Similar literature
20 similar documents found (search time: 31 ms)
1.
Service Oriented Architecture (SOA) is considered to be an important enabler of Internet of Services. By adopting SOA in development, business services can be offered, mediated, and traded as web services, so as to support agile and dynamic business collaborations on the Internet. Business collaboration is often implemented as cross-enterprise processes and involves more than one business entity which agrees to join the collaboration. To enable trustworthy and secure provision of services and service composition across enterprise boundaries, trust between business participants must be established, that is, user identities and access rights must be federated, to support business functions defined in the business processes. This paper proposes an approach which derives trust federation from formally described business process models, such as BPMN and WS-CDL processes, to automate security configuration of business collaborations. The result of the derivation is trust policies which identify trust relationships between business participants and can be enforced in enterprises’ service runtimes with support of a policy deployment infrastructure.

2.
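Research on a Service-Oriented Workflow Access Control Model   Total citations: 6, self-citations: 0, cited by others: 6
With the globalization of enterprises and the growth of business alliances and divestitures, enterprise organizational structures have become more dynamic and business processes change frequently, all of which increases the complexity of workflow access control. To address this problem, a service-oriented workflow access control model, the SOWAC model, is proposed from the perspective of separating the workflow access control model from the process model. A service is the abstract execution of a process task and the basic unit on which access control is enforced; access control on services replaces access control on process tasks. The components of the SOWAC model and an implementation example are described, a dynamic separation-of-duty constraint method based on service authorization history is proposed, and a practical application of the SOWAC model in a workflow system is given.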

3.
Virtual organizations (VO) temporarily aggregate resources of different domains to achieve a common goal. Web services are being positioned as the technological framework for achieving this aggregation in the context of cross-organizational business applications. Numerous architectures have been proposed for securing VOs, mostly for scientific research, such that they do not address all the requirements of business-oriented applications. This paper describes these additional requirements and proposes a novel architecture and approach to managing VO access control policies. Business users can focus on designing business processes, exposing web services and managing their VO partnerships, while the architecture supports and secures the web service interactions involved.

4.
Coordinating multiple agents for workflow-oriented process orchestration   Total citations: 1, self-citations: 0, cited by others: 1
Distributed component-based services and semantic web services are promising technologies for next generation inter-enterprise integration. The dynamic nature of this domain presents a complex problem for tools that intend to support this cross-organizational integration. However, the autonomy and adaptation of software agents represent a viable solution for the composition and enactment of cross-organizational services. Currently, there are few studies that measure the impact of the dynamic environmental effects on service composition. On an on-going basis, composite services or workflow processes of web services may be constantly changing in terms of responsiveness of services, accessibility of services and their meta-information, business process schema changes, etc. These conditions impact what interactions a team of agents must undergo to achieve a specific process derived of composite web services. This paper describes an approach, model, and supporting software toward the efficient design of interaction protocols for coordinating agent teams in the business process orchestration domain. This approach considers several environmental conditions related to the dynamism of the Internet.

5.
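Research on Cross-Organizational Workflow Modeling Based on Pi-Calculus   Total citations: 1, self-citations: 0, cited by others: 1
Traditional workflow modeling methods are mainly used to describe intra-organizational processes and therefore struggle to describe the new characteristics of cross-organizational workflows: process orientation, composition, abstraction, and communication and cooperation among multiple autonomous systems. To address this problem, a Pi-calculus-based method for modeling cross-organizational workflows is proposed. Using the concurrency operators of the Pi-calculus, a cross-organizational business process is modeled as a composition of a set of autonomous, concurrently executing intra-organizational subprocesses, and each subprocess is modeled as a composition of the organization's local process definition and inter-organizational control constraints. Based on the weak bisimulation theory of the Pi-calculus, the equivalence of the external behavior of two cross-organizational subprocesses is verified, which helps in deriving external abstractions of an organization's private processes. A cross-organizational workflow model built with this method establishes a loosely coupled relationship among subprocesses and suits dynamic cross-organizational environments; being based on a rigorous formal method, it is also easy to analyze and verify.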

6.
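In an SOA environment, the distributed nature of user management, the dynamic nature of business collaboration, and the openness of services pose significant security challenges for cryptographic services. This article establishes a security framework that defines a complete set of security services and interfaces, meets the particular requirements of secure access, access control, and secure sharing for cryptographic services, and provides security assurance for SOA-oriented cryptographic services.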

7.
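As enterprise informatization advances, the number of enterprise business systems keeps growing. Systems added over time often use different implementation technologies and security policies, and each maintains its own independent authentication and authorization system, which easily leads to "information silos". To eliminate this isolation of system access control, single sign-on (Single Sign-On) systems based on unified authentication emerged. However, existing single sign-on models have many shortcomings in security, extensibility, maintainability, and other respects. Based on the Security Assertion Markup Language (SAML), this paper designs a unified-authentication single sign-on framework that is highly secure, interoperable, and loosely coupled; it mainly comprises identity provider filter and service provider filter modules, a single sign-on interaction protocol, and security assurance mechanisms.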

8.
Objective: We want to support enterprise service modelling and generation using a more end user-friendly metaphor than current approaches, which fail to scale to large organisations with key issues of “cobweb” and “labyrinth” problems and large numbers of hidden dependencies. Method: We present and evaluate an integrated visual approach for business process modelling using a novel tree-based overlay structure that effectively mitigates complexity problems. A tree-overlay based visual notation (EML) and its integrated support environment (MaramaEML) supplement and integrate with existing solutions. Complex business architectures are represented as service trees and business processes are modelled as process overlay sequences on the service trees. Results: MaramaEML integrates EML and BPMN to provide complementary, high-level business service modelling and supports automatic BPEL code generation from the graphical representations to realise web services implementing the specified processes. It facilitates generated service validation using an integrated LTSA checker and provides a distortion-based fisheye and zooming function to enhance complex diagram navigation. Evaluations of EML show its effectiveness. Conclusions: We have successfully developed and evaluated a novel tree-based metaphor for business process modelling and enterprise service generation. Practice implications: a more user-friendly modelling approach and support tool for business end users.

9.
As organizations operate under a highly dynamic business world, they can only survive by optimizing their business processes (BPs) and outsourcing complementary functionality to their core business. To this end, they adopt service-orientation as the underlying mechanism enabling BP optimization and evolution. BPs are now seen as business services (BSs) that span organization boundaries and ought to satisfy cross-organizational objectives. As such, various BS design approaches have been proposed. However, these approaches cannot re-use existing business and software services (SSs) to realize the required BS functionality. Moreover, non-functional requirements and their impact on BS design are not considered. This research gap is covered by a novel, goal-oriented method able to discover those BS and SS compositions fulfilling the required BS functional and non-functional goals at both the business and IT level. This method coherently integrates the design steps involved and properly handles the lack of required BS components. It also advances the state-of-the-art in service composition by being able to both select the best composition plan and the best services realizing the plan tasks based on novel plan and service selection criteria.

10.
Supply chains, dynamic alliances, e-business, extended enterprises, and virtual organizations are typical networked enterprises which are formed based on partner companies’ core competencies. Different partners have different infrastructures; the interoperability among heterogeneous systems is the solid foundation for the networked enterprise to work seamlessly and effectively. Due to the distributed and heterogeneous characteristics of different partner companies, it is a big challenge to implement a satisfying and cost effective solution in the networked enterprise. Aiming at the problems of system integration and cross-system interoperability, Service-Oriented Architecture (SOA) provides a new integration pattern and relative system infrastructure. The key for the development and implementation of SOA is services encapsulation and orchestration of applications through certain mechanism to operate a complex business. However, cross infrastructures services access protection and relative services orchestration are still the bottleneck for the SOA implementation. This paper develops a business processes oriented heterogeneous systems integration platform with relative methodology for networked enterprises integration. The platform is a space distributed and management centralized platform for networked enterprises. The service access agent (SAA) mechanism is developed to realize cross-domains identity authentication, service authorization, and information transmission security. Every Web service or SAA in the platform has a unique ID. The interoperating process only relies on IDs, which endows the platform with a loose coupling feature. Aiming at service orchestration, a graphic service process modelling method is developed, with which the developed process model can link atom Web services and form a complex service. The Java based service orchestration tool provides an ESB (Enterprise Service Bus) independent service orchestration and deployment. Those services that are results of orchestration can be orchestrated as an atom service in another orchestrating process. Thus, the platform can support orchestration decomposition. The structure approach of the business process modelling based platform implementation is developed, which provides a guideline for platform installation, services modelling, service encapsulation, service orchestration, and service deployment. Two cases are provided to illustrate the usage of the platform in industries. The development of this platform is an open source project.

11.
In today’s dynamic business environments, organizations are under pressure to modernize their existing software systems in order to respond to changing business demands. Service oriented architectures provide a composition framework to create new business functionalities from autonomous building blocks called services, enabling organizations to quickly adapt to changing conditions and requirements. Characteristics of services offer the promise of leveraging the value of enterprise systems through source code reuse. In this respect, existing system components can be used as the foundation of newly created services. However, one problem to overcome is the lack of business semantics to support the reuse of existing source code. Without sufficient semantic knowledge about the code in the context of business functionality, it would be impossible to utilize source code components in services development. In this paper, we present an automated approach to enrich source code components with business semantics. Our approach is based on the idea that the gap between the two ends of an enterprise system—(1) services as processes and (2) source code—can be bridged via similarity of data definitions used in both ends. We evaluate our approach in the framework of a commercial enterprise systems application. Initial results indicate that the proposed approach is useful for annotating source code components with business specific knowledge.

12.
A Trust-Based Context-Aware Access Control Model for Web-Services   Total citations: 2, self-citations: 0, cited by others: 2
A key challenge in Web services security is the design of effective access control schemes that can adequately meet the unique security challenges posed by the Web services paradigm. Despite the recent advances in Web based access control approaches applicable to Web services, there remain issues that impede the development of effective access control models for Web services environment. Amongst them are the lack of context-aware models for access control, and reliance on identity or capability-based access control schemes. Additionally, the unique service access control features required in Web services technology are not captured in existing schemes. In this paper, we motivate the design of an access control scheme that addresses these issues, and propose an extended, trust-enhanced version of our XML-based Role Based Access Control (X-RBAC) framework that incorporates trust and context into access control. We outline the configuration mechanism needed to apply our model to the Web services environment, and provide a service access control specification. The paper presents an example service access policy composed using our framework, and also describes the implementation architecture for the system. This is an extended version of the paper that has been presented at the 3rd International Conference on Web Services (ICWS), San Diego, 6–9 July 2004. Recommended by: Athman Bouguettaya and Boualem Benatallah

13.
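With the development and widespread adoption of SOA technology, the security of SOA-based Web services has become an increasingly prominent problem, especially authentication between different services inside an enterprise, where service-to-service access usually carries very high privileges. A solution for secure service-to-service authentication based on the OAuth2 protocol can greatly improve the security of communication between services.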

14.
Today businesses are interacting and collaborating more often in the context of a business value chain involving a variety of partners to deliver products and services. Business to business (B2B) connectivity, Enterprise Application Integration (EAI) and general business collaboration processes are becoming more critical in operating and managing efficient enterprises. The required level of inter and intra enterprise integration is generally a large undertaking and involves substantial development and customization efforts. In this paper, we propose an adaptive integration activity management approach based on web services technologies to reduce code changes associated with business process integration in a distributed collaboration environment. Specifically, we present a concept of activity chain to capture non-deterministic process flows as well as deterministic process flows in a uniform manner. Then an Activity Ontology is introduced to capture the integration requirements that include adaptation behaviors, action properties, business rules, and access control policy references. The unique ontology representation and management of the integration activities provides a uniform way to integrate additional internal and external business applications to reduce the need for pre-defined and hard-wired integration methods and to minimize code changes to existing components in an existing business collaboration and integration (B2B/EAI) infrastructure. In addition, a Petri-Net modeling exercise of the proposed integration activity management is performed to help better understand the actual system and improve the system design beforehand.

15.
16.
There are many security issues in cloud computing service environments, including virtualization, distributed big-data processing, serviceability, traffic management, application security, access control, authentication, and cryptography, among others. In particular, data access using various resources requires an authentication and access control model for integrated management and control in cloud computing environments. Cloud computing services are differentiated according to security policies because of differences in the permitted access right between service providers and users. RBAC (Role-based access control) and C-RBAC (Context-aware RBAC) models do not suggest effective and practical solutions for managers and users based on dynamic access control methods, suggesting a need for a new model of dynamic access control that can address the limitations of cloud computing characteristics. This paper proposes Onto-ACM (ontology-based access control model), a semantic analysis model that can address the difference in the permitted access control between service providers and users. The proposed model is a model of intelligent context-aware access for proactively applying the access level of resource access based on ontology reasoning and semantic analysis method.

17.
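Conventional information security access control mechanisms are static and rarely change over time, whereas access to enterprise resources changes dynamically over time, so access control for enterprise resources also needs to change dynamically. This paper proposes a dynamic resource access control mechanism based on state-transition control, and explains how to make the access mechanism change dynamically with the workflow, assigning access permissions according to the workflow's state. A comparison of static and dynamic access control mechanisms shows that dynamic permissions require a smaller permission assignment than the static mechanism, which satisfies the information security principle of least privilege.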

18.
Nowadays, network operators and educational and research communities are extending the access to their Internet application services to external end users by deploying, with other domains, the so-called identity federations. In these federations, end users use the identity and authentication credentials registered in their home organizations for accessing resources managed by a remote service provider. However, current identity federation solutions focus mainly on assisting network access and web services, while a significant number of services are left aside (e.g., SSH, FTP, Jabber, etc.). Taking advantage of the widespread adoption of Kerberos by current application services, this paper presents a solution to provide federated access to any kind of application service by using existing Authentication, Authorization and Accounting (AAA) infrastructures. The solution bootstraps a security association in the service provider, which enables the acquisition of a Kerberos credential to access the service. To link the end user authentication with the AAA infrastructure and the bootstrapping of the security association, the solution uses the so-called Protocol for Carrying Authentication for Network Access (PANA).

19.
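Existing Web service security tools only provide security policy configuration for individual services and ignore security requirements at the business process level. To address this, a Web service security model for cross-enterprise, multi-party collaborative applications is proposed, which integrates Web service security modeling, deployment, and monitoring into the enterprise business process management process. On this basis, modeling, transformation, and monitoring tools based on Secure-WSCDL are built, synchronizing business modeling and security modeling across the software engineering life cycle under an SOA architecture. A simplified international trade import/export process example verifies the effectiveness of the model and the corresponding tools.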

20.
A multi-perspective knowledge-based system for customer service management   Total citations: 6, self-citations: 0, cited by others: 6
The e-business arena is a dynamic, complex and demanding environment. It is essential to make optimal reuse of knowledge of customer services across various functional units of the enterprise. On the other hand, it is also important to ensure that the customer service staff can access and be trained up with dynamically updated knowledge that meets the changing business environment of an enterprise in customer services. However, conventional way of customer service management (CSM) is inadequate to achieve the multi-perspective of an enterprise for achieving knowledge acquisition, knowledge diffusion, business automation and business performance measurement so as to drive the continuous improvement of the customer service quality. In this paper, a multi-perspective knowledge-based system (MPKBS) is proposed for CSM. The MPKBS incorporates various artificial intelligence technologies such as case-based reasoning (CBR) and adaptive time-series model which are used for decision analysis, performance measurement and monitoring. A prototype customer service portal has been built based on the MPKBS and implemented successfully in a consultancy business.
