Maintaining Secure Business Processes in Light of Socio-Technical Systems' Evolution

Today's systems are socio-technical: they are composed of social (humans and organizations) and technical components that interact with one another to achieve objectives they cannot achieve on their own. Security is a central issue in socio-technical systems and cannot be tackled through technical mechanisms alone. Instead, it requires enforcing security policies over the procedures that specify how components of these systems operate and interact (i.e., business processes). The continuous evolution of socio-technical systems as they adapt to external changes may result in business processes that do not enforce security. Thus, it is important to preserve security through a constant update of business processes and/or security policies, to avoid security issues that may result in loss of reputation or monetary sanctions. To this end, in this paper we propose a framework to assist security engineers in maintaining secure business processes during socio-technical systems evolution. The framework is composed of: (i) SecBPMN2-ml, a modeling language for business processes, (ii) SecBPMN2-Q, a modeling language for security policies, and (iii) a software engine that verifies whether security policies are enforced in business processes. The framework is applied to a case from the air traffic management domain.
