Security Policies in Adaptive Process-Aware Information Systems: Existing Approaches and Challenges

Enabling security is one of the key challenges in adaptive Process-Aware Information Systems (PAIS). Since automating business processes involves many participants, uses both private and public data, and communicates with external services, security becomes indispensable. In current systems, security is enforced by an access control model together with supplementary constraints imposed on workflow activities. However, existing systems provide individual implementations of selected security policies (e.g. separation of duties) and leave out other constraints (e.g. inter-process constraints). What is missing is a systematic analysis of security policies in PAIS. Hence, in this paper, we survey the state of the art and provide a taxonomy of security policies in PAIS. Furthermore, a detailed analysis of research challenges and issues is presented. We show that shortcomings remain and identify important requirements for security in PAIS. We also point out open questions related to specifying, modeling, and changing security policies, which together provide a road map for future research.
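To make the enforcement model the abstract refers to concrete, the following is an added illustration (not code from the paper or any PAIS it surveys). It models a workflow whose tasks are guarded first by a role-based access control check and then by supplementary constraints evaluated against the execution history: a separation-of-duties constraint within one process instance, and an inter-instance constraint that bounds how many instances of the same process a single user may approve, standing in for the constraints spanning several processes that the abstract says current systems leave out. The purchase-order tasks, the roles, the users and the limit of two approvals are constructed for the example.

```python
"""Constructed example: RBAC plus separation-of-duties and inter-instance
constraints on workflow tasks. Task names, roles and users are assumptions."""
from dataclasses import dataclass, field


class ConstraintViolation(Exception):
    """Raised when a request violates the access model or a constraint."""


@dataclass(frozen=True)
class Task:
    name: str
    allowed_roles: frozenset  # RBAC: roles permitted to execute this task


@dataclass(frozen=True)
class Constraint:
    kind: str          # "sod" (separation of duties) or "inter_instance"
    first: str         # task the constraint refers back to
    second: str = ""   # sod only: task that must be done by a different user
    limit: int = 1     # inter_instance only: max other instances of `first` per user


@dataclass
class Workflow:
    tasks: dict                                   # task name -> Task
    constraints: list                             # Constraint objects
    roles: dict                                   # user -> set of role names
    history: dict = field(default_factory=dict)   # (instance, task) -> user

    def check(self, instance, task_name, user):
        task = self.tasks[task_name]
        # 1. Access control model: the user needs at least one permitted role.
        if not self.roles.get(user, set()) & task.allowed_roles:
            raise ConstraintViolation(f"{user} has no role permitted for {task_name}")
        # 2. Supplementary constraints, evaluated against the execution history.
        for c in self.constraints:
            if c.kind == "sod" and c.second == task_name:
                # Within this instance, `first` and `second` need different users.
                if self.history.get((instance, c.first)) == user:
                    raise ConstraintViolation(
                        f"SoD: {user} already executed {c.first} in instance {instance}")
            elif c.kind == "inter_instance" and c.first == task_name:
                # Across instances, one user may execute `first` at most `limit` times.
                others = sum(1 for (inst, t), u in self.history.items()
                             if t == task_name and u == user and inst != instance)
                if others >= c.limit:
                    raise ConstraintViolation(
                        f"inter-instance: {user} already executed {task_name} "
                        f"in {others} other instance(s), limit {c.limit}")
        return True

    def execute(self, instance, task_name, user):
        """Check, then record the execution so later checks can see it."""
        self.check(instance, task_name, user)
        self.history[(instance, task_name)] = user


def attempt(wf, instance, task_name, user):
    """Return "ok" or the violation message instead of raising."""
    try:
        wf.execute(instance, task_name, user)
        return "ok"
    except ConstraintViolation as exc:
        return str(exc)


def demo():
    """Run a constructed purchase-order scenario and return each outcome in order."""
    wf = Workflow(
        tasks={
            "create_order": Task("create_order", frozenset({"clerk", "manager"})),
            "approve_order": Task("approve_order", frozenset({"manager"})),
        },
        constraints=[
            Constraint("sod", "create_order", "approve_order"),
            Constraint("inter_instance", "approve_order", limit=2),
        ],
        roles={"alice": {"clerk"}, "bob": {"manager"}, "carol": {"manager", "clerk"}},
    )
    return [
        attempt(wf, 1, "create_order", "carol"),   # ok
        attempt(wf, 1, "approve_order", "carol"),  # SoD: creator may not approve
        attempt(wf, 1, "approve_order", "alice"),  # RBAC: clerk cannot approve
        attempt(wf, 1, "approve_order", "bob"),    # ok
        attempt(wf, 2, "create_order", "alice"),   # ok
        attempt(wf, 2, "approve_order", "bob"),    # ok, one other instance so far
        attempt(wf, 3, "create_order", "alice"),   # ok
        attempt(wf, 3, "approve_order", "bob"),    # inter-instance limit reached
        attempt(wf, 3, "approve_order", "carol"),  # ok
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The point of keeping the history in the workflow object is that both constraint kinds are stateful: a separation-of-duties check needs to know who executed the earlier task of the same instance, and an inter-instance check needs to see all instances, which is exactly the information a per-activity authorization check in isolation does not have.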
