Secure business processes in service-oriented architectures - A requirements analysis

Proceedings - 8th IEEE European Conference on Web Services, ECOWS 2010

Volumn , Issue , 2010, Pages 35-42

  Müller, Jens ^a   Mülle, Jutta ^a   Von Stackelberg, Silvia ^a   Böhm, Klemens ^a  

^a KARLSRUHE INSTITUTE OF TECHNOLOGY   (Germany)

Author keywords

[No Author keywords available]

Indexed keywords

BUSINESS PROCESS; COORDINATING ACTIVITIES; EHEALTH; HUMAN ACTOR; MANAGEMENT SYSTEMS; POSSIBLE SOLUTIONS; REAL-WORLD; REQUIREMENTS ANALYSIS; SECURITY MECHANISM; SECURITY REQUIREMENTS; SERVICE ORIENTED; SERVICE-ORIENTED ENVIRONMENT; STATE OF THE ART;

ARCHITECTURE; DESIGN; INFORMATION MANAGEMENT; INFORMATION SERVICES; SEMANTICS; WEB SERVICES;

SERVICE ORIENTED ARCHITECTURE (SOA);

EID: 79951826265     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/ECOWS.2010.24     Document Type: Conference Paper

References (46)

1. European Community, "Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data."
2. B. Claerhout, S. Winfield, and T. Kirkham, "D9.1: Pilots Specifications and Use Case Scenarios," TAS3 Consortium, Tech. Rep., 2009.
3. ITU-T, "Security Frameworks for Open Systems: Overview," Recommendation X.810, 1995.
4. S. Jablonski and C. Bussler, Workflow Management: Modeling Concepts, Architecture and Implementation. International Thomson Computer Press, 1996.
5. A. Charfi and M. Mezini, "Aspect-Oriented Workflow Languages," in CoopIS 2006, 2006.
6. OASIS, "Web Services Security 1.1," February 2006.
7. K. Tan, J. Crampton, and C. A. Gunter, "The Consistency of Task-Based Authorization Constraints in Workflow Systems," in CSFW '04: Proceedings of the 17th IEEE workshop on Computer Security Foundations. Los Alamitos, CA, USA: IEEE Computer Society, 2004, pp. 155-169.
8. E. Barka and R. Sandhu, "Framework for role-based delegation models," p. 168, 2000.
9. D. F. Ferraiolo, R. Sandhu, S. Gavrila, D. R. Kuhn, and R. Chandramouli, "Proposed NIST Standard for Role-based Access Control," ACM Trans. Inf. Syst. Secur., vol. 4, no. 3, pp. 224-274, 2001.
10. OASIS, "Web Services Business Process Execution Language Version 2.0," April 2007.
11. R. L. Rivest, A. Shamir, and L. Adleman, "A method for obtaining digital signatures and public-key cryptosystems," Commun. ACM, vol. 21, no. 2, pp. 120-126, 1978. (Pubitemid 8591219)
12. ITU-T, "The Directory: Public-key and attribute certificate frameworks," Recommendation X.509, 2005.
13. OASIS, "Web Services Security: SOAP Message Security 1.1 (WS-Security 2004)," February 1 2006.
14. ITU-T, "Security Architecture for Open Systems Interconnection for CCITT Applications," Recommendation X.800, 1991.
15. D. Ferraiolo and R. Kuhn, "Role-based Access Controls," in In Proceedings of the 15th NIST-NCSC National Computer Security Conference, 1992, pp. 554-563.
16. ANSI/INCITS, "Information Technology - Role Based Access Control," Standard, February 2004.
17. T. Priebe, W. Dobmeier, C. Schläger, and N. Kamprath, "Supporting Attribute-based Access Control in Authentication and Authorization Infrastructures with Ontologies," Journal of software: JSW, vol. 2, no. 1, pp. 27-38, Februar 2007. [Online]. Available: http://epub.uni-regensburg.de/6423/
18. D. R. Kuhn and D. F. Ferraiolo, "Role-Based Access Control (RBAC): Features and Motivations," 1995. [Online]. Available: http://csrc.nist.gov/ rbac/
19. V. Gligor, S. L. Gavrila, and D. Ferraiolo, "On the Formal Definition of Separation-of-Duty Policies and their Composition." Los Alamitos, CA, USA: IEEE Computer Society, 1998, pp. 172-183.
20. G.-J. Ahn and R. Sandhu, "The RSL99 Language for Role-based Separation of Duty Constraints," pp. 43-54, 1999.
21. E. Bertino, E. Ferrari, and V. Atluri, "The Specification and Enforcement of Authorization Constraints in Workflow Management Systems," ACM Trans. Inf. Syst. Secur., vol. 2, no. 1, pp. 65-104, 1999.
22. J. Wainer, P. Barthelmess, and A. Kumar, "W-RBAC - A Workflow Security Model Incorporating Controlled Overriding of Constraints," Int. J. Cooperative Inf. Syst., vol. 12, no. 4, pp. 455-485, 2003. (Pubitemid 38000660)
23. Active Endpoints, Adobe, BEA, IBM, Oracle, SAP AG, "WS-BPEL Extension for People," June 2007.
24. -, "Web Services Human Task (WS-HumanTask), Version 1.0," June 2007.
25. N. Russell, W. M. van der Aalst, A. H. ter Hofstede, and D. Edmond, Advanced Information Systems Engineering. Springer Berlin / Heidelberg, 2005, ch. Workflow Resource Patterns: Identification, Representation and Tool Support, pp. 216-232.
26. V. Atluri and W.-K. Huang, "An Authorization Model for Workflows," in ESORICS '96: Proceedings of the 4th European Symposium on Research in Computer Security. London, UK: Springer-Verlag, 1996, pp. 44-64. (Pubitemid 126128893)
27. -, "A Petri Net Based Safety Analysis of Workflow Authorization Models," J. Comput. Secur., vol. 8, no. 2, 3, pp. 209-240, 2000.
28. R. K. Thomas and R. S. Sandhu, "Task-Based Authorization Controls (TBAC): A Family of Models for Active and Enterprise-Oriented Autorization Management," in Proceedings of the IFIP TC11 WG11.3 11th International Conference on Database Securty XI: Status and Prospects. London, UK, UK: Chapman & Hall, Ltd., 1998, pp. 166-181.
29. R. K. Thomas, "Team-based Access Control (TMAC): a Primitive for Applying Role-based Access Controls in Collaborative Environments," in RBAC '97: Proceedings of the Second ACM Workshop on Role-based Access Control. New York, NY, USA: ACM, 1997, pp. 13-19.
30. C. K. Georgiadis, I. Mavridis, G. Pangalos, and R. K. Thomas, "Flexible Team-based Access Control using Contexts," in SACMAT '01: Proceedings of the Sixth ACM Symposium on Access Control Models and Technologies. New York, NY, USA: ACM, 2001, pp. 21-27.
31. E. Hammer-Lahav, "The OAuth 1.0 Protocol," RFC 5849 (Informational), Internet Engineering Task Force, Apr. 2010. [Online]. Available: http://www.ietf.org/rfc/rfc5849.txt
32. L. Zhang, G.-J. Ahn, and B.-T. Chu, "A Rule-based Framework for Role-based Delegation and Revocation," ACM Trans. Inf. Syst. Secur., vol. 6, no. 3, pp. 404-441, 2003.
33. V. Atluri and J. Warner, "Supporting Conditional Delegation in Secure Workflow Management Systems."
34. J. Wainer and A. Kumar, "A Fine-grained, Controllable, User-to-user Delegation Method in RBAC," pp. 59-66, 2005.
35. E. Maler and D. Reed, "The Venn of Identity: Options and Issues in Federated Identity Management," IEEE Security and Privacy, vol. 6, pp. 16-23, 2008. (Pubitemid 351506252)
36. OASIS, "Security Assertion Markup Language (SAML) V2.0 Technical Overview," March 2008.
37. OpenID Foundation, "OpenID Authentication 2.0," 2007.
38. -, "OpenID Attribute Exchange 1.0," 2007.
39. Liberty Alliance, "Liberty ID-WSF Authentication, Single Sign-On, and Identity Mapping Services Specification v2.0."
40. H. Görig, "Kontextbezogene Zugriffskontrolle für BPEL (Engines)," Diplomarbeit, Universität Stuttgart, April 2009.
41. OASIS. (2005, February) eXtensible Access Control Markup Language tc v2.0 (XACML).
42. -, "Core and hierarchical role based access control (RBAC) profile of XACML v2.0," February 2005.
43. D. W. Chadwick and A. Otenko, "RBAC Policies in XML for X.509 Based Privilege Management," in SEC, ser. IFIP Conference Proceedings, A. Ghonaimy, M. T. El-Hadidi, and H. K. Aslan, Eds., vol. 214. Kluwer, 2002, pp. 39-54.
44. E. Bertino, J. Crampton, and F. Paci, "Access Control and Authorization Constraints for WS-BPEL," in ICWS '06: Proceedings of the IEEE International Conference on Web Services. Los Alamitos, CA, USA: IEEE Computer Society, 2006, pp. 275-284. (Pubitemid 351209863)
45. ITU-T, "Security Frameworks for Open Systems: Security Audit and Alarms Framework," Recommendation X.816, 1995.
46. W. van der Aalst and A. de Medeiros, "Process Mining and Security: Detecting Anomalous Process Executions and Checking Process Conformance," Electronic Notes in Theoretical Computer Science, vol. 121, pp. 3 - 21, 2005. (Pubitemid 40219700)