DocumentCode :
3117102
Title :
SLA Driven Process Security through Monitored E-contracts
Author :
Tiwari, Ritesh Kumar ; Dwivedi, Vishal ; Karlapalem, Kamalakar
Author_Institution :
HIT-Hyderabad, Hyderabad
fYear :
2007
fDate :
9-13 July 2007
Firstpage :
28
Lastpage :
35
Abstract :
In this work we look into the domain of process security from a service perspective. Most often, process security has been enacted through service level agreements (SLAs) and business agreements. However, in a multi-party environment such as business process outsourcing (BPO), where processes themselves are offered as a service, the qualitative nature of SLAs makes their monitoring quite difficult and their implementation through various restrictions quite costly. We present our approach, wherein we provide security as a process represented using e-contracts and enacted through workflows. We explore whether security too could be offered as a service which could be enacted and monitored by the process participants themselves, thus ensuring more trust. Most process-based systems employ either the Task Based Model (TBAC) or the Role Based Model (RBAC) for granting the privileges that are needed for executing the individual activities of the workflow. Current approaches are either potentially weak from a security perspective, as they grant users even those permissions which they do not actually need for executing their tasks, or they have very high administrative overhead. In this paper, we propose to couple RBAC with TBAC and additionally enforce sequential and temporal constraints over them so that process participants get only 'need to know' information with less administrative overhead. We propose our extended e-contract framework for security (EC framework) and the architecture of a system which implements it. In the end we present a brief case study presenting our process security model.
Keywords :
Web services; authorisation; business data processing; contracts; outsourcing; SLA driven process security; business process outsourcing; e-contract; role-based access control; service level agreement; task-based access control; Access control; Authorization; Contracts; Data security; Guidelines; Humans; Information security; Monitoring; Outsourcing; Permission;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Services Computing, 2007. SCC 2007. IEEE International Conference on
Conference_Location :
Salt Lake City, UT
Print_ISBN :
0-7695-2925-9
Type :
conf
DOI :
10.1109/SCC.2007.109
Filename :
4278634