Business Process Security (BPSec)

To assure security, the provision of evidence with regard to the adherence to regulatory and legal requirements is imperative in distributed business processes. In particular, the service provider must guarantee that the processes of different parties run on the same “service cloud” are kept isolated from each other. Currently, process isolation is achieved solely with access control mechanisms. This however, is not sufficient, as it does not provide “end-to-end” guarantees and neglects covert channels and implicit information flows.

To provide reliable isolation guarantees, AMBOSS applies information flow control to verify business process models. The goal are mechanisms that can be applied in the two prevalent verification time-points: first, a priori certification attests or refutes the fulfillment of isolation requirements based on process model analysis (focus of this proposal); second, a posteriori audit identifies isolation flaws based on log data and makes them accountable (focus of the subsequent proposal).

The applicants’ IFnet formalism provides the core technology for such verification. IFnet models are generated from industrial process specification languages BPEL and BPMN, or are reconstructed from authentic log data. The applicability of AMBOSS’s techniques will be evaluated in large case study conducted with a company which targets the security improvement of its distributed information management.