Skip to main content
SpringerLink
Log in

Modeling and Verifying Security Policies in Business Processes

  • Conference paper
Enterprise, Business-Process and Information Systems Modeling (BPMDS 2014, EMMSAD 2014)

Part of the book series: Lecture Notes in Business Information Processing ((LNBIP,volume 175))

Abstract

Modern information systems are large-sized and comprise multiple heterogeneous and autonomous components. Autonomy enables decentralization, but it also implies that components providers are free to change, retire, or introduce new components. This is a threat to security, and calls for a continuous verification process to ensure compliance with security policies. Existing verification frameworks either have limited expressiveness—thereby inhibiting the specification of real-world requirements—, or rely on formal languages that are hardly employable for modeling and verifying large systems. In this paper, we overcome the limitations of existing approaches by proposing a framework that enables: (1) specifying information systems in SecBPMN, a security-oriented extension of BPMN; (2) expressing security policies through SecBPMN-Q, a query language for representing security policies; and (3) verifying SecBPMN-Q against SecBPMN specifications via an implemented query engine. We report on the applicability of our approach via a case study about air traffic management.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. An introduction to the business model for information security. Technical report, ISACA (2009), http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/An-Introduction-to-the-Business-Model-for-Information-Security.aspx

  2. Federal Aviation Administration. SWIM ATM case study, http://www.faa.gov/about/office_org/headquarters_offices/ato/service_units/techops/atc_comms_services/swim/ (last visited March 2014)

  3. Awad, A.: BPMN-Q: A language to query business processes. In: EMISA, St. Goar, Germany. LNI, vol. P-119, pp. 115–128. GI (2007)

    Google Scholar 

  4. Awad, A.: A compliance management framework for business process models. PhD thesis (2010)

    Google Scholar 

  5. Beeri, C., Eyal, A., Kamenkovich, S., Milo, T.: Querying business processes with BP-QL. Information Systems 33(6), 477–507 (2008)

    Article  Google Scholar 

  6. Brucker, A.D., Hang, I., Lückemeyer, G., Ruparel, R.: SecureBPMN: Modeling and Enforcing Access Control Requirements in Business Processes. In: Proc. of SACMAT 2012, pp. 123–126 (2012)

    Google Scholar 

  7. Cherdantseva, Y., Hilton, J.: A reference model of information assurance and security. In: Eighth International Conference on ARES, pp. 546–555 (September 2013)

    Google Scholar 

  8. Deutch, D., Milo, T.: Querying structural and behavioral properties of business processes. In: Arenas, M., Schwartzbach, M.I. (eds.) DBPL 2007. LNCS, vol. 4797, pp. 169–185. Springer, Heidelberg (2007)

    Chapter  Google Scholar 

  9. Ferraiolo, D.F., Cugini, J.A., Richard Kuhn, D.R.: Role-based access control (rbac): Features and motivations (1995)

    Google Scholar 

  10. Firesmith, D.: Specifying reusable security requirements. JOT 3(1), 61–75 (2004)

    Article  Google Scholar 

  11. Ghose, A., Koliadis, G.: Auditing business process compliance. In: Krämer, B.J., Lin, K.-J., Narasimhan, P. (eds.) ICSOC 2007. LNCS, vol. 4749, pp. 169–180. Springer, Heidelberg (2007)

    Chapter  Google Scholar 

  12. Josang, A., Ismail, R., Boyd, C.: A survey of trust and reputation systems for online service provision. Decision Support Systems 43(2), 618–644 (2007)

    Article  Google Scholar 

  13. Jürjens, J.: Umlsec: Extending uml for secure systems development. In: Jézéquel, J.-M., Hussmann, H., Cook, S. (eds.) UML 2002. LNCS, vol. 2460, pp. 412–425. Springer, Heidelberg (2002)

    Chapter  Google Scholar 

  14. Leitner, M., Miller, M., Rinderle-Ma, S.: An analysis and evaluation of security aspects in the business process model and notation. In: Proc. of ARES, pp. 262–267 (2013)

    Google Scholar 

  15. Leitner, M., Rinderle-Ma, S.: A systematic review on security in process-aware information systems - constitution, challenges, and future directions. Inf. Softw. Technol. 56(3), 273–293 (2014)

    Article  Google Scholar 

  16. Leitner, M., Schefer-Wenzl, S., Rinderle-Ma, S., Strembeck, M.: An experimental study on the design and modeling of security concepts in business processes. In: Proc. of PoEM, pp. 236–250 (2013)

    Google Scholar 

  17. Liu, Y., Müller, S., Xu, K.: A static compliance-checking framework for business process models. IBM Syst. J. 46(2), 335–361 (2007)

    Article  Google Scholar 

  18. McCumber, J.: Information systems security: A comprehensive model. In: Proceeding of the 14th National Computer Security Conference, NIST Baltimore, MD (1991)

    Google Scholar 

  19. Menzel, M., Thomas, I., Meinel, C.: Security requirements specification in serviceoriented business process management. In: Proc of ARES 2009, pp. 41–48 (2009)

    Google Scholar 

  20. Monakova, G., Brucker, A.D., Schaad, A.: Security and safety of assets in business processes. In: Applied Computing, vol. 27, pp. 1667–1673. ACM, USA (2012)

    Google Scholar 

  21. Moody, D.: The physics of notations: Toward a scientific basis for constructing visual notations in software engineering. IEEE Trans. Softw. Eng. 35, 756–779 (2009)

    Article  Google Scholar 

  22. OASIS. Web Services Business Process Execution Language, http://docs.oasis-open.org/wsbpel/2.0/wsbpel-v2.0.html (April 2007)

  23. O.: BPMN 2.0, http://www.omg.org/spec/BPMN/2.0 (January 2011)

  24. Parker, D.: Our excessively simplistic information security model and how to fix it. ISSA Journal, 12–21 (2010)

    Google Scholar 

  25. Parker, D.B.: Fighting computer crime - a new framework for protecting information. Wiley (1998)

    Google Scholar 

  26. Rodríguez, A., Fernández-Medina, E., Piattini, M.: A BPMN extension for the modeling of security requirements in business processes. IEICE Trans. on Information and Systems 90(4), 745–752 (2007)

    Article  Google Scholar 

  27. Rushby, J.: Using model checking to help discover mode confusions and other automation surprises. Reliability Engineering and System Safety 75, 167–177 (2002)

    Article  Google Scholar 

  28. Sadiq, W., Governatori, G., Namiri, K.: Modeling control objectives for business process compliance. In: Alonso, G., Dadam, P., Rosemann, M. (eds.) BPM 2007. LNCS, vol. 4714, pp. 149–164. Springer, Heidelberg (2007)

    Chapter  Google Scholar 

  29. Saleem, M., Jaafar, J., Hassan, M.: A domain- specific language for modelling security objectives in a business process models of soa applications. AISS 4(1), 353–362 (2012)

    Article  Google Scholar 

  30. Salnitri, M., Dalpiaz, F., Giorgini, P.: Aligning service-oriented architectures with security requirements. In: Meersman, R., et al. (eds.) OTM 2012, Part I. LNCS, vol. 7565, pp. 232–249. Springer, Heidelberg (2012)

    Chapter  Google Scholar 

  31. Samarati, P., di Vimercati, S.C.: Access control: Policies, models, and mechanisms. In: Focardi, R., Gorrieri, R. (eds.) FOSAD 2000. LNCS, vol. 2171, pp. 137–196. Springer, Heidelberg (2001)

    Chapter  Google Scholar 

  32. Schmidt, R., Bartsch, C., Oberhauser, R.: Ontology-based representation of compliance requirements for service processes. In: Proc. of CEUR 2007 (2007)

    Google Scholar 

  33. Sommerville, I., Cliff, D., Calinescu, R., Keen, J., Kelly, T., Kwiatkowska, M., Mcdermid, J., Paige, R.: Large-scale complex it systems. Commun. ACM 55(7), 71–77 (2012)

    Article  Google Scholar 

  34. Wolter, C., Menzel, M., Schaad, A., Miseldine, P., Meinel, C.: Model-driven business process security requirement specification. JSA 55(4), 211–223 (2009)

    Google Scholar 

  35. Yip, F., Wong, A.K.Y., Parameswaran, N., Ray, P.: Rules and ontology in compliance management. In: In Proc. of EDOC, pp. 435–435 (2007)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. University of Trento, Italy

    Mattia Salnitri & Paolo Giorgini

  2. Utrecht University, The Netherlands

    Fabiano Dalpiaz

Authors
  1. Mattia Salnitri
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Fabiano Dalpiaz
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Paolo Giorgini
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. DSV Stockholm University, Stockholm, Sweden

    Ilia Bider

  2. Public Research Centre Henri Tudor, Luxembourg

    Khaled Gaaloul

  3. Norwegian University of Science and Technology (NTNU), Sem Sælandsvei 7-9, N-7030, Trondheim, Norway

    John Krogstie

  4. Université de Paris 1 Panthéon - Sorbonne, Paris, France

    Selmin Nurcan

  5. Public Research Centre Henri Tudor, Luexemboug

    Henderik A. Proper

  6. Munich University of Applied Sciences, Munich, Germany

    Rainer Schmidt

  7. University of Haifa, Haifa, Israel

    Pnina Soffer

Rights and permissions

Reprints and permissions

Copyright information

© 2014 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Salnitri, M., Dalpiaz, F., Giorgini, P. (2014). Modeling and Verifying Security Policies in Business Processes. In: Bider, I., et al. Enterprise, Business-Process and Information Systems Modeling. BPMDS EMMSAD 2014 2014. Lecture Notes in Business Information Processing, vol 175. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-43745-2_14

Download citation

  • DOI: https://doi.org/10.1007/978-3-662-43745-2_14

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-662-43744-5

  • Online ISBN: 978-3-662-43745-2

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation