Abstract
The Aniketos Secure Composition Framework supports the specification of secure and trustworthy composition plans in terms of BPMN. On the one hand, the diversity of security and trust properties supported by the Aniketos framework allows a large number of security and compliance requirements to be expressed. On the other hand, this expressiveness creates the risk that high-level compliance requirements (e.g., separation of duty) are not implemented by low-level security means (e.g., role-based access control configurations).
In this chapter, we present the Composition Security Validation Module (CSVM). The CSVM provides the service designer with a service for checking the compliance of secure and trustworthy composition plans. As a proof of concept, we created a prototype in which the CSVM is deployed on the SAP NetWeaver Cloud and two CSVM Connectors are built to support two well-known BPMN tools: SAP NetWeaver BPM and Activiti Designer.
Copyright information
© 2014 Springer International Publishing Switzerland
About this chapter
Cite this chapter
Brucker, A.D., Compagna, L., Guilleminot, P. (2014). Compliance Validation of Secure Service Compositions. In: Brucker, A.D., Dalpiaz, F., Giorgini, P., Meland, P.H., Rios, E. (eds) Secure and Trustworthy Service Composition. Lecture Notes in Computer Science, vol 8900. Springer, Cham. https://doi.org/10.1007/978-3-319-13518-2_10
DOI: https://doi.org/10.1007/978-3-319-13518-2_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-13517-5
Online ISBN: 978-3-319-13518-2
eBook Packages: Computer Science, Computer Science (R0)