Security Analysis of Electronic Business Processes

This article introduces POSeM, a method that uses business process descriptions to derive appropriate security safeguards. This is achieved by assigning security levels to the components of a business process such as actors, artefacts, and activities with a specially developed description language. These levels are checked for consistency, and security measures are derived using a configurable rule base that maps security objectives to safeguards. POSeM in practice is illustrated by an application to electronic business, i.e., the publication process of information for a company's web-site. Both the advantages of POSeM and its possible refinements are discussed.

[1]  Günther Pernul,et al.  A language for modelling secure business transactions , 1999, Proceedings 15th Annual Computer Security Applications Conference (ACSAC'99).

[2]  Francis Fung,et al.  A prototype secure workflow server , 1999, Proceedings 15th Annual Computer Security Applications Conference (ACSAC'99).

[3]  John P. McDermott,et al.  Using abuse case models for security requirements analysis , 1999, Proceedings 15th Annual Computer Security Applications Conference (ACSAC'99).

[4]  David A. Bell,et al.  Secure computer systems: mathematical foundations and model , 1973 .

[5]  Konstantin Knorr,et al.  Dynamic access control through Petri net workflows , 2000, Proceedings 16th Annual Computer Security Applications Conference (ACSAC'00).

[6]  K J Biba,et al.  Integrity Considerations for Secure Computer Systems , 1977 .

[7]  S. Jajodia,et al.  Information Security: An Integrated Collection of Essays , 1994 .

[8]  Bill Curtis,et al.  Process modeling , 1992, CACM.

[9]  Thomas H. Davenport,et al.  Process Innovation: Reengineering Work Through Information Technology , 1992 .

[10]  Konstantin Knorr,et al.  Sicherheit von E-Business-Anwendungen — Struktur und Quantifizierung , 2000, Wirtschaftsinf..

[11]  Lawrence Chung,et al.  Dealing with Security Requirements During the Development of Information Systems , 1993, CAiSE.

[12]  Robert W. Shirey,et al.  Internet Security Glossary , 2000, RFC.

[13]  James H. Burrows Guidelines for Security of Computer Applications , 1980 .

[14]  Walker,et al.  Guide to the Secure Configuration and Administration of Microsoft Internet Information Services 5.0 , 2001 .

[15]  Henrik Stormer,et al.  Modeling and Analyzing Separation of Duties in Workflow Environments , 2001, SEC.