Workflow management systems, their security and access control mechanisms

Chehrazi, Golriz

January 2007

<p>This paper gives an overview of workflow management systems (WfMSs) and their security requirements with focus on access mechanisms. It is a descriptive paper in which we examine the state of the art of workflow systems, describe what security risks affect WfMSs in particular, and how these can be diminiuished.</p><p>WfMSs manage, illustrate and support business processes. They contribute to the performance, automation and optimization of processes, which is important in the global economy today. The security of process flows is important, since the sensitive business data need to be protected to inhibit illegal activities, such as blackmailing, imitation and fraud and to provide for good customer service.</p><p>This paper focuses on access mechanisms, because they are basic security mechanisms used by WfMSs assuring that only authorized users are provided access to data and resources. Also because of the unsecurity of the Internet, which is commonly used as infrastructure of Workflow systems, additional security mechanisms, such as PKIs, digital signatures and SSL have to be used to provide secure workflows.</p><p>Depending on the particular requirements in workflow systems, different extensional access control (AC) mechanisms have been developed to maintain security. But when it comes to commercially used WfMSs, the availability of the system is of utmost importance. It is the prerequisite for the system to be employed by companies. The problem is that there is always a trade-off between availability of the system and security. Because this trade off is generally solved in favor of availability, a major part of the developed AC mechanisms are not used in commercially used WfMS.</p><p>After the first part of this paper which is rather theoretical, we examine a commercial WfMS, namely IBM's MQ Workflow , and its security mechanisms. We show vulnerabilities of the system that could be abused by attackers. Afterwards, we show which security mechanisms, in particular, AC mechanisms are provided to secure against threats. We conclude with a summary, which highlights the difference between security concepts developed in the research area and those really implemented by the commercially used WfMS.</p>

workflow management systems

access control mechanisms

Computer engineering

Datorteknik

Workflow management systems, their security and access control mechanisms

Chehrazi, Golriz

January 2007

This paper gives an overview of workflow management systems (WfMSs) and their security requirements with focus on access mechanisms. It is a descriptive paper in which we examine the state of the art of workflow systems, describe what security risks affect WfMSs in particular, and how these can be diminiuished. WfMSs manage, illustrate and support business processes. They contribute to the performance, automation and optimization of processes, which is important in the global economy today. The security of process flows is important, since the sensitive business data need to be protected to inhibit illegal activities, such as blackmailing, imitation and fraud and to provide for good customer service. This paper focuses on access mechanisms, because they are basic security mechanisms used by WfMSs assuring that only authorized users are provided access to data and resources. Also because of the unsecurity of the Internet, which is commonly used as infrastructure of Workflow systems, additional security mechanisms, such as PKIs, digital signatures and SSL have to be used to provide secure workflows. Depending on the particular requirements in workflow systems, different extensional access control (AC) mechanisms have been developed to maintain security. But when it comes to commercially used WfMSs, the availability of the system is of utmost importance. It is the prerequisite for the system to be employed by companies. The problem is that there is always a trade-off between availability of the system and security. Because this trade off is generally solved in favor of availability, a major part of the developed AC mechanisms are not used in commercially used WfMS. After the first part of this paper which is rather theoretical, we examine a commercial WfMS, namely IBM's MQ Workflow , and its security mechanisms. We show vulnerabilities of the system that could be abused by attackers. Afterwards, we show which security mechanisms, in particular, AC mechanisms are provided to secure against threats. We conclude with a summary, which highlights the difference between security concepts developed in the research area and those really implemented by the commercially used WfMS.

workflow management systems

access control mechanisms

Computer Engineering

Datorteknik

Improving the Security of Building Automation Systems Through an seL4-based Communication Framework

Habeeb, Richard

22 March 2018

Existing Building Automation Systems (BASs) and Building Automation Networks (BANs) have been shown to have serious cybersecurity problems. Due to the safety-critical and interconnected nature of building subsystems, local and network access control needs to be finer grained, taking into consideration the varying criticality of applications running on heterogeneous devices. In this paper, we present a secure communication framework for BASs that 1) enforces rich access control policy for operating system services and objects, leveraging a microkernel-based architecture; 2) supports fine-grained network access control on a per-process basis; 3) unifies the security control of inter-device and intra-device communication using proxy processes; 4) tunnels legacy insecure communication protocols (e.g., BACnet) through a secure channel, such as SSL, in a manner transparent to legacy applications. We implemented the framework on seL4, a formally verified microkernel. We conducted extensive experiments and analysis to compare the performance and effectiveness of our communication systems against a traditional Linux-based implementation of the same control scenario. Our experiments show that the communication performance of our system is faster or comparable to the Linux-based architecture in embedded systems.

Cyber Physical Systems

Cybersecurity of Smart Buildings

High-Assurance Systems

Microkernel

Access Control Mechanisms

Computer Sciences