Privacy-enhanced BPMN: enabling data privacy analysis in business processes models

Privacy-enhancing technologies (PETs) play an important role in preventing the disclosure of private data while information is transmitted and processed. Although Business Process Model and Notation (BPMN) is well suited to expressing stakeholder collaboration and the support of business processes by technical solutions, little has been done to depict and analyze the flow of private information, and the technical safeguards applied to it, as it is disclosed to process participants. This gap motivates the development of privacy-enhanced BPMN (PE-BPMN), a BPMN-based language for capturing PET-related activities so that the flow of private information can be studied and privacy concerns and requirements communicated more easily among stakeholders. We demonstrate its feasibility in a mobile app scenario and present techniques for analyzing the information disclosures identified in models enriched with PE-BPMN.
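The kind of question a disclosure analysis over a PET-annotated process model answers is "which participant ends up holding which private data object, and in what form?". The following is an added illustration written for this page, not the paper's own analysis or tooling: the task stereotypes (`plain`, `ss_share`, `pk_encrypt`, `send`), the V/H/- notation, the key-ownership table and the mobile-app scenario are all assumptions constructed here. It walks the tasks of a collaboration in order, tracks what each pool receives over message flows, and then reports whether a pool can read a private object (V), only holds protected forms of it such as a single share or a ciphertext (H), or never receives it (-). The second model adds one message flow that defeats the secret sharing, which the report flags as a V for a server that should only have seen H.

```python
"""Disclosure analysis over a PET-annotated process model (illustrative, not the paper's code)."""
from collections import defaultdict
from dataclasses import dataclass, field

VISIBLE, HIDDEN, ABSENT = "V", "H", "-"


@dataclass
class Task:
    owner: str                # participant (BPMN pool) executing the task
    kind: str                 # "plain" | "ss_share" | "pk_encrypt" | "send" (assumed stereotype names)
    inputs: tuple = ()        # data objects the task reads
    outputs: tuple = ()       # data objects the task produces
    params: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Holding:
    origin: str               # private data object this object is derived from
    form: str                 # VISIBLE plaintext or HIDDEN (share / ciphertext)
    share: bool = False       # one share of a threshold secret-sharing scheme
    threshold: int = 0        # shares needed to reconstruct `origin`
    key: str = ""             # key that decrypts this object, if it is a ciphertext


def run_model(tasks):
    """Execute tasks in order; return {participant: {object name: Holding}}."""
    holds = defaultdict(dict)
    for t in tasks:
        mine = holds[t.owner]
        missing = [i for i in t.inputs if i not in mine]
        if missing:   # a task cannot read data its pool never received
            raise ValueError(f"{t.owner} reads {missing} without holding them")
        if t.kind == "plain":          # fresh private data, readable by its owner
            for o in t.outputs:
                mine[o] = Holding(origin=o, form=VISIBLE)
        elif t.kind == "ss_share":     # split one object into k-of-n shares
            src = mine[t.inputs[0]].origin
            for o in t.outputs:
                mine[o] = Holding(src, HIDDEN, share=True, threshold=t.params["threshold"])
        elif t.kind == "pk_encrypt":   # ciphertext readable only by the key holder
            src = mine[t.inputs[0]].origin
            mine[t.outputs[0]] = Holding(src, HIDDEN, key=t.params["key"])
        elif t.kind == "send":         # message flow: the receiver now holds the object too
            for i in t.inputs:
                holds[t.params["to"]][i] = mine[i]
        else:
            raise ValueError(f"unknown stereotype {t.kind}")
    return holds


def disclosure(holds, keys, objects, participants):
    """Simple disclosure report: V if the participant can read the private object,
    H if it holds only protected forms of it, - if it never receives it."""
    report = {}
    for p in participants:
        derived = list(holds.get(p, {}).values())
        row = {}
        for x in objects:
            mine = [h for h in derived if h.origin == x]
            n_shares = sum(h.share for h in mine)   # distinct shares of x held by p
            readable = any(
                h.form == VISIBLE
                or (h.key and h.key in keys.get(p, set()))
                or (h.share and n_shares >= h.threshold)
                for h in mine)
            row[x] = ABSENT if not mine else VISIBLE if readable else HIDDEN
        report[p] = row
    return report


# Constructed scenario (not the paper's case study): a phone splits its location into
# 2-of-2 shares for two servers and encrypts its contacts for an analyst via a relay.
PARTICIPANTS = ["User", "ServerA", "ServerB", "Relay", "Analyst"]
OBJECTS = ["location", "contacts"]
KEYS = {"Analyst": {"k_analyst"}}          # assumed key ownership per participant
MODEL = [
    Task("User", "plain", outputs=("location", "contacts")),
    Task("User", "ss_share", ("location",), ("loc_share1", "loc_share2"), {"threshold": 2}),
    Task("User", "send", ("loc_share1",), params={"to": "ServerA"}),
    Task("User", "send", ("loc_share2",), params={"to": "ServerB"}),
    Task("User", "pk_encrypt", ("contacts",), ("contacts_ct",), {"key": "k_analyst"}),
    Task("User", "send", ("contacts_ct",), params={"to": "Relay"}),
    Task("Relay", "send", ("contacts_ct",), params={"to": "Analyst"}),
]
# One extra message flow that silently breaks the protection: ServerA now holds both shares.
LEAKY_MODEL = MODEL + [Task("ServerB", "send", ("loc_share2",), params={"to": "ServerA"})]

if __name__ == "__main__":
    for name, model in (("baseline", MODEL), ("leaky", LEAKY_MODEL)):
        rep = disclosure(run_model(model), KEYS, OBJECTS, PARTICIPANTS)
        print(name)
        for p in PARTICIPANTS:
            print(f"  {p:8s}", "  ".join(f"{x}={rep[p][x]}" for x in OBJECTS))
```

The point of keeping the PET semantics (threshold, decryption key) in the data objects rather than in the tasks is that the report catches disclosures no task explicitly models: nobody draws a "reconstruct location" task for ServerA in the leaky model, yet the analysis shows ServerA can read it because it has gathered a threshold of shares.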
