The combination of the above listed business and
technological essential elements forms the design
context.
Once the context is established, we identify the
business and technological risks that may harm the
essential elements. For example, the risk
'unavailability of the travel reservation business
process' can result from several unwanted events,
each caused by the unavailability of one kind of
essential element:
- Partners (partners prefer other travel agencies or
stop providing specific services), at the business
level
- Trip, hotel or transportation services (for example
because of denial-of-service attacks on the service
interface, such as XML-DoS), at the service level
- Components of the infrastructure (because of
denial-of-service attacks on the network or hosts),
at the infrastructure level.
Finally, the identified risks are assessed according
to their likelihood and their consequences. The risk
analysis thus tells us whether a risk needs to be
treated at all and which treatment is the most
cost-effective. Since high availability of the 'travel
reservation' business process is required, its
unavailability must be treated by implementing
security measures that reduce the probability and /
or the impact of the unwanted events, one at each
level. In this example we implement:
- Protection level agreements that specify the
availability of the services partners provide to each
other (business level);
- The 'Message inspector gateway' security pattern,
which intercepts the traffic and filters the requests
before they reach the services (service level);
- Filtering mechanisms (firewalls, routers, etc.) at
the infrastructure level.
After treatment the residual risk is re-assessed on
the same scales: a measure that only lowers the
likelihood of an event leaves the consequence of a
successful attack unchanged, so a single measure per
level may not bring the risk down to an acceptable
value.
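The three steps above (identify the unwanted events behind the risk, score each one by likelihood and consequence, apply a treatment per level and re-assess) carried through for the travel reservation example, as an added Python example that is not code from the paper. The 1..4 qualitative scales, the acceptance threshold and the effect attributed to each measure are assumptions chosen for illustration; the paper fixes none of them.

```python
from dataclasses import dataclass, replace
from typing import List

# Qualitative scales, lowest rank first (assumption: the paper does not fix
# the scales; a 4x4 likelihood x consequence matrix is the usual choice).
LIKELIHOOD = ["rare", "unlikely", "likely", "almost certain"]
CONSEQUENCE = ["negligible", "minor", "major", "critical"]

# Scores above this value must be treated (assumed acceptance threshold).
ACCEPTANCE_THRESHOLD = 4


@dataclass(frozen=True)
class UnwantedEvent:
    """One cause of the top-level risk, tied to a design level."""
    name: str
    level: str          # "business", "service" or "infrastructure"
    likelihood: int     # index into LIKELIHOOD
    consequence: int    # index into CONSEQUENCE

    def score(self) -> int:
        # Product of the 1-based ranks, i.e. the cell of the risk matrix.
        return (self.likelihood + 1) * (self.consequence + 1)


@dataclass(frozen=True)
class Measure:
    """A security measure at one level; each reduction is a step down a scale."""
    name: str
    level: str
    likelihood_reduction: int = 0
    consequence_reduction: int = 0


def treat(event: UnwantedEvent, measures: List[Measure]) -> UnwantedEvent:
    """Apply every measure of the event's level; ranks never drop below the lowest."""
    lik, con = event.likelihood, event.consequence
    for m in measures:
        if m.level == event.level:
            lik = max(0, lik - m.likelihood_reduction)
            con = max(0, con - m.consequence_reduction)
    return replace(event, likelihood=lik, consequence=con)


def risk_score(events: List[UnwantedEvent]) -> int:
    """The top-level risk is driven by its worst remaining cause."""
    return max(e.score() for e in events)


def needs_treatment(events: List[UnwantedEvent],
                    threshold: int = ACCEPTANCE_THRESHOLD) -> List[UnwantedEvent]:
    return [e for e in events if e.score() > threshold]


# Constructed sample: the three causes of 'unavailability of the travel
# reservation process' from the text, with assumed ratings.
CAUSES = [
    UnwantedEvent("partners prefer other agencies / stop a service", "business", 1, 2),
    UnwantedEvent("trip, hotel or transport services down (XML-DoS)", "service", 2, 3),
    UnwantedEvent("infrastructure components down (network DoS)", "infrastructure", 2, 3),
]

# The three treatments named in the text, with assumed effects.
MEASURES = [
    Measure("protection level agreement on partner availability", "business",
            consequence_reduction=1),
    Measure("message inspector gateway filtering requests", "service",
            likelihood_reduction=2),
    Measure("firewall / router filtering", "infrastructure",
            likelihood_reduction=1),
]


def residual_causes(causes: List[UnwantedEvent] = CAUSES,
                    measures: List[Measure] = MEASURES) -> List[UnwantedEvent]:
    """Re-assess every cause after the measures of its level are applied."""
    return [treat(c, measures) for c in causes]


if __name__ == "__main__":
    print("inherent risk score:", risk_score(CAUSES))
    for e in residual_causes():
        verdict = "TREAT" if e.score() > ACCEPTANCE_THRESHOLD else "accept"
        print(f"{e.level:15} residual={e.score():2}  {verdict}  {e.name}")
    print("residual risk score:", risk_score(residual_causes()))
```

With these ratings the inherent score is 12; after treatment the business and service causes fall to the threshold, but the infrastructure cause (likelihood lowered one step, consequence untouched) still scores 8, so the analysis loops back to choose an additional measure for that level.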
5 CONCLUSIONS
Securing collaborative business processes from the
early design phases onward is essential: security
requirements must be taken into account like any
other functional requirement. In this work we have
presented a service security conceptual model that
improves security awareness in service design
methods. As a reference model for managing
information security in service-based infrastructures,
it can also be used to develop security design
patterns.
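The 'Message inspector gateway' pattern used as the service-level treatment in the travel reservation example is one such pattern. The following gateway check is an added Python example, not code from the paper: it drops the XML-DoS vectors that make the reservation services unavailable (entity expansion through a DTD, deep nesting, oversized bodies) before a message reaches the service, using only the standard library's expat bindings. The limits and the sample messages are constructed for illustration.

```python
import xml.parsers.expat as expat
from dataclasses import dataclass


@dataclass(frozen=True)
class Limits:
    """Resource limits enforced by the gateway (assumed values)."""
    max_bytes: int = 64 * 1024
    max_depth: int = 32
    max_elements: int = 10_000
    max_attributes: int = 64


class Rejected(Exception):
    """Raised from inside a parser callback to abort parsing with a reason."""


def inspect_request(body: bytes, limits: Limits = Limits()) -> str:
    """Return 'accepted', or the reason the gateway drops the message."""
    # Size is checked first: quadratic blowup (huge text nodes) and plain
    # flooding are bounded before any parsing work is done.
    if len(body) > limits.max_bytes:
        return f"rejected: body exceeds {limits.max_bytes} bytes"

    parser = expat.ParserCreate()
    state = {"depth": 0, "elements": 0}

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # Any DTD is refused: entity expansion (billion laughs) and external
        # entities live there, and a reservation request never needs one.
        raise Rejected("rejected: DOCTYPE/DTD not allowed")

    def start_element(name, attrs):
        state["depth"] += 1
        state["elements"] += 1
        if state["depth"] > limits.max_depth:
            raise Rejected(f"rejected: nesting deeper than {limits.max_depth}")
        if state["elements"] > limits.max_elements:
            raise Rejected(f"rejected: more than {limits.max_elements} elements")
        if len(attrs) > limits.max_attributes:
            raise Rejected(f"rejected: more than {limits.max_attributes} attributes")

    def end_element(name):
        state["depth"] -= 1

    parser.StartDoctypeDeclHandler = start_doctype
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    try:
        parser.Parse(body, True)
    except Rejected as exc:
        return str(exc)
    except expat.ExpatError as exc:
        return f"rejected: malformed XML ({exc})"
    return "accepted"


# Constructed sample messages.
GOOD = b"<reservation><trip id='42'><hotel nights='3'/></trip></reservation>"
BILLION_LAUGHS = (
    b'<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol">'
    b'<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">]>'
    b"<reservation>&lol2;</reservation>"
)
DEEP = b"<r>" * 40 + b"</r>" * 40
MALFORMED = b"<reservation><trip></reservation>"


if __name__ == "__main__":
    for label, msg in [("good", GOOD), ("billion laughs", BILLION_LAUGHS),
                       ("deep nesting", DEEP), ("malformed", MALFORMED)]:
        print(f"{label:15} -> {inspect_request(msg)}")
```

The DTD is refused at the DOCTYPE declaration, before any entity is declared, so the expansion never runs; depth and element counts are enforced incrementally in the start-element callback, so a hostile message is abandoned at the first limit it crosses rather than after a full parse.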
In future work we plan to support the service
security conceptual model with ontologies that define
the essential elements and their relationships, and
with a risk treatment reasoning system that simulates
risks and infers security measures with respect to
global security objectives.
ICEIS 2013 - 15th International Conference on Enterprise Information Systems, p. 354