Business Process Compliance via Security Validation as a Service

By Luca Compagna, Pierre Guilleminot, and Achim D. Brucker.

Modern enterprise systems are often process-based, i.e., they allow for the direct execution of business processes that are specified in a high-level language such as BPMN. Moreover, modern enterprises need to comply with more and more security and compliance regulations. In this paper, we present a service-based approach, called Security Validation as a Service (SVaaS), for validating the compliance of business processes (BPs) at design time. While modeling a BP, the business analyst also specifies the security and compliance requirements the BP should comply with. By pressing a button, these requirements are validated and the results are presented in a graphical format to the business analyst. At the core of SVaaS lies a rigorous and industrially viable approach in which the security validation business logic is handled server-side (SVaaS Server) in the Cloud, while the client-side user interface that business analysts use is handled by a light-weight client (SVaaS Connector). As a proof of concept, we created an SVaaS prototype in which the SVaaS Server is deployed on the SAP NetWeaver Cloud and two SVaaS Connectors are built to enable two well-known BPM clients, SAP NetWeaver BPM and Activiti, to consume SVaaS against industrially relevant BPs.

Keywords:
Validation, Security, Business Process Management

Please cite this work as follows:
L. Compagna, P. Guilleminot, and A. D. Brucker, “Business process compliance via security validation as a service,” in IEEE sixth international conference on software testing, verification and validation (ICST), 2013, pp. 455–462. doi: 10.1109/ICST.2013.63. Author copy: http://logicalhacking.com/publications/compagna.ea-bp-compliance-2013/

BibTeX
@InProceedings{ compagna.ea:bp-compliance:2013,
  author    = {Luca Compagna and Pierre Guilleminot and Achim D. Brucker},
  booktitle = {IEEE Sixth International Conference on Software Testing,
               Verification and Validation (ICST)},
  language  = {USenglish},
  publisher = {IEEE Computer Society},
  address   = {Los Alamitos, CA, USA},
  areas     = {formal methods, software, security},
  keywords  = {Validation, Security, Business Process Management},
  pages     = {455--462},
  title     = {Business Process Compliance via Security Validation as a
               Service},
  editor    = {Manuel Oriol and John Penix},
  isbn      = {978-1-4673-5961-0},
  location  = {Luxembourg},
  year      = {2013},
  doi       = {10.1109/ICST.2013.63},
  abstract  = {Modern enterprise systems are often process-based, i. e.,
               they allow for the direct execution of business processes that
               are specified in a high-level language such as BPMN. Moreover,
               modern enterprises need to comply to more and more security
               and compliance regulations. In this paper, we present a
               service based, called Security Validation as a Service (SVaaS)
               for validating the compliance of the business processes (BPs)
               during design-time. Basically, while modeling a BP the
               business analyst specifies as well the security and compliance
               requirements the BP should comply to. By pressing a button,
               these requirements are validated and the results are presented
               in a graphical format to the business analysis. At the core of
               SVaaS lies a rigorous and industrially viable approach in
               which the security validation business logic is handled
               server-side (SVaaS Server) in the Cloud, while the client-side
               user interface that business analysts use is handled by a
               light-weight (SVaaS Connector). As proof-of-concept we created
               a SVaaS prototype in which the SVaaS Server is deployed on the
               SAP NetWeaver Cloud and two SVaaS Connectors are built to
               enable two well-known BPM clients, SAP NetWeaver BPM and
               Activiti, to consume SVaaS against industrial relevant BPs.},
  note      = {Author copy: \url{http://logicalhacking.com/publications/compagna.ea-bp-compliance-2013/}},
}