Business processes are valuable resources for enterprises to maintain their competitiveness. They are characterized by describing the set of activities that enterprises perform to reach their objectives. On the other hand, security is also an essential element in current competitiveness. Enterprises invest resources in keeping their assets protected and worry about maintaining their customers’ trust. In this way, aspects such as confidentiality, integrity, and availability are important in relation to enterprise activities. In this work, we will define business processes that incorporate the viewpoint of the business analyst regarding security. The result is a secure business process model that is used for software creation under a model-driven approach. In this work, we will show the main aspects of this proposal, taking into consideration a case study that allows us to show its applicability.
TopIntroduction
Current globalized enterprises must constantly evolve to maintain their competitiveness. The enterprise performance has been linked to the capability that each enterprise has to adapt itself to the changes that arise in the market. In this context, Business Processes (BP) have become valuable resources that have been used to maintain competitiveness. Business processes, defined as a set of procedures or activities which collectively pursue a business objective or policy goal (WfMC, 1999), are a good answer to the complexity of this environment, represented by the speed required by new products and the growing number of actors involved in the organization’s activities.
Another characteristic of the current competitive environment is the intensive use of communication and information technologies. This has let enterprises expand their businesses but it has increased their vulnerability. As a consequence of this, and with the increase in the list of vulnerabilities and sophisticated threats as well as in the number of attacks on systems, it is highly probable that sooner or later an intrusion may be successful (Quirchmayr, 2004).
Although the importance of business process security is widely accepted, until now the business analyst perspective in relation to security has hardly been dealt with. In the majority of cases, the identification of security requirements has been somewhat confused owing to the fact that, in general, there has been a tendency to identify functional security requirements. These types of requirements vary according to the type of application. On the other hand, security requirements do not vary at a high level of abstraction. The reason for this is that at this level the assessment and vulnerability of the assets is the same (Firesmith, 2004). Moreover, if we consider that empirical studies show that it is common at the business process level for customers and end users to be able to express their security needs (Lopez, Montenegro, Vivas, Okamoto, & Dawson, 2005), then it will be possible to obtain a high level of security requirements which are easily identifiable to those who model business processes. In addition, requirements specification usually results in a specification of the software system which should be as exact as possible (Artelsmair & Wagner, 2003), since effective business process models facilitate discussion among the different stakeholders in the business, allowing them to agree on the key fundamentals as well as to work towards common goals (Eriksson & Penker, 2001).
Concerning software engineering, at present, it is greatly influenced by the Model Driven Architecture (MDA) (Object Management Group, 2003), a new paradigm which claims to work at the model and metamodel level. Among the objectives pursued, we can find the separation between business-neutral descriptions and platform dependent implementations, the expression of specific aspects of a system under development with specialized domain-specific languages, the establishment of precise relations between these different languages within a global framework and, in particular, the capability to express operational transformations between them (Bézivin, 2004). The MDA approach is composed of the following perspectives: (i) the computation independent viewpoint (represented by the Computation Independent Model or CIM) which focuses on the environment of the system, (ii) the platform independent viewpoint (represented by the Platform Independent Model or PIM) which focuses on the operation of a system while hiding the details necessary for a particular platform, and (iii) the platform specific viewpoint (represented by the Platform Specific Model or PSM) which combines the platform independent viewpoint with an additional focus on the detail of the use of a specific platform by a system (Object Management Group, 2003). Because these models represent a different abstraction from the same system, an integration/transformation mechanism is required to establish how to go from one level (e.g. CIM) to another (e.g. PIM). Thus, transformations are a core element in the MDA. According to MDA, a transformation is the process of converting one model into another model belonging to the same system.