Model-driven business process security requirement specification

Efficient resource allocation is a complex and dynamic task in business process management. Although a wide variety of mechanisms are emerging to support resource allocation in business process execution, these approaches do not consider performance optimization. This paper introduces a mechanism in which the resource allocation optimization problem is modeled as Markov decision processes and solved using reinforcement learning. The proposed mechanism observes its environment to learn appropriate policies which optimize resource allocation in business process execution. The experimental results indicate that the proposed approach outperforms well known heuristic or hand-coded strategies, and may improve the current state of business process management.

Reinforcement learning based resource allocation in business process management

Compliance checking is gaining importance as today's organizations need to show that operational processes are executed in a controlled manner while satisfying predefined (legal) requirements. Deviations may be costly and expose the organization to severe risks. Compliance checking is of growing importance for the business process management and auditing communities. This paper presents a comprehensive compliance checking approach based on Petri-net patterns and alignments. 55 control flow oriented compliance rules, distributed over 15 categories, have been formalized in terms of Petri-net patterns describing the compliant behavior. To check compliance with respect to a rule, the event log describing the observed behavior is aligned with the corresponding pattern. The approach is flexible (easy to add new patterns), robust (the selected alignment between log and pattern is guaranteed to be optimal), and allows for both a quantification of compliance and intuitive diagnostics explaining deviations at the level of alignments. The approach can also handle resource-based and data-based compliance rules and is supported by ProM plug-ins. The applicability of the approach has been evaluated using various real-life event logs.

/pdf/where-did-i-misbehave-diagnostic-information-in-compliance-1zbfof1hcs.pdf

Where did i misbehave? diagnostic information in compliance checking

As a result of the growing adoption of Business Process Management (BPM) technology different stakeholders need to understand and agree upon the process models that are used to con?gure BPM systems. However, BPM users have problems dealing with the complexity of such models. Therefore, the challenge is to improve the comprehension of process models. While a substantial amount of literature is devoted to this topic, there is no overview of the various mechanisms that exist to deal with managing complexity in (large) process models. It is thus hard to obtain comparative insight into the degree of support offered for various complexity reducing mechanisms by stateof-the-art languages and tools. This paper focuses on complexity reduction mechanisms that affect the abstract syntax of a process model, i.e. the structure of a process model. These mechanisms are captured as patterns, so that they can be described in their most general form and in a language- and tool-independent manner. The paper concludes with a comparative overview of the degree of support for these patterns offered by state-of-theart languages and language implementations.

Managing process model complexity via abstract syntax modifications

Service-oriented Architectures deliver a flexible infrastructure to allow independently developed software components to communicate in a seamless manner. In the scope of organisational workflows, SOA provides a suitable foundation to execute business processes as an orchestration of multiple independent services. Along with the increased connectivity, the corresponding security risks rise exponentially. However, security requirements are usually defined on a technical level, rather than on an organisational level that would provide a comprehensive view on the participants, the assets and their relationships regarding security.In this paper, we propose an approach to describe security requirements at the business process layer and their translation to concrete security configuration for service-based systems. We introduce security elements for business process modelling which allow to evaluate the trustworthiness of participants based on a rating of enterprise assets and to express security intentions such as confidentiality or integrity on an abstract level. Our aim is to facilitate the generation of security configurations based on the modelled requirements. For this purpose, we foster a model-driven approach: Information at the modelling layer is gathered and translated to a domain-independent security model. Concrete protocols and security mechanisms are resolved based on a security pattern system that is introduced in the course of this paper.

/pdf/security-requirements-specification-in-service-oriented-38k6op2pvr.pdf

Security Requirements Specification in Service-Oriented Business Process Management

Workflows model and control the execution of business processes inan organisation by defining a set of tasks to be done. The specification of workflowsis well-elaborated and heavily tool supported. Task-based access control istailored to specify authorization constraints for task allocation in workflows. Existingworkflow modeling notations do not support the description of authorizationconstraints for task allocation commonly referred to as resource allocationpatterns.

In this paper we propose an extension for the Business Process Modeling Notation(BPMN) to express such authorizations within the workflow model, enablingthe support of resource allocation pattern, such as Separation of Duty,Role-Based Allocation, Case Handling, or History-Based Allocation in BPMN.These pattern allow to specify authorization constraints, for instance role-task assignments,separation of duty, and binding of duty constraints. Based on a formalapproach we develop an authorization constraint artifact for BPMN to describesuch constraints.

As a pragmatic demonstration of the feasibility of our proposed extensionwe model authorization constraints inspired by a real world banking workflowscenario. In the course of this paper we identify several aspects of future workrelated to verification and consistency analysis of modeled authorization constraints,tool-supported and pattern-driven authorization constraint description,and automatic derivation of authorization policies, such as defined by the eXtensibleAccess Control Markup Language (XACML).

Modeling of task-based authorization constraints in BPMN

Various types of security goals, such as authentication or confidentiality, can be defined as policies for process-aware information systems, typically in a manual fashion. Therefore, we foster a model-driven transformation approach from modelled security goals in the context of process models to concrete security implementations. We argue that specific types of security goals may be expressed in a graphical fashion at the business process modelling level which in turn can be transformed into corresponding access control and security policies for process-aware information systems, for instance based on service-oriented architectures. In this paper we present security policy and policy constraint models. These models are projected onto general enterprise models and enterprise business processes in particular. We further discuss the suitability of this approach based on an example process and outline future work in order to derive security policy implementations out of the process models applicable for service-oriented architectures.

/pdf/modelling-security-goals-in-business-processes-2qp8wreqpv.pdf

Modelling Security Goals in Business Processes

The verification of access controls is essential for providing secure systems. Model checking is an automated technique used for verifying finite state machines. The properties to be verified are usually expressed as formula in temporal logic. In this paper we present an approach to verify access control security properties of a security annotated business process model. To this end we utilise a security enhanced BPMN notation to define access control properties.

To enhance the usability the complex and technical details are hidden from the process modeller by using an automatic translation of the process model into a process meta language (Promela) based on Coloured Petri net (CPN) semantics.

The model checker SPIN is used for the process model verification and a trace file is written to provide visual feedback to the modeller on the abstraction level of the verified process model. As a proof of concept the described translation methodology is implemented as a plug-in for the free web-based BPMN modelling tool Oryx.

Verification of Business Process Entailment Constraints Using SPIN

The Business Process Modeling Notation (BPMN) has become a defacto standard for describing processes in an accessible graphical notation. The eXtensible Access Control Markup Language (XACML) is an OASIS standard to specify and enforce platform independent access control policies.

In this paper we define a mapping between the BPMN and XACML metamodels to provide a model-driven extraction of security policies from a business process model. Specific types of organisational control and compliance policies that can be expressed in a graphical fashion at the business process modeling level can now be transformed into the corresponding task authorizations and access control policies for process-aware information systems.

As a proof of concept, we extract XACML access control policies from a security augmented banking domain business process. We present an XSLT converter that transforms modeled security constraints into XACML policies that can be deployed and enforced in a policy enforcement and decision environment. We discuss the benefits of our modeling approach and outline how XACML can support task-based compliance in business processes.

Christian Wolter

Papers

Modeling of task-based authorization constraints in BPMN

Model-driven business process security requirement specification

Modelling Security Goals in Business Processes

Verification of Business Process Entailment Constraints Using SPIN

Deriving XACML policies from business process models