Abstract
Today, many systems are built by orchestrating existing services, custom developed services, as well as interaction with users. These orchestrations, also called composition plans, are often described using high-level modelling languages that allow for simplifying 1) the implementation of systems by using generic execution engines and 2) the adaption of deployed systems to changing business needs. Thus, composition plans play an important role for both communicating business requirements between domain experts and system experts, and serving as a basis for the system implementation.
At the same time, ICT systems need to fulfil an increasing number of security and compliance requirements. Thus, there is a demand for integrating security and compliance requirements into composition plans.
We present SecureBPMN, a language for modelling security properties that can easily be integrated into languages used for describing service orchestrations. Moreover, we integrate SecureBPMN into BPMN and, thus, present a common language for describing service orchestration (in terms of business process models) together with their security and compliance requirements.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
Similar content being viewed by others
References
Aktug, I., Naliuka, K.: Conspec - a formal language for policy specification. Sci. Comput. Program. 74(1-2), 2–12 (2008), doi:10.1016/j.scico.2008.09.004
Altuhhova, O., Matulevicius, R., Ahmed, N.: Towards definition of secure business processes. In: Bajec, M., Eder, J. (eds.) CAiSE Workshops. LNBIP, vol. 112, pp. 1–15. Springer, Heidelberg (2012)
American National Standard for Information Technology – Role Based Access Control. ANSI, New York (February 2004) ANSI INCITS 359-2004
Basel Committee on Banking Supervision. Basel III: A global regulatory framework for more resilient banks and banking systems. Technical report, Bank for International Settlements, Basel, Switzerland (2010)
Basin, D., Clavel, M., Doser, J., Egea, M.: Automated analysis of security-design models. Information and Software Technology 51(5), 815–831 (2009), Special Issue on Model-Driven Development for Secure Information Systems, doi:10.1016/j.infsof.2008.05.011, ISSN 0950-5849
Basin, D., Burri, S.J., Karjoth, G.: Separation of duties as a service. In: Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, ASIACCS 2011, pp. 423–429. ACM Press (2011), doi:10.1145/1966913.1966972, ISBN 978-1-4503-0564-8
Basin, D.A., Doser, J., Lodderstedt, T.: Model driven security: From UML models to access control infrastructures. ACM Transactions on Software Engineering and Methodology 15(1), 39–91 (2006), doi:10.1145/1125808.1125810, ISSN 1049-331X.
Brucker, A.D.: Integrating security aspects into business process models. it - Information Technology 55(6), 239–246 (2013), doi:10.1524/itit.2013.2004, ISSN 2196-7032
Brucker, A.D., Doser, J.: Metamodel-based UML notations for domain-specific languages. In: Favre, J.M., Gasevic, D., Lämmel, R., Winter, A. (eds.) 4th International Workshop on Software Language Engineering, ATEM 2007 (October 2007)
Brucker, A.D., Hang, I.: Secure and compliant implementation of business process-driven systems. In: Rosa, M.L., Soffer, P. (eds.) Data Base Design Techniques 1978. LNBIP, vol. 132, pp. 662–674. Springer, Heidelberg (1982)
Brucker, A.D., Petritsch, H.: Extending access control models with break-glass. In: Carminati, B., Joshi, J. (eds.) ACM SACMAT, pp. 197–206. ACM Press (2009), doi:10.1145/1542207.1542239, ISBN 978-1-60558-537-6
Brucker, A.D., Doser, J., Wolff, B.: A model transformation semantics and analysis methodology for secureUML. In: Wang, J., Whittle, J., Harel, D., Reggio, G. (eds.) MoDELS 2006. LNCS, vol. 4199, pp. 306–320. Springer, Heidelberg (2006), An extended version of this paper is available as ETH Technical Report, no. 524
Brucker, A.D., Hang, I., Lückemeyer, G., Ruparel, R.: SecureBPMN: Modeling and enforcing access control requirements in business processes. In: ACM SACMAT, pp. 123–126. ACM Press (2012), doi:10.1145/2295136.2295160, ISBN 978-1-4503-1295-0
Cherdantseva, Y., Hilton, J.: A reference model of information assurance amp;amp; security. In: 2013 Eighth International Conference on Availability, Reliability and Security (ARES), pp. 546–555 (September 2013), doi:10.1109/ARES.2013.72
HIPAA. Health Insurance Portability and Accountability Act of 1996 (1996), http://www.cms.hhs.gov/HIPAAGenInfo/
Jürjens, J., Rumm, R.: Model-based security analysis of the german health card architecture. Methods Inf. Med. 47(5), 26–1270 (2008) ISSN 0026-1270
Lodderstedt, T., Basin, D., Doser, J.: SecureUML: A UML-based modeling language for model-driven security. In: Jézéquel, J.-M., Hussmann, H., Cook, S. (eds.) UML 2002. LNCS, vol. 2460, pp. 426–540. Springer, Heidelberg (2002)
Mülle, J., von Stackelberg, S., Böhm, K.: A security language for BPMN process models. Technical report, University Karlsruhe, KIT (2011), http://digbib.ubka.uni-karlsruhe.de/volltexte/1000023041
OASIS. eXtensible Access Control Markup Language (XACML), version 2.0 (2005a), http://docs.oasis-open.org/xacml/2.0/XACML-2.0-OS-NORMATIVE.zip
OASIS. Web services business process execution language (BPEL), version 2.0 (April 2007), urlhttp://docs.oasis-open.org/wsbpel/2.0/wsbpel-v2.0.pdf.
Object Management Group. Business process model and notation (BPMN), version 2.0 (January 2011), Available as OMG document formal/2011-01-03
RodrÃguez, A., Fernández-Medina, E., Piattini, M.: A BPMN extension for the modeling of security requirements in business processes. IEICE - Trans. Inf. Syst. E90-D, 745–752 (2007), doi:10.1093/ietisy/e90-d.4.745, ISSN 0916-8532
Salnitri, M., Dalpiaz, F., Giorgini, P.: Modeling and verifying security policies in business processes. In: Bider, I., Gaaloul, K., Krogstie, J., Nurcan, S., Proper, H.A., Schmidt, R., Soffer, P. (eds.) BMMDS/EMMSAD. LNBIP, vol. 175, pp. 200–214. Springer, Heidelberg (2014)
Wolter, C., Schaad, A.: Modeling of task-based authorization constraints in BPMN. In: Alonso, G., Dadam, P., Rosemann, M. (eds.) BPM 2007. LNCS, vol. 4714, pp. 64–79. Springer, Heidelberg (2007)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2014 Springer International Publishing Switzerland
About this chapter
Cite this chapter
Brucker, A.D. (2014). Using SecureBPMN for Modelling Security-Aware Service Compositions. In: Brucker, A.D., Dalpiaz, F., Giorgini, P., Meland, P.H., Rios, E. (eds) Secure and Trustworthy Service Composition. Lecture Notes in Computer Science, vol 8900. Springer, Cham. https://doi.org/10.1007/978-3-319-13518-2_8
Download citation
DOI: https://doi.org/10.1007/978-3-319-13518-2_8
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-13517-5
Online ISBN: 978-3-319-13518-2
eBook Packages: Computer ScienceComputer Science (R0)