• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
The Security Framework for Workflow Management Systems
 

The Security Framework for Workflow Management Systems

on

  • 217 views

2013-09-25@Department of Computer Science, University of Taipei

2013-09-25@Department of Computer Science, University of Taipei

Dr. Hsiao Yu-Cheng
swanky.hsiao@gmail.com

Statistics

Views

Total Views
217
Views on SlideShare
217
Embed Views
0

Actions

Likes
0
Downloads
5
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    The Security Framework for Workflow Management Systems The Security Framework for Workflow Management Systems Presentation Transcript

    • The Security Framework for Workflow management systems Dr. Hsiao Yu-Cheng swanky.hsiao@gmail.com Department of Computer Science and Information Engineering National Taiwan Normal University
    • Outlines Introduction of Workflow Management Systems (WfMSs) Challenges of WfMS in the Cloud Our Solution Implementation Conclusion 2
    • Introduction of Workflow Management Systems (WfMSs)  Definition:  Software systems that support coordination and cooperation among members of an organization whilst they perform complex business tasks.  Business tasks are modeled as workflow processes that are automated by the WfMS.  An activity is a logic step within a workflow, which includes the information about the starting and stopping conditions.  A person who participates in the execution of an activity is called a participant of that activity.  A workflow process instance represents a state of execution of a workflow process definition by the WfMS, and is usually controlled by the workflow engine. 3
    • Type of Engine-based WfMSs  Centralized WfMS  Focus on executing workflow processes within a single organization at one location in a single workflow engine.  Distributed WfMS  Establish multiple workflow engines  Balance the load among the workflow engines as the number of users increases.  Reduce the communication time between the participants in the activity and the workflow engines. 4
    • Centralized WfMS  A workflow process is executed by a single workflow engine that communicates with all of the participants in the activity. A1 A2 A3 A6A4 A5 Workflow engine Start of workflow End of workflow Activity Flow control edge Participant Workflow engine Process instance migration User communication 5
    • Distributed WfMS  Multiple workflow engines in different places.  Can be used to build up the cross-enterprise WfMS that controls the execution of cross-enterprise workflow processes. A1 A2 A3 A6A4 A5 Workflow engine 2 Workflow engine 3 Workflow engine 1 Start of workflow End of workflow Activity Flow control edge Participant Workflow engine Public network Public network Public network Process instance migration User communication 6
    • Outlines Introduction of Workflow Management Systems (WfMSs) Challenges of WfMS in the Cloud Our Solution Implementation Conclusion 7
    • Problems and Difficulties for Engine-based WfMS in the Cloud Security  Authentication  Refers to reliably verifying the identity of the task execution agents.  Confidentiality  Refers to unauthorized disclosure of information including the workflow specification, and the workflow instances during its execution.  Seems ok. 8
    • Problems and Difficulties for Engine-based WfMS in the Cloud (Cont’d)  Security  Data integrity  Refers to the unauthorized modification of information, again including the workflow specification as well as the data manipulated during the execution of a workflow instance.  Nonrepudiation  Refers to a state of affairs where the purported maker of a statement will not be able to successfully challenge the validity of the statement or contract.  Just guaranteed by SLA? 9
    • Problems and Difficulties for Engine-based WfMS in the Cloud (Cont’d)  Scalability  Reasons for scalable WfMS in the Cloud  Participants are dynamically.  Multi-tenancy WfMS requirement.  How to store huge amount of process instances?  Traditional way:  Store and manage process instances in relational database.  What is the appropriate form of process instances? 10
    • Problems and Difficulties for Engine-based WfMS in the Cloud (Cont’d)  Cross-Enterprise  Only when we can solve the security and scalability problem.  The process instances should guarantee nonrepudiation.  SLA seems not enough.  Other  Secured process instance migration  User control migration  Process instance replication in different clouds  User control replication 11
    • Outlines Introduction of Workflow Management Systems (WfMSs) Challenges of WfMS in the Cloud Our Solution Implementation Conclusion 12
    • Our Solution – DRA4WfMS  Document Routing Architecture for WfMS (DRA4WfMS)  Engine-less WfMS  Supports a purely distributed operational model without needing a workflow engine to act as a trusted centralized point of coordination.  XML-based document-routing system.  Security framework  Implements the main required security features such as authentication, confidentiality, data integrity, and nonrepudiation.  Applying element-wise encryption and a cascade-based method to embed digital signatures.  Dynamic security policy  Managing and controlling data accesses according to the dynamic behavior of workflow processes. 13
    • Operational Models of DRA4WfMS  Basic operational model  Only support authentication, confidentiality, data integrity, and nonrepudiation.  Advanced operational model  Also support workflow monitor. 14
    • Basic operational model of the DRA4WfMS 15 AEA (Activity Execution Agent) AEA AEA Start End Execution result of the activity Digital signature embedded by the workflow participant Workflow definition Digital signature embedded by the workflow designer Synchronous communication A1 A2 A3
    • Advanced operational model of the DRA4WfMS AEA AEA Start Execution result of the activity Digital signature embedded by the workflow participant Time stamp embedded by the timestamp server Workflow definition Digital signature embedded by the workflow designer (1) (2) TFC Server (Timestamp and Flow- Control Server) Synchronous communication Secured initial DRA4WfMS document TFC Server … A1 A2 16
    • Architecture and XML-based syntax of a DRA4WfMS document Header section Application definition section Unique process id Workflow definition section Security definition section A digital signature Activity execution result section 17 <?xml version="1.0"?> <DRA4WfMS:DRA4WfMS xmlns:DRA4WfMS="http://www.DRA4WfMS.org/2010"> <UID Id="X1"/> <APDefinition Id="X2"> <!--Workflow Definition section--> <WorkflowDefinition> <Participants>...</Participants> <Activities>...</Activities> <Transitions>...</Transitions> </WorkflowDefinition> <!--Security definition section--> <SecurityDefinition> <SignatureKeyIssuer C=".." S=".." L=".." O=".." OU=".." CN=".."/> <KeyDefinitions>...</KeyDefinitions> <AlgorithmDefinitions>...</AlgorithmDefinitions> <EncryptionDefinitions>...</EncryptionDefinitions> </SecurityDefinition> <Signature Id="Y"> ... </Signature > </APDefinition> <!--Activity execution result section--> <CERs> <CER Id="CER:Aid:Index"> ... </CER> ... </CERs> </DRA4WfMS:DRA4WfMS>
    • Process instance of DRA4WfMS  Each process instance contains the execution results of previous executed activities.  Guarantee nonrepudiation.  Element-wise encryption.  Self-protected  Without requiring an access-control server. 18
    • 19 Applying DRA4WfMS in Cloud computing environment A1 download the document from portal servers AEA A1 (1) (2) (3) (4) (5) DRA4WfMS documents pool DRA4WfMS Cloud system Portal servers …… (6) AEA A2 Return the result document Stores it in the pool of DRA4WfMS documents
    • Outlines Introduction of Workflow Management Systems (WfMSs) Challenges of WfMS in the Cloud Our Solution Implementation Conclusion 20
    • Implementation  DRA4WfMS API  Implemented by the Java programming language.  Ready for download  http://www.csie.ntnu.edu.tw/~ghhwang/DRA4WfMS/DRA4WfMS_EXAMPLES.zip  DRA4WfMS cloud system in the HBase database of Apache Hadoop  Store process instance in HBase.  Provide the following operations:  Search DRA4WfMS documents  Retrieve a DRA4WfMS document  Store a DRA4WfMS document  Notify the subsequent participants  Perform workflow monitoring or statistical analyses 21
    • Two workflow processes for conducting experiments Start of workflow End of workflow Activity Connection edge Condition TFC Server A B1 B2 C D Accept Attachment is insufficient. (A) A B1 B2 C D Accept (B) Attachment is insufficient . AND- split AND- join AND- split AND- join Initial document Initial document 22
    • Result parameters for the workflow shown in Fig. A 23
    • Result parameters for the workflow shown in Fig. B : Time required to decrypt and verify signatures in the AEA and TFC server (in seconds) : Time required to encrypt and embed signatures in the AEA (in seconds) : Time required to encrypt and embed signatures in the TFC server (in seconds) : Size of the generated file (in bytes) 24
    • Outlines Introduction of Workflow Management Systems (WfMSs) Challenges of WfMS in the Cloud Our Solution Implementation Conclusion 25
    • Conclusion  We propose a secured WfMS for the cloud computing environment.  Document Routing Architecture for WfMS (DRA4WfMS)  Does not require a workflow engine to control the execution of activities  Avoid the security problems that may arise in engine-based distributed WfMSs.  Element-wise encryption and Cascade-based method of embedding digital signatures  Make DRA4WfMS document self-protected without requiring an access-control server.  Security requirements such as authentication, confidentiality, data integrity, and nonrepudiation do not need to rely on service-level agreements between users and cloud service providers.  Different enterprises or organizations can simultaneously use a single DRA4WfMS cloud system.  Easy to implement a cross-enterprise WfMS in the DRA4WfMS cloud system. 26
    • THANK YOU! 27