TY - GEN
T1 - Responsibility-driven design and development of process-aware security policies
AU - Leitner, Maria
AU - Rinderle-Ma, Stefanie
AU - Mangler, Juergen
PY - 2011
Y1 - 2011
N2 - Process-Aware Information Systems (PAIS) enable the automated support of business processes that are executed by a combination of human actors and systems. As processes typically require access to sensitive data, security policies are of high importance. Typically security policies in PAIS range from access rules and authorization constraints to context policies (location, time) and are scattered over the multitude of heterogeneous PAIS components, i.e. process models, repositories, organizational structures, etc. Currently, different approaches for modeling and enforcing security policies exist that assume a set of explicitly defined security policies. Because of aforementioned heterogeneity, these approaches are suboptimal for PAIS. In order to improve upon existing approaches we present a security policy data model and design methodology, based on the concept of responsibilities, permissions and constraints. The goal is to not only unify diverse security policies in different PAIS subsystems, but also to make security policies independent of these subsystems to restrain complexity from process modeling and evolution, and to allow for comprehensive security policy development and maintenance.
AB - Process-Aware Information Systems (PAIS) enable the automated support of business processes that are executed by a combination of human actors and systems. As processes typically require access to sensitive data, security policies are of high importance. Typically security policies in PAIS range from access rules and authorization constraints to context policies (location, time) and are scattered over the multitude of heterogeneous PAIS components, i.e. process models, repositories, organizational structures, etc. Currently, different approaches for modeling and enforcing security policies exist that assume a set of explicitly defined security policies. Because of aforementioned heterogeneity, these approaches are suboptimal for PAIS. In order to improve upon existing approaches we present a security policy data model and design methodology, based on the concept of responsibilities, permissions and constraints. The goal is to not only unify diverse security policies in different PAIS subsystems, but also to make security policies independent of these subsystems to restrain complexity from process modeling and evolution, and to allow for comprehensive security policy development and maintenance.
KW - Process Aware Information Systems
KW - Security policy design
KW - Security policy development
UR - http://www.scopus.com/inward/record.url?scp=80455140371&partnerID=8YFLogxK
U2 - 10.1109/ARES.2011.56
DO - 10.1109/ARES.2011.56
M3 - Conference contribution
AN - SCOPUS:80455140371
SN - 9780769544854
T3 - Proceedings of the 2011 6th International Conference on Availability, Reliability and Security, ARES 2011
SP - 334
EP - 341
BT - Proceedings of the 2011 6th International Conference on Availability, Reliability and Security, ARES 2011
T2 - 2011 6th International Conference on Availability, Reliability and Security, ARES 2011
Y2 - 22 August 2011 through 26 August 2011
ER -