Modeling Security Requirements in Service Based Business Processes

Secure Software Development of Cyber-Physical and IoT Systems

Encyclopedia of Information Science and Technology, Fourth Edition ◽

10.4018/978-1-5225-2255-3.ch655 ◽

2018 ◽

pp. 7525-7538

Author(s):

Muthu Ramachandran

Keyword(s):

Business Processes ◽

Systems Development ◽

Cloud Services ◽

Security Requirements ◽

Cloud Environment ◽

Systems Security ◽

Development Life Cycle ◽

General Systems ◽

Secure Software Development

This real-world case study has been used to demonstrate the best practices on business process modelling and component based design for developing cloud services with Build Security In (BSI). BSI techniques, strategies, and processes presented in this article are general systems security principles and are applicable for both a cloud environment and traditional environment (non-cloud environment). The significant contribution of this research is to illustrate the application of the extended system security method known as SysSQUARE to elicit security requirements, identify security threats of data, as well as integrating build-in security techniques by modelling and simulating business processes upfront in the systems development life cycle.

Download Full-text

A semi-automated BPMN-based framework for detecting conflicts between security, data-minimization, and fairness requirements

Software & Systems Modeling ◽

10.1007/s10270-020-00781-x ◽

2020 ◽

Vol 19 (5) ◽

pp. 1191-1227 ◽

Cited By ~ 2

Author(s):

Qusai Ramadan ◽

Daniel Strüber ◽

Mattia Salnitri ◽

Jan Jürjens ◽

Volker Riediger ◽

...

Keyword(s):

Data Storage ◽

Business Processes ◽

User Study ◽

Query Language ◽

Healthcare Management ◽

Security Requirements ◽

Domain Specific ◽

Trade Offs ◽

Legal Sanctions ◽

Context Specific

Abstract Requirements are inherently prone to conflicts. Security, data-minimization, and fairness requirements are no exception. Importantly, undetected conflicts between such requirements can lead to severe effects, including privacy infringement and legal sanctions. Detecting conflicts between security, data-minimization, and fairness requirements is a challenging task, as such conflicts are context-specific and their detection requires a thorough understanding of the underlying business processes. For example, a process may require anonymous execution of a task that writes data into a secure data storage, where the identity of the writer is needed for the purpose of accountability. Moreover, conflicts not arise from trade-offs between requirements elicited from the stakeholders, but also from misinterpretation of elicited requirements while implementing them in business processes, leading to a non-alignment between the data subjects’ requirements and their specifications. Both types of conflicts are substantial challenges for conflict detection. To address these challenges, we propose a BPMN-based framework that supports: (i) the design of business processes considering security, data-minimization and fairness requirements, (ii) the encoding of such requirements as reusable, domain-specific patterns, (iii) the checking of alignment between the encoded requirements and annotated BPMN models based on these patterns, and (iv) the detection of conflicts between the specified requirements in the BPMN models based on a catalog of domain-independent anti-patterns. The security requirements were reused from SecBPMN2, a security-oriented BPMN 2.0 extension, while the fairness and data-minimization parts are new. For formulating our patterns and anti-patterns, we extended a graphical query language called SecBPMN2-Q. We report on the feasibility and the usability of our approach based on a case study featuring a healthcare management system, and an experimental user study.

Download Full-text

A BPMN Extension for the Modeling of Security Requirements in Business Processes

IEICE Transactions on Information and Systems ◽

10.1093/ietisy/e90-d.4.745 ◽

2007 ◽

Vol E90-D (4) ◽

pp. 745-752 ◽

Cited By ~ 141

Author(s):

A. RODRIGUEZ ◽

E. FERNANDEZ-MEDINA ◽

M. PIATTINI

Keyword(s):

Business Processes ◽

Security Requirements

Download Full-text

Eliciting Security Requirements for Business Processes using Patterns

Proceedings of the 9th International Workshop on Security in Information Systems ◽

10.5220/0004100200490058 ◽

2012 ◽

Keyword(s):

Business Processes ◽

Security Requirements

Download Full-text

Information flow control for workflow management systems

it - Information Technology ◽

10.1515/itit-2014-1055 ◽

2014 ◽

Vol 56 (6) ◽

Cited By ~ 3

Author(s):

Thomas Bauereiß ◽

Dieter Hutter

Keyword(s):

Flow Control ◽

Information Flow ◽

Business Processes ◽

Open Systems ◽

Workflow Management ◽

User Interaction ◽

Security Requirements ◽

Management Systems ◽

Workflow Management Systems ◽

Information Flow Control

AbstractWorkflow management plays an important role in analyzing and automating business processes. Security requirements in workflow management systems are typically mapped to (role-based) access control configurations. This paper focuses on information flow control, taking into account implicit information leaks. The presented approach operates on a specification level in which no executable program is available yet. We illustrate the modeling of a workflow management system as a composition of state-event systems, each representing one of the activities of the workflow. This facilitates distributed deployment and eases verification by splitting up the verification of the overall system into verification of the individual components. Confidentiality requirements are modeled in terms of information flow predicates using the MAKS framework and verified following existing decomposition methodologies, which are adapted for open systems with ongoing user interaction. We discuss the interaction with other security requirements, notably separation of duty.

Download Full-text

VISUAL PROGRAMMING LANGUAGE FOR SECURITY REQUIREMENTS IN BUSINESS PROCESSES AS MODEL-DRIVEN SOFTWARE DEVELOPMENT

Proceedings of the International Conference on Security and Cryptography ◽

10.5220/0002227500290036 ◽

2009 ◽

Keyword(s):

Software Development ◽

Programming Language ◽

Business Processes ◽

Visual Programming ◽

Security Requirements ◽

Model Driven ◽

Model Driven Software Development ◽

Visual Programming Language

Download Full-text

A survey on automation of security requirements in service-based business processes

International Journal of Web Engineering and Technology ◽

10.1504/ijwet.2018.092398 ◽

2018 ◽

Vol 13 (1) ◽

pp. 3 ◽

Cited By ~ 2

Author(s):

Fernando A.A. Lins ◽

Erica T.G. Sousa ◽

Nelson S. Rosa

Keyword(s):

Business Processes ◽

Security Requirements

Download Full-text

Engineering Secure Web Services

Performance and Dependability in Service Computing - Advances in Web Technologies and Engineering ◽

10.4018/978-1-60960-794-4.ch016 ◽

2012 ◽

pp. 360-380

Author(s):

Douglas Rodrigues ◽

Julio Cezar Estrella ◽

Francisco José Monaco ◽

Kalinka Regina Lucas Jaquie Castelo Branco ◽

Nuno Antunes ◽

...

Keyword(s):

Web Services ◽

Business Processes ◽

State Of The Art ◽

Security Requirements ◽

Security Assessment ◽

Service Oriented Architectures ◽

Practical Engineering ◽

Service Oriented ◽

Security Standards ◽

Art Techniques

Web services are key components in the implementation of Service Oriented Architectures (SOA), which must satisfy proper security requirements in order to be able to support critical business processes. Research works show that a large number of web services are deployed with significant security flaws, ranging from code vulnerabilities to the incorrect use of security standards and protocols. This chapter discusses state of the art techniques and tools for the deployment of secure web services, including standards and protocols for the deployment of secure services, and security assessment approaches. The chapter also discusses how relevant security aspects can be correlated into practical engineering approaches.

Download Full-text

SSC4Cloud Tooling: An Integrated Environment for the Development of Business Processes with Security Requirements in the Cloud

2011 IEEE World Congress on Services ◽

10.1109/services.2011.72 ◽

2011 ◽

Cited By ~ 7

Author(s):

F. Lins ◽

R. Medeiros ◽

B. Silva ◽

A. Souza ◽

D. Aragão ◽

...

Keyword(s):

Business Processes ◽

Security Requirements ◽

Integrated Environment

Download Full-text

Risk Assessment Driven Use of Advanced SIEM Technology for Cyber Protection of Critical e-Health Processes

SN Computer Science ◽

10.1007/s42979-021-00858-4 ◽

2021 ◽

Vol 3 (1) ◽

Author(s):

Luigi Coppolino ◽

Luigi Sgaglione ◽

Salvatore D’Antonio ◽

Mario Magliulo ◽

Luigi Romano ◽

...

Keyword(s):

Risk Assessment ◽

Business Processes ◽

Trusted Computing ◽

Homomorphic Encryption ◽

Cyber Attacks ◽

Public Hospitals ◽

Security Requirements ◽

Use Case ◽

Combined Use ◽

Trusted Execution Environment

AbstractThe approach presented in this paper provides effective protection of critical business processes by applying advanced SIEM technology in a rigorous fashion, based on the results of accurate risk assessment. The proposed SIEM tool advances the State of The Art of the technology along two axes, specifically: privacy and integrity. The advancements are achieved via combined use of two of the most promising technologies for trusted computing, namely: Trusted Execution Environment (TTE) and Homomorphic Encryption (HE). The approach is validated with respect to a real use case of a Smart Hospital (i.e., one where IT is massively used), with challenging security requirements. The use case is contributed by one of the major public hospitals in Italy. Experiments demonstrate that, by relying on continuous monitoring of security relevant events and advanced correlation techniques, the SIEM solution proposed in this work effectively protects the critical workflows of the hospital business processes from cyber-attacks with high impact (specifically: serious harm to or even death of the patient).

Download Full-text