Return to search

A framework to enforce privacy in business processes

Service-oriented architectures (SOA), and in particular Web services, have quickly become a popular paradigm to develop distributed applications. Nowadays, more and more organizations shift their core business to the Web services platform within which various interactions between the autonomous services occur. One of the widely accepted standards in the Web services platform is Business Process Execution Lan- guage for Web Services (BPEL4WS, or BPEL for short). BPEL defines a language to integrate Web services by creating composite Web services in the form of business processes following the service orchestration paradigm, and it enables organizations to focus on core competence and mission-critical operations while outsource every- thing else to reduce costs and time to market. However BPEL is deficient in privacy issues. The facts are: (1) service requestors?? personal information is fundamental to enable business processes (e.g., the mortgage approval business process); (2) privacy concerns have become one of the most important issues in Information Technology and has received increasing at- tention from organizations, consumers and legislators; (3) most organizations have recognized that dealing correctly and honestly with customers?? privacy concerns can have beneficial returns for their businesses, not only in terms of being compliant with laws and regulations but also in terms of reputation and potential business op- portunities. If not addressed properly, privacy concerns may become an impediment to the widespread adoption of BPEL. Privacy issues have many aspects, the privacy concerns of potential service re- questor (i.e., client) and the privacy concerns of service provider (i.e., organization) are two of them. Service requestor specifies his/her privacy concerns as privacy preference, while service provider defines and publishes its privacy policy to specify its privacy promises. Before requestor accesses certain service, he/she likes to know whether the service provider will respect his/her privacy preference. Otherwise, the requestor may seek the desired service from somewhere else. On the other hand,even though most organizations publish their privacy promises, it will be more convincing if customers are assured that such privacy promises are actually kept within the organizations. In this thesis, we propose a privacy enforcement framework for business processes. In particular, we focus on those that are automated using BPEL. The framework consists of two parts. One focuses on the service requestors?? perspective of privacy, the other concentrates on the privacy concerns of the business process owner (i.e., the service provider). More specifically, the first part of the framework is based on description logic, and allows to represent privacy concepts and perform some rea- soning about these concepts. The reasoning engine will check requestor??s privacy preference against the service provider??s published privacy promises before the re- questor accesses the desired service. The second part of the framework facilitates the service provider to enforce its privacy policy within all its business processes throughout the life cycle of personal data. The privacy enforcement can be achieved step by step: privacy inspection, privacy verification and privacy obligation man- agement. The first step, privacy inspection, aims to identify which activity needs the involvement of what personal data. The second step, privacy verification, is to verify the correctness of designed BPEL business processes in terms of privacy. The third step is to enforce the privacy by managing the fulfillment of the obligation during the execution of business process. The privacy enforcement framework presented in the thesis has been implemented. The first part of the framework is implemented in the Privacy Match Engine prototype. For the second part of the framework, as different parts of the privacy policy need to be enforced at different stages of the life cycle of business processes, the implementation consists of a privacy verification tool and a privacy obligation management system.

Identiferoai:union.ndltd.org:ADTP/235136
Date January 2008
CreatorsLi, Yin Hua, Computer Science & Engineering, Faculty of Engineering, UNSW
PublisherPublisher:University of New South Wales. Computer Science & Engineering
Source SetsAustraliasian Digital Theses Program
LanguageEnglish
Detected LanguageEnglish
Rightshttp://unsworks.unsw.edu.au/copyright, http://unsworks.unsw.edu.au/copyright

Page generated in 0.0022 seconds