Developing System Security through Business Process Modelling

Äriprotsesside arusaam ja modelleerimine on üks olulisematest aspektidesttänapäevases süsteemiarenduses. Infosüsteemide modeleerimiseks on loodud erinevaid käsitlusi ning äriprotsesside modeleerimisnotatsioon on üks nendest. On teada, et BPMN aitab äriprotsesse kirjeldada, modelleerida ja optimeerida. Keerulisem on mõista kuidas saab selle käsitluse raames juhtida äriprotsesside turvalisust ning analüüüsida infosüsteemi turvariske. See aspekt muutub kaasaegsetes infosüsteemides veel komplitseeritumaks, kuna turvatud süsteemi loomiseks peavad nii äriprotsessid kui ka selle turvalisuse küsimused olema vaadeldud parallellselt, see tähendab koostoimes. Käesoleva uurimistöö eesmärgiks on analüüsida BPMN ja infosüsteemi turvariskide juhtimise vastastikkust koosmõju. BPMN’i võtmeaspektide väljaselgitamiseks ja antud modelleerimissüsteemi turvanäitajate, riskide ja riskide juhtimise mõistmiseks on antud töös kasutatud struktureeritud lähenemist. Töös uuritakse kuidas modelleerija saab BPMN’i abil väljastada turvatud süsteemi komponente, riske või riskide juhtimist. Töös ühtlustatakse BPMN keele põhikonstruktsioonid ISSRM mudeli kontseptiga. Antud uurimistöös on BPMN-i käsitluse rakendausvõimalusi vaadeldud ühe internetikaupluse näitel. Meie uurimistöö pakkub infosüsteemi analüütikule või arhitektile võimalust mõista äriprotsesse ja turvakomponente ühe modelleerimiskeele abil. Analüüs on tehtud ainult esimese keele, Descriptive modelling, tasemel. Sellega avatakse uurijale võimalus tuua paralelle erinevate modeleerimiskeelte vahel, et uurida mustreid ISSRM perekonda kuuluvate mudelite loomises.Business process modelling is one of the major aspects in the modern system development. Recently business process model and notation (BPMN) has become a standard technique to support this activity. Although BPMN is a good approach to understand business processes, there is a limited work to understand how it could deal with business security and security risk management. This is a problem, since both business processes and security concerns should be understood in parallel to support a development of the secure systems. In this paper we analyse BPMN with respect to the domain model of the IS security risk management (ISSRM). We apply a structured approach to understand key aspects of BPMN and how modeller could express secure assets, risks and risk treatment using BPMN. We align the main BPMN constructs with the key concepts of the ISSRM domain model. We show applicability of our approach on a running example related to the Internet store. Our proposal would allow system analysts to understand how to develop security requirements to secure important assets defined through business processes. In addition we open a possibility for the business and security model interoperability and the model transformation between several modelling approaches (if these both are aligned to the ISSRM domain model)

Process business modeling of emerging security threats with BPMN extension

Effective and rational management of a company cannot take place without the use of information technologies. Additionally, according to specific security requirements to protect the IT system against different threats, the development of a security system is significant for the companies and their clients and satisfactory common cooperation. The BPMN (Business Process Model and Notation) can be used for this purpose; however, the basic version of BPMN and its current extensions do not support the service of security threats. For this reason, we propose to extend the BPMN to be possible to model the chosen security issues coming from company business processes. The paper deals with the selected aspects of security requirements modeling in terms of emerging threats on the example of existing extensions of business process modeling language and the proposition of BPMN extension for chosen security issues together with the definition of information security policy

An Extension of Business Process Model and Notation for Security Risk Management

Kaasaegsed infosüsteemide arendamise metoodikad hõlmavad erinevaid tehnilisi äriprotsesside modelleerimise meetmeid. Äriprotsesside modelleerimiseks kasutatav keel (BPMN) on tänapäeval muutunud üheks standartseks meetmeks, mis edukalt rakendatakse infosüsteemide loomisel ning edasi arendamisel selleks, et ettevõtete äriprotsesse kirjeldada ja modelleerida.Vaatamata sellele, et BPMN on hea töörist, mille abil on võimalik ettevõtte äriprotsesse mõistma ja esitama, see ei võimalda äriprotsesside modelleerimisel adresseerida süsteemi turvalisuse aspekte. Autor leiab, et see on BPMN nõrk külg, selle pärast, et turvalise infosüsteemi arendamiseks on oluline nii äriprotsesse kui ka süsteemi turvalisust vaadeldada tervikuna. Käesolevas magistritöös autor töötab välja BPMN 2.0 keele jaoks uusi elemente, mis edaspidi peavad võimaldama adresseerima turvalisuse temaatika süsteemi modelleerimisel. Autori pakutud lahendus põhineb BPMN modelleerimiskeele seostamisel turvalisuse riski juhendamise metoodikaga (ISSRM). Antud magistritöös rakendatakse struktureeritud lähenemine BPMN peamiste aspektide analüüsimisel ja turvalisuse riskide juhtimiseks uute elementide väljatöötamisel, selleks ühildades BPMN ning ISSRM-i kontsepte. Magistritöös on demonstreeritud väljatöötatud lisaelementide kasutus, selgitatud kuidas antud elementidega laiendatud BPMN võimaldab väljendada ettevõtte varasid (assets), nendega seotuid riske (risks) ja riskide käsitlust (risk treatment). See on analüüsitud internetkaupluse varade konfidentsiaalsuse, terviklikkuse ja kättesaadavuse näitel. Autor on veendunud, et BPMN laienemine turvalisuse kontseptide osas ja antud töö raames tehtud konkreetsed ettepanekud aitavad infosüsteemide analüütikutele mõistma kuidas süsteemi turvalisust arendada nii, et läbi äriprotsessi tuvastatud olulisemate ettevõtte varade turvalisus oleks infosüsteemis käsitletud ning tagatud. Autori poolt antud käsitlus on vaadeldud ka laiemas mõttes, nimelt, BPMN keelele pakutud laienemisega avaneb perspektiiv äriprotsesside ja turvalisuse mudeleite koosvõimele ning BPMN-i teiste modelleerimise metoodikatega, nagu ISSRM või Secure Tropos, integreerimisele.Modern Information System (IS) development supports different techniques for business process modelling. Recently Business Process Model and Notation (BPMN) has become a standard that allows modelers to visualize organizational business processes. However, despite the fact that BPMN is a good approach to introduce and understand business processes, there is no opportunity to address security concerns while analysing the business needs. This is a problem, since both business processes and security concerns should be understood in parallel to support a development of the secure systems. In current thesis we introduce the extensions for BPMN 2.0 regarding security aspects. The following proposal is based on alignment of the modelling notation with IS security risk management (ISSRM).We apply a structured approach to understand major aspects of BPMN and propose extensions for security risk management based on the BPMN alignment to the ISSRM concepts. We demonstrate the use of extensions, illustrating how the extended BPMN could express assets, risks and risk treatment on few running examples related to the Internet store assets’ confidentiality, integrity and availability. We believe that our proposal would allow system analysts to understand how to develop security requirements to secure important assets defined through business processes. We also attempt to observe the following approach in the broader sense and we open a possibility for the business and security model interoperability and the model transformation between BPMN and another modelling approach also aligned to ISSRM, Secure Tropos

AuSCL -- Another unified Service Composition Language

Creating software systems by composing already existing reusable software is a vision which has been driving the development of software technologies and paradigms for a long time. By combining visual modelling and service oriented architecture, this thesis proposes a visual language for composition of heterogeneous service, called AuSCL (Another unified Service Composition Language). The thesis presents requirements for service composition in general, and additional requirements introduced by the use of heterogeneous service technologies. Existing visual languages such as UML2 and BPMN has been investigated and evaluated in three case studies. This has lead to a list of potential improvements for UML2 and BPMN which have been used in the design of AuSCL. AuSCL is a UML2 profile, introducing a set of stereotypes to enhance UML2 functionality and a domain specific structure of model views for modelling a heterogeneous service composition from a set of viewpoints. This structure consists of a set of model views and are introduced to narrow the extensive modelling possibilities provided by UML2. The model views are divided into abstract and concrete views, and does also separate between internal and external aspects. AuSCL extends UML2 to support dynamic service selection (service discovery and and runtime selection) for late binding and a consistent way of combinig activities and interactions to model communication. AuSCL is evaluated against the identified requirements and by implementation of the same case studies used in the evaluation of UML2 and BPMN. The evaluation shows that AuSCL is better suited than UML2 and BPMN for visual modelling of heterogeneous service composition for the identified requirements and case studies

Ontology-based patterns for the integration of business processes and enterprise application architectures

Increasingly, enterprises are using Service-Oriented Architecture (SOA) as an approach to Enterprise Application Integration (EAI). SOA has the potential to bridge the gap between business and technology and to improve the reuse of existing applications and the interoperability with new ones. In addition to service architecture descriptions, architecture abstractions like patterns and styles capture design knowledge and allow the reuse of successfully applied designs, thus improving the quality of software. Knowledge gained from integration projects can be captured to build a repository of semantically enriched, experience-based solutions. Business patterns identify the interaction and structure between users, business processes, and data. Specific integration and composition patterns at a more technical level address enterprise application integration and capture reliable architecture solutions. We use an ontology-based approach to capture architecture and process patterns. Ontology techniques for pattern definition, extension and composition are developed and their applicability in business process-driven application integration is demonstrated

Auditing business process compliance

Compliance issues impose significant management and reporting requirements upon organizations.We present an approach to enhance business process modeling notations with the capability to detect and resolve many broad compliance related issues. We provide a semantic characterization of a minimal revision strategy that helps us obtain compliant process models from models that might be initially non-compliant, in a manner that accommodates the structural and semantic dimensions of parsimoniously annotated process models. We also provide a heuristic approach to compliance resolution using a notion of compliance patterns. This allows us to partially automate compliance resolution, leading to reduced levels of analyst involvement and improved decision support

A resource-oriented architecture for business process systems

Background: The REpresentational State Transfer (REST) design principles treat all concepts in the world as link-connected resources, and support ROA (Resource-Oriented Architecture) for the Web applications. REST and ROA are responsible for the adaptability achieved in the Web. Some design approaches of Web-based business process systems recently evolved towards RESTful to inherit adaptability. However, none of the approaches can improve the adaptability of the produced systems. Aims: Propose a systematic approach for design and execution of Web-based business processes to improve adaptability of the produced systems. Methods: This research followed an empirical research methodology, which evaluates research solutions with real-world cases. On one hand, the research solution was derived by 1) tailoring the REST principles towards business process systems; 2) proposing REST annotations on existing business process modelling; 3) mapping the concepts of business process to HTTP/URI specifications; and 4) designing a format for process context information. On the other hand, the research solution was evaluated through three real-world case studies. Two of the case studies conducted comparative analysis in terms of adaptability of the systems produced by the proposed approach and two alternatives, namely, SOA and MEST (MESsage Transfer). The analysis is based on metrics, including LOC difference, change locality, coupling and cohesion, and an analysis framework called BASE. Results: The research solution is ROA4BP, which includes 1) an architecting approach for design and implementation of Web-based business processes to provide a development guideline; 2) a set of REST-related annotations on existing process modelling to ensure the compatibility with existing techniques; 3) A systematic mapping between business process and HTTP/URI specifications to utilize the advanced mechanisms provided by the Web infrastructure; and 4) a communication format to exchange structured process context information during runtime among process participants. A modelling tool, a programming API and a runtime engine were implemented to support the approach and simplify the implementation of case studies. The case studies demonstrated that ROA4BP can produce more adaptable business process systems compared to the other two alternatives. Conclusion: ROA4BP can help to design and execute RESTful business process systems with better adaptability at design-time and runtime

Automated Creation and Provisioning of Value-added Telecommunication Services

The subject of this research is to find a continuous solution, which allows the description, the creation, the provisioning, and the execution of value-added telecommunication services. This work proposes a framework for an easy and timesaving creation and provisioning of value-added telecommunication services in Next Generation Networks. As research method, feasibility, comparative methods are used in this study. Criteria and requirements for service description, service creation, service execution, and service provisioning, are defined and existing technologies are compared with each other and evaluated regarding these criteria and requirements. Extensions to the selected technologies are proposed and possibilities to combine these technologies are researched. From the results of the previous steps, a framework is defined which offers a continuous solution for the description, creation, provisioning and execution of value-added services. In order to test the proof of concept, this framework is prototypically implemented. For a qualitative analysis of the research targets and the proof of concept, an example service is created and executed within the framework prototype. Furthermore, in order to examine the validity of the quantitative aims and objectives of this research work, a second example service is created, and its characteristics are measured and analysed. The result of this research is a novel continuous approach for the creation of value-added telecommunication services. This research introduces new possibilities for the service description, service creation, service provisioning, and service execution through an extension of the common telecommunication real-time execution environment JAIN SLEE. Value-added services are described by using the business process execution language BPEL. This language facilitates a simple and fast service design. The service can automatically be composed from pre-defined and pre-deployed components

Domain-Specific Modelling for Coordination Engineering

Multi-core processors offer increased speed and efficiency on various devices, from desktop computers to smartphones. But the challenge is not only how to gain the utmost performance, but also how to support portability, continuity with prevalent technologies, and the dissemination of existing principles of parallel software design. This thesis shows how model-driven software development can help engineering parallel systems. Rather than simply offering yet another programming approach for concurrency, it proposes using an explicit coordination model as the first development artefact. Key topics include: Basic foundations of parallel software design, coordination models and languages, and model-driven software development How Coordination Engineering eases parallel software design by separating concerns and activities across roles How the Space-Coordinated Processes (SCOPE) coordination model combines coarse-grained choreography of parallel processes with fine-grained parallelism within these processes Extensive experimental evaluation on SCOPE implementations and the application of Coordination Engineerin