Secure and Compliant Implementation of Business Process-Driven Systems

  • Achim D. Brucker
  • Isabelle Hang
Part of the Lecture Notes in Business Information Processing book series (LNBIP, volume 132)


Today’s businesses are inherently process-driven. Conseque- ntly, the use of business-process driven systems, usually implemented on top of service-oriented or cloud-based infrastructures, is increasing. At the same time, the demand on the security, privacy, and compliance of such systems is increasing as well. As a result, the costs—with respect to computational effort at runtime as well as financial costs—for operating business-process driven systems increase steadily.

In this paper, we present a method for statically checking the security and conformance of the system implementation, e.g., on the source code level, to requirements specified on the business process level. As the compliance is statically guaranteed—already at design-time—this method reduces the number of run-time checks for ensuring the security and compliance and, thus, improves the runtime performances. Moreover, it reduces the costs of system audits, as there is no need for analyzing the generated log files for validating the compliance to the properties that are already statically guaranteed.


business process security secure service tasks bpmn static program analysis 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    American National Standard for Information Technology – Role Based Access Control. ANSI, New York (2004) ANSI INCITS 359-2004Google Scholar
  2. 2.
    van der Aalst, W., de Medeiros, A.: Process mining and security: Detecting anomalous process executions and checking process conformance. ENTCS 121, 3–21 (2005), doi:10.1016/j.entcs.2004.10.013Google Scholar
  3. 3.
    van der Aalst, W.M.P., Dumas, M., Gottschalk, F., ter Hofstede, A.H.M., La Rosa, M., Mendling, J.: Correctness-Preserving Configuration of Business Process Models. In: Fiadeiro, J.L., Inverardi, P. (eds.) FASE 2008. LNCS, vol. 4961, pp. 46–61. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  4. 4.
    Accorsi, R., Wonnemann, C.: InDico: Information Flow Analysis of Business Processes for Confidentiality Requirements. In: Cuellar, J., Lopez, J., Barthe, G., Pretschner, A. (eds.) STM 2010. LNCS, vol. 6710, pp. 194–209. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  5. 5.
    Arsac, W., Compagna, L., Pellegrino, G., Ponta, S.E.: Security Validation of Business Processes via Model-Checking. In: Erlingsson, Ú., Wieringa, R., Zannone, N. (eds.) ESSoS 2011. LNCS, vol. 6542, pp. 29–42. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  6. 6.
    Basel Committee on Banking Supervision: Basel III: A global regulatory framework for more resilient banks and banking systems. Tech. rep., Bank for International Settlements, Basel, Switzerland (2010),
  7. 7.
    Basin, D., Clavel, M., Doser, J., Egea, M.: Automated analysis of security-design models. Information and Software Technology 51(5), 815–831 (2009), doi:10.1016/j.infsof.2008.05.011; Special Issue on Model-Driven Development for Secure Information SystemsCrossRefGoogle Scholar
  8. 8.
    Basin, D.A., Doser, J., Lodderstedt, T.: Model driven security: From UML models to access control infrastructures. ACM Transactions on Software Engineering and Methodology 15(1), 39–91 (2006), doi:10.1145/1125808.1125810CrossRefGoogle Scholar
  9. 9.
    Brucker, A.D., Brügger, L., Kearney, P., Wolff, B.: An approach to modular and testable security models of real-world health-care applications. In: ACM SACMAT, pp. 133–142. ACM Press, New York (2011), doi:10.1145/1998441.1998461Google Scholar
  10. 10.
    Brucker, A.D., Doser, J.: Metamodel-based UML notations for domain-specific languages. In: Favre, J.M., Gasevic, D., Lämmel, R., Winter, A. (eds.) 4th International Workshop on Software Language Engineering (ATEM 2007) (2007)Google Scholar
  11. 11.
    Brucker, A.D., Doser, J., Wolff, B.: A Model Transformation Semantics and Analysis Methodology for SecureUML. In: Wang, J., Whittle, J., Harel, D., Reggio, G. (eds.) MoDELS 2006. LNCS, vol. 4199, pp. 306–320. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  12. 12.
    Brucker, A.D., Hang, I., Lückemeyer, G., Ruparel, R.: SecureBPMN: Modeling and enforcing access control requirements in business processes. In: ACM SACMAT. ACM Press (2012), doi:10.1145/2295136.2295160Google Scholar
  13. 13.
    Brucker, A.D., Petritsch, H.: Extending access control models with break-glass. In: Carminati, B., Joshi, J. (eds.) ACM SACMAT, pp. 197–206. ACM Press (2009), doi:10.1145/1542207.1542239Google Scholar
  14. 14.
    Dijkman, R.M., Dumas, M., Ouyang, C.: Semantics and analysis of business process models in BPMN. Information & Software Technology 50(12), 1281–1294 (2008), doi:10.1016/j.infsof.2008.02.006CrossRefGoogle Scholar
  15. 15.
    HIPAA: Health Insurance Portability and Accountability Act of 1996 (1996),
  16. 16.
    Jürjens, J., Rumm, R.: Model-based security analysis of the german health card architecture. Methods Inf. Med. 47(5), 409–416 (2008)Google Scholar
  17. 17.
    Kohler, M., Brucker, A.D., Schaad, A.: Proactive Caching: Generating caching heuristics for business process environments. In: International Conference on Computational Science and Engineering (CSE), vol. 3, pp. 207–304. IEEE Computer Society (2009), doi:10.1109/CSE.2009.177Google Scholar
  18. 18.
    Lodderstedt, T., Basin, D.A., Doser, J.: SecureUML: A UML-Based Modeling Language for Model-Driven Security. In: Jézéquel, J.M., Hussmann, H., Cook, S. (eds.) UML 2002. LNCS, vol. 2460, pp. 426–441. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  19. 19.
    Miseldine, P.: Automated XACML policy reconfiguration for evaluation optimisation. In: Win, B.D., Lee, S.W., Monga, M. (eds.) SESS, pp. 1–8. ACM (2008), doi:10.1145/1370905.1370906Google Scholar
  20. 20.
    Mülle, J., von Stackelberg, S., Böhm, K.: A security language for BPMN process models. Tech. rep., University Karlsruhe, KIT (2011)Google Scholar
  21. 21.
    OASIS: eXtensible Access Control Markup Language (XACML), version 2.0 (2005),
  22. 22.
    Object Management Group: Business process model and notation (BPMN), version 2.0 (2011), Available as OMG document formal/2011-01-03Google Scholar
  23. 23.
    Rodríguez, A., Fernández-Medina, E., Piattini, M.: A BPMN extension for the modeling of security requirements in business processes. IEICE - Trans. Inf. Syst. E90-D, 745–752 (2007), doi:10.1093/ietisy/e90-d.4.745Google Scholar
  24. 24.
    Sohr, K., Ahn, G.J., Gogolla, M., Migge, L.: Specification and Validation of Authorisation Constraints Using UML and OCL. In: De Capitani di Vimercati, S., Syverson, P.F., Gollmann, D. (eds.) ESORICS 2005. LNCS, vol. 3679, pp. 64–79. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  25. 25.
    Wolter, C., Meinel, C.: An approach to capture authorisation requirements in business processes. Requir. Eng. 15(4), 359–373 (2010), doi:10.1007/s00766-010-0103-yCrossRefGoogle Scholar
  26. 26.
    Wolter, C., Menzel, M., Schaad, A., Miseldine, P., Meinel, C.: Model-driven business process security requirement specification. Journal of Systems Architecture 55(4), 211–223 (2009), doi:10.1016/j.sysarc.2008.10.002; Secure Service-Oriented Architectures (Special Issue on Secure SOA)CrossRefGoogle Scholar
  27. 27.
    Wolter, C., Schaad, A.: Modeling of Task-Based Authorization Constraints in BPMN. In: Alonso, G., Dadam, P., Rosemann, M. (eds.) BPM 2007. LNCS, vol. 4714, pp. 64–79. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  28. 28.
    Wolter, C., Schaad, A., Meinel, C.: Deriving XACML Policies from Business Process Models. In: Weske, M., Hacid, M.-S., Godart, C. (eds.) WISE 2007 Workshops. LNCS, vol. 4832, pp. 142–153. Springer, Heidelberg (2007)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Achim D. Brucker
    • 1
  • Isabelle Hang
    • 1
  1. 1.SAP AG, SAP ResearchKarlsruheGermany

Personalised recommendations