Robson W. A. Medeiros

Incorporating Security Requirements into Service Composition: From Modelling to Execution

Despite an increasing need for considering security requirements in service composition, the incorporation of security requirements into service composition is still a challenge for many reasons: no clear identification of security requirements for composition, absence of notations to express them, difficulty in integrating them into the business processes, complexity of mapping them into security mechanisms, and the complexity inherent to specify and enforce complex security requirements. We identify security requirements for service composition and define notations to express them at different levels of abstraction. We present a novel approach consisting of a methodology, called Sec-MoSC, to incorporate security requirements into service composition, map security requirements into enforceable mechanisms, and support execution. We have implemented this approach in a prototype tool by extending BPMN notation and building on an existing BPMN editor, BPEL engine and Apache Rampart. We showcase an illustrative application of the Sec-MoSC toolset.

SSC4Cloud Tooling: An Integrated Environment for the Development of Business Processes with Security Requirements in the Cloud

Cloud Computing, Business Process Modeling (BPM) and Service-oriented architectures (SOA) are playing a relevant role in the evolution of Information Technology (IT). A considerable number of system developers are using Cloud technologies to deploy and make available systems over the Internet. Business Process Management standards are being widely used to model business requirements. In addition, SOA-based systems are considered an interesting approach to execute high-level business process specifications. Based on the fact that business processes are executed, usually, using services available in network environments, security requirements should be considered, especially when dealing with sensitive data (e.g., credit card information or personal data). Despite the increasing need for specifying security mechanisms in web service compositions in the Cloud, this topic remains a challenge for many reasons, including the known difficulty of expressing security requirements at a business level and the enforcement of such requirements at an execution level in a cloud environment. This work presents an environment to collaboratively model business processes considering security requirements and to automatically deploy them in the Cloud with security requirements enforcement. The business process is realized through the utilization of web service composition. This environment consists of a set of tools to support the business process modeling and secure service composition execution in the Cloud. Security-related information can be shared among different users in the Cloud and used to enable the activation and configuration of security mechanisms. The proposed approach is showcased in a Virtual Travel Agency scenario to show its feasibility.

Modeling and Executing Business Processes with Annotated Security Requirements in the Cloud

The design, deployment and execution of business process models and their associated security models is expensive and time consuming. This is because these activities usually involve multiple stakeholders that include business domain experts, security experts, web service developers and IT operations teams, and there is no streamlined development environment to allow these stakeholders to work collaboratively on a business process. We have developed a cloud-based model-driven development and execution environment called SSC4Cloud to provide a shared business process modeling workspace and a business process execution environment. More specifically, with the shared modeling workspace, business process models can be developed, refined and shared. Within the shared execution environment, a business process model is translated into a WS-BPEL based executable model, which is then assigned for execution in a virtual machine container from a shared machine cluster. The common model execution environment supports both business process execution and enforcement of the security requirements attached to the business process models.

Predicting Service Composition Costs with Complex Cost Behavior

Nowadays, many companies expose their competencies as services on the Internet to facilitate the cooperation with their customers. This situation has created a new marketplace where services have been provided with similar functionality but different qualities such as cost, performance, and reliability. In this scenario, service composition providers have faced the challenge of choosing services that fulfill an expected quality without compromising a planned budget. This challenge is even more stringent when services have different cost behaviors. As a consequence, services can be less expensive than others in a scenario and be more expensive in others. Several approaches have been proposed to address cost analysis of service compositions. However, these approaches have not considered all classes of possible cost behaviors, e.g., Fixed, variable, mixed and step cost. This paper addresses this limitation by proposing a solution to analyze costs of service compositions taking into account service reliability and all classes of cost behaviors. In order to evaluate the proposed solution, we carried out some experiments that show its effectiveness.

A Survey of Cost Accounting in Service-Oriented Computing

Nowadays, companies are increasingly offering their business services through computational services on the Internet in order to attract more customers and increase their revenues. However, these services have financial costs that need to be managed in order to maximize profit. Several models and techniques have been recently reported that aim at managing, controlling and reducing service costs. However, each of these contributions covers a specific cost aspect subject to certain constraints, while in practice more comprehensive solutions are necessary. This paper presents a survey of models and techniques to handle service costs throughout the phases of the service lifecycle. Based on this survey, we identified a number of opportunities for future research, which should eventually yield comprehensive cost solutions.

Sec-MoSC Tooling - Incorporating Security Requirements into Service Composition

The Sec-MoSC Tooling supports modelling and enforcement of security abstractions in business processes and service composition. It offers a novel approach consisting of abstractions and methods for capturing and enforcing security requirements in service composition.

A metamodel for modeling cost behavior in service composition

During the service composition lifecycle, service costs should be predicted, controlled and reported in order to optimize resource utilization and increase profit. Several approaches have been proposed to address cost issues in some phases of the service composition lifecycle. However, each approach expresses costs in its own way, which makes it hard to integrate them into a comprehensive and automated approach that tackles cost issues throughout the service composition lifecycle. This paper addresses this problem by proposing a metamodel for expressing costs in service compositions. The proposed metamodel allows designers to express different cost behaviors and to enforce them throughout the service composition lifecycle. In addition to the metamodel, the paper also discusses the tools have been specially designed and implemented to support this metamodel. In order to evaluate the metamodel, we performed a case study in which cost results calculated with the proposed tools are compared with results obtained in a conventional way. Moreover, we describe some cost behaviors of real web service to evaluate the applicability of our metamodel.

Automation of service-based security-aware business processes in the Cloud

The use of business process standards to model and execute business needs is growing rapidly. In addition, Service-oriented Computing has been adopted to realize business processes, which basically consists of executing the process activities using services available in the Internet. In this context, the importance of security is apparent, because sensitive data sent over the Internet may be accessed by unauthorized third-parties. To prevent security problems, users may associate security requirements that must be enforced in essential tasks of the business process. This fact leads to the need of automation, because both functional and security requirements should be modeled, at high-level, and enforced, at execution level. This work proposes a cloud-based solution named BPA-Sec4Cloud that supports all phases of the security-aware business process automation, from its modeling to its deployment. The use of a cloud-based solution facilitates the deployment process because all needed resources are available in the cloud and ready to be used. In addition, the cloud is also used as a platform in order to provide specific services, such as translators, to support the automation process. In order to evaluate the BPA-Sec4Cloud, the solution was compared against existing solutions through the use of metrics related to the quality of generated artifacts.

Towards an approach to design and enforce security in web service composition

Modelling and enforcing security requirements is an important but challenging task in web service composition. However, the explicit treatment of security requirements is challenging for many reasons: diversity of security background of involved stakeholders, absence or complexity of notations to express security requirements, complexity of mapping security requirements into security mechanisms and enforcing them at runtime. Existing work often delays considering the security requirements until the implementation and execution. We present an approach to design and enforce security in web service composition. By adopting the proposed approach, security requirements are incorporated during the business process definition and service composition code generation, and enforced at runtime. The proposed approach is supported by a set of tools that allows annotating business processes with security requirements, refining the security annotated business process and enforcing security annotations at execution time. We showcase an illustrative application to demonstrate the proposed approach and developed tools.

Towards Generating Richer Code by Binding Security Abstractions to BPMN Task Types.

This paper presents an approach for binding security requirements to different BPMN task types to create secure executable business processes.