The Security Framework for Workflow Management Systems


Published on

2013-09-25@Department of Computer Science, University of Taipei

Dr. Hsiao Yu-Cheng
swanky.hsiao@gmail.com

Published in: Technology
Transcript of "The Security Framework for Workflow Management Systems"

  1. The Security Framework for Workflow Management Systems
     Dr. Hsiao Yu-Cheng, swanky.hsiao@gmail.com
     Department of Computer Science and Information Engineering, National Taiwan Normal University
  2. Outline
     • Introduction of Workflow Management Systems (WfMSs)
     • Challenges of WfMS in the Cloud
     • Our Solution
     • Implementation
     • Conclusion
  3. Introduction of Workflow Management Systems (WfMSs)
     • Definition:
       • Software systems that support coordination and cooperation among members of an organization whilst they perform complex business tasks.
     • Business tasks are modeled as workflow processes that are automated by the WfMS.
     • An activity is a logical step within a workflow, which includes the information about the starting and stopping conditions.
     • A person who participates in the execution of an activity is called a participant of that activity.
     • A workflow process instance represents a state of execution of a workflow process definition by the WfMS, and is usually controlled by the workflow engine.
  4. Types of Engine-based WfMSs
     • Centralized WfMS
       • Focuses on executing workflow processes within a single organization at one location in a single workflow engine.
     • Distributed WfMS
       • Establishes multiple workflow engines.
       • Balances the load among the workflow engines as the number of users increases.
       • Reduces the communication time between the participants in the activity and the workflow engines.
  5. Centralized WfMS
     • A workflow process is executed by a single workflow engine that communicates with all of the participants in the activity.
     [Figure: activities A1 to A6 and one workflow engine. Legend: start of workflow, end of workflow, activity, flow control edge, participant, workflow engine, process instance migration, user communication.]
  6. Distributed WfMS
     • Multiple workflow engines in different places.
     • Can be used to build up the cross-enterprise WfMS that controls the execution of cross-enterprise workflow processes.
     [Figure: activities A1 to A6 and workflow engines 1, 2 and 3, linked over public networks. Legend: start of workflow, end of workflow, activity, flow control edge, participant, workflow engine, process instance migration, user communication.]
  7. Outline (repeated): Introduction of Workflow Management Systems (WfMSs); Challenges of WfMS in the Cloud; Our Solution; Implementation; Conclusion
  8. Problems and Difficulties for Engine-based WfMS in the Cloud
     • Security
       • Authentication
         • Refers to reliably verifying the identity of the task execution agents.
       • Confidentiality
         • Refers to preventing unauthorized disclosure of information, including the workflow specification and the workflow instances during execution.
       • Seems ok.
  9. Problems and Difficulties for Engine-based WfMS in the Cloud (Cont’d)
     • Security
       • Data integrity
         • Refers to preventing unauthorized modification of information, again including the workflow specification as well as the data manipulated during the execution of a workflow instance.
       • Nonrepudiation
         • Refers to a state of affairs where the purported maker of a statement will not be able to successfully challenge the validity of the statement or contract.
       • Just guaranteed by SLA?
  10. Problems and Difficulties for Engine-based WfMS in the Cloud (Cont’d)
     • Scalability
       • Reasons for scalable WfMS in the Cloud
         • Participants are dynamic.
         • Multi-tenancy WfMS requirement.
       • How to store a huge amount of process instances?
         • Traditional way:
           • Store and manage process instances in a relational database.
         • What is the appropriate form of process instances?
  11. Problems and Difficulties for Engine-based WfMS in the Cloud (Cont’d)
     • Cross-Enterprise
       • Only when we can solve the security and scalability problem.
       • The process instances should guarantee nonrepudiation.
       • SLA seems not enough.
     • Other
       • Secured process instance migration
       • User control migration
       • Process instance replication in different clouds
       • User control replication
  12. Outline (repeated): Introduction of Workflow Management Systems (WfMSs); Challenges of WfMS in the Cloud; Our Solution; Implementation; Conclusion
  13. Our Solution – DRA4WfMS
     • Document Routing Architecture for WfMS (DRA4WfMS)
     • Engine-less WfMS
       • Supports a purely distributed operational model without needing a workflow engine to act as a trusted centralized point of coordination.
       • XML-based document-routing system.
     • Security framework
       • Implements the main required security features such as authentication, confidentiality, data integrity, and nonrepudiation.
       • Applies element-wise encryption and a cascade-based method to embed digital signatures.
     • Dynamic security policy
       • Manages and controls data access according to the dynamic behavior of workflow processes.
  14. Operational Models of DRA4WfMS
     • Basic operational model
       • Only supports authentication, confidentiality, data integrity, and nonrepudiation.
     • Advanced operational model
       • Also supports workflow monitoring.
  15. Basic operational model of the DRA4WfMS
     [Figure: activities A1, A2 and A3, each with an AEA (Activity Execution Agent), between Start and End. Labels: execution result of the activity; digital signature embedded by the workflow participant; workflow definition; digital signature embedded by the workflow designer; synchronous communication.]
  16. Advanced operational model of the DRA4WfMS
     [Figure: Start, activities A1, A2, …, their AEAs and the TFC Server (Timestamp and Flow-Control Server), with steps (1) and (2). Labels: execution result of the activity; digital signature embedded by the workflow participant; time stamp embedded by the timestamp server; workflow definition; digital signature embedded by the workflow designer; synchronous communication; secured initial DRA4WfMS document.]
  17. Architecture and XML-based syntax of a DRA4WfMS document
     Callouts on the listing: Header section; Application definition section; Unique process id; Workflow definition section; Security definition section; A digital signature; Activity execution result section.

         <?xml version="1.0"?>
         <DRA4WfMS:DRA4WfMS xmlns:DRA4WfMS="http://www.DRA4WfMS.org/2010">
           <UID Id="X1"/>
           <APDefinition Id="X2">
             <!--Workflow Definition section-->
             <WorkflowDefinition>
               <Participants>...</Participants>
               <Activities>...</Activities>
               <Transitions>...</Transitions>
             </WorkflowDefinition>
             <!--Security definition section-->
             <SecurityDefinition>
               <SignatureKeyIssuer C=".." S=".." L=".." O=".." OU=".." CN=".."/>
               <KeyDefinitions>...</KeyDefinitions>
               <AlgorithmDefinitions>...</AlgorithmDefinitions>
               <EncryptionDefinitions>...</EncryptionDefinitions>
             </SecurityDefinition>
             <Signature Id="Y"> ... </Signature>
           </APDefinition>
           <!--Activity execution result section-->
           <CERs>
             <CER Id="CER:Aid:Index"> ... </CER>
             ...
           </CERs>
         </DRA4WfMS:DRA4WfMS>
  18. Process instance of DRA4WfMS
     • Each process instance contains the execution results of previously executed activities.
       • Guarantees nonrepudiation.
     • Element-wise encryption.
       • Self-protected
       • Without requiring an access-control server.
  19. Applying DRA4WfMS in Cloud computing environment
     [Figure: the AEAs of A1 and A2 and the DRA4WfMS Cloud system (portal servers and the DRA4WfMS documents pool), with steps (1) to (6). Labels: A1 downloads the document from the portal servers; return the result document; stores it in the pool of DRA4WfMS documents.]
  20. Outline (repeated): Introduction of Workflow Management Systems (WfMSs); Challenges of WfMS in the Cloud; Our Solution; Implementation; Conclusion
  21. Implementation
     • DRA4WfMS API
       • Implemented in the Java programming language.
       • Ready for download
         • http://www.csie.ntnu.edu.tw/~ghhwang/DRA4WfMS/DRA4WfMS_EXAMPLES.zip
     • DRA4WfMS cloud system in the HBase database of Apache Hadoop
       • Stores process instances in HBase.
       • Provides the following operations:
         • Search DRA4WfMS documents
         • Retrieve a DRA4WfMS document
         • Store a DRA4WfMS document
         • Notify the subsequent participants
         • Perform workflow monitoring or statistical analyses
  22. Two workflow processes for conducting experiments
     [Figure: workflows (A) and (B), each starting from an initial document, with activities A, B1, B2, C and D, an AND-split and AND-join, and the conditions "Accept" and "Attachment is insufficient." Legend: start of workflow, end of workflow, activity, connection edge, condition, TFC Server.]
  23. Result parameters for the workflow shown in Fig. A
  24. Result parameters for the workflow shown in Fig. B
     • : Time required to decrypt and verify signatures in the AEA and TFC server (in seconds)
     • : Time required to encrypt and embed signatures in the AEA (in seconds)
     • : Time required to encrypt and embed signatures in the TFC server (in seconds)
     • : Size of the generated file (in bytes)
  25. Outline (repeated): Introduction of Workflow Management Systems (WfMSs); Challenges of WfMS in the Cloud; Our Solution; Implementation; Conclusion
  26. Conclusion
     • We propose a secured WfMS for the cloud computing environment.
     • Document Routing Architecture for WfMS (DRA4WfMS)
       • Does not require a workflow engine to control the execution of activities.
       • Avoids the security problems that may arise in engine-based distributed WfMSs.
     • Element-wise encryption and cascade-based method of embedding digital signatures
       • Make the DRA4WfMS document self-protected without requiring an access-control server.
       • Security requirements such as authentication, confidentiality, data integrity, and nonrepudiation do not need to rely on service-level agreements between users and cloud service providers.
     • Different enterprises or organizations can simultaneously use a single DRA4WfMS cloud system.
       • Easy to implement a cross-enterprise WfMS in the DRA4WfMS cloud system.
  27. THANK YOU!
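
The cascade of embedded signatures described on slides 13, 15 and 18, as an added Java example (not code from the slides and not the DRA4WfMS API). It assumes "cascade" means each participant's signature covers its own execution result plus the signature embedded just before it, starting from the designer's signature on the workflow definition; the class name, sample definition and results are constructed, and only a linear A1 → A2 path is modelled.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.List;
// Added illustration, not the DRA4WfMS API; assumes each signature also covers the one before it.
public class CascadeSignatureDemo {
    record Cer(String id, String result, PublicKey signer, byte[] sig) {}
    // Feeds SHA-256(text), then the previous signature; the fixed-length digest keeps the boundary unambiguous.
    static Signature feed(Signature s, String text, byte[] prevSig) throws GeneralSecurityException {
        s.update(MessageDigest.getInstance("SHA-256").digest(text.getBytes(StandardCharsets.UTF_8)));
        s.update(prevSig);
        return s;
    }
    static byte[] sign(PrivateKey key, String text, byte[] prevSig) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initSign(key);
        return feed(s, text, prevSig).sign();
    }
    static boolean verify(PublicKey key, byte[] sig, String text, byte[] prevSig) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initVerify(key);
        return feed(s, text, prevSig).verify(sig);
    }

    // Walks the chain: designer's signature over the definition, then every CER in routing order.
    static boolean verifyDocument(String def, PublicKey dk, byte[] defSig, List<Cer> cers) throws GeneralSecurityException {
        if (!verify(dk, defSig, def, new byte[0])) return false;
        byte[] prev = defSig;
        for (Cer c : cers) {
            if (!verify(c.signer(), c.sig(), c.id() + "\n" + c.result(), prev)) return false;
            prev = c.sig();
        }
        return true;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator g = KeyPairGenerator.getInstance("EC");
        g.initialize(256);
        KeyPair designer = g.generateKeyPair(), p1 = g.generateKeyPair(), p2 = g.generateKeyPair();
        String def = "<WorkflowDefinition>A1 -> A2</WorkflowDefinition>"; // constructed sample
        byte[] defSig = sign(designer.getPrivate(), def, new byte[0]);
        byte[] s1 = sign(p1.getPrivate(), "CER:A1:0\napproved", defSig);
        byte[] s2 = sign(p2.getPrivate(), "CER:A2:0\npaid", s1);
        Cer c1 = new Cer("CER:A1:0", "approved", p1.getPublic(), s1);
        Cer c2 = new Cer("CER:A2:0", "paid", p2.getPublic(), s2);
        Cer altered = new Cer("CER:A1:0", "rejected", p1.getPublic(), s1); // A1 result changed after signing
        System.out.println("intact chain: " + verifyDocument(def, designer.getPublic(), defSig, List.of(c1, c2)));
        System.out.println("altered A1:   " + verifyDocument(def, designer.getPublic(), defSig, List.of(altered, c2)));
        System.out.println("A1 removed:   " + verifyDocument(def, designer.getPublic(), defSig, List.of(c2)));
    }
}
```

Chaining alone does not reveal that trailing CERs were dropped, and the signer keys carried in `Cer` are a shortcut: a real verifier has to obtain each participant's key from a source it already trusts.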