Abstract
A key problem in the deployment of large-scale, reliable cloud computing concerns the difficulty to certify the compliance of business processes operating in the cloud. Standard audit procedures such as SAS-70 and SAS-117 are hard to conduct for cloud-based processes. The paper proposes a novel approach to certify the compliance of business processes with regulatory requirements. The approach translates process models into their corresponding Petri net representations and checks them against requirements also expressed in this formalism. Being based on Petri nets, the approach provides well-founded evidence on adherence and, in case of noncompliance, indicates the possible vulnerabilities.
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
References
Accorsi R, Wonnemann C (2011) Strong non-leak guarantees for workflow models. ACM, SAC, pp. 308–314
Atluri V, Chun SA, Mazzoleni P (2001) A Chinese wall security model for decentralized workflow systems. ACM conference on computer and communications security. ACM, New York, pp 48–57
BDSG (2009) Bundesdatenschutzgesetz. German Federal Ministry of Justice
Breaux TD, Antón AI (2008) Analyzing regulatory rules for privacy and security requirements. IEEE Trans Software Eng 34(1):5–20
Breaux TD (2009) Legal requirements acquisition for the specification of legally compliant information systems. PhD thesis, North Carolina State University
Cabanillas C, Resinas M, Ruiz-Cortés A (2010) Hints on how to face business process compliance. In: Resinas M, Ruiz-Cortés A, Pastor JA, Sancho MR (eds) Proc JISBD 4, pp 26–32
Chow R, Golle P, Jakobsson M, Shi E, Staddon J, Masuoka R, Molina J (2009) Controlling data in the cloud: outsourcing computation without outsourcing control. In: Proc 2009 ACM workshop on cloud computing security. ACM, New York, pp 85–90
COMPAS (2008) Compliance-driven models, languages, and architectures for services. EU FP7 Project 215175, deliverable 2.1 “State of the art in the field of compliance languages”
CSA (2009) Security guidance for critical areas of focus in cloud computing. Cloud Security Alliance. http://www.cloudsecurityalliance.org/. Accessed 2010-06-29
CSA (2010) Top threats to cloud computing. Cloud Security Alliance. http://www.cloudsecurityalliance.org/. Accessed 2010-06-29
Curtis B, Kellner MI, Over J (1992) Process modeling. Comm ACM 35(9):75–90
Dijkman R, Dumas M, Ouyang C (2008) Semantics and analysis of business process models in BPMN. Information & Software Technology 50(12):1281–1294
Ehrig M, Koschmider A, Oberweis A (2007) Measuring similarity between semantic business process models. ACS CRPIT 67:71–80
Etro F (2009) The economic impact of cloud computing on business creation, employment and output in Europe. Review of Business and Economics 54(2):179–218
European Commission (1995) Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data
ENISA (2009) Cloud computing—benefits, risks and recommendations for information security. European Network Information and Security Agency
Ghose A, Koliadis G (2007) Auditing business process compliance. Springer LNCS 4749:168–180
GLB (1999) Gramm-Leach-Bliley Act. In: Congress of the USA
Governatori G, Hoffmann J, Sadiq SW, Weber I (2009) Detecting regulatory compliance for business process models through semantic annotations. Springer LNBPI 14:5–17
Hayes B (2009) Cloud computing. Comm ACM 51(7):9–11
HIPAA (1996) Health insurance portability and accountability act. In: Congress of the USA
Höhn S (2009) Model-based reasoning on the achievement of business goals. In: ACM symposium on applied computing. ACM, New York, pp 1589–1593
Huang H, Kirchner H (2009) Component-based security policy design with colored Petri nets. Springer LNCS 5700:21–42
IIG (2010) BW2PN: BPEL+WSDL to Petri net transformation. Software tool developed at the University of Freiburg, IIG Telematics. http://www.telematik.uni-freiburg.de/comcert/. Accessed 2010-06-29
Katt B, Zhang X, Hafner M (2009) Towards a usage control policy specification with Petri nets. Springer LNCS 5871:905–912
Lampson B (1973) A note on the confinement problem. Commun ACM 16(10):613–615
Liu Y, Müller S, Xu K (2007) A static compliance-checking approach framework for business process models. IBM System Journal 46(2):335–361
Liu R, Kumar A (2005) An analysis and taxonomy of unstructured workflows. Springer LNCS 3649:268–284
Lohmann N, Verbeek E, Dijkman RM (2009) Petri net transformations for business processes—A survey. Springer LNCS 5460:46–63
Lowis L, Accorsi R (2010) Vulnerability analysis in SOA-based business processes. IEEE Transactions on Services Computing (in press)
Meda HS, Sen AK, Bagchi A (2010) On detecting data flow errors in workflows. Journal of Data and Information Quality 2(1):1–31
Monakova G, Kopp O, Leymann F, Moser S, Schäfers K (2009) Verifying business rules using a SMT solver for BPEL processes. GI LNI 147:81–94
Murata T (1989) Petri nets: properties, analysis and applications. Proc IEEE 77(4):541–580
Organisation for Economic Co-Operation and Development (OECD) (1980) OECD guidelines on the protection of privacy and transborder flows of personal data
Oryx (2010) The Oryx project. http://bpt.hpi.uni-potsdam.de/Oryx/WebHome. Accessed 2010-06-29
Ouyang C, Verbeek E, van der Aalst WMP, Breutel S, Dumas M, ter Hofstede AHM (2005) WofBPEL: a tool for automated analysis of BPEL processes. Springer LNCS 3826:484–489
Park J, Sandhu R (2004) The UCONABC usage control model. ACM Transactions on Information and System Security 7:128–174
Pretschner A, Hilty M, Basin D (2006) Distributed usage control. Comm ACM 49:39–44
Sadiq S, Governatori G, Namiri K (2007) Modeling control objectives for business process compliance. Business process management. Springer LNCS 4714:149–164
Saha D (2008) A hitchhiker’s guide to galaxy a.k.a. Netweaver business process modelling. http://www.sdn.sap.com/irj/scn/weblogs?blog=/pub/wlg/10947. Accessed 2010-06-29
Schneider F (2000) Enforceable security policies. ACM Trans Inf Syst Secur 3(1):30–50
SOX (2002) Sarbanes-Oxley act. In: Congress of the USA
Stohr EA, Zhao JL (2001) Workflow automation: overview and research issues. Information Systems Frontiers 3(3):281–296
Svirskas A, Courbis C, Molva R, Bedžinskas J (2007) Compliance proofs for collaborative interactions using aspect-oriented approach. IEEE Congress on Services 1:33–40
TMG (2009) Telemediengesetz. German Federal Ministry of Justice
Trčka N, van der Aalst WMP, Sidorova N (2009) Data-flow anti-patterns: discovering data-flow errors in workflows. Springer LNCS 5565:425–439
van der Aalst WMP (1998) The application of Petri nets to workflow management. Journal of Circuits, Systems, and Computers 8(1):21–66
van der Aalst WMP (2003) Challenges in business process management: verification of business processing using Petri nets. Bulletin of the EATCS 80:174–199
van Dongen BF, Jansen-Vullers MH, Verbeek HMW, van der Aalst WMP (2007) Verification of the SAP reference models using EPC reduction, state-space analysis, and invariants. Computers in Industry 58(6):578–601
Wagner G (2002) How to design a general rule markup language. GI LNI 14:19–37
Wong PYH, Gibbons J (2008) Verifying business process compatibility. In: International conference on quality software. IEEE, pp 126–131
Author information
Authors and Affiliations
Corresponding author
Additional information
Accepted after three revisions by Prof. Dr. Müller.
This article is also available in German in print and via http://www.wirtschaftsinformatik.de: Accorsi R, Lowis L, Sato Y (2011) Automatisierte Compliance-Zertifizierung Cloud-basierter Geschäftsprozesse. WIRTSCHAFTSINFORMATIK. doi: 10.1007/s11576-011-0269-z.
Rights and permissions
About this article
Cite this article
Accorsi, R., Lowis, L. & Sato, Y. Automated Certification for Compliant Cloud-based Business Processes. Bus Inf Syst Eng 3, 145–154 (2011). https://doi.org/10.1007/s12599-011-0155-7
Received:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s12599-011-0155-7