A Usage Control Model Extension for the Verification of Security Policies in Artifact-Centric Business Process Models

Artifact-centric initiatives have been used in business processes whose data management is complex, being the simple activity centric workflow description inadequate. Several artifact-centric initia tives pursue the verification of the structural and data perspectives of the models, but unfortunately uncovering security aspects. Security has become a crucial priority from the business and customer perspectives, and a complete verification procedure should also fulfill it. We propose an extension of artifact-centric process models based on the Usage Control Model which introduces mechanisms to specify security policies. An auto matic transformation is provided to enable the verification of enriched artifact-centric models using existing verification correctness algorithms.Ministerio de Ciencia y Tecnología TIN2015-63502-C3-2-

Reasoning on the usage control security policies over data artifact business process models

The inclusion of security aspects in organizations is a crucial aspect to ensure compliance with both internal and external regulations. Business process models are a well-known mechanism to describe and automate the activities of the organizations, which should include security policies to ensure the correct performance of the daily activities. Frequently, these security policies involve complex data which cannot be represented using the standard Business Process Model Notation (BPMN). In this paper, we propose the enrichment of the BPMN with a UML class diagram to describe the data model, that is also combined with security policies defined using the UCONABC framework annotated within the business process model. The integration of the business process model, the data model, and the security policies provides a context where more complex reasoning can be applied about the satisfiability of the security policies in accordance with the business process and data models. To do so, wetransform the original models, including security policies, into the BAUML framework (an artifact-centric approach to business process modelling). Once this is done, it is possible to ensure that there are no inherent errors in the model (verification) and that it fulfils the business requirements (validation), thus ensuring that the business process and the security policies are compatible and that they are aligned with the business security requirements.This work has been supported by Project PID2020-112540RB-C44 funded by MCIN/AEI/ 10.13039/501100011033, Project TIN2017-87610-R funded by MCIN/AEI/10.13039/501100011033 and FEDER “Una manera de hacer Europa”, Project 2017-SGR-1749 by the Generalitat de Catalunya, Projects COPERNICA (P20 01224) and METAMORFOSIS by the Junta de Andalucía.Peer ReviewedPostprint (published version

SoNeUCONADM: the administrative model for SoNeUCONABC usage control model

The popularity of Web Based Social Networks (WBSNs) encourages their enhancement. Many WBSN data is considered personal data and access control management plays a key role in this regard. The point is not only to manage access control but to determine how administration should be performed. Based on SoNeUCONABC, an expressive usage control model that allows fine-grained access control management, this paper presents SoNeUCONADM, the complementary administrative model. Based on a pair of related and popular administrative models, the evaluation proves the completeness of SoNeUCONADM

Control de acceso en redes sociales web

Proceeding of: XII Reunión Española sobre Criptología y Seguridad de la Información (RECSI 2012), Donostia-San Sebastián, Spain, 4-7 sept. 2012Recientemente, motivados por la expansión de internet y la aparición de las Redes Sociales Web (RSW), han surgido gran cantidad de problemas y retos asociados con la privacidad. Uno de los problemas principales es el diseño y la implementación de sistemas que posibiliten a los usuarios la gestión del control de acceso. A este respecto, pero en el contexto de las RSW, se han identificado una serie de requisitos. Sin embargo, en la literatura, los trabajos existentes sólo satisfacen parcial o completamente algunos de ellos. En este artículo, se propone primero un modelo de control de acceso, SoNeUCONABC, el cual extiende el modelo UCONABC, junto con la especificación de un mecanismo que lo implementa. En segundo lugar, se proporcionan directrices para el establecimiento de mecanismos que, desplegados sobre SoNeUCONABC, satisfagan todos los requisitos. PalabrasNo publicad

Towards Data Protection Compliance

Privacy and data protection are fundamental issues nowadays for every organization. This paper calls for the development of methods, techniques and infrastructure to allow the deployment of privacy-aware IT systems, in which humans are integral part of the organizational processes and accountable for their possible misconduct. In particular, we discuss the challenges to be addressed in order to improve organizations privacy practices, as well as the approach to ensure compliance with legal requirements and increasing efficiency

Usage Management Enforcement in Cloud Computing Virtual Machines

Many are interested in adopting cloud computing technology, but have concerns about the security of their data. This issue has motivated extensive research to address potential vulnerabilities, with a major focus on access control. A related cloud computing concern is controlling what users can do with data to which they have been granted access. This control is needed to prevent accidental loss or deliberate theft of data by users who have been granted legitimate access. The need for this control, called usage management, has led to a number of conceptual approaches for both conventional and cloud computing, all of which will require an enforcement mechanism within the processors domain. The goal of this research is to prove that it is possible to implement a completely software-based enforcement mechanism that can operate independently of the application software. The implementation is based on a formal operational model. A number of implementation approaches were considered in formulating the enforcement strategy. Then, leveraging software instrumentation capabilities and extending tools developed for taint analysis, we developed a software-based usage management enforcement mechanism that uses dynamic data flow tracking. Based on usage flow policies that are specified in machine readable licenses, the enforcement mechanism can permit or inhibit data flows to standard interfaces, data files, and network sockets. The enforcement mechanism does not require direct hardware access, so it can be used very effectively in a cloud computing environment. This demonstrated capability now provides information owners an ability to control what authorized users can do with the information.\u2