[1] V. Atluri. Security for workflow systems. In Information
Security Technical Report, volume 6, pages 59–68, 2001.
The paper starts by defining what a workflow is and what workflow systems are. It then explains the security requirements for a workflow and defines them in BPM terminology.
The paper then explains in detail what the author considers the most important security requirements with regard to BPM. It covers Authorization and Access Control, then Separation of Duties. Authentication and Anonymity are the last two security requirements for which the paper explains how to integrate them into BPM.
The paper notes that most commercial workflow systems provide minimal security features such as user authentication, and that most of them have to implement security in an ad-hoc manner through a script-type language. Such ad-hoc implementation makes specification, analysis and maintenance of security policies more difficult.
Their treatment of authorization emphasizes the need for synchronization of the authorization flow with the workflow, and it is missing some features, such as assigning different roles to tasks based on the outcome of the prior task, granting different permissions to roles based on the outcome of the task, the capability to specify different authorizations for different instances of the same workflow, the ability to specify authorizations based on the context and on the responsibilities to be performed by individuals, and delegating responsibility to other users and roles.
In relation to the research in hand, the paper highlights the security requirements of workflow systems and also discusses authorization, separation of duties, authentication and anonymity at length. In terms of discussing the security requirements, the paper might be old (2001), and other papers provide a better and more relevant discussion. But the paper provides a concise and specific definition of eight security requirements in terms of BPM, and of what these security requirements mean for the workflow; this paper is the best yet at doing such work.