Date posted: 22-Dec-2015
Specification and Management of Security in the Business Process
Marc Frappier, PhD
Full Professor
Département d'informatique
Collaborators
Louise Adant, FBN
Alexandre Beaupré, Université de Sherbrooke and FBN
Pierre Konopacki, Université de Sherbrooke and Paris-12
Jérémy Milhau, Université de Sherbrooke and Paris-12
Michel Eme Jiague, Université de Sherbrooke and Paris-12
Régine Laleau, Paris-12
Richard St-Denis, Université de Sherbrooke
Your Data
Outline
Functional Security
Functional Security Policy
Software Architecture

As a Citizen
Do you know who has access to your medical file? Your banking records? Your credit file? Transactions on your credit cards? Your tax return?
Would you like to know who has accessed your personal data?
Would you like to be able to decide who can access/manipulate your data?

Security and Business Process
Who can do what with the data and functions in your applications?
Where is this described?
Who controls your security policy (accessing it, changing it, validating it)?
Can you show that you are complying with the relevant legislation?

Functional Security
Focuses on policies on access to data and functions
Is different from architectural security, technological security, etc., and from physical security
Is also called access control or access permission
Access and Filtering
Functions according to user’s role
Filtering on the user’s data
Architectural and Technological Security
Management of user codes and passwords
Authentication
Secure communication protocols
Data encryption
Firewall
Attack prevention
Etc.

Physical Security
Devices for gaining access to buildings, equipment: magnetic card, biometric scanner
Protection of equipment
Protection of communication lines
Etc.

Functional Security: Traditional Models
RBAC: Role-Based Access Control
ORBAC: Organization-Based Access Control
Bell-LaPadula
Sandhu
Clark-Wilson

ORBAC – Components of the Model
Organization
Role: set of subjects (users)
Activity: set of actions (services)
View: set of objects (data)
Context

ORBAC – Components of the Model
Context: catch-all for any other parameter of the policy
  Temporal, spatial, emergency, application data, workflow, etc.
Hierarchy: Organization, Role, Activity
ORBAC
Source: http://orbac.org/

Role
User      Role
Marc      Individual
Paul      Cashier
Isabelle  Representative
Marie     Manager

Role            Actions                                    Scope
Individual      Account: access, deposit, withdraw         On his accounts
Cashier         Account: access, deposit, withdraw, etc.   On branch accounts
Representative  Create or close account, request credit    For her clients
Manager         Authorize credit                           For the branch

[Diagram: Manager, Representative, Cashier, Individual]

Organization
User      Role            Organization
Isabelle  Broker          Financière Banque Populaire
          Representative  Banking services
Sole user
[Organization diagram: Banque Populaire; Brokerage services, Banking services; Quebec brokerage, Ontario brokerage; Province, Region, Branch]

ORBAC – Implementation
MotOrBac: Java API; few uses documented in the literature
Ad hoc: a number of organizations use principles similar to ORBAC (without knowing it); in-house implementation

ORBAC - Limitations
General nature of the model
Do you need all the concepts? Organization, Role, Activity, View
Do you need other things? Put it in the context
How to integrate your security policy with the data in your existing applications? Put it in the context

In-house Approaches
Menu functions access manager
  Shows who has access to which function
  Is generally based on the user’s role, location, organization
  Separate from the application
Data filtering
  For restricting access to the data of a function
  Embedded in the code for the function
The EB3SEC Project

Presentation of Problem
[Diagram, built up over slides 21 to 27: the user reaches the IS over the Internet.]
User: "I would like to be able to access my accounts."
Is the user entitled to perform the basic operations of this action? This is the verification of permissions.
Is the user entitled to perform this action at this time? This is the verification of the security workflow.

Architecture of the Solution
[Diagram, built up over slides 28 to 46: User, Security Kernel (Permissions, Security Workflow; Authorization1, Authorization2), IS Kernel, with Request and Answer arrows.]
User: "I would like to perform an action, so I send a request to the IS."
The request first reaches the Security Kernel, which holds the Permissions and the Security Workflow and produces Authorization1 and Authorization2.
To know whether the action is authorized by the security kernel, Authorization1 and Authorization2 must be conjoined.
Authorization refused: an answer is returned to the user. User: "I have just received an error message explaining the refusal to execute."
Permission granted: authorization must also be granted by the existing IS, so the request is passed on to the IS.
The IS may refuse or accept the request.
Authorization refused by the IS (request rejected): an answer is returned to the user. User: "I have just received an error message explaining the refusal to execute."
Permission granted by the IS (request accepted): the IS kernel is updated, the answer comes back, the security kernel is updated, and the answer is returned to the user. User: "I have just received the answer to my request."

Security Rule or Business Rule?
Business rule: describes the functioning of the application; assumes that anyone can do anything
Security rule: who has access to what action on which data
Approval process: sometimes a business rule, sometimes a security rule

ESB Architecture
Enterprise Service Bus (ESB): Routing, Connectivity, Security, Transformation
[Diagram: Consumer, Authorization, Register of services, Security Kernel, Service A and Service B around the ESB, with message flows numbered 1 to 18]

Example of Security Policy
Consider a student in the Faculty of Science.
This student wants to borrow a book from the Faculty of Law.
The libraries of the different faculties are independent of each other.
The student must go through the librarian to borrow the book.
[Labels added to the text over slides 50 to 60: role, organization, action, object, user]

Example of the Library
Role: Student, Librarian, Professor
Organization: Science library, Law library
User: Person, Financial system
Actions: Actions involved in specifying the information system
Object: Book, Article, Member

Description of Security Policy
The security policy has two parts:
  Access permission data model (class diagram)
  Security workflow and data filtering (process expression)

Access Permissions
Construct the appropriate data model
  Traditional entity-relation model
  No particular restriction
More flexible than ORBAC

Access Permissions
[Class diagram: Organization, Action, User and Role, with the associations "plays" and "permission"]

Security Workflow and Filtering
A process algebra called EB3SEC is used
A request is of the form <user, role, organization, action>
User: the identifier of the user performing the action
Role: the role played by the user when performing the action
Organization: the organization in which the action is performed
Action: an EB3 action

Security Workflow
Any user having the role ‘librarian’ can perform, in any organization, the action Lend( _ , _ )
rule1() = < _ , librarian, _ , Lend( _ , _ ) >
For this particular case, redundant with access permissions
We could therefore also represent access permissions with process expressions.
Tabular format is more user-friendly.

Security Workflow
A book cannot be discarded without the consent of the professor who initially approved it.
Acquisitions or discards can only be made by a librarian.
rule2() = ||| bId: book: | pId: person:
    < pId , professor , _ , ApproveAcquire( bId ) > •
    < _ , librarian, _ , Acquire( bId ) > •
    < pId , professor , _ , ApproveDiscard( bId ) > •
    < _ , librarian, _ , Discard( bId ) >
Security Workflow
A loan must be returned to the branch where it was borrowed.
rule3() = ||| bId: BOOKID: ( | oid: organization:
< _ , _ ,oid, Lend( bId, _ ) > • < _ , _ ,oid, Return( bId, _ ) >
)*
Security Workflow
Security rules are applied indefinitely and in parallel fashion.
main() = rule1()* Ш rule2() Ш rule3()
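
The security kernel of these slides, run as a monitor over requests of the form <user, role, organization, action>. This Python is an added example, not code from the EB3SEC project or the APIS platform: it assumes the Ш operator makes rules synchronize on the actions they share, it denies any action that no rule mentions, and the users, the PLAYS and PERMISSION tables and all class and function names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    """<user, role, organization, action>; the action's book id is kept apart."""
    user: str
    role: str
    org: str
    action: str
    book: str

class Rule1:
    """rule1()*: a Lend is only accepted from the role librarian."""
    ALPHABET = {"Lend"}
    def accepts(self, r):
        return r.role == "librarian"
    def update(self, r):
        pass  # the rule keeps no state between iterations

class Rule2:
    """rule2, per book: ApproveAcquire(p) . Acquire . ApproveDiscard(p) . Discard."""
    STEPS = [("ApproveAcquire", "professor"), ("Acquire", "librarian"),
             ("ApproveDiscard", "professor"), ("Discard", "librarian")]
    ALPHABET = {"ApproveAcquire", "Acquire", "ApproveDiscard", "Discard"}
    def __init__(self):
        self.state = {}  # book -> (index of next step, professor who approved)
    def accepts(self, r):
        step, prof = self.state.get(r.book, (0, None))
        if step == len(self.STEPS) or (r.action, r.role) != self.STEPS[step]:
            return False
        # The discard must be approved by the same pId that approved the acquisition.
        return r.action != "ApproveDiscard" or r.user == prof
    def update(self, r):
        step, prof = self.state.get(r.book, (0, None))
        self.state[r.book] = (step + 1, r.user if step == 0 else prof)

class Rule3:
    """rule3, per book: (Lend at oid . Return at the same oid)*."""
    ALPHABET = {"Lend", "Return"}
    def __init__(self):
        self.lent_at = {}  # book -> organization of the open loan
    def accepts(self, r):
        if r.action == "Lend":
            return r.book not in self.lent_at
        return self.lent_at.get(r.book) == r.org
    def update(self, r):
        if r.action == "Lend":
            self.lent_at[r.book] = r.org
        else:
            del self.lent_at[r.book]

# Constructed sample data for the access-permission model (plays, permission).
PLAYS = {("paul", "student", "science"), ("lise", "librarian", "science"),
         ("anna", "librarian", "law"), ("marc", "professor", "law"),
         ("jean", "professor", "law")}
PERMISSION = {("librarian", a) for a in ("Lend", "Return", "Acquire", "Discard")} | {
    ("professor", "ApproveAcquire"), ("professor", "ApproveDiscard")}

class SecurityKernel:
    def __init__(self, plays, permission):
        self.plays, self.permission = plays, permission
        self.rules = [Rule1(), Rule2(), Rule3()]
    def authorization1(self, r):
        """Permissions: the user plays the role there and the role may do the action."""
        return ((r.user, r.role, r.org) in self.plays
                and (r.role, r.action) in self.permission)
    def authorization2(self, r):
        """Workflow (assumed reading of Ш): every rule naming the action must accept."""
        concerned = [rule for rule in self.rules if r.action in rule.ALPHABET]
        return bool(concerned) and all(rule.accepts(r) for rule in concerned)
    def submit(self, r, is_accepts=lambda r: True):
        if not (self.authorization1(r) and self.authorization2(r)):
            return "refused"            # answer goes straight back to the user
        if not is_accepts(r):
            return "rejected by IS"     # kernel state is left untouched
        for rule in self.rules:
            if r.action in rule.ALPHABET:
                rule.update(r)          # update only after the IS has accepted
        return "accepted"

TRACE = [  # constructed requests for one law-library book, b1
    Request("marc", "professor", "law", "ApproveAcquire", "b1"),
    Request("anna", "librarian", "law", "Acquire", "b1"),
    Request("paul", "student", "science", "Lend", "b1"),      # not a librarian
    Request("anna", "librarian", "law", "Lend", "b1"),
    Request("lise", "librarian", "science", "Return", "b1"),  # wrong branch
    Request("anna", "librarian", "law", "Return", "b1"),
    Request("jean", "professor", "law", "ApproveDiscard", "b1"),  # not the approver
    Request("anna", "librarian", "law", "Discard", "b1"),     # not yet approved
    Request("marc", "professor", "law", "ApproveDiscard", "b1"),
    Request("anna", "librarian", "law", "Discard", "b1"),
]

def run_trace(trace=TRACE):
    kernel = SecurityKernel(PLAYS, PERMISSION)
    return [kernel.submit(r) for r in trace]

if __name__ == "__main__":
    print(*zip(TRACE, run_trace()), sep="\n")
```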
Validation of Security Policy
Use of automated verification tools
Proof of ownership
Exhaustive run through all sequences of actions allowed by a policy
Implementation: APIS Platform

Conclusion
Possible to make security policies explicit
Separate security policy from application: evolution, validation
Increased desire of public to control access to their data

Contact Information
Marc Frappier
Département d'informatique
Université de Sherbrooke
Sherbrooke, Quebec, Canada J1K 2R1
Tel: +1 819-821-8000, Local 62096
Fax: +1 [email protected]
www.dmi.usherb.ca/~frappier