Business Process Security Analysis - Design Time, Run Time, Audit Time

This paper reports on approaches and tool support for security and compliance analysis of executable business processes, so-called workflows, employed in the GESINE project. Specifically, focusing on the business layer and the corresponding workflow entities along the business process management lifecycle (i.e., workflow model, instance and event log), the techniques reported on in this paper cover the design time, run time and audit time analysis. Their goal is to verify the adherence to security requirements, such as the four-eyes principle and separation and binding of duties. Altogether, the complementary techniques described in this paper enable a holistic approach to ensure the security of workflows.