SecureBPMN

Brucker, Achim D.; Hang, Isabelle; Lückemeyer, Gero; Ruparel, Raj

doi:10.1145/2295136.2295160

Cited by 73 publications

(9 citation statements)

References 5 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We see these techniques and standards as complementary to our work, as they can be used for the implementation of our abstract specifications. BPMN extensions to annotate business process diagrams with security annotations can be found in [6,26,33]. Closest to the security requirements considered by us comes the notation proposed in [33] that supports both the annotation of activities with separation of duty constraints and the annotation of documents and process lanes with confidentiality and integrity classifications or clearances, respectively.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Possibilistic Information Flow Control for Workflow Management Systems

Bauereiss¹,

Hutter²

2014

Electron. Proc. Theor. Comput. Sci.

View full text Add to dashboard Cite

In workflows and business processes, there are often security requirements on both the data, i.e. confidentiality and integrity, and the process, e.g. separation of duty. Graphical notations exist for specifying both workflows and associated security requirements. We present an approach for formally verifying that a workflow satisfies such security requirements. For this purpose, we define the semantics of a workflow as a state-event system and formalise security properties in a trace-based way, i.e. on an abstract level without depending on details of enforcement mechanisms such as Role-Based Access Control (RBAC). This formal model then allows us to build upon well-known verification techniques for information flow control. We describe how a compositional verification methodology for possibilistic information flow can be adapted to verify that a specification of a distributed workflow management system satisfies security requirements on both data and processes.

show abstract

Section: Related Workmentioning

confidence: 99%

“…constraints on the flow of information. Several proposals to extend BPMN with graphical notations for both kinds of security requirements exist [6,26,33].…”

Section: Introductionmentioning

confidence: 99%

Possibilistic Information Flow Control for Workflow Management Systems

Bauereiss¹,

Hutter²

2014

Electron. Proc. Theor. Comput. Sci.

View full text Add to dashboard Cite

show abstract

“…Overall, SecureBPMN [12] enables the specification of security properties at a fine granular level. For example, separation of duty and binding of duty can restrict individual permissions (e. g., completing a task requires two clerks or one manager ) rather than restricting the whole task.…”

Section: Secure Business Processes: An Examplementioning

confidence: 99%

“…While there are works, e. g., [12,28], that use process level security specifications for generating configurations for access control infrastructures such as XACML [21], we are not aware of any works that allow for checking process level security and compliance properties on the actual implementations of user interfaces or services. In the following, we present an approach that allows for checking the conformance of source code artifacts to process level requirement specifications.…”

Section: Secure Business Processes: An Examplementioning

confidence: 99%

See 1 more Smart Citation

Secure and Compliant Implementation of Business Process-Driven Systems

Brucker

Hang

2013

Business Process Management Workshops

Self Cite

View full text Add to dashboard Cite

Abstract. Today's businesses are inherently process-driven. Consequently, the use of business-process driven systems, usually implemented on top of service-oriented or cloud-based infrastructures, is increasing. At the same time, the demand on the security, privacy, and compliance of such systems is increasing as well. As a result, the costs-with respect to computational effort at runtime as well as financial costs-for operating business-process driven systems increase steadily. In this paper, we present a method for statically checking the security and conformance of the system implementation, e. g., on the source code level, to requirements specified on the business process level. As the compliance is statically guaranteed-already at design-time-this method reduces the number of run-time checks for ensuring the security and compliance and, thus, improves the runtime performances. Moreover, it reduces the costs of system audits, as there is no need for analyzing the generated log files for validating the compliance to the properties that are already statically guaranteed.

show abstract

Security policy monitoring of BPMN‐based service compositions

Asim

Yautsiukhin

Brucker

et al. 2018

J Software Evolu Process

Self Cite

View full text Add to dashboard Cite

Service composition is a key concept of Service‐Oriented Architecture that allows for combining loosely coupled services that are offered and operated by different service providers. Such environments are expected to dynamically respond to changes that may occur at runtime, including changes in the environment and individual services themselves. Therefore, it is crucial to monitor these loosely coupled services throughout their lifetime. In this paper, we present a novel framework for monitoring services at runtime and ensuring that services behave as they have promised. In particular, we focus on monitoring non‐functional properties that are specified within an agreed security contract. The novelty of our work is based on the way in which monitoring information can be combined from multiple dynamic services to automate the monitoring of business processes and proactively report compliance violations. The framework enables monitoring of both atomic and composite services and provides a user friendly interface for specifying the monitoring policy. We provide an information service case study using a real composite service to demonstrate how we achieve compliance monitoring. The transformation of security policy into monitoring rules, which is done automatically, makes our framework more flexible and accurate than existing techniques.

show abstract

SecureBPMN

Cited by 73 publications

References 5 publications

Possibilistic Information Flow Control for Workflow Management Systems

Possibilistic Information Flow Control for Workflow Management Systems

Secure and Compliant Implementation of Business Process-Driven Systems

Security policy monitoring of BPMN‐based service compositions

Contact Info

Product

Resources

About