Modeling Support for Confidentiality and Integrity of Object Flows in Activity Models

  • Bernhard Hoisl
  • Mark Strembeck
Part of the Lecture Notes in Business Information Processing book series (LNBIP, volume 87)

Abstract

While the demand for an integrated modeling support of business processes and corresponding security properties has been repeatedly identified in research and practice, standard modeling languages do not provide native language constructs to model process-related security properties. In this paper, we are especially concerned with confidentiality and integrity of object flows. In particular, we present an UML extension called SecureObjectFlows to model confidentiality and integrity of object flows in activity models. Moreover, we discuss the semantics of secure object flows with respect to control nodes and provide a formal definition of the corresponding semantics via the Object Constraint Language (OCL).

Keywords

Activity Models Modeling Security Properties Process Modeling UML 

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Damianides, M.: How does SOX change IT? Journal of Corporate Accounting & Finance 15(6) (2004)Google Scholar
  2. 2.
    Mishra, S., Weistroffer, H.R.: A Framework for Integrating Sarbanes-Oxley Compliance into the Systems Development Process. Communications of the Association for Information Systems (CAIS) 20(1) (2007)Google Scholar
  3. 3.
    National Institute of Standards and Technology: An Introduction to Computer Security: The NIST Handbook. Special Publication 800-12 (1995), http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf
  4. 4.
    National Institute of Standards and Technology: Recommended Security Controls for Federal Information Systems and Organizations. NIST Special Publication 800-53, Revision 3 (2009), http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf
  5. 5.
    Botha, R.A., Eloff, J.H.P.: Separation of Duties for Access Control Enforcement in Workflow Environments. IBM Systems Journal 40(3) (2001)Google Scholar
  6. 6.
    Wainer, J., Barthelmes, P., Kumar, A.: W-RBAC - A Workflow Security Model Incorporating Controlled Overriding of Constraints. International Journal of Cooperative Information Systems (IJCIS) 12(4) (December 2003)Google Scholar
  7. 7.
    Object Management Group: Business Process Model and Notation (BPMN) - Version 2.0 - Beta 2 (2010), http://www.omg.org/spec/BPMN/2.0/Beta2/PDF
  8. 8.
    Object Management Group: OMG Unified Modeling Language (OMG UML), Superstructure - Version 2.3 (2010), http://www.omg.org/spec/UML/2.3/Superstructure/PDF/
  9. 9.
    Axenath, B., Kindler, E., Rubin, V.: AMFIBIA: A Meta-Model for the Integration of Business Process Modelling Aspects. In: Leymann, F., Reisig, W., Thatte, S.R., van der Aalst, W. (eds.) The Role of Business Processes in Service Oriented Architectures. Dagstuhl Seminar Proceedings, vol. 06291 (2006)Google Scholar
  10. 10.
    Zdun, U.: Patterns of Component and Language Integration. In: Manolescu, D., Voelter, M., Noble, J. (eds.) Pattern Languages of Program Design 5 (2006)Google Scholar
  11. 11.
    Object Management Group: Object Constraint Language - Version 2.2 (2010), http://www.omg.org/spec/OCL/2.2/PDF
  12. 12.
    Committee on National Security Systems: National Information Assurance (IA) - Glossary (2010), http://www.cnss.gov/Assets/pdf/cnssi_4009.pdf
  13. 13.
    National Security Agency: Information Assurance Technical Framework (2000), http://handle.dtic.mil/100.2/ADA393328
  14. 14.
    Sandhu, R.S.: On Five Definitions of Data Integrity. In: Proceedings of the IFIP WG11.3 Working Conference on Database Security VII (1993)Google Scholar
  15. 15.
    Jensen, M., Feja, S.: A Security Modeling Approach for Web-Service-based Business Processes. In: 2009 16th Annual IEEE International Conference and Workshop on the Engineering of Computer Based Systems, pp. 340–347. IEEE, Los Alamitos (2009)CrossRefGoogle Scholar
  16. 16.
    Jürjens, J.: Secure Systems Development with UML. Springer, Heidelberg (2005)Google Scholar
  17. 17.
    Basin, D., Doser, J., Lodderstedt, T.: Model Driven Security: From UML Models to Access Control Infrastructures. ACM Transactions on Software Engineering and Methodology (TOSEM) 15(1) (January 2006)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Bernhard Hoisl
    • 1
    • 2
  • Mark Strembeck
    • 1
    • 2
  1. 1.Institute for Information Systems and New MediaVienna University of Economics and Business (WU Vienna)Austria
  2. 2.Secure Business Austria (SBA) Research CenterAustria

Personalised recommendations