Information Flow Security for Business Process Models - just one click away

When outsourcing tasks of a business process to a third party, information flow security becomes a critical issue. In particular implicit information leaks are an intriguing problem. Given a business process one could ask whether the execution of a confidential task is kept secret to a third party which can observe some public (nonconfidential) tasks. A business process is secure in sense of implicit information flow if a third party can not deduce the execution of confidential tasks based on observations of public tasks. We will show that we can verify much faster whether a given process model is secure, support a new information flow property, and support the modeler to create a secure process using a graphical modeling tool. The demo might be interesting for all process modelers and those who are concerned with security in the BPM community.

[1]  Peter J. Denning,et al.  Certification of programs for secure information flow , 1977, CACM.

[2]  Karsten Wolf,et al.  Generating Petri Net State Spaces , 2007, ICATPN.

[3]  Dirk Fahland,et al.  Analysis on demand: Instantaneous soundness checking of industrial business process models , 2011, Data Knowl. Eng..

[4]  Roberto Gorrieri,et al.  Petri Net Security Checker: Structural Non-interference at Work , 2009, Formal Aspects in Security and Trust.

[5]  Remco M. Dijkman,et al.  Petri Net Transformations for Business Processes - A Survey , 2009, Trans. Petri Nets Other Model. Concurr..

[6]  Remco M. Dijkman,et al.  Semantics and analysis of business process models in BPMN , 2008, Inf. Softw. Technol..

[7]  Niels Lohmann,et al.  Modeling Wizard for Confidential Business Processes , 2012, Business Process Management Workshops.

[8]  Rafael Accorsi,et al.  Automatic Information Flow Analysis of Business Process Models , 2012, BPM.

[9]  Roberto Gorrieri,et al.  Foundations of Security Analysis and Design VII , 2014, Lecture Notes in Computer Science.

[10]  J. van Leeuwen,et al.  Foundations of Security Analysis and Design II , 2001, Lecture Notes in Computer Science.

[11]  Roberto Gorrieri,et al.  On Intransitive Non-interference in Some Models of Concurrency , 2011, FOSAD.

[12]  Mathias Weske,et al.  Oryx - An Open Modeling Platform for the BPM Community , 2008, BPM.

[13]  Rafael Accorsi,et al.  SWAT: A Security Workflow Analysis Toolkit for Reliably Secure Process-aware Information Systems , 2011, 2011 Sixth International Conference on Availability, Reliability and Security.

[14]  Wil M. P. van der Aalst,et al.  The Application of Petri Nets to Workflow Management , 1998, J. Circuits Syst. Comput..

[15]  Roberto Gorrieri,et al.  Structural non-interference in elementary and trace nets , 2009, Mathematical Structures in Computer Science.