SecBPMN2. OIS 2017 Marco Robol

Transcription

1 SecBPMN2 OIS 2017 Marco Robol 1

2 Security and Organizational Information Systems Security is a central activity for todays organizations Security breaches cause millions of dollars of losses Secure Organizational Information Systems Security by design Social aspects 2

3 From Secure Software Systems to Secure Business Processes Secure software design Security requirements Non-Functional requirements The CIA triad of security requirements Secure Business Processes (BP) Social aspects How to engineer secure BP? SecBPMN2.0 3

4 Business Processes (BP) Specify how objectives are achieved Set of linked activities that take an input and create an output Target: For instructions to actors For organizational purposes Select a tutorial room Reach the room Listen to the tutorial 4

5 Social aspects in Business Processes Interactions among actors and with external services e.g., how the pilots interact with the control tower; e.g., how the visa is checked. 5

6 Processes could became very complex Multiple components: Autonomous Heterogeneous Mutually interdependent Evolve to adapt to unforeseen changes of the environment New laws/regulations Change of requirements 6

7 Why Business Processes and Security? Security aspects at business processes level Permits to use a level of detail nearer to development Some business process specification can be directly executed (BPEL) Large amount of assets to protect Information: pilots social security number, flight plan, etc. Other assets: e.g., meteo service, luggage management service, etc. How to guarantee their protection? How to represent security concepts in business processes? How to represent security constraints in business process? How to guarantee security at every evolution step? 7

8 SecBPMN2 BPMN 2.0 Security annotations (SecBPMN-ml) Security policies (SecBPMN-Q) Verification BPMN 2.0 Security annotations Security policies Automated reasoning tool SecBPMN2-ml Modelling BPs and security concepts Complies? SecBPMN2-Q Modelling security policies 8

9 BPMN 2.0 9

10 BPMN 2.0 Rich standard for modelling business processes Released in 2011 Well known and widely used 10

11 BPMN 2.0 basic elements Task: an atomic activity 11

12 BPMN 2.0 basic elements Sequence flow: is used to show the order of tasks in a process 12

13 BPMN 2.0 basic elements Event: is something that happens during the course of a process 13

14 BPMN 2.0 basic elements Participant: represents a specific entity (e.g., Control tower) and/or a more general Role (e.g., a Pilot, or Co-pilot). 14

15 BPMN 2.0 basic elements Data objects: represent a singular object or a collection of objects Data associations: are used to move data between data objects and tasks. 15

16 BPMN 2.0 basic elements Gateways: are used to control how sequence flows interact as they converge and diverge within a process. Parallel gateway: is used to create parallel flows and to synchronize (combine) parallel flows 16

17 BPMN 2.0 basic elements Exclusive gateway: is used to create alternative paths within a process flow 17

18 BPMN 2.0 Message flows Message flows: is used to show the communication between two participants. Message: represents the content of a communication between two participants. 18

19 SecBPMN2-ml 19

20 SecBPMN2-ml BPMN security annotations 11 security annotations Formalization 20

21 SecBPMN2 Security annotations Accountability Auditability Authenticity Availability Confidentiality An ability of a system to hold users responsible for their actions (e.g. misuse of information). An ability of a system to conduct persistent, non-by passable monitoring of all actions performed by humans or machines within the system. An ability of a system to verify identity and establish trust in a third party and in information it provides. A system should ensure that all system s components are available and operational when they are required by authorised users. A system should ensure that only authorised users access information. Integrity Non-Repudiation Privacy Bind of duties Separation of duties Non-Delegation A system should ensure completeness, accuracy and absence of unauthorised modifications in all its components. The ability of a system to prove (with legal validity) occurrence/nonoccurrence of an event or participation/non-participation of a party in an event. A system should obey privacy legislation and it should enable individuals to control, where feasible, their personal information (user-involvement). The same actor should be responsible for the completion of a set of related tasks Two or more different actor should be responsible for the completion of a task or set of related tasks A set of actions should be executed only by the actor assigned. 21

22 SecBPMN2 Security annotations 1/3 Accountability Auditability Authenticity Accountability Availability Confidentiality Auditability Integrity Non-Repudiation Privacy Authenticity Bind of duties Separation of duties Non-Delegation An ability of a system to hold users responsible for their actions (e.g. misuse of information). An ability of a system to conduct persistent, non-by passable monitoring of all actions performed by humans or machines within the system. An ability of a system to verify identity and establish trust in a third party and in information it provides. An ability of a system to hold users responsible for their actions (e.g. misuse of information). A system should ensure that all system s components are available and operational when they are required by authorised users. A system should ensure that only authorised users access information. An ability of a system to conduct persistent, non-by passable monitoring of all actions performed by humans or machines within the system. A system should ensure completeness, accuracy and absence of unauthorised modifications in all its components. The ability of a system to prove (with legal validity) occurrence/nonoccurrence of an event or participation/non-participation of a party in an event. A system should obey privacy legislation and it should enable individuals to control, where feasible, their personal information (user-involvement). An ability of a system to verify identity and establish trust in a third party and in information it provides. The same actor should be responsible for the completion of a set of related tasks Two or more different actor should be responsible for the completion of a task or set of related tasks A set of actions should be executed only by the actor assigned. 22

23 Accoutability Accountability An ability of a system to hold users responsible for their actions (e.g. misuse of information). Linked to Activities Security properties Enforced by Monitored 23

24 Auditability Auditability An ability of a system to conduct persistent, nonby passable monitoring of all actions performed by humans or machines within the system. Linked to Activities Data objects Message flows Security properties Enforced by Frequency 24

25 Authenticity Authenticity An ability of a system to verify identity and establish trust in a third party and in information it provides. Linked to Activities Data objects Security properties Enforced by Identification needed Auth needed Trust value 25

26 SecBPMN2 Security annotations 2/3 Accountability Availability Auditability Authenticity Availability Confidentiality Confidentiality Integrity Integrity An ability of a system to hold users responsible for their actions (e.g. misuse of information). An ability of a system to conduct persistent, non-by passable monitoring of all actions performed by humans or machines within the system. An ability of a system to verify identity and establish trust in a third party and in information it provides. A system should ensure that all system s components are available and operational A when system they are required should by authorised ensure users. that only A system should ensure that only authorised users access information. A system should ensure completeness, accuracy and absence of unauthorised modifications in all its components. Non-Repudiation The ability of a system to prove (with legal validity) occurrence/nonoccurrence modifications of an event or participation/non-participation in all its components. of a party in an event. Non-Repudiation Privacy A system should The obey ability privacy of legislation a system and it should to enable prove individuals (with to control, where feasible, their personal information (user-involvement). Bind of duties Separation of duties Non-Delegation A system should ensure that all system s components are available and operational when they are required by authorised users. authorised users access information. A system should ensure completeness, accuracy and absence of unauthorised legal validity) occurrence/nonoccurrence of an event or participation/non-participation of a party in an event. The same actor should be responsible for the completion of a set of related tasks Two or more different actor should be responsible for the completion of a task or set of related tasks A set of actions should be executed only by the actor assigned. 26

27 Availability Availability A system should ensure that all system s components are available and operational when they are required by authorised users. Linked to Activities Data objects Message flows Security properties Enforced by Level of availability Authorized users 27

28 Confidentiality Confidentiality A system should ensure that only authorised users access information. Linked to Message flows Data objects Security properties Enforced by Readers Writers 28

29 Integrity Integrity A system should ensure completeness, accuracy and absence of unauthorised modifications in all its components. Linked to Message flows Data objects Activities Security properties Enforced by Personnel Hardware Software 29

30 Non-Repudiation Non-Repudiation Linked to Message flows Activities Security properties Enforced by Execution The ability of a system to prove (with legal validity) occurrence/non- occurrence of an event or participation/non-participation of a party in an event. 30

31 SecBPMN2 Security annotations 3/3 Accountability Privacy Auditability Authenticity Availability Bind of duties Confidentiality Integrity Separation of duties Non-Repudiation Privacy Non-Delegation Bind of duties Separation of duties Non-Delegation An ability of a system to hold users responsible for their actions (e.g. misuse of information). A system should obey privacy legislation and it should enable individuals to control, where feasible, their personal information (user-involvement). An ability of a system to conduct persistent, non-by passable monitoring of all actions performed by humans or machines within the system. An ability of a system to verify identity and establish trust in a third party and in information it provides. A system should ensure that all system s components are available and operational when they are required by authorised users. The same actor should be responsible for the completion of a set of related tasks A system should ensure that only authorised users access information. Two or more different actor should be responsible for the completion of a task or set of related tasks A system should ensure completeness, accuracy and absence of unauthorised modifications in all its components. The ability of a system to prove (with legal validity) occurrence/nonoccurrence of an event or participation/non-participation of a party in an event. A system should obey privacy legislation and it should enable individuals to control, where feasible, their personal information (user-involvement). A set of actions should be executed only by the actor assigned. The same actor should be responsible for the completion of a set of related tasks Two or more different actor should be responsible for the completion of a task or set of related tasks A set of actions should be executed only by the actor assigned. 31

32 Privacy Privacy A system should obey privacy legislation and it should enable individuals to control, where feasible, their personal information (userinvolvement). Linked to Activities Data Objects Security properties Enforced by Sensitive info 32

33 Bind-of-duties Bind of duties The same actor should be responsible for the completion of a set of related tasks Linked to Pool Security properties Enforced by Dynamic 33

34 Separation-of-duties Separation of duties Two or more different actor should be responsible for the completion of a task or set of related tasks Linked to Pool Security properties Enforced by Dynamic 34

35 Non-delegation Non-Delegation A set of actions should be executed only by the actor assigned. Linked to Activities Security properties Enforced by 35

36 SecBPMN2-ml Pilots Captain Co-pilot Start1 Analyze request take-off No Errors? Generate request take-off Yes Report errors Request take-off Add personal data Communicate personal data Add captain's personal data Send request take-off End1 Store response Request Rejection Authorization Tower control operator Start2 Analyze request take-off Wait request Yes No Errors? Examine captain data Examine copilot data No Errors? Yes Send rejection Send authorization End2 Legend Activity Start End Intermediate Exclusive gateway Message Parallel gateway Data object Sequence flow Message flow Data association Swimlane Pool Pool Non-delegation Separation of duties Bind of duties 36

37 SecBPMN2-Q 37

38 SecBPMN2-Q A modeling language Security constraints for SecBPMN2 processes Security constraints expressed as policies Pattern/Antipattern matching Check for security annotation 38

39 SecBPMN2-Q Extend BPMN 2.0 with three new relations Walk, Negative walk, Negative flow 39

40 Formalization Formally define abstract syntax Implemented in K, executed in DVL K Definition 1 (BPMN 2.0 Business Process). A BPMN 2.0 business process is a tuple (A, E, G, D, P, controlflow, dataassociation, executor) where: (a) A is a finite set of activities, (b) E E s [ E e [ E i is a finite set of events, E s \ E e \ E i = ;, (c) G is a finite set of gateways, (d) D is a finite set of data objects, (e) P P pool [ P swimlane is a finite set of participants,p pool \ P swimlane = ;, (f) controlflow (A [ G [ E\E s ) (A [ G [ E\E e ) is the control flow association, (g) dataassociation D A {input, output} is the data association, (h) executor P (A [ E [ G) is the executor association. to the activity Analize request take-off. 1 fluents : 2 controlflow (T1,T2) requires activity (T1), activity (T1). 3 messageflow(t1,t2,m) requires activity (T1), activity (T1), message(m). 4 initially : 5 controlflow (add captain personal data, send request take off ). 6 messageflow(send request take off, analyze request take off, request ). 7 nondel ( analyze request take off ). Listing 1: A K specification of part of the SecBPMN2-ml business process in Fig. 2 1 goal : 2 executed ( analyze request take off, tower control operator ), 3 executed ( store response, A), 4 sent (X, store response, authorization ), 5 nondel ( analyze request take off ). 6 path1 7? (10). 8 caused path1_1 after exec ( analyze request take off ). 9 caused path1 after exec (X), path1_1. Listing 2: Example of a K goal generated from Fig. 3 40

41 Security policies Pattern matching: check a given sequence of task for the presence of the constituents of some pattern in BPs. 41

42 Security policies Pattern/Antipattern: check the presence/absence of the pattern in all business processes. 42

43 Security policies Security annotations: search for an element with the same type with the same label with the same annotation linked 43

44 Security wild card: search for any element with the same type and any label 44

45 Security policies Walk relation: search for any walk between two tasks 45

46 Security policies Confidentiality 46

47 Security policies Integrity 47

48 Security policies 48

49 Verification of security policies Automated verification Checks all security policies against all business processes 49

50 Example of a query result 50

51 Limitations BPMN 2.0 not fully covered Fixed set of security annotations Security policy verification not immediate to understand The set of supported security annotations cannot be extended by the end-user BPMN 2.0 is very rich and complex by himself 51

52 For the next time Bring your own pc Download and install STS-tool And install also the SecBPMN2 plugin directly from the marketplace that comes within STS-tool 52

53 Thank you 53

54 Ackgnowledge Original slides by Mattia Salnitri 54