The Use of Business Process Models for Security Design in Organisations

Holbein, Ralph; Teufel, Stephanie; Bauknecht, Kurt

doi:10.1007/978-1-5041-2919-0_2

Cited by 9 publications

(9 citation statements)

References 7 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Conditions include tasks performed, time of day, resource availability and various other properties that can be used to describe a system's current operational state and behavior. The implications of "active", "just-in-time" or "need-to-know" authorizations have been discussed by various authors including [5,15,17]. We consider the authorizations generated from a choreography as active with respect to project membership, role, task and control flow.…”

Section: Discussion and Related Workmentioning

confidence: 99%

From Business Process Choreography to Authorization Policies

Robinson¹,

Kerschbaum²,

Schaad³

2006

Data and Applications Security XX

View full text Add to dashboard Cite

Abstract.A choreography specifies the interactions between the resources of multiple collaborating parties at design time. The runtime management of authorization policies in order to support such a specification is however tedious for administrators to manually handle. By compiling the choreography into enhanced authorization policies, we are able to automatically derive the minimal authorizations required for collaboration, as well as enable and disable the authorizations in a just-in-time manner that matches the control flow described in the choreography. We have evaluated the advantage of this utility in a collaborative engineering scenario.

show abstract

Section: Discussion and Related Workmentioning

confidence: 99%

From Business Process Choreography to Authorization Policies

Robinson¹,

Kerschbaum²,

Schaad³

2006

Data and Applications Security XX

View full text Add to dashboard Cite

show abstract

“…[32]). Many approaches adapt access control and authorization methods used in database and operation system areas to the domain of business processes and workflows (e.g., [1,5,9,30,53,58]). But the handling of security requirements of these areas need a more broaden view.…”

Section: Related Workmentioning

confidence: 99%

Security requirement analysis of business processes

Herrmann

2006

Electron Commerce Res

View full text Add to dashboard Cite

Economic globalization leads to complex decentralized company structures calling for the extensive use of distributed IT-systems. The business processes of a company have to reflect these changes of infrastructure. In particular, due to new electronic applications and the inclusion of a higher number of-potentially unknown-persons, the business processes are more vulnerable against malicious attacks than traditional processes. Thus, a business should undergo a security analysis. Here, the vulnerabilities of the business process are recognized, the risks resulting from the vulnerabilities are calculated, and suitable safeguards reducing the vulnerabilities are selected. Unfortunately, a security analysis tends to be complex and affords expensive security expert support. In order to reduce the expense and to enable domain experts with in-depth insight in business processes but with limited knowledge about security to develop secure business processes, we developed the framework MoSS B P facilitating the handling of business process security requirements from their specification to their realization. In particular, MoSS BP provides graphical concepts to specify security requirements, repositories of various mechanisms enforcing the security requirements, and a collection of reference models and case studies enabling the modification of the business processes. In this paper, the MoSS BP -framework is presented. Additionally, we introduce a tool supporting the MoSS B P -related security analysis of business processes and the incorporation of safeguards. This tool is based on object-oriented process models and acts with graph rewrite systems. Finally, we clarify the application of the MoSS B P -framework by means of a business process for tender-handling which is provided by anonymity-preserving safeguards.

show abstract

“…Transaction based business process models are used by Holbein et al [13,12] to derive role based access control for workflow data, i.e., information exchanged during the process execution. Their approach has been used in the MobiMed project [ 20], which aims to provide access control to data in a clinical environment.…”

Section: Related Workmentioning

confidence: 99%

Workflow Access Control From a Business Perspective

Domingos¹,

Silva²,

Veiga³

2004

Proceedings of the 4th International Workshop on Pattern Recognition in Information Systems

View full text Add to dashboard Cite

Workflow management systems are increasingly being used to support business processes. Methodologies have been proposed in order to derive workflow process definitions from business models. However, these methodologies do not comprise access control aspects. In this paper we propose an extension to the Work Analysis Refinement Modelling (WARM) methodology, which also enables to determine workflow access control information from the business process model. This is done by identifying useful information from business process models and showing how it can be refined to derive access control information. Our approach reduces the effort required to define the workflow access control, ensures that authorization rules are directly related to the business and aligns access control with the information system architecture that implements the business process.

show abstract

The Use of Business Process Models for Security Design in Organisations

Cited by 9 publications

References 7 publications

From Business Process Choreography to Authorization Policies

From Business Process Choreography to Authorization Policies

Security requirement analysis of business processes

Workflow Access Control From a Business Perspective

Contact Info

Product

Resources

About