Title :
Security Requirements Specification in Service-Oriented Business Process Management
Author :
Menzel, Michael ; Thomas, Ivonne ; Meinel, Christoph
Author_Institution :
Hasso-Plattner-Inst., Potsdam
Abstract :
Service-oriented Architectures deliver a flexible infrastructure to allow independently developed software components to communicate in a seamless manner. In the scope of organisational workflows, SOA provides a suitable foundation to execute business processes as an orchestration of multiple independent services. Along with the increased connectivity, the corresponding security risks rise exponentially. However, security requirements are usually defined on a technical level, rather than on an organisational level that would provide a comprehensive view on the participants, the assets and their relationships regarding security. In this paper, we propose an approach to describe security requirements at the business process layer and their translation to concrete security configurations for service-based systems. We introduce security elements for business process modelling which allow evaluating the trustworthiness of participants based on a rating of enterprise assets and expressing security intentions such as confidentiality or integrity on an abstract level. Our aim is to facilitate the generation of security configurations based on the modelled requirements. For this purpose, we foster a model-driven approach: information at the modelling layer is gathered and translated to a domain-independent security model. Concrete protocols and security mechanisms are resolved based on a security pattern system that is introduced in the course of this paper.
Keywords :
Web services; business data processing; formal specification; object-oriented programming; protocols; risk analysis; security of data; software architecture; workflow management software; business process management; business process modelling; concrete protocol; domain-independent security model; model-driven approach; organisational workflow; security pattern system; security requirement specification; security risk; service-oriented architecture; software component; Authorization; Availability; Business communication; Computer architecture; Concrete; Conference management; Information security; Protocols; Service oriented architecture; Software development management; Business Process Management; SOA Security; Security Requirement Specification; Web Service Security;
Conference_Title :
Availability, Reliability and Security, 2009. ARES '09. International Conference on
Conference_Location :
Fukuoka
Print_ISBN :
978-1-4244-3572-2
Electronic_ISBN :
978-0-7695-3564-7
DOI :
10.1109/ARES.2009.90