Chinese wall security for decentralized workflow management systems

Workflow systems are gaining importance as an infrastructure for automating inter-organizational interactions, such as those in Electronic Commerce. In such an environment, a centralized Workflow Management System is not desirable because: (i) it can be a performance bottleneck, and (ii) the systems are inherently distributed, heterogeneous, and autonomous in nature. Decentralized execution of interorganizational workflows may raise a number of security issues including those related to conflict-of-interest among competing organizations. In this paper, we first provide an approach to realize decentralized workflow execution, in which the workflow is divided into partitions, called self-describing workflows, and handled by a light weight workflow management component, called workflow stub, located at each organizational agent. Second, we identify the limitations of the traditional workflow model with respect to expressing the various types of join dependencies and extend the traditional workflow model suitably. Distinguishing the different types of dependencies among tasks is essential in the efficient execution of self-describing workflows. Finally, we recognize that placing the task execution agents that belong to the same conflict-of-interest class in one self-describing workflow may lead to unfair, and in some cases, undesirable results, akin to being on the wrong side of the Chinese wall. Therefore, to address the conflict-of-interest issues that arise in competitive business environments, we propose a decentralized workflow Chinese wall security model. We propose a restrictive partitioning solution to enforce the proposed model.

[1]  Michael J. Nash,et al.  The Chinese Wall security policy , 1989, Proceedings. 1989 IEEE Symposium on Security and Privacy.

[2]  Amit P. Sheth,et al.  Specifying interdatabase dependencies in a multidatabase environment , 1991, Computer.

[3]  Ravi Sandhu A Lattice Interpretation Of The Chinese Wall Policy , 1992 .

[4]  Amit P. Sheth,et al.  Specification and Execution of Transactional Workflows , 1995, Modern Database Systems.

[5]  Won Kim,et al.  Modern Database Systems: The Object Model, Interoperability, and Beyond , 1995, Modern Database Systems.

[6]  Gustavo Alonso,et al.  Exotica/FMQM: A Persistent Message-Based Architecture for Distributed Workflow Management , 1995 .

[7]  Vijayalakshmi Atluri,et al.  An Authorization Model for Workflows , 1996, ESORICS.

[8]  William M. Farmer,et al.  Security for Mobile Agents: Issues and Requirements , 1996 .

[9]  Amit P. Sheth,et al.  ORBWork: A Reliable Distributed CORBA-based Workflow Enactment System for METEOR2 , 1996 .

[10]  Elisa Bertino,et al.  A flexible model supporting the specification and enforcement of role-based authorization in workflow management systems , 1997, RBAC '97.

[11]  Paul F. Syverson,et al.  Anonymous connections and onion routing , 1997, Proceedings. 1997 IEEE Symposium on Security and Privacy (Cat. No.97CB36097).

[12]  Gerhard Weikum,et al.  A Formal Foundation for Distributed Workflow Execution Based on State Charts , 1997, ICDT.

[13]  Giovanni Vigna,et al.  Mobile Agents and Security , 1998, Lecture Notes in Computer Science.

[14]  Andrew C. Myers,et al.  Mostly-static decentralized information flow control , 1999 .

[15]  Paul F. Syverson,et al.  Onion routing , 1999, CACM.

[16]  Dan S. Wallach,et al.  A new approach to mobile code security , 1999 .

[17]  Andrew W. Appel,et al.  Formal aspects of mobile code security , 1999 .

[18]  Paul Syverson,et al.  Onion Routing for Anonymous and Private Internet Connections , 1999 .

[19]  Andrew C. Myers,et al.  JFlow: practical mostly-static information flow control , 1999, POPL '99.

[20]  Anand R. Tripathi,et al.  Implementing Distributed Workflow Systems from XML Specifications , 2000 .

[21]  Joon S. Park,et al.  Access control mechanisms for inter-organizational workflow , 2001, SACMAT '01.

[22]  Joon S. Park,et al.  A Secure Workflow System for Dynamic Collaboration , 2001, SEC.

[23]  Karin Venter The Delegation Authorization Model: A Model For The Dynamic Delegation Of Authorization Rights In A Secure Workflow Management System , 2002, ISSA.

[24]  Anand R. Tripathi,et al.  A coordination model for secure collaboration , 2002 .

[25]  Anand R. Tripathi,et al.  Specification of secure distributed collaboration systems , 2003, The Sixth International Symposium on Autonomous Decentralized Systems, 2003. ISADS 2003..

[26]  Gerhard Weikum,et al.  From Centralized Workflow Specification to Distributed Workflow Execution , 1998, Journal of Intelligent Information Systems.

[27]  Vijayalakshmi Atluri,et al.  Modeling and Analysis of Workflows Using Petri Nets , 1998, Journal of Intelligent Information Systems.

[28]  Amit P. Sheth,et al.  An overview of workflow management: From process modeling to workflow automation infrastructure , 1995, Distributed and Parallel Databases.