Wednesday, 14 September 2011

Security policies in PAIS

Source: M. Leitner. Security policies in adaptive process-aware information systems: Existing approaches and challenges. In ARES 2011, 6th International Conference on Availability, Reliability and Security, New York City, 2011. Institute of Electrical and Electronics Engineers (IEEE).

** all information below is quoted directly from the source paper, non of this is in my own words **

In PAIS, security policies are often related to role-based access control restrictions or constraints (e.g. separation of duties). But to be more specific, security policies in PAIS might relate to access control, control flow, information flow, data integrity, and availability. Therefore, policies can be specified for users, information (data), control flow, activities, and process instances. Can be enforced at build time (static constraints) and run time (dynamic).

security policies in PAIS categorized by the main key concepts of information security: confidentiality, integrity, and availability:

Confidentiality: In PAIS, confidentiality is usually ensured by an access control model and constraints associated with activities. Information should only be accessible to authorized users.

Integrity: A security policy for the integrity of a control flow signifies that, for example, a certain activity has to be finished before another activity starts (e.g. activity PayQuotation has to be completed before SendShipment). Integrity of data means that no user who is unauthorized to access the data can modify it. Therefore, only authorized actions are carried out on data.

Availability: In PAIS, availability may refer to the system, resources (e.g. data, users), or the control flow which can be verified with the workflow liveliness and soundness.


No comments:

Post a Comment