Deploying Security Policy in Intra and Inter Workflow Management Systems

Ayed, Samiha; Cuppens-Boulahia, Nora; Cuppens, Frédéric

doi:10.1109/ares.2009.152

Cited by 17 publications

(12 citation statements)

References 4 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…It covers a lot of issues such as conflict detection [14] or interoperability and deployment in companies Workflows [15]. In [16], OrBAC has been enhance to tackle information flow control problematic.…”

Section: Unifying Ac and Tcmentioning

confidence: 99%

See 1 more Smart Citation

Generation of Transmission Control Rules Compliant with Existing Access Control Policies

Bertrand

Blay–Fornarino

Boudaoud

et al. 2015

Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

View full text Add to dashboard Cite

Abstract. Access Control (AC) is a well known mechanism that allows access restriction to resources. Nevertheless, it does not provide notification when a resource is retransmitted to an unauthorized third party. To overcome this issue, one can use mechanisms such as Data Loss/Leak Prevention (DLP) or Transmission Control (TC). These mechanisms are based on policies that are defined by security experts. Unfortunately, these policies can contradict existing AC rules, leading to security leakage (i.e. a legitimate user is allowed to send a resource to someone who has no access rights in the AC). In this article, we aim at creating TC policies that are compliant with existing AC policies. To do so, we use a mapping mechanism that generates TC rules directly from existing AC policies. Thanks to the generated rules, our solution can make inferences to improve existing AC and enhance security knowledge between infrastructures.

show abstract

Section: Unifying Ac and Tcmentioning

confidence: 99%

“…A target can be formalized as an entity and an element (14). An entity can be a sender, a receiver, an action of the sender, an action of the receiver or a resource (15). An element can be an entity identifier (ex: "John"), a parameter key (ex: "role"), or a parameter value (ex: "manager") (16).…”

Section: Mapping Rules Syntaxmentioning

confidence: 99%

Generation of Transmission Control Rules Compliant with Existing Access Control Policies

Bertrand

Blay–Fornarino

Boudaoud

et al. 2015

Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

View full text Add to dashboard Cite

show abstract

“…In particular, they assume fail-save participants and processes, reliable communication, as well as a centralized workflow coordinator. Ayed et al [1] discuss the deployment of workflow security policies for inter-organizational workflow. However, the approach also assumes fail-save hard-and software.…”

Section: Related Workmentioning

confidence: 99%

“…Our runtime engine ensures the consistency of business processes with corresponding entailment constraints at the type-level (design-time) and at the instance-level (runtime). The source code of our implementation is available for download 1 . However, the deployment of such a process engine in a distributed system raises a number of challenges.…”

Section: Motivationmentioning

confidence: 99%

On the Impact of Concurrency for the Enforcement of Entailment Constraints in Process-driven SOAs

Quirchmayr

Strembeck

2013

Proceedings of the 10th International Workshop on Security in Information Systems

View full text Add to dashboard Cite

Abstract. A distributed business process is executed in a distributed computing environment. In this context, the service-oriented architecture (SOA) paradigm provides a mature and well understood framework for the integration of software services. Entailment constraints, such as mutual exclusion or binding constraints, are an important means to specify and enforce business processes in a SOA. However, the inherent concurrency of a distributed system may lead to omission and ordering failures. Such failures impact the enforcement of entailment constraints in a process-driven SOA. In particular, the impact of these failures as well as the corresponding countermeasures depend on the architecture of the respective process engine. In this paper, we discuss the impact of omission and ordering failures on the enforcement of entailment constraints in process-driven SOAs. In this context, we especially consider if the respective process engine acts as an orchestration engine or as a choreography engine.

show abstract

“…In this context, work in the area of access control enforcement in workflow management [34] [35] and Model-Driven Security [36][37], though important, suffer from enforcing security policies only at run-time and not during the workflow formation.…”

Section: Related Workmentioning

confidence: 99%

A privacy-aware access control model for distributed network monitoring

Papagiannakopoulou

Koukovini

Lioudakis

et al. 2013

Computers & Electrical Engineering

Self Cite

View full text Add to dashboard Cite

Despite the usefulness of network monitoring for the operation, maintenance, control and protection of communication networks, as well as law enforcement, network monitoring activities are surrounded by serious privacy implications. Their inherent leakage-proneness is harshened due to the increasing complexity of the monitoring procedures and infrastructures, that may include multiple traffic observation points, distributed mitigation mechanisms and even inter-operator cooperation. However, current approaches present limitations in effectively addressing such privacy issues, as they have not been designed for meeting the particular requirements of distributed network monitoring and conceptualising the corresponding functionalities and infrastructures; additionally, they are not suitable for highly dynamic and distributed environments and for automating privacy-awareness. In this paper, we introduce a new access control model that aims at addressing these concerns; it is conceived on the basis of data protection legislation, as well as distributed network monitoring. The proposed approach provides rich expressiveness, captures all the underlying concepts along with their associations and enables the specification of contextual authorisation policies and * Corresponding author.Email address: epapag@icbnet.ntua.gr (Eugenia I. Papagiannakopoulou) ⋆ This is a revised and expanded version of a paper that appeared in the proceedings of the 4th MITACS Workshop on Foundations & Practice of Security, Paris, France, May 2011, pp. 208-217 [44]. Computers & Electrical Engineering 2011 June 7, 2012 expressive separation and binding of duty constraints. Finally, two key innovations of our work consist in the ability to define access control rules in any possible level of abstraction and in enabling a verification procedure which results in inherently privacy-aware workflows, thus minimising run-time reasoning overheads and fostering the realisation of the Privacy by Design vision. Preprint submitted to Elsevier

show abstract

Deploying Security Policy in Intra and Inter Workflow Management Systems

Cited by 17 publications

References 4 publications

Generation of Transmission Control Rules Compliant with Existing Access Control Policies

Generation of Transmission Control Rules Compliant with Existing Access Control Policies

On the Impact of Concurrency for the Enforcement of Entailment Constraints in Process-driven SOAs

A privacy-aware access control model for distributed network monitoring

Contact Info

Product

Resources

About