Thursday, 23 December 2010

Annotated Bib.: Towards a UML 2.0 Extension for the Modeling of Security Requirements in Business Processes



[1] A. Rodr ́ıguez, E. Ferna ́ndez-Medina, and M. Piattini. Towards a uml 2.0 extension for the modeling of security requirements in business processes. In S. Fischer-Hu ̈bner, S. Furnell, and C. Lambrinoudakis, editors, TrustBus, volume 4083 of Lecture Notes in Computer Science, pages 51–61. Springer, 2006.

This paper presents an extension to UML 2.0 that can integrate security recruitments in the business process model. The paper started with showing the importance of security and the growth of BPM, then showed that security is usually neglected at the beginning and how that might lead to security complications. Moreover it explained the reason of choosing UML among all modelling languages.
On the second section the paper went into showing how important is security to BPM, and showed that there are two problems in this field; first that modelling has not been adequate yet, and the second that security usually not considered till actual implementation process. Moreover it compeered this work to other works related to security and BPM. In section 3 it briefly presented an overview of UML 2.0 and extensions.
Section 4 proposed the extension to represent security requirements in the model; the extension made use of the stereotypes by adding «SecureActivity» and «SecurityRequirement» which need to be followed by latter to represent the requirement (NR, AD, I, P or AC). also added «SecurityRole» and «SecurityPermissions». Then gave a table explaining all the new data type stereotypes definitions. Finally gave the notation and constrains for each new stereotype. Section 5 presented an example of "admission of patients in a health-care institution" and used this case study to present the new extension and to show how it could help in presenting security requirement in the process model.
The paper concluded that the new extension allowed for considering security requirements from the beginning and to include them in the model.

Relation to research in hand, this paper presented a methodology that can be used to integrate security requirements in the business process model. it provided an actual tool that can be used. The paper gave a solution to part of the research problem by integrating security in modelling, but it was limited to one toll (UML 2.0), the idea can be useful to extend and be generic that can be used on any other toll.

Annotated Bib.:Secure activity resource coordination: empirical evidence of enhanced security awareness in designing secure business processes



[1] F. D’Aubeterre, R. Singh, and L. Iyer. Secure activity resource coordination: empirical evidence of enhanced security awareness in designing secure business processes. European Journal of Information Systems, 17(5):528 – 542, 2008.

This paper addresses the question: "how can we integrate security as a functional requirement in the analysis and modelling of business processes?"
The paper start with showing the importance of considering the security requirements from the beginning and considering them as functional requirements as that will make analysts have greater security awareness in their analysis of the requirements of secure business processes". The Authors of this paper developed "secure activity resource coordination (SARC)" conceptualization, which is designed to view security as a functional requirement in the analysis and modelling of the activities in a business process.
The paper then gave the 5 rules that are considered the "modelling concepts, and grammar for SARC secure business processes:
1. Actors fulfil organizational roles.
2. Organizational roles are authorized to perform business activities.
3. Business activities are permitted to read, write, delete, or create information resources.
4. Dependencies do not exist directly between business activities. Business activities cannot directly produce or consume another business activity. 
5. Business activities have a sharing, fit or flow coordination dependency with an information resource”. 
Then it gave an experimental example to show how "business process models developed using SARC generates higher awareness of security constraints in modelling the secure exchange of information resources in coordinated business processes". The paper focused on "non-repudiation", "access control", and "segregation of duties" as an example for security requirements.
The paper concludes that SARC can be used by business analysts to analyse and model secure business processes, and that it effectively incorporate security requirements in the conceptualization of business processes.

Relation to research in hand; this paper provides a methodology (SARC) to integrating security requirements in Business processes, which is an important part of the literature review for the research. The idea of this paper, and the output is closely related to the idea of the research in hand, and it might form a small part of the big picture of the research idea.

Annotated Bib.: Security in Business Process Engineering



[1] M. Backes, B. Pfitzmann, and M. Waidner. Security in business process engineering. In W. M. P. van der Aalst, A. H. M. ter Hofstede, and M. Weske, editors, Business Process Management, volume 2678 of Lecture Notes in Computer Science, pages 168–183. Springer, 2003. 

The paper starts by showing that security is usually neglected in the modelling phase and only integrated in an ad-hoc manner later on, then it goes on showing how problematic this approach is, and how that security should be considered earlier as it will make it clearer, easier, and will produce less errors.
The paper then discusses the trust models, and how they can be applied to BPM, it also give an example to illustrate the need of integrating security (specially cryptography) in early stagiest of BPM. The example used was "Certified Mail System". The paper then went in to technical details in showing what security requirements are needed in such example; it was focusing more on the cryptographic requirements, and little on Trust.
Then it goes on showing in detailed technical way how would considering security requirements from the beginning help in building butter system.
It finally ends with comparing this work with other works done by others, and showing how considering cryptography from the beginning was useful in this example.

Relation to the research on hand, this paper shows the importance of early consideration of security, instead of an ad-hoc way. It also add to the review on what work is done in integrating security in to BPM. Also it gave a brief discussion about trust and trust-models, and showed that this might be important to BPM and it need to be integrated.

Tuesday, 21 December 2010

Annotated Bib.: Towards a Comprehensive Framework for Secure Systems Development



[1] H. Mouratidis, J. Ju ̈rjens, and J. Fox. Towards a comprehensive framework for secure systems develop- ment. In E. Dubois and K. Pohl, editors, CAiSE, volume 4001 of Lecture Notes in Computer Science, pages 48–62. Springer, 2006.

This paper is present a new framework that can be used to get a security-aware process. The paper is based on the idea that security involves technical and social parts. the paper state that all work done in the field is either focusing on the technical or on the social part, and that they all work to a cretin level. The authors claims that this approach consider both parts (technical and social), and it consider all stages in the process, starting form the early stage of data collection till the implementation stage.

The framework is integration between two security-aware methodologies; Secure Tropos and UMLsec; since secure Tropos focuses more on the social challenges, and on early stages of a process, where UMLsec focuses more on technical challenges and the late stages. so the new frame work will focus on both type of challenges and all stages.

The aim of the framework is to present an approach for modelling secure information systems; which is done through 4 stages:
1-Early Requirements Analysis; which uses Secure Tropos to analyse the security needs and goals of stakeholders.
2-Late Requirements Analysis; which also uses Secure Tropos to determine the security requirements of the system.
3-Architectural Design; in which the mapping of Secure Tropos to the UMLsec is performed. Secure Tropos is used to determine the general architecture and the components of the system. Then UMLsec is used to model the security protocols and properties.
4-Detailed design; which uses UMLsec to specify in details the components of the system and model the secure interaction of the system components.

The real challenge in this paper and probably the biggest contribution is providing an integration and mapping from Secure Tropos to UMLsec, the paper provided guide lines to do so:
1- Map the secure Tropos analysis module to UMLsec class diagram; which contains 5 steps.
2- Map the secure Tropos analysis module to UMLsec Deployment diagram; which contains 3 steps.
Finally, to show the effectiveness of the new framework, it was applied on an ecommerce case study, which showed that the framework actually discovered a new security requirement that was ignored initially.

The paper conclude that it is important today to consider security in process and system design the new framework, consider all security challenges and all process stages, and it is easy to understand since it is using popular methodologies.

Relation to research on hand, this paper is a big contribution to the literature review and on showing what have been done yet on the field on integrating security in to BPM. This paper presented a new framework that can be used to consider security recruitments from the beginning all the way till implementation. Although the framework in hand is aimed to system buildings but it can be used to generate a new framework that would be used in integrating security into BPM.

Annotated Bib.: Secure Information Systems Engineering: Experiences and Lessons Learned from Two Health Care Projects


[1] H. Mouratidis, A. Sunyaev, and J. Ju ̈rjens. Secure information systems engineering: Experiences and lessons learned from two health care projects. In P. van Eck, J. Gordijn, and R. Wieringa, editors, CAiSE, volume 5565 of Lecture Notes in Computer Science, pages 231–245. Springer, 2009.

This paper used a framework that was developed and published earlier in 2006 that is called "model based security engineering framework", this paper is not aimed to explaining the framework, rather, it is about using the framework in two different health care cases, and discussing the outputs of the case study.
This paper started with a brief explanation for the framework for those who did not read the original paper to be able to understand the rest of the paper, but did not go in to details. The framework is basically integrating two security-aware approaches; Secure Tropos and UMLsec.; the framework have 4 stages: Security Analysis of System Environment, Security Analysis of System, Secure System Design, and Secure Components Definition. The paper applied the framework using these 4 stages on 2 health care examples, but due to a space issue it only explained one of the cases.
The paper explained the case it self, and then went into showing how did the framework stages were applied. The next section was about the reflection or what would be called the results of the study, which was discussed in three subsections: challenges faced during the framework development, lessons learned, and improvements that can be done.
The paper conclude that this framework was helpful, and gave nice results for a first time real life application; giving how complicated the health cases are; and also shows that the fretwork was easy to understand, but might require basic knowledge in security terminology. The paper also showed that there was a problem faced in translating from the Secure Tropos to the UMLsec. but was solved by changing the guidelines.

Relation to the research in hand, this paper shows that a security-aware framework was successfully used in real life examples. Although it needed some enhancements, and some problems were faced, but it also showed that people were able to adapt to such framework, and it helped analyst and designers to take security requirements in consideration from the beginning all the way till the implementation phase.

Friday, 17 December 2010

Annotated Bib.: IT Security Management and Business Process Automation: Challenges, Approaches, and Rewards.


[1] R. P. Tracy. It security management and business process automation: Challenges, approaches, and rewards. Information Systems Security, 16(2):114–122, 2007.

This paper focuses on security polices and how to enforce them in an organization, it makes use of the business process automation idea to enforce security polices.
The paper start of with showing the importance of including security in the business to give security priority. Then discussed the challenges in enforcing security polices. after that it explain how to make use of Business process automation (BPA) concept to enforce security polices; first by making security polices in to process requirements, and then the authors made use of the BPA concept by creating and automating a process to enforce the security requirements: Inventory, Asses, Notify, Remediate, Validate, and report.
The paper conclude that with a good security polices, a platform that support automation of security polices, and a process automation solution in place an organization can be as secure as possible.

Relation to the research in hand; will be that this paper shows the importance of including security from the beginning and that security and business need each other and should be more integrated than ever.

Thursday, 16 December 2010

Annotated Bib.: An Empirical Evaluation of Information Security Awareness Levels in Designing Secure Business Processes



[1] F. D’Aubeterre, L. S. Iyer, and R. Singh. An empirical evaluation of information security awareness levels in designing secure business processes. In V. Vaishanvi and S. Purao, editors, DESRIST. ACM, 2009.


This paper demonstrate that "Secure Activity Resource Coordination (SARC)" is the best way to get analyst and designer of processes to be aware of the security requirements in the processess; SARC is not explained in this paper, another paper was published earlier does explain SARC in details, this paper focuses only on proving that it is the best way to increase the awareness level of security requirements in a process. To show how good is SARC, the paper compare based on a method called situational Awareness (SA); which place awareness on 3 levels: awareness of the existence, comprehension, prediction. SA was used as the measuring criteria to compare SARC to "Enriched-Use Case and UML-Active diagrams".
So the study was about proving if SARC can increase awareness in Security requirements for analysts and designers within these 3 levels. The study was preformed on different groups of students and the results showed that SARC mad the students more aware of the security requirements in the processes more than the "Enriched-Use Case and UML-Active diagrams".
The papers conclude that, considering security requirements from the beginning and treating them as functional requirements will increase the awareness of them for the analyst, and using SARC is the best way to do so.

If this paper would be related to the research on hand in anyway, it would be showing the importance of early consideration of security requirements; from the data collection phase. It might also be related in the form that SARC is worth looking at as a method, and it might be a good method to follow in integrating other security requirements; such as trust; since it is proven to be a good way to increase the awareness of security requirements.

Wednesday, 15 December 2010

nice qutes

An Empirical Evaluation of Information Security Awareness Levels in Designing Secure Business Process. 2009
by Fergle D’Aubeterre, Lakshmi S. Iyer, and Rahul Singh:
 
"Information Security is critical to ensuring the integrity and credibility of digitally exchanged information in business    processes".

BPM "development methodology that considers security requirements in the early phases (modeling, and requirments collecting) of systems development is essential" for information security.

"information security awareness should be present in the requirements gathering phase, so that analysts become more aware of security constraints and possible violations resulting into secure business processes".

the 2006 CSI/FBI Computer Crime and Security Survey identified that authorization violations are the second largest cause of economic losses (Gordon et al., 2006).

security should be embedded into the overall information systems development and not added as an afterthought (Mouratidis et al. 2009).

Existing work is mainly focused either on the technical or the social aspect of considering security, and approaches are usually applicable only to certain development stages (Mouratidis et al. 2009).


Thursday, 25 November 2010

Summary of "Secure Business Process Managment: A Roadmap"

It is a paper done by Thomas Neubauer, Markus Klemen, Stefan Biffl from the Institute of Software Technology and Interactive Systems in Vienna University of Technology, in Austria.

After they defined what is ”Secure Business Process Management”, they said that if the BPM life cycle consist of analyzing, optimizing and designing the business process in accordance with the business strategy, allocating applications and employees, implementing and executing the processes to support information exchange, monitoring and aggregating operational data for the purpose of decision making and continuous improvement. then so SBPM should take the same life cycle and Security should be presented the whole time.



The paper present an idea that Security should begin with strategy definition,  and Security should be developed in parallel with the business process.
Then they say that Security measures should be modeled in the same BPM diagram. after that they presented the idea that security should be valued based on the business process.
finally the idea of the business cockpit, where the monitoring should occur as security need to be monitored along with the business process.

This paper defined Secure Business Process Management and presented a research roadmap for this field. Compared to existing approaches the idea presented in this paper allows the alignment and integrated design of business processes and security objectives over the whole life cycle of a business process. The extension of existing BPM methodologies allows reducing the gap between IT- security and business activities using a combined business driven top down approach.

Summery of: A REFERENCE MODEL FOR PROCESS-ORIENTED IT RISK MANAGEMENT


Title: A REFERENCE MODEL FOR PROCESS-ORIENTED IT RISK MANAGEMENT
Authors: Stefan Sackmann.
Published: 2008

This paper focuses on threats generated from IT and their influence on BPM, and relevance of IT risks resulting from flexible business processes and the integration of cause-effect relations into the typical risk management process and necessary extensions.

It starts with trying to define “IT Risks”; and settled on that “IT risks should be seen as part of operational risks measuring the unexpected losses that are determined by the frequency and amount of losses e.g. by their value at risk”. Then it shows the importance on IT in today’s organizations, and explains how that Traditional methods for risk management are challenged by the increasing flexibility of business processes and their support by IT.

“The management of risks occurring from IT in its role as flexible and continuously changing infrastructure supporting business processes requires an extension of “traditional” risk management that enables continuously changing cause-effect relations to be taken into consideration. For this purpose, the layer-based IT Risk Reference Model is proposed providing a formal approach for modeling IT risks in a structured way on the basis of their relation between cause and effect.”

Then in Section 3 it went in to establishing the “IT Risk Reference Model”; Modeling the relations between the causes of IT risks and their effects on business processes:

Layer 4: Business Process (BP): On this layer, parts of the business process should be regarded as independent components that are defined as enclosed activities using at least one IT application for their realization.
Layer 3: IT Application / IT Infrastructure (AP): The assignment of protection goals to IT applications allows the bringing together of the economic handling of IT risks with the more technological.
Layer 2: Vulnerabilities (VN): the vulnerabilities identified are interpreted as independent “components” that can be associated to at least one IT application.
Layer 1: Threats (TH): This layer includes all known threats that are seen as causes of IT risks and, ideally, can be described with a probability of their occurrence.

Within these four layers, the relations between the causes and effects can be modeled addressing the needs of process-oriented IT risk management. Witch is done in the 4th section; “MODELING CAUSE & EFFECT RELATIONS FOR IT RISKS”.

Then in the 5th section the paper discussed some extensions, such as risk identification, risk quantification, risk treatment, and risk control.

This paper showed that the relations between the threats to IT (causes) and their implications on the business process activities (effects) have to be modeled in a standardized and formal way. The IT Risk Reference Model proposed in this contribution reduces the complexity of the modeling challenge by defining four layers. It also established the IT Risk Reference Model, which serves as a framework modeling the interdependent layers in the form of matrixes and allows a formal description of the interdependencies between the separated layers according to a company’s requirements.

Friday, 19 November 2010

Summery of "Security for workflow Systems"

The paper is by Vijay Atluri, from Rutgers University. published in 2002.

the paper started by defining what is Workflow, and what are the workflow systems.
then went in to explaining the security requirements for a workflow and define them in a BPM terminology.

then the paper explained in details what the other thought are the most important security requirements in regards to the BPM. The paper explained Authorization and Access Control. Then talked about Separation of Duties. Authentication and Anonymity where the last 2 security requirements that where explained in how to integrate in the BPM.

The paper described that most commercial workflow systems provide minimal security features such as user authentication, and most of them have to implement an ad-hoc manner through a script type language. where such ad-hoc implementation makes specification, analysis and maintenance of security policies more difficult.

There treatment of authorization emphasizes the need for synchronization of authorization flow with the workflow, and it is missing some features such as assigning different roles to tasks based on the outcome of the prior task, granting different permissions to roles based on the outcome of the task, capability to specify different authorizations for different instances of the same workflow, ability to specify authorizations based on the context and based on the responsibilities to be performed by individuals, and delegating the responsibility to other users and roles.

The paper  highlight the security requirements of workflow systems and discuss authorization, separation of duties, authentication and anonymity at length.

Thursday, 11 November 2010


summery of: Risk Management in the BPM Lifecycle


Title: Risk Management in the BPM Lifecycle
Authors: Michael zur Muehlen and Danny Ting-Yi Ho.
Published: 2006

This paper provided an overview of risks associated with BPM projects along the phases of the BPM lifecycle.

The paper started by trying to define BPM, providing different definitions by different researchers, and finally defining BPM as creating “alignment among the individual process components input, output, resources, process structure, and process goals”.

Then it went in to defining risk and risk management; it explains that risk management composed of 3 main phases: identification, analysis, and control of risk. And explained 4 of the management strategies; mitigation, avoidance, transfer, and acceptance.


Then in section 4 went into “risks specific to BPM projects”, and listed common risks encountered in and between BPM lifecycle phases;


This paper focused more on risks that can occur during BPM lifecycle and not on integrating risk to BPM or producing a risk-aware BPM.

Wednesday, 10 November 2010

Summery of: Modeling of Task-Based Authorization Constraints in BPMN

Title: Modeling of Task-Based Authorization Constraints in BPMN
Authors: Christian Wolter, and Andreas Schaad
Published: 2007

This paper proposes an extension for the Business Process Modeling Notation (BPMN) to express “authorization constraints for task allocation in workflows” within the workflow model. Such as Separation of Duty, Role-Based Allocation, Case Handling, or History-Based Allocation in BPMN.

The paper defines Task-based authorization constraints as “express who is allowed or must perform a certain task under specific circumstances in the context of a workflow”, and it state that most resource allocation pattern are not supported in the domain of business process modeling.

This paper provides:
      Formal definition of authorization constraints in the context of workflow models.
      Example workflow constraints derived from the banking domain and their formal representation.
      Evaluation of BPMN’s capabilities to express task-based authorization constraints in the context of resource allocation and defines a BPMN extension for the specification of appropriate authorization constraints.
      Applies the proposed BPMN extension to a real world banking scenario to evaluate its applicability.

Then it went in defining the constrains and what security requirements this paper is going cover, paper provided deep technical and mathematical definition of all the constrains related (such as task-roll, and conflict tasks). But all can be summarized in the below table:


Then the paper gave an example about a real-life process (Banking workflow) that can make use of these constraints, example can be understood from the process model:

And explained the 6 constraints that need to be applied in this process: Clerk must interact with the customer, bank manager must sign the form, user must not check the credit worthiness, bank manager may act as a clerk, user acquiring the customer data must identify the customer’s account, For a single customer an user must not perform more than five tasks. And gave the mathematical equation for each.

Finally, the paper explained how to solve these requirement and how to have them as an extension to BPMN, then showed how to represent each in a model (such as manual tasks and roles, task grouping and looping, Allocation Constraint Artifact), and finally reproduced the process model with all the 6 requirements expressed in the model, as shown below:

This paper presented a novel approach to describe authorization constraints for manual tasks within the Business Process Modeling Notation.

Tuesday, 9 November 2010

Summery: Modeling Business Process Availability


 Title: Modeling Business Process Availability
Authors: Nikola Milanovic, Bratislav Milic, and Miroslaw Malek
Published: 2008

Availability is one of information security main goals, this paper looks in to presenting a framework for modeling business process availability that takes into account services, the underlying ICT- infrastructure and people.

The paper then tried to define the layer where to model the availability and define the relation between ICT layer and BPM layer. It also reached a definition of business process availability:

“Several availability definitions are provided. Interval availability is the number of correct service or business process invocations over a number of total invocations for a given time interval. Steady- state availability is the expected availability defined as ser- vice or business process uptime over its lifetime. User- perceived availability is the number of correct service or business process invocations over a total number of invocations for a given time interval (interval user-perceived avail- ability) or over lifetime (steady-state user-perceived avail- ability), given for a particular user.”

Then it went in describing the process to assessing availability. Also it provided an example of how to integrate availability in a business process model. It was a simple editor process of revising and approving a new manuscript.



The 1st pictures shows the original process, while the last 3 shows how to integrate the availability for each task that required a human interaction (editor and junior editor). The approach depended on generating tickets and granting/revoking access rights. 

Then the paper went deep in technical technology explaining such as network communication, systems integration, and permission access, to prove the importance of availability for the process.


The presented approach enables business process and service availability assessment, based on the availability properties of the underlying ICT-components. The model may be extended with additional factors, such as cost or power utilization. 
 


Monday, 8 November 2010

summery: Managing Security and Privacy Integration across Enterprise Business Process and Infrastructur


Title: Managing Security and Privacy Integration across Enterprise Business Process and Infrastructure.
Authors: John A. Anderson and Vijay Rachamadugu.
Published: 2008.

This paper is based on the “Roadmap for Information Security across the Enterprise” (RISE). Which was developed by the MITRE corporation as part of the MIRTE technology program. (to read more about RISE see “Anderson et al. 2006”). This paper focuses on the processes designed into the RISE methodology that leverage an enterprise architecture (EA) to integrate security and privacy into business process and infrastructure management.

“current literature has shown lack of a well defined methodology for integrating security and privacy into business process”

Section 2 concentrates on Risk management. It shows that Requirements for security and privacy assurance should be recognized as critical business drivers, and all these requirements along with the organization’s capability to assure the integrity, availability, and confidentiality of the information it manages, should be shown in the “As-is” model. It also gave an assessment to risks, where it says “The risks are assessed based on a combination of the impact of loss and the likelihood that the attack may take place”.

Section 3 basically talked about “integrating the threat and response cycle with portfolio management process”, which can be summarized in the below picture:

Section 4 was about “Business and risk investigation”, section 5 was about the “tradeoff analysis”, and section 6 was about “investment strategies and budget submission”. Which all can be summarized in this diagram:




Suumery of: A Knowledge-based Security Policy Framework for Business Process Management


Title: A Knowledge-based Security Policy Framework for Business Process Management.
Authors: Dong Huang, Yi Yang, Jacques Calmet
Puplished: 2006.

This paper was more focused on the security policy and framework, the idea of it was to “gather pertinent data/knowledge from multiple stakeholders in the e- business scenario, along with constraints specified by non- functional requirements of web services and business rules”. It definition of security was only regarding access control, confidentiality, and integrity.

Section 2 talked about the agent approach for web services and introduces the principle of AOA and VKC, which is not important to us.

Section 3 outlines the requirements of the security constraints specification language for web services and introduces the principle of Constraint Interchange Format. It discussed the “Security Constraints Specification Language”, and explained the domains and levels of security framework (service domain, policy domain, rule domain, properties, and rule). Then it went technical in “interchange format”. Finally gave an example on “Framework Architecture” explaining the idea of a security framework for a BPM.

Section 4 surveys related works. And Section 5 includes the future research direction for the work and conclusion.

This paper investigated a distributed knowledge management approach to help modeling web services policies, and also proposed a representation for security constraints at the Semantic Web logic layer.

Summery of: Modelling Security Goals in Business Process

Paper: Modelling security goals in Business Processes.
Authors: Christian Wolter, Michael Menzel, Christoph Meinel.
Published: 2008.


The paper, basically proposing a new technique to integrate security requirements in the modeling notation. And then modeled security goals should be transformed into enforcing security polices implementations.
The paper provides:
-       Analysis of some basic security goals (authorization, confidentiality, integrity). Providing a general security policy and various related security constraint models.
-       A discussion on applying the models to the enterprise model layers.
-       Specifying security configuration in the context of business process.
-       An example banking process with annotation to security requirements to the model. As a proof of concept.

In the introduction, authors speaks about the paper, what is it about , the field on integrating security and BPM, and the paper’s organization.

Section 2 provides detailed discussion about some basic security goals and provides conceptual models. It gives an interpretation in BPM terms to some security goals (confidentiality, integrity, Authentication, Authorization, Auditing, Availability). Then it provides a constraint model to the first 4.

Section 3 outline dependencies between security goals and enterprise architecture model. It first talks about the Enterprise Architecture modeling, then how to extend the BPM layer and how to integrate the security goals in the model. It also provides a nice drawing showing and explaining how security goals can be modeled.
Section 4 compares the approach with some related work.

Section 5 discusses the potential benefits of he approach and outlines some future work that can be done.

This paper provided a modeling extension to express security requirements at the business process level, which is generic and could be applied to any modeling notation.

Wednesday, 3 November 2010

Summery of: "A survey of scientific Approaches Considering the Integration of security & Risk Aspects into BPM"

Paper title: "A survey of scientific Approaches Considering the Integration of security & Risk Aspects into BPM".
Authors: Stefan Jakoubi, Simon Tjoa, Gernot Goluch, Gerald Quirchmayr.
Published: 2009.

The paper basically provide an overview of scientific research efforts regarding the integration of security as well as risk considerations into business process management. it explains and compares between 9 different methods and papers puplished in the field.


the sumerry of the comparition is provided in the table below:
and the authors stated "The domain of business process security is still a very young research domain compared to the business process domain. Within this survey paper we have summarized a variety of approaches trying to diminish the gap between business process security and the risk management domain."  also they add "we have come to the conclusion that this emerging field of research still has a lot of potential, if certain challenges can be solved. "


Summery of "BPM and Security" ..


It is a white paper prepared by the BPMInstitute.org.

The paper was mainly focusing on showing and proving that processes will exceed the organization's boundaries .. and can not be performed fully with in the organization's walls.
"50% of planed BPM projects involve extending the process outside the firewall to a customer, partner, or suppliers."
The paper then listed some of the security requirements that should be in place if the process is exceeding the organization's walls; including protecting content from unauthorized access, assuring that the content came from the stated author, detecting altering of content, and maintaining the document security through out the whole process, including when exceeding the organization's firewalls. Then went in to explaining how important and also difficult it is to satisfy these requirements.


After that  it talked about a survey done by the BPMInstitute.org to show the importance of the issues and the challenges they faced with respect to extending BPM beyond the firewall.


and then the paper talked about some technical solutions that can help in satisfying some of the security requirements; such as "encryption" and rights management.


Finally the paper ended by showing an example of how an organization can manage to be secure without neglecting any other aspect.

Thursday, 28 October 2010

Meting minutes 26-10

Date: 26/10/2010
Place: Chun’s office
Participants: Arthur, Chun, and Khalid.
Time: 2:15 – 2:55

- Research for now should be wide and narrow it later.
- discussed worked done by Khalid.
- Arthur will be away for the next 2 weeks.
- Chun and Khalid agreed on moving the meeting to Monday 2 p.m. for the next 2 weeks.
- Khalid should continue the work and keep with the plan.
- Risk and BPM was discussed as a potential narrowing filed.
- Papers found so far are good.

Work to be done before next meeting:
- Khalid should contact the Author of one of the papers to get the paper.
- Khalid should contact Guy regarding the INN courses.
- Khalid should contact Peter regarding the IFN001 course.

Monday, 25 October 2010

From the BPM Book ..

" Unfortunately, the Techniques that guarantee transactional behaviour in databases systems cant be used for Business Process transactions, since they are based on preventing access to data objects by locking, and locking data objects during process instance is no valid option..." (Weske, Mathias. 2007 Business Process management. chapter 1. page 14)

Wednesday, 20 October 2010

1st month plan


Plan for 1st month (20/10 – 20/11):           


Week
Date
Basic readings
BPM
Papers
Extra
1
20-27/10
Introduction To logic cha. 1-4 + exercises
Chapter 1
Search for papers
Learn DBLP
2
28/10–4/11
Naive Set Theory + exercises
Chapter 2
Read and summarize 3 papers
Learn Latex
3
5-12/11
Workflow management cha. 1-4
Chapter 3
Read and summarize 3 papers
Pitri net T. Murata
4
13-19/11
Yawl chapter 1-3
Chapter 4
Read and summarize 3 papers
Learn Harzing + web of science