Using SecureBPMN for Modelling Security-Aware Service Compositions

  • Achim D. Brucker
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8900)


Today, many systems are built by orchestrating existing services, custom developed services, as well as interaction with users. These orchestrations, also called composition plans, are often described using high-level modelling languages that allow for simplifying 1) the implementation of systems by using generic execution engines and 2) the adaption of deployed systems to changing business needs. Thus, composition plans play an important role for both communicating business requirements between domain experts and system experts, and serving as a basis for the system implementation.

At the same time, ICT systems need to fulfil an increasing number of security and compliance requirements. Thus, there is a demand for integrating security and compliance requirements into composition plans.

We present SecureBPMN, a language for modelling security properties that can easily be integrated into languages used for describing service orchestrations. Moreover, we integrate SecureBPMN into BPMN and, thus, present a common language for describing service orchestration (in terms of business process models) together with their security and compliance requirements.


SecureBPMN BPMN Access Control Confidentiality 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Aktug, I., Naliuka, K.: Conspec - a formal language for policy specification. Sci. Comput. Program. 74(1-2), 2–12 (2008), doi:10.1016/j.scico.2008.09.004CrossRefzbMATHMathSciNetGoogle Scholar
  2. 2.
    Altuhhova, O., Matulevicius, R., Ahmed, N.: Towards definition of secure business processes. In: Bajec, M., Eder, J. (eds.) CAiSE Workshops. LNBIP, vol. 112, pp. 1–15. Springer, Heidelberg (2012)Google Scholar
  3. 3.
    American National Standard for Information Technology – Role Based Access Control. ANSI, New York (February 2004) ANSI INCITS 359-2004Google Scholar
  4. 4.
    Basel Committee on Banking Supervision. Basel III: A global regulatory framework for more resilient banks and banking systems. Technical report, Bank for International Settlements, Basel, Switzerland (2010)Google Scholar
  5. 5.
    Basin, D., Clavel, M., Doser, J., Egea, M.: Automated analysis of security-design models. Information and Software Technology 51(5), 815–831 (2009), Special Issue on Model-Driven Development for Secure Information Systems, doi:10.1016/j.infsof.2008.05.011, ISSN 0950-5849Google Scholar
  6. 6.
    Basin, D., Burri, S.J., Karjoth, G.: Separation of duties as a service. In: Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, ASIACCS 2011, pp. 423–429. ACM Press (2011), doi:10.1145/1966913.1966972, ISBN 978-1-4503-0564-8Google Scholar
  7. 7.
    Basin, D.A., Doser, J., Lodderstedt, T.: Model driven security: From UML models to access control infrastructures. ACM Transactions on Software Engineering and Methodology 15(1), 39–91 (2006), doi:10.1145/1125808.1125810, ISSN 1049-331X.Google Scholar
  8. 8.
    Brucker, A.D.: Integrating security aspects into business process models. it - Information Technology 55(6), 239–246 (2013), doi:10.1524/itit.2013.2004, ISSN 2196-7032Google Scholar
  9. 9.
    Brucker, A.D., Doser, J.: Metamodel-based UML notations for domain-specific languages. In: Favre, J.M., Gasevic, D., Lämmel, R., Winter, A. (eds.) 4th International Workshop on Software Language Engineering, ATEM 2007 (October 2007)Google Scholar
  10. 10.
    Brucker, A.D., Hang, I.: Secure and compliant implementation of business process-driven systems. In: Rosa, M.L., Soffer, P. (eds.) Data Base Design Techniques 1978. LNBIP, vol. 132, pp. 662–674. Springer, Heidelberg (1982)CrossRefGoogle Scholar
  11. 11.
    Brucker, A.D., Petritsch, H.: Extending access control models with break-glass. In: Carminati, B., Joshi, J. (eds.) ACM SACMAT, pp. 197–206. ACM Press (2009), doi:10.1145/1542207.1542239, ISBN 978-1-60558-537-6Google Scholar
  12. 12.
    Brucker, A.D., Doser, J., Wolff, B.: A model transformation semantics and analysis methodology for secureUML. In: Wang, J., Whittle, J., Harel, D., Reggio, G. (eds.) MoDELS 2006. LNCS, vol. 4199, pp. 306–320. Springer, Heidelberg (2006), An extended version of this paper is available as ETH Technical Report, no. 524Google Scholar
  13. 13.
    Brucker, A.D., Hang, I., Lückemeyer, G., Ruparel, R.: SecureBPMN: Modeling and enforcing access control requirements in business processes. In: ACM SACMAT, pp. 123–126. ACM Press (2012), doi:10.1145/2295136.2295160, ISBN 978-1-4503-1295-0Google Scholar
  14. 14.
    Cherdantseva, Y., Hilton, J.: A reference model of information assurance amp;amp; security. In: 2013 Eighth International Conference on Availability, Reliability and Security (ARES), pp. 546–555 (September 2013), doi:10.1109/ARES.2013.72Google Scholar
  15. 15.
    HIPAA. Health Insurance Portability and Accountability Act of 1996 (1996),
  16. 16.
    Jürjens, J., Rumm, R.: Model-based security analysis of the german health card architecture. Methods Inf. Med. 47(5), 26–1270 (2008) ISSN 0026-1270Google Scholar
  17. 17.
    Lodderstedt, T., Basin, D., Doser, J.: SecureUML: A UML-based modeling language for model-driven security. In: Jézéquel, J.-M., Hussmann, H., Cook, S. (eds.) UML 2002. LNCS, vol. 2460, pp. 426–540. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  18. 18.
    Mülle, J., von Stackelberg, S., Böhm, K.: A security language for BPMN process models. Technical report, University Karlsruhe, KIT (2011),
  19. 19.
    OASIS. eXtensible Access Control Markup Language (XACML), version 2.0 (2005a),
  20. 20.
    OASIS. Web services business process execution language (BPEL), version 2.0 (April 2007), url Scholar
  21. 21.
    Object Management Group. Business process model and notation (BPMN), version 2.0 (January 2011), Available as OMG document formal/2011-01-03Google Scholar
  22. 22.
    Rodríguez, A., Fernández-Medina, E., Piattini, M.: A BPMN extension for the modeling of security requirements in business processes. IEICE - Trans. Inf. Syst. E90-D, 745–752 (2007), doi:10.1093/ietisy/e90-d.4.745, ISSN 0916-8532Google Scholar
  23. 23.
    Salnitri, M., Dalpiaz, F., Giorgini, P.: Modeling and verifying security policies in business processes. In: Bider, I., Gaaloul, K., Krogstie, J., Nurcan, S., Proper, H.A., Schmidt, R., Soffer, P. (eds.) BMMDS/EMMSAD. LNBIP, vol. 175, pp. 200–214. Springer, Heidelberg (2014)Google Scholar
  24. 24.
    Wolter, C., Schaad, A.: Modeling of task-based authorization constraints in BPMN. In: Alonso, G., Dadam, P., Rosemann, M. (eds.) BPM 2007. LNCS, vol. 4714, pp. 64–79. Springer, Heidelberg (2007)CrossRefGoogle Scholar

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Achim D. Brucker
    • 1
  1. 1.SAP SEKarlsruheGermany

Personalised recommendations