On the satisfiability of constraints in workflow systems

Separation of duty and binding of duty in workflow systems is an important area of current research in computer security. We introduce a formal model for constrained workflow systems that incorporate constraints for implementing such policies. We define an entailment constraint, which is defined on a pair of tasks in a work flow, and show that such constraints can be used to model many familiar authorization policies. We show that a set of entailment constraints can be manipulated algebraically in order to compute all possible dependencies between tasks in the workflow. The resulting set of constraints form the basis for an analysis of the satisfiability of a workflow. We briefly consider how this analysis can be used to implement a reference monitor for workflow systems

A Declarative Framework for Specifying and Enforcing Purpose-aware Policies

Purpose is crucial for privacy protection as it makes users confident that their personal data are processed as intended. Available proposals for the specification and enforcement of purpose-aware policies are unsatisfactory for their ambiguous semantics of purposes and/or lack of support to the run-time enforcement of policies. In this paper, we propose a declarative framework based on a first-order temporal logic that allows us to give a precise semantics to purpose-aware policies and to reuse algorithms for the design of a run-time monitor enforcing purpose-aware policies. We also show the complexity of the generation and use of the monitor which, to the best of our knowledge, is the first such a result in literature on purpose-aware policies.Comment: Extended version of the paper accepted at the 11th International Workshop on Security and Trust Management (STM 2015

A structured approach to VO reconfigurations through Policies

One of the strength of Virtual Organisations is their ability to dynamically and rapidly adapt in response to changing environmental conditions. Dynamic adaptability has been studied in other system areas as well and system management through policies has crystallized itself as a very prominent solution in system and network administration. However, these areas are often concerned with very low-level technical aspects. Previous work on the APPEL policy language has been aimed at dynamically adapting system behaviour to satisfy end-user demands and - as part of STPOWLA - APPEL was used to adapt workflow instances at runtime. In this paper we explore how the ideas of APPEL and STPOWLA can be extended from workflows to the wider scope of Virtual Organisations. We will use a Travel Booking VO as example.Comment: In Proceedings FAVO 2011, arXiv:1204.579

Supporting Compliance through Enhancing Internal Control Systems by Conceptual Business Process Security Modeling

The importance of Business Process Modeling (BPM) particularly in sensitive areas combined with the rising impact of legislative requirements on IT operations results in a need to conceptually represent security seman- tics in BPM. We define critical security semantics that need to be incorporated in BPM to aid documentation of security needs and support compliant behavior of security systems. We analyze ways to express such semantics in BPM and their possible role in designing and operating internal control systems, which ensure and document the execution of compliance-related activities. The analysis shows that there are informal, semi-formal and for- mal approaches to represent security semantics in BPM. We consider the informal approaches as best suited to express security objectives and their formal counterparts as best to specify security mechanisms to enforce the objectives. All three groups of approaches have the potential to enhance the expressiveness and informative value of an internal control system

Proceedings ICPW'07: 2nd International Conference on the Pragmatic Web, 22-23 Oct. 2007, Tilburg: NL

Proceedings ICPW'07: 2nd International Conference on the Pragmatic Web, 22-23 Oct. 2007, Tilburg: N