short-paper

Separation of duties as a service

Authors:

Samuel J. Burri,

Günter KarjothAuthors Info & Claims

ASIACCS '11: Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security

Pages 423 - 429

https://doi.org/10.1145/1966913.1966972

Published: 22 March 2011 Publication History

Abstract

We introduce the concept of Separation of Duties (SoD) as a Service, an approach to enforcing SoD requirements on workflows and thereby preventing fraud and errors. SoD as a Service facilitates a separation of concern between business experts and security professionals. Moreover, it allows enterprises to address the need for internal controls and to quickly adapt to organizational, regulatory, and technological changes. In this paper, we describe an implementation of SoD as a Service, which extends a widely used, commercial workflow system, and discuss its performance. We present a drug dispensation workflow deployed in a hospital as case study to demonstrate the feasibility and benefits of our proof-of-concept implementation.

References

[1]

Sarbanes-Oxley Act of 2002. Public Law 107-204 (116 Statute 745), United States, 2002.

[2]

A. Agrawal, et al. WS-BPEL extension for people (BPEL4People), v1.0. 2007.

[3]

A. Alves, et al. Web services business process execution language (WS-BPEL), v2.0. OASIS Standard, 2007.

[4]

A. Anderson. Hierarchical resource profile of XACML, v2.0. OASIS Standard, 2005.

[5]

D. A. Basin, S. J. Burri, and G. Karjoth. Dynamic enforcement of abstract separation of duty constraints. Proc. of ESORICS, pp. 250--267, 2009.

Digital Library

[6]

S. J. Burri, and G. Karjoth, and D. A. Basin. Separation of duties as a service. IBM Research --- Zurich, TR RZ 3784 (http://bit.ly/gAbQUy), 2010.

[7]

E. Bertino, E. Ferrari, and V. Atluri. The specification and enforcement of authorization constraints in workflow management systems. TISSEC, 2(1):65--104, 1999.

Digital Library

[8]

J. Crampton. A reference monitor for workflow systems with constrained task execution. Proc. of SACMAT, pp. 38--47, 2005.

Digital Library

[9]

European fraud survey 2009. Ernest & Young, TR, 2009.

[10]

D. F. Ferraiolo, R. S. Sandhu, S. I. Gavrila, D. R. Kuhn, and R. Chandramouli. Proposed NIST standard for role-based access control. TISSEC, 4(3):224--274, 2001.

Digital Library

[11]

V. D. Gligor, S. I. Gavrila, and D. Ferraiolo. On the formal definition of separation-of-duty policies and their composition. Proc. of S&P, pp. 172--183, 1998.

[12]

J. Huschens and M. Rumpold-Preining, M. Bernus. IBM Insurance Application Architecture (IAA) --- An overview of the Insurance Business Architecture. Handbook on Architectures of Information Systems, pp. 669--692, 2006.

[13]

IBM Tivoli Directory Server (TDS) v6. www.ibm.com/software/tivoli/products/directory-server.

[14]

IBM WebSphere Application Server (WAS) v6.1. www.ibm.com/software/webservers/appserv/was/.

[15]

IBM WebSphere Process Server (WPS) v6.2. www.ibm.com/software/integration/wps/.

[16]

N. Li and Q. Wang.Beyond separation of duty: An algebra for specifying high-level security policies. JACM, 55(3), 2008.

Digital Library

[17]

D. Marino, et al. Deliverable D1.2.1: Master scenarios. EU Project MASTER (www.master-fp7.eu), 2009.

[18]

Business Process Modeling Notation (BPMN), v1.2. OMG Standard, 2009.

[19]

F. Paci, F. E. Bertino, and J. Crampton. An Access-Control Framework for WS-BPEL. Int. Journal of Web Services Research, pp. 20--43, 2008.

[20]

A. W. Roscoe. The theory and practice of concurrency. Prentice Hall, 2005.

Digital Library

[21]

Apache Axis2, v1.5. http://ws.apache.org/axis2, 2009.

[22]

M. Turner, D. Budgen, and P. Brereton. Turning software into a service. IEEE Computer, 36:38--44, 2003.

Digital Library

[23]

Q. Wang and N. Li. Direct static enforcement of high-level security policies. Proc. of ASIACCS, pp. 214--225, 2007.

Digital Library

Cited By

Odongo NWang D(2019)Performance-Oriented Contracting—A ReviewIEEE Engineering Management Review10.1109/EMR.2019.292420347:3(135-153)Online publication date: 1-Sep-2019
https://doi.org/10.1109/EMR.2019.2924203
Asghar MRussello GCrispo B(2015)E-GRANTProceedings of the 2015 3rd International Conference on Future Internet of Things and Cloud10.1109/FiCloud.2015.43(135-144)Online publication date: 24-Aug-2015
https://dl.acm.org/doi/10.1109/FiCloud.2015.43
Wu QZhu QZhou M(2014)A correlation-driven optimal service selection approach for virtual enterprise establishmentJournal of Intelligent Manufacturing10.1007/s10845-013-0751-025:6(1441-1453)Online publication date: 1-Dec-2014
https://dl.acm.org/doi/10.1007/s10845-013-0751-0
Show More Cited By

Index Terms

Separation of duties as a service

Recommendations

Multi-session Separation of Duties (MSoD) for RBAC
ICDEW '07: Proceedings of the 2007 IEEE 23rd International Conference on Data Engineering Workshop

Separation of duties (SoD) is a key security requirement for many business and information systems. Role Based Access Controls (RBAC) is a relatively new paradigm for protecting information systems. In the ANSI standard RBAC model both static and ...
Separation of duties for access control enforcement in workflow environments
End-to-end security

Separation of duty, as a security principle, has as its primary objective the prevention of fraud and errors. This objective is achieved by disseminating the tasks and associated privileges for a specific business process among multiple users. This ...
Constraint generation for separation of duty
SACMAT '06: Proceedings of the eleventh ACM symposium on Access control models and technologies

Separation of Duty (SoD) is widely recognized to be a fundamental principle in computer security. A Static SoD (SSoD) policy states that in order to have all permissions necessary to complete a sensitive task, the cooperation of at least a certain ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

ASIACCS '11: Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security

March 2011

527 pages

ISBN:9781450305648

DOI:10.1145/1966913

General Chairs:
Bruce Cheung
The University of Hong Kong, China
,
Lucas Chi Kwong Hui
The University of Hong Kong, China
,
Program Chairs:
Ravi Sandhu
University of Texas, San Antonio
,
Duncan S. Wong
City University of Hong Kong, China

Copyright © 2011 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 22 March 2011

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Qualifiers

Short-paper

Funding Sources

Seventh Framework Programme

Conference

ASIA CCS '11

Sponsor:

SIGSAC

ASIA CCS '11: 6th ACM Symposium on Information, Compuer and Communications Security

March 22 - 24, 2011

Hong Kong, China

Acceptance Rates

ASIACCS '11 Paper Acceptance Rate 35 of 217 submissions, 16%;

Overall Acceptance Rate 418 of 2,322 submissions, 18%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

6
Total Citations
View Citations
386
Total Downloads

Downloads (Last 12 months)15
Downloads (Last 6 weeks)1

Reflects downloads up to 07 Sep 2024

Other Metrics

View Author Metrics

Citations

Cited By

Odongo NWang D(2019)Performance-Oriented Contracting—A ReviewIEEE Engineering Management Review10.1109/EMR.2019.292420347:3(135-153)Online publication date: 1-Sep-2019
https://doi.org/10.1109/EMR.2019.2924203
Asghar MRussello GCrispo B(2015)E-GRANTProceedings of the 2015 3rd International Conference on Future Internet of Things and Cloud10.1109/FiCloud.2015.43(135-144)Online publication date: 24-Aug-2015
https://dl.acm.org/doi/10.1109/FiCloud.2015.43
Wu QZhu QZhou M(2014)A correlation-driven optimal service selection approach for virtual enterprise establishmentJournal of Intelligent Manufacturing10.1007/s10845-013-0751-025:6(1441-1453)Online publication date: 1-Dec-2014
https://dl.acm.org/doi/10.1007/s10845-013-0751-0
Brucker A(2014)Using SecureBPMN for Modelling Security-Aware Service CompositionsSecure and Trustworthy Service Composition10.1007/978-3-319-13518-2_8(110-120)Online publication date: 2014
https://doi.org/10.1007/978-3-319-13518-2_8
Brucker AMalmignati FMerabti MShi QZhou B(2013)A Framework for Secure Service CompositionProceedings of the 2013 International Conference on Social Computing10.1109/SocialCom.2013.97(647-652)Online publication date: 8-Sep-2013
https://dl.acm.org/doi/10.1109/SocialCom.2013.97
Basin DBurri SKarjoth G(2012)Dynamic enforcement of abstract separation of duty constraintsACM Transactions on Information and System Security10.1145/2382448.238245115:3(1-30)Online publication date: 30-Nov-2012
https://dl.acm.org/doi/10.1145/2382448.2382451

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents