Bryan Stephenson

Incorporating Security Requirements into Service Composition: From Modelling to Execution

Despite an increasing need for considering security requirements in service composition, the incorporation of security requirements into service composition is still a challenge for many reasons: no clear identification of security requirements for composition, absence of notations to express them, difficulty in integrating them into the business processes, complexity of mapping them into security mechanisms, and the complexity inherent to specify and enforce complex security requirements. We identify security requirements for service composition and define notations to express them at different levels of abstraction. We present a novel approach consisting of a methodology, called Sec-MoSC, to incorporate security requirements into service composition, map security requirements into enforceable mechanisms, and support execution. We have implemented this approach in a prototype tool by extending BPMN notation and building on an existing BPMN editor, BPEL engine and Apache Rampart. We showcase an illustrative application of the Sec-MoSC toolset.

SSC4Cloud Tooling: An Integrated Environment for the Development of Business Processes with Security Requirements in the Cloud

Cloud Computing, Business Process Modeling (BPM) and Service-oriented architectures (SOA) are playing a relevant role in the evolution of Information Technology (IT). A considerable number of system developers are using Cloud technologies to deploy and make available systems over the Internet. Business Process Management standards are being widely used to model business requirements. In addition, SOA-based systems are considered an interesting approach to execute high-level business process specifications. Based on the fact that business processes are executed, usually, using services available in network environments, security requirements should be considered, especially when dealing with sensitive data (e.g., credit card information or personal data). Despite the increasing need for specifying security mechanisms in web service compositions in the Cloud, this topic remains a challenge for many reasons, including the known difficulty of expressing security requirements at a business level and the enforcement of such requirements at an execution level in a cloud environment. This work presents an environment to collaboratively model business processes considering security requirements and to automatically deploy them in the Cloud with security requirements enforcement. The business process is realized through the utilization of web service composition. This environment consists of a set of tools to support the business process modeling and secure service composition execution in the Cloud. Security-related information can be shared among different users in the Cloud and used to enable the activation and configuration of security mechanisms. The proposed approach is showcased in a Virtual Travel Agency scenario to show its feasibility.

Modeling and Configuration of Process Variants for On-Boarding Customers to IT Outsourcing

An essential part of IT outsourcing is to move the customers IT environment into the service providers mode of operation, which is known as customer on-boarding. It covers every aspect of transition and transformation, from the time the customer signs the contract to the time the provider can deliver steady-state IT services. In order to improve the repeatability and enforce adoption of best practices, a standard set of processes should be established to direct, control, and measure on-boarding activities for each customer. However, this process is very complex and often gets adapted according to customer environments and requirements. It is very difficult to incorporate process variants needed for diverse scenarios into a single on-boarding process model, so that they can be reused. In this paper, we propose an approach based on ontology and rules to model the standard on-boarding process and configure process variants based on the business context that characterizes various scenarios. Further, semantic rules model adaptation policies and help generate a customized process variant schema on the fly. Based on this framework, we have developed a prototype to support process variant configuration. We also discuss the flexibility of our approach, and present its cost-benefit analysis.

Modeling and Executing Business Processes with Annotated Security Requirements in the Cloud

The design, deployment and execution of business process models and their associated security models is expensive and time consuming. This is because these activities usually involve multiple stakeholders that include business domain experts, security experts, web service developers and IT operations teams, and there is no streamlined development environment to allow these stakeholders to work collaboratively on a business process. We have developed a cloud-based model-driven development and execution environment called SSC4Cloud to provide a shared business process modeling workspace and a business process execution environment. More specifically, with the shared modeling workspace, business process models can be developed, refined and shared. Within the shared execution environment, a business process model is translated into a WS-BPEL based executable model, which is then assigned for execution in a virtual machine container from a shared machine cluster. The common model execution environment supports both business process execution and enforcement of the security requirements attached to the business process models.

Virtual Business Operating Environment in the Cloud: Conceptual Architecture and Challenges

Advances in service oriented architecture (SOA) have brought us close to the once imaginary vision of establishing and running a virtual business, a business in which most or all of its business functions are outsourced to online services. Cloud computing offers a realization of SOA in which IT resources are offered as services that are more affordable, flexible and attractive to businesses. In this paper, we briefly study advances in cloud computing, and discuss the benefits of using cloud services for businesses and trade-offs that they have to consider. We then present 1) a layered architecture for the virtual business, and 2) a conceptual architecture for a virtual business operating environment. We discuss the opportunities and research challenges that are ahead of us in realizing the technical components of this conceptual architecture. We conclude by giving the outlook and impact of cloud services on both large and small businesses.

Sec-MoSC Tooling - Incorporating Security Requirements into Service Composition

The Sec-MoSC Tooling supports modelling and enforcement of security abstractions in business processes and service composition. It offers a novel approach consisting of abstractions and methods for capturing and enforcing security requirements in service composition.

A Policy Framework for Data Management in Services Marketplaces

Large numbers of consumers, businesses, and public entities are now using the Internet for a variety of transactions. This has enabled service providers to offer outsourcing capabilities to business customers using software-as-a-service delivery models in services marketplaces. However, challenges remain in widespread acceptance of such delivery models because they require customers to share business critical data with the service providers. This paper presents a policy framework that enables businesses to communicate data management policies with service providers at an arbitrarily granular level. Policy is described as a state machine with each state representing a lifecycle stage, and attached to data when it is shared between services. Data management related policies including data appropriateness, data quality assurance, data retention and data migration can be described in this framework and enforced correspondingly.

Governance Framework for IT Transformation Projects in Outsourcing

In the IT Outsourcing industry, a complex transition and transformation process is required for on-boarding large enterprise customers. The process begins after the customer signs a contract, and ends when steady-state operation is attained by the service provider. Large outsourcing deals may last several years, involve several hundred million dollars, and are traditionally highly customized. In this paper, we provide recommendations for a governance framework that can manage the on-boarding stage of large, customized deals. There are no existing governance frameworks that work well from the perspective of the service provider, at the scale and diversity observed in these deals. The framework must standardize a set of processes to direct, control, and measure on-boarding activities and enable a governance organization to create and maintain a single data, process and program management instance for each customer. It must also maintain a well-defined and comprehensive view of the key entities in the transition and transformation process, and their relationships. These entities may include projects, people, roles and responsibilities, process metrics, services, and the multiple internal and partner organizations and their operational level agreements (OLAs). Finally, the framework must improve repeatability across service deals, enforce adoption of best practices that are distilled from historical deals, and better avoid known problems and issues.

Towards an approach to design and enforce security in web service composition

Modelling and enforcing security requirements is an important but challenging task in web service composition. However, the explicit treatment of security requirements is challenging for many reasons: diversity of security background of involved stakeholders, absence or complexity of notations to express security requirements, complexity of mapping security requirements into security mechanisms and enforcing them at runtime. Existing work often delays considering the security requirements until the implementation and execution. We present an approach to design and enforce security in web service composition. By adopting the proposed approach, security requirements are incorporated during the business process definition and service composition code generation, and enforced at runtime. The proposed approach is supported by a set of tools that allows annotating business processes with security requirements, refining the security annotated business process and enforcing security annotations at execution time. We showcase an illustrative application to demonstrate the proposed approach and developed tools.

Towards Generating Richer Code by Binding Security Abstractions to BPMN Task Types.

This paper presents an approach for binding security requirements to different BPMN task types to create secure executable business processes.