Thursday, 25 November 2010

Summary of "Secure Business Process Management: A Roadmap"

The paper is by Thomas Neubauer, Markus Klemen and Stefan Biffl of the Institute of Software Technology and Interactive Systems at the Vienna University of Technology, Austria.

After defining "Secure Business Process Management", the authors argue that if the BPM life cycle consists of analyzing, optimizing and designing the business process in accordance with the business strategy; allocating applications and employees; implementing and executing the processes to support information exchange; and monitoring and aggregating operational data for the purpose of decision making and continuous improvement, then SBPM should follow the same life cycle, with security present the whole time.



The paper presents the idea that security should begin with strategy definition and should be developed in parallel with the business process.
It then says that security measures should be modeled in the same BPM diagram, and after that presents the idea that security should be valued based on the business process.
Finally comes the idea of the business cockpit, where the monitoring should occur, as security needs to be monitored along with the business process.

This paper defined Secure Business Process Management and presented a research roadmap for this field. Compared to existing approaches, the idea presented in this paper allows the alignment and integrated design of business processes and security objectives over the whole life cycle of a business process. The extension of existing BPM methodologies allows reducing the gap between IT security and business activities using a combined business-driven top-down approach.

Summary of: A REFERENCE MODEL FOR PROCESS-ORIENTED IT RISK MANAGEMENT


Title: A REFERENCE MODEL FOR PROCESS-ORIENTED IT RISK MANAGEMENT
Authors: Stefan Sackmann.
Published: 2008

This paper focuses on threats generated from IT and their influence on BPM, the relevance of IT risks resulting from flexible business processes, and the integration of cause-effect relations into the typical risk management process, along with the necessary extensions.

It starts by trying to define “IT risks” and settles on this: “IT risks should be seen as part of operational risks measuring the unexpected losses that are determined by the frequency and amount of losses e.g. by their value at risk”. It then shows the importance of IT in today’s organizations and explains how traditional methods for risk management are challenged by the increasing flexibility of business processes and their support by IT.

“The management of risks occurring from IT in its role as flexible and continuously changing infrastructure supporting business processes requires an extension of “traditional” risk management that enables continuously changing cause-effect relations to be taken into consideration. For this purpose, the layer-based IT Risk Reference Model is proposed providing a formal approach for modeling IT risks in a structured way on the basis of their relation between cause and effect.”

Section 3 then establishes the “IT Risk Reference Model”, modeling the relations between the causes of IT risks and their effects on business processes:

Layer 4: Business Process (BP): On this layer, parts of the business process should be regarded as independent components that are defined as enclosed activities using at least one IT application for their realization.
Layer 3: IT Application / IT Infrastructure (AP): The assignment of protection goals to IT applications allows the bringing together of the economic handling of IT risks with the more technological.
Layer 2: Vulnerabilities (VN): The vulnerabilities identified are interpreted as independent “components” that can be associated to at least one IT application.
Layer 1: Threats (TH): This layer includes all known threats that are seen as causes of IT risks and, ideally, can be described with a probability of their occurrence.

Within these four layers, the relations between the causes and effects can be modeled, addressing the needs of process-oriented IT risk management. This is done in the 4th section, “MODELING CAUSE & EFFECT RELATIONS FOR IT RISKS”.

Then in the 5th section the paper discussed some extensions, such as risk identification, risk quantification, risk treatment, and risk control.

This paper showed that the relations between the threats to IT (causes) and their implications on the business process activities (effects) have to be modeled in a standardized and formal way. The IT Risk Reference Model proposed in this contribution reduces the complexity of the modeling challenge by defining four layers. It also established the IT Risk Reference Model, which serves as a framework modeling the interdependent layers in the form of matrices and allows a formal description of the interdependencies between the separated layers according to a company’s requirements.
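To make the layered matrix idea concrete, here is a small sketch added to this summary (it is not code or notation from the paper). The component names, the 0/1 relation matrices, the threat probabilities, the boolean matrix product and the independence assumption are all constructed for illustration.

```python
# Added illustration: names, matrices and probabilities are constructed.
THREATS = ["phishing", "sql_injection", "power_outage"]      # Layer 1 (TH)
VULNS = ["weak_passwords", "unvalidated_input", "no_ups"]    # Layer 2 (VN)
APPS = ["crm", "billing_db"]                                 # Layer 3 (AP)
ACTIVITIES = ["take_order", "send_invoice"]                  # Layer 4 (BP)

# Relation matrices: rows are the lower layer, columns the upper layer.
TH_VN = [[1, 0, 0], [0, 1, 0], [0, 0, 1]]   # threat exploits vulnerability
VN_AP = [[1, 0], [0, 1], [1, 1]]            # vulnerability affects application
AP_BP = [[1, 0], [0, 1]]                    # application supports activity

# Assumed probability of occurrence per threat (a Layer 1 attribute).
P_THREAT = {"phishing": 0.30, "sql_injection": 0.10, "power_outage": 0.05}


def bool_product(a, b):
    """Boolean matrix product: entry (i, j) is 1 if some k links i to j."""
    return [[int(any(a[i][k] and b[k][j] for k in range(len(b))))
             for j in range(len(b[0]))] for i in range(len(a))]


def threat_to_activity(ap_bp=AP_BP):
    """Compose TH->VN, VN->AP and AP->BP into one threat x activity matrix."""
    return bool_product(bool_product(TH_VN, VN_AP), ap_bp)


def threats_for(activity, ap_bp=AP_BP):
    """Names of the threats whose effects can reach the given activity."""
    col = ACTIVITIES.index(activity)
    return [t for t, row in zip(THREATS, threat_to_activity(ap_bp)) if row[col]]


def disruption_probability(activity, ap_bp=AP_BP):
    """P(at least one reaching threat occurs), assuming independent threats."""
    p_none = 1.0
    for threat in threats_for(activity, ap_bp):
        p_none *= 1.0 - P_THREAT[threat]
    return 1.0 - p_none


# A process change: send_invoice now also uses the CRM. Only AP_BP is edited;
# the lower layers stay as they are and the effects are recomputed.
AP_BP_CHANGED = [[1, 1], [0, 1]]

if __name__ == "__main__":
    for act in ACTIVITIES:
        print(act, threats_for(act), round(disruption_probability(act), 4))
    print("after change:", threats_for("send_invoice", AP_BP_CHANGED))
```

Editing only the top relation matrix when the process changes is the point of keeping the layers separate: the cause side does not have to be remodeled.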

Friday, 19 November 2010

Summary of "Security for workflow Systems"

The paper is by Vijay Atluri, from Rutgers University, and was published in 2002.

The paper started by defining what a workflow is and what workflow systems are.
It then went on to explain the security requirements for a workflow and define them in BPM terminology.

Then the paper explained in detail what the author thought were the most important security requirements with regard to BPM. It explained Authorization and Access Control, then talked about Separation of Duties. Authentication and Anonymity were the last two security requirements whose integration into BPM was explained.

The paper described that most commercial workflow systems provide minimal security features such as user authentication, and most of them have to be implemented in an ad-hoc manner through a script-type language, where such ad-hoc implementation makes specification, analysis and maintenance of security policies more difficult.

Their treatment of authorization emphasizes the need for synchronization of authorization flow with the workflow, and it is missing some features such as assigning different roles to tasks based on the outcome of the prior task, granting different permissions to roles based on the outcome of the task, the capability to specify different authorizations for different instances of the same workflow, the ability to specify authorizations based on the context and based on the responsibilities to be performed by individuals, and delegating the responsibility to other users and roles.

The paper highlights the security requirements of workflow systems and discusses authorization, separation of duties, authentication and anonymity at length.

Thursday, 11 November 2010


Summary of: Risk Management in the BPM Lifecycle


Title: Risk Management in the BPM Lifecycle
Authors: Michael zur Muehlen and Danny Ting-Yi Ho.
Published: 2006

This paper provided an overview of risks associated with BPM projects along the phases of the BPM lifecycle.

The paper started by trying to define BPM, providing different definitions by different researchers, and finally defining BPM as creating “alignment among the individual process components input, output, resources, process structure, and process goals”.

Then it went on to define risk and risk management; it explains that risk management is composed of 3 main phases: identification, analysis, and control of risk. It also explained 4 of the management strategies: mitigation, avoidance, transfer, and acceptance.


Then, in Section 4, it went into “risks specific to BPM projects” and listed common risks encountered in and between BPM lifecycle phases.


This paper focused more on risks that can occur during BPM lifecycle and not on integrating risk to BPM or producing a risk-aware BPM.

Wednesday, 10 November 2010

Summary of: Modeling of Task-Based Authorization Constraints in BPMN

Title: Modeling of Task-Based Authorization Constraints in BPMN
Authors: Christian Wolter, and Andreas Schaad
Published: 2007

This paper proposes an extension for the Business Process Modeling Notation (BPMN) to express “authorization constraints for task allocation in workflows” within the workflow model, such as Separation of Duty, Role-Based Allocation, Case Handling, or History-Based Allocation in BPMN.

The paper defines task-based authorization constraints as those that “express who is allowed or must perform a certain task under specific circumstances in the context of a workflow”, and it states that most resource allocation patterns are not supported in the domain of business process modeling.

This paper provides:
-       A formal definition of authorization constraints in the context of workflow models.
-       Example workflow constraints derived from the banking domain and their formal representation.
-       An evaluation of BPMN’s capabilities to express task-based authorization constraints in the context of resource allocation, and the definition of a BPMN extension for the specification of appropriate authorization constraints.
-       An application of the proposed BPMN extension to a real-world banking scenario to evaluate its applicability.

Then it went on to define the constraints and the security requirements the paper is going to cover. The paper provided deep technical and mathematical definitions of all the related constraints (such as task-role and conflicting tasks), but all can be summarized in the below table:


Then the paper gave an example of a real-life process (a banking workflow) that can make use of these constraints. The example can be understood from the process model:

It then explained the 6 constraints that need to be applied in this process: clerk must interact with the customer, bank manager must sign the form, user must not check the credit worthiness, bank manager may act as a clerk, user acquiring the customer data must identify the customer’s account, and for a single customer a user must not perform more than five tasks. It gave the mathematical equation for each.
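The sketch below is an example added to this summary, not the paper's formalization or its BPMN extension: it checks a recorded task allocation for one customer against the kinds of constraint listed above. The task names, users, the role table and the task pair chosen for separation of duty are assumptions made for illustration.

```python
# Added illustration: task names, users and roles are constructed.
from collections import Counter

USER_ROLES = {"alice": "clerk", "bob": "clerk", "carol": "manager"}
SENIOR_TO = {"manager": {"clerk"}}       # bank manager may act as a clerk
TASK_ROLE = {                             # role-based allocation
    "acquire_customer_data": "clerk",
    "identify_account": "clerk",
    "check_credit": "clerk",
    "sign_form": "manager",
}
SAME_USER = [("acquire_customer_data", "identify_account")]  # binding of duty
DIFFERENT_USER = [("check_credit", "sign_form")]  # separation of duty (assumed pair)
MAX_TASKS_PER_CUSTOMER = 5


def may_perform(user, task):
    """True if the user's role, or a role it is senior to, owns the task."""
    role, needed = USER_ROLES[user], TASK_ROLE[task]
    return role == needed or needed in SENIOR_TO.get(role, set())


def check_case(history):
    """history: ordered (task, user) pairs recorded for ONE customer.
    Returns a list of violation strings, empty when every constraint holds."""
    violations, performers = [], {}
    for task, user in history:
        if not may_perform(user, task):
            violations.append(f"role: {user} may not perform {task}")
        performers.setdefault(task, set()).add(user)
    for a, b in SAME_USER:
        if a in performers and b in performers and performers[a] != performers[b]:
            violations.append(f"binding: {a} and {b} need the same user")
    for a, b in DIFFERENT_USER:
        if performers.get(a, set()) & performers.get(b, set()):
            violations.append(f"separation: {a} and {b} need different users")
    for user, count in Counter(u for _, u in history).items():
        if count > MAX_TASKS_PER_CUSTOMER:
            violations.append(f"cardinality: {user} performed {count} tasks")
    return violations


if __name__ == "__main__":
    ok = [("acquire_customer_data", "alice"), ("identify_account", "alice"),
          ("check_credit", "bob"), ("sign_form", "carol")]
    # carol is allowed to check credit through the role hierarchy, but doing
    # so collides with separation of duty once she also signs the form.
    bad = [("acquire_customer_data", "alice"), ("identify_account", "bob"),
           ("check_credit", "carol"), ("sign_form", "carol")]
    print(check_case(ok))
    print(check_case(bad))
```

The second history shows why the constraints have to be evaluated together: the role hierarchy alone would accept an allocation that separation of duty rejects.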

Finally, the paper explained how to solve these requirements and how to have them as an extension to BPMN, then showed how to represent each in a model (such as manual tasks and roles, task grouping and looping, and the Allocation Constraint Artifact), and finally reproduced the process model with all the 6 requirements expressed in the model, as shown below:

This paper presented a novel approach to describe authorization constraints for manual tasks within the Business Process Modeling Notation.

Tuesday, 9 November 2010

Summary: Modeling Business Process Availability


Title: Modeling Business Process Availability
Authors: Nikola Milanovic, Bratislav Milic, and Miroslaw Malek
Published: 2008

Availability is one of the main goals of information security. This paper looks into presenting a framework for modeling business process availability that takes into account services, the underlying ICT infrastructure and people.

The paper then tried to define the layer where to model the availability and define the relation between ICT layer and BPM layer. It also reached a definition of business process availability:

“Several availability definitions are provided. Interval availability is the number of correct service or business process invocations over a number of total invocations for a given time interval. Steady-state availability is the expected availability defined as service or business process uptime over its lifetime. User-perceived availability is the number of correct service or business process invocations over a total number of invocations for a given time interval (interval user-perceived availability) or over lifetime (steady-state user-perceived availability), given for a particular user.”
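The quoted definitions can be computed directly from an invocation log. The following is an example added to this summary, not code from the paper; the log entries, the user names, the lifetime and the outage windows are constructed sample data.

```python
# Added illustration: the invocation log and outage windows are constructed.
from fractions import Fraction

# (timestamp in seconds, invoking user, True if the invocation was correct)
LOG = [
    (10, "editor", True), (20, "junior_editor", True), (35, "editor", False),
    (50, "junior_editor", True), (70, "editor", True),
    (85, "junior_editor", True), (120, "editor", True),
]
LIFETIME = 1000                      # observed lifetime in seconds
OUTAGES = [(30, 40), (90, 100)]      # [start, end) windows with the service down


def interval_availability(log, start, end, user=None):
    """Correct invocations over total invocations in [start, end).
    With user set, this is the interval user-perceived availability.
    Returns None when nothing was invoked, since the ratio is undefined."""
    results = [ok for ts, who, ok in log
               if start <= ts < end and (user is None or who == user)]
    if not results:
        return None
    return Fraction(sum(results), len(results))


def steady_state_availability(lifetime, outages):
    """Uptime over lifetime, with downtime taken from the outage windows."""
    downtime = sum(end - start for start, end in outages)
    return Fraction(lifetime - downtime, lifetime)


def steady_state_user_perceived(log, lifetime, user):
    """User-perceived availability over the whole lifetime for one user."""
    return interval_availability(log, 0, lifetime, user)


def report(start, end):
    """All measures side by side for one interval."""
    users = sorted({who for _, who, _ in LOG})
    return {
        "interval": interval_availability(LOG, start, end),
        "steady_state": steady_state_availability(LIFETIME, OUTAGES),
        "per_user": {u: interval_availability(LOG, start, end, u) for u in users},
    }


if __name__ == "__main__":
    print(report(0, 100))
```

In this sample the editor sees 2/3 in the first 100 seconds while the junior editor sees 1, which is why the user-perceived figures are kept separate from the overall ones.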

Then it went on to describe the process of assessing availability. It also provided an example of how to integrate availability in a business process model. It was a simple editor process of revising and approving a new manuscript.



The first picture shows the original process, while the last 3 show how to integrate the availability for each task that required human interaction (editor and junior editor). The approach depended on generating tickets and granting/revoking access rights.

Then the paper went deep into technical detail, explaining topics such as network communication, systems integration, and permission access, to prove the importance of availability for the process.


The presented approach enables business process and service availability assessment, based on the availability properties of the underlying ICT-components. The model may be extended with additional factors, such as cost or power utilization. 
 


Monday, 8 November 2010

Summary: Managing Security and Privacy Integration across Enterprise Business Process and Infrastructure


Title: Managing Security and Privacy Integration across Enterprise Business Process and Infrastructure.
Authors: John A. Anderson and Vijay Rachamadugu.
Published: 2008.

This paper is based on the “Roadmap for Information Security across the Enterprise” (RISE), which was developed by the MITRE Corporation as part of the MITRE technology program (to read more about RISE, see “Anderson et al. 2006”). This paper focuses on the processes designed into the RISE methodology that leverage an enterprise architecture (EA) to integrate security and privacy into business process and infrastructure management.

“current literature has shown lack of a well defined methodology for integrating security and privacy into business process”

Section 2 concentrates on risk management. It shows that requirements for security and privacy assurance should be recognized as critical business drivers, and that all these requirements, along with the organization’s capability to assure the integrity, availability, and confidentiality of the information it manages, should be shown in the “As-is” model. It also gave an assessment of risks, where it says “The risks are assessed based on a combination of the impact of loss and the likelihood that the attack may take place”.

Section 3 basically talked about “integrating the threat and response cycle with portfolio management process”, which can be summarized in the picture below:

Section 4 was about “Business and risk investigation”, section 5 was about the “tradeoff analysis”, and section 6 was about “investment strategies and budget submission”, all of which can be summarized in this diagram:




Summary of: A Knowledge-based Security Policy Framework for Business Process Management


Title: A Knowledge-based Security Policy Framework for Business Process Management.
Authors: Dong Huang, Yi Yang, Jacques Calmet
Published: 2006.

This paper was more focused on the security policy and framework; its idea was to “gather pertinent data/knowledge from multiple stakeholders in the e-business scenario, along with constraints specified by non-functional requirements of web services and business rules”. Its definition of security covered only access control, confidentiality, and integrity.

Section 2 talked about the agent approach for web services and introduces the principle of AOA and VKC, which is not important to us.

Section 3 outlines the requirements of the security constraints specification language for web services and introduces the principle of Constraint Interchange Format. It discussed the “Security Constraints Specification Language” and explained the domains and levels of the security framework (service domain, policy domain, rule domain, properties, and rule). Then it went into the technical details of the “interchange format”. Finally, it gave an example of a “Framework Architecture”, explaining the idea of a security framework for BPM.

Section 4 surveys related work, and Section 5 includes the future research direction for the work and the conclusion.

This paper investigated a distributed knowledge management approach to help modeling web services policies, and also proposed a representation for security constraints at the Semantic Web logic layer.

Summary of: Modelling Security Goals in Business Process

Paper: Modelling security goals in Business Processes.
Authors: Christian Wolter, Michael Menzel, Christoph Meinel.
Published: 2008.


The paper basically proposes a new technique to integrate security requirements into the modeling notation. The modeled security goals should then be transformed into enforcing security policy implementations.
The paper provides:
-       Analysis of some basic security goals (authorization, confidentiality, integrity). Providing a general security policy and various related security constraint models.
-       A discussion on applying the models to the enterprise model layers.
-       Specifying security configuration in the context of business process.
-       An example banking process, with security requirements annotated in the model, as a proof of concept.

In the introduction, the authors speak about the paper: what it is about, the field of integrating security and BPM, and the paper’s organization.

Section 2 provides detailed discussion about some basic security goals and provides conceptual models. It gives an interpretation in BPM terms to some security goals (confidentiality, integrity, Authentication, Authorization, Auditing, Availability). Then it provides a constraint model to the first 4.

Section 3 outlines dependencies between security goals and the enterprise architecture model. It first talks about Enterprise Architecture modeling, then how to extend the BPM layer and how to integrate the security goals in the model. It also provides a nice drawing showing and explaining how security goals can be modeled.
Section 4 compares the approach with some related work.

Section 5 discusses the potential benefits of the approach and outlines some future work that can be done.

This paper provided a modeling extension to express security requirements at the business process level, which is generic and could be applied to any modeling notation.

Wednesday, 3 November 2010

Summary of: "A survey of scientific Approaches Considering the Integration of security & Risk Aspects into BPM"

Paper title: "A survey of scientific Approaches Considering the Integration of security & Risk Aspects into BPM".
Authors: Stefan Jakoubi, Simon Tjoa, Gernot Goluch, Gerald Quirchmayr.
Published: 2009.

The paper basically provides an overview of scientific research efforts regarding the integration of security as well as risk considerations into business process management. It explains and compares 9 different methods and papers published in the field.


The summary of the comparison is provided in the table below:
The authors stated "The domain of business process security is still a very young research domain compared to the business process domain. Within this survey paper we have summarized a variety of approaches trying to diminish the gap between business process security and the risk management domain." They also add "we have come to the conclusion that this emerging field of research still has a lot of potential, if certain challenges can be solved."


Summary of "BPM and Security"


It is a white paper prepared by the BPMInstitute.org.

The paper was mainly focused on showing and proving that processes will exceed the organization's boundaries and cannot be performed fully within the organization's walls.
"50% of planned BPM projects involve extending the process outside the firewall to a customer, partner, or suppliers."
The paper then listed some of the security requirements that should be in place if the process exceeds the organization's walls, including protecting content from unauthorized access, assuring that the content came from the stated author, detecting altering of content, and maintaining the document security throughout the whole process, including when it goes beyond the organization's firewalls. Then it went on to explain how important and also how difficult it is to satisfy these requirements.


After that, it talked about a survey done by the BPMInstitute.org to show the importance of the issues and the challenges they faced with respect to extending BPM beyond the firewall.


Then the paper talked about some technical solutions that can help in satisfying some of the security requirements, such as "encryption" and rights management.


Finally the paper ended by showing an example of how an organization can manage to be secure without neglecting any other aspect.