Incorporating Security Requirements into Service Composition: From Modelling to Execution

Despite an increasing need to consider security requirements in service composition, incorporating them is still a challenge for many reasons: the lack of a clear identification of security requirements for composition, the absence of notations to express them, the difficulty of integrating them into business processes, the complexity of mapping them into security mechanisms, and the inherent complexity of specifying and enforcing complex security requirements. We identify security requirements for service composition and define notations to express them at different levels of abstraction. We present a novel approach consisting of a methodology, called Sec-MoSC, to incorporate security requirements into service composition, map security requirements into enforceable mechanisms, and support execution. We have implemented this approach in a prototype tool by extending the BPMN notation and building on an existing BPMN editor, a BPEL engine and Apache Rampart. We showcase an illustrative application of the Sec-MoSC toolset.
