DOI: 10.1145/3277570.3277588
research-article

Aligning Business Process Access Control Policies with Enterprise Architecture

Published: 15 November 2018

Abstract

Access control policies are a fundamental building block in meeting security and privacy requirements in organizations across business processes, enterprise architectures, and software architectures. The use of different models for business processes and for software makes eliciting and enforcing access control policies hard. Approaches such as enterprise architecture management target the complex mutual interdependencies between business and IT models but can be hard to apply. We suggest an approach that derives access control requirements from business processes and tests the compliance of software designs by data flow analysis. As a result, business processes and software designs are aligned with respect to access control requirements.
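
As an added illustration of the two steps the abstract describes (this is not the paper's own model, tooling or case study, and it is simplified relative to it): a small Python script derives a role-based policy from a constructed business process, where each activity names the role that performs it and the data objects it touches, then runs a fixpoint data flow analysis over a constructed component design, propagating data objects along connectors, and flags every component that ends up holding data its role was never granted by any activity. All roles, activities, components, connectors and data objects here are hypothetical.

```python
"""Derive an RBAC policy from a business process and check a component
design's data flows against it.  Constructed example, not the paper's code."""
from collections import defaultdict

# Constructed business process: (activity, performing role, data objects touched).
BUSINESS_PROCESS = [
    ("Receive order",   "Cashier", {"Order", "Customer"}),
    ("Process payment", "Cashier", {"Order", "PaymentCard"}),
    ("Approve refund",  "Manager", {"Order"}),
    ("Generate report", "Manager", {"Order"}),
]

# Constructed software design: the role each component executes under.
COMPONENT_ROLE = {
    "CashDeskUI": "Cashier",
    "OrderStore": "Cashier",
    "ReportingService": "Manager",
    "MarketingAnalytics": "Analyst",   # a role that appears in no activity
}

# Where data objects enter the design (hypothetical).
ORIGINATES = {"CashDeskUI": {"Order", "Customer", "PaymentCard"}}

# Connectors: (source, target, data objects forwarded; None = everything the source holds).
CONNECTORS = [
    ("CashDeskUI", "OrderStore", None),
    ("OrderStore", "ReportingService", None),          # forwards PaymentCard to a Manager component
    ("OrderStore", "MarketingAnalytics", {"Customer"}),
]

# Same design with the reporting connector restricted to what reports need.
FIXED_CONNECTORS = [
    ("CashDeskUI", "OrderStore", None),
    ("OrderStore", "ReportingService", {"Order"}),
    ("OrderStore", "MarketingAnalytics", {"Customer"}),
]


def derive_rbac_policy(process):
    """Role -> set of data objects: a role may access exactly the data its activities touch."""
    policy = defaultdict(set)
    for _activity, role, data in process:
        policy[role] |= data
    return dict(policy)


def propagate(originates, connectors, components):
    """Fixpoint data flow analysis: which data objects reach which component."""
    holds = {comp: set() for comp in components}
    for comp, data in originates.items():
        holds[comp] |= data
    changed = True
    while changed:            # iterate until no connector adds new data (also terminates on cycles)
        changed = False
        for src, dst, allowed in connectors:
            forwarded = holds[src] if allowed is None else holds[src] & allowed
            new = forwarded - holds[dst]
            if new:
                holds[dst] |= new
                changed = True
    return holds


def check_compliance(policy, component_role, holds):
    """Components holding data their role may not access, as sorted (component, role, data)."""
    violations = []
    for comp in sorted(holds):
        role = component_role[comp]
        for data in sorted(holds[comp] - policy.get(role, set())):
            violations.append((comp, role, data))
    return violations


def audit(connectors):
    """Run both steps end to end for one connector configuration."""
    policy = derive_rbac_policy(BUSINESS_PROCESS)
    holds = propagate(ORIGINATES, connectors, COMPONENT_ROLE)
    return check_compliance(policy, COMPONENT_ROLE, holds)


if __name__ == "__main__":
    for label, conns in (("as designed", CONNECTORS), ("after fix", FIXED_CONNECTORS)):
        violations = audit(conns)
        print(f"{label}: {len(violations)} violation(s)")
        for comp, role, data in violations:
            print(f"  {comp} runs as {role}, which may not access {data}")
```

Two kinds of finding come out of the unfixed design: a role that the business process never mentions at all (the analytics component) and a legitimate role receiving more than its activities justify, because an unfiltered connector forwards everything upstream holds. Narrowing the connector fixes the second without touching the policy, which is the point of checking the design rather than only the role assignments.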


Published In

CECC 2018: Proceedings of the Central European Cybersecurity Conference 2018
November 2018
109 pages
ISBN:9781450365154
DOI:10.1145/3277570
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

In-Cooperation

  • University of Maribor

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. business process
  2. enterprise architecture
  3. role-based access control

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Funding Sources

  • https://data.crossref.org/fundingdata/funder/10.13039/501100006604

Conference

CECC 2018: Central European Cybersecurity Conference 2018
November 15 - 16, 2018
Ljubljana, Slovenia

Acceptance Rates

CECC 2018 paper acceptance rate: 19 of 30 submissions (63%)
Overall acceptance rate: 38 of 65 submissions (58%)
