/com.ibm.btools.modeler.advanced.help.doc/doc/concepts/modelelements/processdiagram.html (accessed August 25, 2009)
Jiang, H., Lu, S.: Access Control for Workflow Environment: The RTFW Model. In: Shen, W., Luo, J., Lin, Z., Barthès, J.-P.A., Hao, Q. (eds.) CSCWD. LNCS, vol. 4402, pp. 619–626. Springer, Heidelberg (2007)
Meier, E.: Medical privacy and its value for patients. Seminars in Oncology Nursing 18(2), 105–108 (2002)
Oh, S., Park, S.: Task-role-based access control model. Information Systems 28(6), 533–562 (2003)
Russell, N., ter Hofstede, A.H.M., Edmond, D., van der Aalst, W.M.P.: Workflow Data Patterns: Identification, Representation and Tool Support. In: Delcambre, L.M.L., Kop, C., Mayr, H.C., Mylopoulos, J., Pastor, Ó. (eds.) ER 2005. LNCS, vol. 3716, pp. 353–368. Springer, Heidelberg (2005)
Russell, N., van der Aalst, W.M.P., ter Hofstede, A.H.M., Edmond, D.: Workflow Resource Patterns: Identification, Representation and Tool Support. In: Pastor, Ó., Falcão e Cunha, J. (eds.) CAiSE 2005. LNCS, vol. 3520, pp. 216–232. Springer, Heidelberg (2005)
Sadan, B.: Patient data confidentiality and patient rights. International Journal of Medical Informatics 62, 41–49 (2001)
Safian, S.C.: The Complete Diagnosis Coding Book. McGraw Hill Higher Education (2009)
Sandhu, R.S., Samarati, P.: Access control: Principles and practice. IEEE Communications Magazine 32(9), 40–48 (1994)
ter Hofstede, A.H.M., van der Aalst, W.M.P., Adams, M., Russell, N. (eds.): Modern Business Process Automation: YAWL and its Support Environment. Springer, Heidelberg (2009)
Thomas, R., Sandhu, R.: Task-based authorization controls (TBAC): A family of models for active and enterprise-oriented autorization management. In: Lin, T.Y., Qian, S. (eds.) Proceedings of the IFIP TC11 WG11.3 11th International Conference on Database Security XI: Status and Prospects (DBSec 1997), Lake Tahoe, California, USA, August 10-13. IFIP, vol. 113, pp. 166–181. Chapman & Hall (1997)
Wave-Front. FLOWer 3: Designers guide (2004)
Westin, A.: Privacy and Freedom. The Bodley Head Ltd. (1970)
Wolter, C., Menzel, M., Schaad, A., Miseldine, P., Meinel, C.: Model-driven business process security requirements specification. Journal of Systems Architecture 55, 211–223 (2009)
Xu, J., Liu, C., Zhao, X.: Resource Allocation vs. Business Process Improvement: How They Impact on Each Other. In: Dumas, M., Reichert, M., Shan, M.-C. (eds.) BPM 2008. LNCS, vol. 5240, pp. 228–243. Springer, Heidelberg (2008)
Yao, L., Kong, X., Xu, Z.: A task-role based access control model with multi-constraints. In: Kim, J., et al. (eds.) Proceedings of 4th International Conference on Networked Computing and Advanced Information Management (NCM 2008), Gyeongju, Korea, September 2-4, vol. 1, pp. 137–143. IEEE (2008)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2013 Springer-Verlag Berlin Heidelberg
About this chapter
Cite this chapter
Alhaqbani, B., Adams, M., Fidge, C.J., ter Hofstede, A.H.M. (2013). Privacy-Aware Workflow Management. In: Glykas, M. (eds) Business Process Management. Studies in Computational Intelligence, vol 444. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-28409-0_5
Download citation
DOI: https://doi.org/10.1007/978-3-642-28409-0_5
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-28408-3
Online ISBN: 978-3-642-28409-0
eBook Packages: EngineeringEngineering (R0)