Mark Strembeck

BusinessActivities Framework - Brief Description:
Business information systems must comply with certain laws and regulations, such as the Basel II/III Accord, the International Financial Reporting Standards (IFRS), the Markets in Financial Instruments Directive (MiFID), the French financial security law (LSF), the Health Insurance Portability and Accountability Act (HIPAA), or the Sarbanes-Oxley Act (SOX). Many requirements resulting from such regulations relate to business-level security concerns. Such security concerns are often relevant in the context of an organization's business processes. While the need to integrate business processes and security models has been repeatedly identified in research and practice, standard modeling languages do not provide corresponding language elements. However, the definition of process-related security models is an important prerequisite for the thorough implementation and enforcement of corresponding policies and constraints in a software system.

CIM, PIM, PSM layers

The BusinessActivities Framework aims to support the specification, consistency & conformance checking, implementation, and enforcement of process-related security properties at the CIM, PIM, and PSM layers. In the model-driven development (MDD) context, a computation-independent model (CIM) defines a certain domain (or subdomain) at a generic level. The CIM is independent of a particular modeling language or technology. A CIM can be used to build a platform-independent model (PIM) of the corresponding domain. While it is independent of any platform, and thereby neutral from an implementation point of view, the PIM is typically specified in a particular modeling language (for example via MOF-based languages such as BPMN or UML) and describes the structure of a system, the elements/results that are produced by a system, or the control and object flow in a system. Finally, a platform-specific model (PSM) describes the realization/implementation of a software system via platform-specific technologies and tools. The BusinessActivities Framework aims to provide continuous traceability for security properties from the CIM to the PSM layer.

Overview

At the CIM layer, we provide generic metamodels for process-related security properties that can be used to extend arbitrary process modeling languages. At the PIM layer, we provide domain-specific modeling languages (DSMLs) (e.g. via domain-specific UML extensions) that allow to model process-related security properties. At the PSM layer, we provide tools and platform support for the implementation, checking, and enforcement of process-related security properties (see, e.g., BusinessActivity library and runtime engine, tool support for secure object flows in SOAs, tool support for conformance checking of process-related RBAC models). Moreover, the BusinessActivities framework is integrated with our work on role engineering.


Related Papers and Articles:

Copyright policy:The papers obtained from this Web site are included by the contributing authors as a means to ensure timely dissemination of scholarly and technical work on a non-commercial basis. Copyright and all rights therein are maintained by the authors or by other copyright holders, notwithstanding that they have offered their works here electronically. It is understood that all persons copying this information will adhere to the terms and constraints invoked by each author's copyright. These works may not be reposted without the explicit permission of the copyright holder.
S. Schefer-Wenzl, M. Strembeck: Model-driven Specification and Enforcement of RBAC Break-Glass Policies for Process-Aware Information Systems, In: Information and Software Technology (IST), Vol. 56, No. 10, October 2014 (doi, pdf)
B. Hoisl, S. Sobernig, M. Strembeck: Comparing Three Notations for Defining Scenario-based Model Tests: A Controlled Experiment, In: Proc. of the 9th International Conference on the Quality of Information and Communications Technology (QUATIC), IEEE, Guimaraes, Portugal, September 2014 (ps, pdf)
D. Hopfmüller, S. Schefer-Wenzl, M. Strembeck: Kaskadierender Widerruf von Delegationen in prozessbasierten Informationssystemen, In: Proc. of 44. Jahrestagung der Gesellschaft für Informatik (GI), INFORMATIK 2014, Lecture Notes in Informatics (LNI), Vol. 232, Stuttgart, Germany, September 2014 (ps, pdf, extended version)
S. Schefer-Wenzl, M. Strembeck: Modeling Support for Role-Based Delegation in Process-Aware Information Systems, In: Business & Information Systems Engineering (BISE), Vol. 6, No. 4, August 2014 (doi)
S. Schefer-Wenzl, M. Strembeck: Modellierungsunterstützung für die rollenbasierte Delegation in prozessgestützten Informationssystemen, In: Wirtschaftsinformatik, Vol. 56, No. 4, August 2014 (doi)
S. Schefer-Wenzl, H. Bukvova, M. Strembeck: A Review of Delegation and Break-Glass Models for Flexible Access Control Management, In: Proc. of the 6th Workshop on Applications of Knowledge-Based Technologies in Business (AKTB), Lecture Notes in Business Information Processing (LNBIP), Vol. 183, Springer, Larnaca, Cyprus, May 2014 (ps, pdf)
B. Hoisl, S. Sobernig, M. Strembeck: Modeling and Enforcing Secure Object Flows in Process-driven SOAs: An Integrated Model-driven Approach, In: Software and Systems Modeling (SoSyM), Vol. 13, No. 2, May 2014 (doi, pdf)
P. Gaubatz, W. Hummer, U. Zdun, M. Strembeck: Enforcing Entailment Constraints in Offline Editing Scenarios for Real-time Collaborative Web Documents, In: Proc. of the 29th ACM Symposium On Applied Computing (SAC), Gyeongju, Korea, March 2014 (ps, pdf)
B. Hoisl, S. Sobernig, M. Strembeck: Natural-Language Scenario Descriptions for Testing Core Language Models of Domain-specific Languages, In: Proc. of the 2nd International Conference on Model-Driven Engineering and Software Development (MODELSWARD), Lisbon, Portugal, January 2014 (ps, pdf)
M. Strembeck, S. Rinderle-Ma: Security and Privacy in Business Processes: A Posteriori Analysis Techniques, In: Information Technology (it), Vol. 55, No. 6, December 2013 (doi)
W. Hummer, P. Gaubatz, M. Strembeck, U. Zdun, S. Dustdar: Enforcement of Entailment Constraints in Distributed Service-Based Business Processes, In: Information and Software Technology (IST), Vol. 55, No. 11, November 2013 (doi, pdf)
S. Schefer-Wenzl, M. Strembeck: Modeling Context-Aware RBAC Models for Mobile Business Processes, In: International Journal of Wireless and Mobile Computing (IJWMC), Vol. 6, No. 5, 2013 (doi, pdf)
M. Leitner, S. Schefer-Wenzl, S. Rinderle-Ma, M. Strembeck: An Experimental Study on the Design and Modeling of Security Concepts in Business Processes, In: Proc. of the 6th IFIP WG 9.1 Working Conference on The Practice of Enterprise Modeling (POEM), Lecture Notes in Business Information Processing (LNBIP), Vol. 165, Springer, Riga, Latvia, November 2013 (ps, pdf)
S. Sobernig, B. Hoisl, M. Strembeck: Requirements-driven Testing of Domain-specific Core Language Models using Scenarios, In: Proc. of the 13th International Conference on Quality Software (QSIC), IEEE, Nanjing, China, July 2013 (ps, pdf)
P. Gaubatz, W. Hummer, U. Zdun, M. Strembeck: Supporting Customized Views for Enforcing Access Control Constraints in Real-time Collaborative Web Applications, In: Proc. of the 13th International Conference on Web Engineering (ICWE), Lecture Notes in Computer Science (LNCS), Vol. 7977, Springer, Aalborg, Denmark, July 2013 (ps, pdf)
T. Quirchmayr, M. Strembeck: On the Impact of Concurrency for the Enforcement of Entailment Constraints in Process-driven SOAs, In: Proc. of the 10th International Workshop on Security in Information Systems (WOSIS), Angers, France, July 2013 (ps, pdf, extended version)
S. Schefer-Wenzl, S. Sobernig, M. Strembeck: Evaluating a UML-based Modeling Framework for Process-related Security Properties: A Qualitative Multi-Method Study, In: Proc. of the 21st European Conference on Information Systems (ECIS), Utrecht, The Netherlands, June 2013 (ps, pdf)
S. Schefer-Wenzl, M. Strembeck: Generic Support for RBAC Break-Glass Policies in Process-Aware Information Systems, In: Proc. of the 28th ACM Symposium on Applied Computing (SAC), Coimbra, Portugal, March 2013 (ps, pdf)
B. Hoisl, S. Sobernig, M. Strembeck: Higher-Order Rewriting of Model-to-Text Templates for Integrating Domain-specific Modeling Languages, In: Proc. of the International Conference on Model-Driven Engineering and Software Development (MODELSWARD), Barcelona, Spain, February 2013 (ps, pdf)
B. Hoisl, M. Strembeck, S. Sobernig: Towards a Systematic Integration of MOF/UML-Based Domain-Specific Modeling Languages, In: Proc. of the 16th International Conference on Software Engineering and Applications (SEA), Las Vegas, NV, USA, November 2012 (ps, pdf)
S. Schefer-Wenzl, M. Strembeck: A UML Extension for Modeling Break-Glass Policies, In: Proc. of the 5th International Workshop on Enterprise Modelling and Information Systems Architectures (EMISA), Lecture Notes in Informatics (LNI), Vol. 206, Vienna, Austria, September 2012 (ps, pdf)
B. Hoisl, S. Sobernig, S. Schefer-Wenzl, M. Strembeck, A. Baumgrass: Design Decisions for UML and MOF based Domain-specific Language Models: Some Lessons Learned, In: Proc. of the 2nd Workshop on Process-based approaches for Model-Driven Engineering (PMDE), Kgs. Lyngby, Denmark, July 2012 (ps, pdf)
B. Hoisl, M. Strembeck: A UML Extension for the Model-driven Specification of Audit Rules, In: Proc. of the 2nd International Workshop on Information Systems Security Engineering (WISSE), Lecture Notes in Business Information Processing (LNBIP), Vol. 112, Springer, Gdansk, Poland, June 2012 (ps, pdf)
S. Schefer-Wenzl, M. Strembeck: Modeling Context-Aware RBAC Models for Business Processes in Ubiquitous Computing Environments, In: Proc. of the 3rd International Conference on Mobile, Ubiquitous, and Intelligent Computing (MUSIC), Vancouver, Canada, IEEE, June 2012 (ps, pdf)
S. Schefer-Wenzl, M. Strembeck, A. Baumgrass: An Approach for Consistent Delegation in Process-Aware Information Systems, In: Proc. of the 15th International Conference on Business Information Systems (BIS), Lecture Notes in Business Information Processing (LNBIP), Vol. 117, Springer, Vilnius, Lithuania, May 2012 (ps, pdf)
S. Schefer, M. Strembeck, J. Mendling, A. Baumgrass: Detecting and Resolving Conflicts of Mutual-Exclusion and Binding Constraints in a Business Process Context, In: Proc. of the 19th International Conference on Cooperative Information Systems (CoopIS), Lecture Notes in Computer Science (LNCS), Vol. 7044, Springer, Crete, Greece, October 2011 (ps, pdf, extended version)
A. Baumgrass, T. Baier, J. Mendling, M. Strembeck: Conformance Checking of RBAC Policies in Process-Aware Information Systems, In: Proc. of the Workshop on Workflow Security Audit and Certification (WfSAC), Lecture Notes in Business Information Processing (LNBIP), Vol. 100, Springer, Clermont-Ferrand, France, August 2011 (ps, pdf)
S. Schefer, M. Strembeck, J. Mendling: Checking Satisfiability Aspects of Binding Constraints in a Business Process Context, In: Proc. of the Workshop on Workflow Security Audit and Certification (WfSAC), Lecture Notes in Business Information Processing (LNBIP), Vol. 100, Springer, Clermont-Ferrand, France, August 2011 (ps, pdf)
B. Hoisl, M. Strembeck: Modeling Support for Confidentiality and Integrity of Object Flows in Activity Models, In: Proc. of the 14th International Conference on Business Information Systems (BIS), Lecture Notes in Business Information Processing (LNBIP), Vol. 87, Springer, Poznan, Poland, June 2011 (ps, pdf, extended version)
S. Schefer, M. Strembeck: Modeling Support for Delegating Roles, Tasks, and Duties in a Process-Related RBAC Context, In: Proc. of the International Workshop on Information Systems Security Engineering (WISSE), Lecture Notes in Business Information Processing (LNBIP), Vol. 83, Springer, London, GB, June 2011 (ps, pdf)
M. Strembeck, J. Mendling: Modeling Process-related RBAC Models with Extended UML Activity Models, In: Information and Software Technology (IST), Vol. 53, No. 5, May 2011 (doi, pdf)
S. Schefer, M. Strembeck: Modeling Process-Related Duties with Extended UML Activity and Interaction Diagrams, In: Proc. of the International Workshop on Flexible Workflows in Distributed Systems, Workshops der wissenschaftlichen Konferenz Kommunikation in verteilten Systemen (WowKiVS), Electronic Communications of the EASST, Vol. 37, Kiel, Germany, March 2011, (ps, pdf, extended version)
M. Strembeck, J. Mendling: Generic Algorithms for Consistency Checking of Mutual-Exclusion and Binding Constraints in a Business Process Context, In: Proc. of the 18th International Conference on Cooperative Information Systems (CoopIS), Lecture Notes in Computer Science (LNCS), Vol. 6426, Springer, Crete, Greece, October 2010 (ps, pdf, extended version)
M. Strembeck, U. Zdun: An Approach for the Systematic Development of Domain-Specific Languages, In: Software: Practice and Experience (SP&E), Vol. 39, No. 15, October 2009 (doi, pdf)
U. Zdun, M. Strembeck: Reusable Architectural Decisions for DSL Design: Foundational Decisions in DSL Development, In: Proc. of the 14th European Conference on Pattern Languages of Programs (EuroPLoP), Irsee Monastery, Germany, July 2009 (ps, pdf)


Contact:
Mark Strembeck
Mark Strembeck