BPM and Cloud Integration: A New Driver for Research in Security in Business Processes

BPM and Cloud IntegrationA New Driver for Research in Security in Business Processes

Achim D Bruckerachimbruckersapcom

SAP AG PampI ACES Vincenz-Priessnitz-Str 1 76131 Karlsruhe Germany

Guest Lecture Konzepte und Anwendung von WorkflowsystemenKarlsruhe Institute of Technology (KIT)

13022014

Abstract

Enterprise systems in general and process aware systems in particular arestoring and processing the most critical assets of a company To protectthese assets such systems need to implement a multitude of securityproperties Moreover such systems need often to comply to variouscompliance regulationsIn this talk we briefly discuss challenges of implementing large-scalesystems based on workflow-management in general and in particular thein the context of cloud based systems We will put a particular focus onsecurity requirements and discuss the gab between the ideal world ofprocess-aware information systems and the real world We conclude ourpresentation by discussing several research challenges in the area ofverifiable secure process aware information systems

copy 2014 SAP AG All Rights Reserved Page 2 of 33

Agenda

1 SAP and SAP PampI ACES

2 Process-aware Information Systems

3 Security Trust and Compliance of Business Processes

4 Research Directions and Challenges

5 Conclusion


Agenda


2 Process-aware Information SystemsThe Ideal WorldThe Real WorldCloud IntegrationSystem Complexity and Adoption Rate



5 Conclusion


Die SAP AG

bull Leader in Business Software

bull Vendor process-aware systems

bull More than 25 industries

bull 63 of the worldrsquos transaction revenuetouches an SAP system

bull 64 422 employees worldwide

bull HeadquartersWalldorf (and St Leon-Rot)

bull Location in Karlsruheca 500m from here


SAP PampI ACES Mission

Orchestrating the architecture definition and communicating the results consistentlyBuilding the best educated development organization in- and outside the companyMaking Security a key differentiator for choosing SAP

Mission

Architecture

Communication

Education

Security

Lead the way we jointly create and manage the architecture of ourproducts

Roll-out this architecture consistently to our field colleagues customersand partners

Drive education for developers internally amp externally - ensure that it is funto learn SAP renew education concepts and technology

Drive Product Security transform it to become a differentiator for SAP

Goals


SAP PampI ACES Organizational Structure

PampI

ACES

Chief Product

Security Officer

Prod Security

Data Protect

MampA

Product Security

Response

Product Security

Communication

Product Security

Research Code Analysis

Technology

Advisory Office

Training amp

Education COO


My Background

bull Senior Researcher at SAP AGbull Product Security Researchbull Code Analysis

bull BackgroundSecurity Formal Methods Software Engineering

bull Current work areas

bull Security in business processesbull Static code analysis (ua fuumlr JavaScript)bull Security Testing


Agenda





5 Conclusion


Ideal World Modeling

copy 2014 SAP AG All Rights Reserved 0 of 33

Ideal World Deployment and Execution


Real World Modeling

Process Models

bull BPMNBPEL

bull Configurable transactions

bull Custom Coding

bull Legacy Systems

bull External services

Security

bull Each system (OS DB IS)

bull own security infrastructurebull own logging infrastructure

bull Management solutions try tobridge this gap


Real World Deployment and Execution

Backend

bull AS Java AS ABAP

bull Business Process Engine

bull Legacy Systems


bull Sensors and product lines

Frontend

bull Desktop clients

bull Web-based clients

bull Mobile clients

bull Client side compositions(eg mash-ups)


End-to-End Business Process Integration

Prospect-to-Promoter

Source-to-Pay

Recruit-to-Retire

End-to-End Business Processes

Customers have complex on-premise landscapes

As customers adopt cloudsolutions hybrid landscapes willbecome a norm

Integration across the boundariesof cloud and on-premise is amust to prevent application silos

As companies adopt cloud real-time end-to-endbusiness process integration is critical


How the Future Might Look LikeC

loud

Solu

tions

Cloud + CRM

SAP CRM

SAP ERP

Two-tier CRM

Headquarters

Subsidiaries

On-

prem

ise

Solu

tions

Pre-Built and Maintained Integrations (iFlows)

Cloud for Customer

Cloud forCustomer

Cloud forCustomer

SAP CRM

SAP ERP

Cloud + ERP

SAP ERP

Cloud for Customer

Cloud + 3rd Party

3rd Party System

Cloud for Customer


Customer Example (12)

Large manufacturing company withSAP ERP multiple legacy HR andother financial applications worldwide

Migration from legacy HR system

gt120 third-party interfaces ndashIntegration of third-party cloudsolutions to Employee Central (EC)and EC Payroll

100 of SAP-to-SAP integrations and30 of all integrations covered byprepackaged integration flows(iFlows)

SAP ERP FI

On-Premise

Cloud

Aetna

Other FI Systems

Kronos

Aon Hewitt

JP MorganMetlife

Aetna helliphelliphellip

Other FI Systems

PayrollEmployeeCentral

EmployeeOrg Structure

FinancialPosting Active

Directory



Third-party ERP

Industrial manufacturer with multiplesubsidiaries on different SAP ERPclients as well as third-party ERPsystems

Rapid implementation with small IT team

Delivered improved usability for fieldsales and collaboration between fieldsales and back office

Integration of accounts materials salesquotes and sales ordersSAP ERP (1) SAP ERP (2)

SAP Cloudfor Sales

Field sales including mobility

BW

On-Premise

Cloud

Third-Party ERP

SAP ERP (2)


Evolution of Source Code

bull Increase in

bull code size

bull code complexity

bull number of products

bull product versions


Support Lifecycle (Maintenance)



0

20000

40000

60000

80000

100000

120000

1998 2004 2012

No of Systems No of Customerscopy 2014 SAP AG All Rights Reserved Page 19 of 33


0

20000

40000

60000

80000

100000

120000

140000

1998 2004 2012No of Systems No of Customers

Example (Maintenance Cycles)

Produkt Release EOL ext EOL

Windows XP 2001 2009 2014Windows 8 2012 2018 2023Red Hat Ent Linux 2012 2020 2023SAP ERP 2004 2020 gt 2024

Maintenance fees typical 20 of the original price


Customer Requirements

Real-time businessprocess integration

End-to-endmonitoring and support

Single source of truth andmaster data synchronization

Data securityand compliance

Integrateduser experience

Rapid deployment

Support for complexlandscapes

Choice of integrationtechnology

LOB IT

Line of business


Agenda





5 Conclusion


Security in Business Processes An Example


Access Control

Goal

bull Control access toTasks Resources (Data)

The core

bull UsuallyUsers Roles Access Rights

bull In special casesData labeling

On top

bull Separation of Duty

bull Binding of Duty

bull Delegation


Protecting Data (and Goods)

Goal

bull Ensurebull confidentialitybull integrity (safety)

of data (and goods)

The core

bull Need-to-Know

bull Fingerprints

bull Encryption

bull Sensors


Compliance and Additional Requirements

Many regulated markets

bull Basel IIIII SoX PCI

bull HIPAA

Many customer-specific regulations

bull Own governance to mitigate risks

bull Own business code of conduct

bull Fraud detectionprevention

bull Non-observability

Customers are individually audited

bull No ldquoone certificate fits allrdquo solution

Security should not hinder business


Agenda





5 Conclusion


Our Research Over the Last Decade

Access Control for Processesbull RBAC-like models

bull Delegation models

bull Break-(the)-glass models

Model-driven Securitybull Modeling of Security

bull Generation of implementation configuration

bull Monitoring based on models

Process-level Verificationbull Compliance to security spec

bull Consistency of security configurations

Implementation-level Verificationbull Compliance of implementation to process level

security req


Research Challenges

Adaptabilitybull How to extend systems safely

bull Integration of legacy systems

Auditabilitybull Coherent audit across providerssystems

bull Reduction of audit costs

Cloud (SaaS)bull How to manage decentralized systems

bull How to capture behavior of the composition

bull Who is the attacker

Process level vs technical levelsbull Security is more than CIA

bull Ensuring secure implementation


Agenda





5 Conclusion


Conclusion

ldquo The most interesting challenges are still ahead of us

bull Real systems are large and complexbull many programming languages or frameworksbull many security technologiesbull highly distributedbull implement business processes in many different ways

bull Many research is done on the process level

bull We now need to bring thebull process levelbull implementation level

closer together to provide end-to-end security

bull Cloud solutions create new challengesbull data protection across different providersbull new attacker models


Thank you

Interested in an InternshipThesis at SAP

bull achimbruckersapcom

bull wwwsapcomjobs and search for locationldquoKarlsruherdquo or rsquolsquostudentrdquo

Bibliography I

Wihem Arsac Luca Compagna Giancarlo Pellegrino and Serena Elisa Ponta

Security validation of business processes via model-checking

In Uacutelfar Erlingsson Roel Wieringa and Nicola Zannone editors ESSoS volume 6542 ofLecture Notes in Computer Science pages 29ndash42 Heidelberg 2011 Springer-Verlag

Achim D Brucker and Isabelle Hang

Secure and compliant implementation of business process-driven systems

In Marcello La Rosa and Pnina Soffer editors Joint Workshop on Security in BusinessProcesses (sbp) volume 132 of Lecture Notes in Business Information Processing (lnbip)pages 662ndash674 Springer-Verlag 2012

Achim D Brucker Isabelle Hang Gero Luumlckemeyer and Raj Ruparel

SecureBPMN Modeling and enforcing access control requirements in business processes

In ACM symposium on access control models and technologies (SACMAT) pages123ndash126 acm Press 2012


Bibliography II

Luca Compagna Pierre Guilleminot and Achim D Brucker

Business process compliance via security validation as a service

In Manuel Oriol and John Penix editors ieee Sixth International Conference on SoftwareTesting Verification and Validation (icst) pages 455ndash462 ieee Computer Society 2013

Christian Wolter Andreas Schaad and Christoph Meinel

Deriving XACML policies from business process models

In Mathias Weske Mohand-Said Hacid and Claude Godart editors WISE Workshopsvolume 4832 of Lecture Notes in Computer Science pages 142ndash153 Springer-Verlag2007


copy 2014 SAP AG All rights reserved

No part of this publication may be reproduced or transmitted in any formor for any purpose without the express permission of SAP AG Theinformation contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors containproprietary software components of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registeredtrademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System pSystem p5 System x System z System z10 System z9 z10 z9 iSeriespSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWEROpenPower PowerPC BatchPipes BladeCenter System Storage GPFSHACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel SysplexMVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informixare trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and othercountriesAdobe the Adobe logo Acrobat PostScript and Reader are eithertrademarks or registered trademarks of Adobe Systems Incorporated inthe United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the OpenGroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrameand MultiWin are trademarks or registered trademarks of Citrix SystemsIncHTML XML XHTML and W3C are trademarks or registered trademarks ofW3Creg World Wide Web Consortium Massachusetts Institute ofTechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc usedunder license for technology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAPBusinessObjects Explorer StreamWork and other SAP products andservices mentioned herein as well as their respective logos aretrademarks or registered trademarks of SAP AG in Germany and othercountries

Business Objects and the Business Objects logo BusinessObjects CrystalReports Crystal Decisions Web Intelligence Xcelsius and other Business Objectsproducts and services mentioned herein as well as their respective logos aretrademarks or registered trademarks of Business Objects Software Ltd BusinessObjects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and otherSybase products and services mentioned herein as well as their respective logosare trademarks or registered trademarks of Sybase Inc Sybase is an SAPcompanyAll other product and service names mentioned are the trademarks of theirrespective companies Data contained in this document serves informationalpurposes only National product specifications may varyThe information in this document is proprietary to SAP No part of this documentmay be reproduced copied or transmitted in any form or for any purpose withoutthe express prior written permission of SAP AGThis document is a preliminary version and not subject to your license agreementor any other agreement with SAP This document contains only intendedstrategies developments and functionalities of the SAPreg product and is notintended to be binding upon SAP to any particular course of business productstrategy andor development Please note that this document is subject tochange and may be changed by SAP at any time without noticeSAP assumes no responsibility for errors or omissions in this document SAP doesnot warrant the accuracy or completeness of the information text graphics linksor other items contained within this material This document is provided without awarranty of any kind either express or implied including but not limited to theimplied warranties of merchantability fitness for a particular purpose ornon-infringementSAP shall have no liability for damages of any kind including without limitationdirect special indirect or consequential damages that may result from the use ofthese materials This limitation shall not apply in cases of intent or grossnegligenceThe statutory liability for personal injury and defective products is not affectedSAP has no control over the information that you may access through the use ofhot links contained in these materials and does not endorse your use ofthird-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages


SAP and SAP PampI ACES

Process-aware Information Systems

The Ideal World

The Real World

Cloud Integration

System Complexity and Adoption Rate

Security Trust and Compliance of Business Processes

Research Directions and Challenges

Conclusion

Abstract

Enterprise systems in general and process aware systems in particular arestoring and processing the most critical assets of a company To protectthese assets such systems need to implement a multitude of securityproperties Moreover such systems need often to comply to variouscompliance regulationsIn this talk we briefly discuss challenges of implementing large-scalesystems based on workflow-management in general and in particular thein the context of cloud based systems We will put a particular focus onsecurity requirements and discuss the gab between the ideal world ofprocess-aware information systems and the real world We conclude ourpresentation by discussing several research challenges in the area ofverifiable secure process aware information systems

copy 2014 SAP AG All Rights Reserved of 33

Agenda





5 Conclusion


Agenda





5 Conclusion


Die SAP AG











Mission

Architecture

Communication

Education

Security





Goals



PampI

ACES

Chief Product

Security Officer

Prod Security

Data Protect

MampA

Product Security

Response

Product Security

Communication

Product Security


Technology

Advisory Office

Training amp

Education COO


My Background






Agenda





5 Conclusion






Real World Modeling

Process Models

bull BPMNBPEL


bull Custom Coding

bull Legacy Systems


Security






Backend



bull Legacy Systems



Frontend



bull Mobile clients





Source-to-Pay

Recruit-to-Retire








loud

Solu

tions

Cloud + CRM

SAP CRM

SAP ERP

Two-tier CRM

Headquarters

Subsidiaries

On-

prem

ise

Solu

tions


Cloud for Customer

Cloud forCustomer

Cloud forCustomer

SAP CRM

SAP ERP

Cloud + ERP

SAP ERP

Cloud for Customer

Cloud + 3rd Party

3rd Party System

Cloud for Customer







SAP ERP FI

On-Premise

Cloud

Aetna

Other FI Systems

Kronos

Aon Hewitt

JP MorganMetlife


Other FI Systems




Directory



Third-party ERP





SAP Cloudfor Sales


BW

On-Premise

Cloud

Third-Party ERP

SAP ERP (2)



bull Increase in

bull code size








0

20000

40000

60000

80000

100000

120000

1998 2004 2012



0

20000

40000

60000

80000

100000

120000

140000













Rapid deployment



LOB IT

Line of business


Agenda





5 Conclusion




Access Control

Goal


The core



On top



bull Delegation



Goal


of data (and goods)

The core

bull Need-to-Know

bull Fingerprints

bull Encryption

bull Sensors





bull HIPAA










Agenda





5 Conclusion












security req


Research Challenges











Agenda





5 Conclusion


Conclusion








Thank you




Bibliography I











Bibliography II














The Ideal World

The Real World

Cloud Integration




Conclusion

Agenda





5 Conclusion


Agenda





5 Conclusion


Die SAP AG











Mission

Architecture

Communication

Education

Security





Goals



PampI

ACES

Chief Product

Security Officer

Prod Security

Data Protect

MampA

Product Security

Response

Product Security

Communication

Product Security


Technology

Advisory Office

Training amp

Education COO


My Background






Agenda





5 Conclusion






Real World Modeling

Process Models

bull BPMNBPEL


bull Custom Coding

bull Legacy Systems


Security






Backend



bull Legacy Systems



Frontend



bull Mobile clients





Source-to-Pay

Recruit-to-Retire








loud

Solu

tions

Cloud + CRM

SAP CRM

SAP ERP

Two-tier CRM

Headquarters

Subsidiaries

On-

prem

ise

Solu

tions


Cloud for Customer

Cloud forCustomer

Cloud forCustomer

SAP CRM

SAP ERP

Cloud + ERP

SAP ERP

Cloud for Customer

Cloud + 3rd Party

3rd Party System

Cloud for Customer







SAP ERP FI

On-Premise

Cloud

Aetna

Other FI Systems

Kronos

Aon Hewitt

JP MorganMetlife


Other FI Systems




Directory



Third-party ERP





SAP Cloudfor Sales


BW

On-Premise

Cloud

Third-Party ERP

SAP ERP (2)



bull Increase in

bull code size








0

20000

40000

60000

80000

100000

120000

1998 2004 2012



0

20000

40000

60000

80000

100000

120000

140000













Rapid deployment



LOB IT

Line of business


Agenda





5 Conclusion




Access Control

Goal


The core



On top



bull Delegation



Goal


of data (and goods)

The core

bull Need-to-Know

bull Fingerprints

bull Encryption

bull Sensors





bull HIPAA










Agenda





5 Conclusion












security req


Research Challenges











Agenda





5 Conclusion


Conclusion








Thank you




Bibliography I











Bibliography II














The Ideal World

The Real World

Cloud Integration




Conclusion

Agenda





5 Conclusion


Die SAP AG











Mission

Architecture

Communication

Education

Security





Goals



PampI

ACES

Chief Product

Security Officer

Prod Security

Data Protect

MampA

Product Security

Response

Product Security

Communication

Product Security


Technology

Advisory Office

Training amp

Education COO


My Background






Agenda





5 Conclusion






Real World Modeling

Process Models

bull BPMNBPEL


bull Custom Coding

bull Legacy Systems


Security






Backend



bull Legacy Systems



Frontend



bull Mobile clients





Source-to-Pay

Recruit-to-Retire








loud

Solu

tions

Cloud + CRM

SAP CRM

SAP ERP

Two-tier CRM

Headquarters

Subsidiaries

On-

prem

ise

Solu

tions


Cloud for Customer

Cloud forCustomer

Cloud forCustomer

SAP CRM

SAP ERP

Cloud + ERP

SAP ERP

Cloud for Customer

Cloud + 3rd Party

3rd Party System

Cloud for Customer







SAP ERP FI

On-Premise

Cloud

Aetna

Other FI Systems

Kronos

Aon Hewitt

JP MorganMetlife


Other FI Systems




Directory



Third-party ERP





SAP Cloudfor Sales


BW

On-Premise

Cloud

Third-Party ERP

SAP ERP (2)



bull Increase in

bull code size








0

20000

40000

60000

80000

100000

120000

1998 2004 2012



0

20000

40000

60000

80000

100000

120000

140000













Rapid deployment



LOB IT

Line of business


Agenda





5 Conclusion




Access Control

Goal


The core



On top



bull Delegation



Goal


of data (and goods)

The core

bull Need-to-Know

bull Fingerprints

bull Encryption

bull Sensors





bull HIPAA










Agenda





5 Conclusion












security req


Research Challenges











Agenda





5 Conclusion


Conclusion








Thank you




Bibliography I











Bibliography II














The Ideal World

The Real World

Cloud Integration




Conclusion

Die SAP AG











Mission

Architecture

Communication

Education

Security





Goals



PampI

ACES

Chief Product

Security Officer

Prod Security

Data Protect

MampA

Product Security

Response

Product Security

Communication

Product Security


Technology

Advisory Office

Training amp

Education COO


My Background






Agenda





5 Conclusion






Real World Modeling

Process Models

bull BPMNBPEL


bull Custom Coding

bull Legacy Systems


Security






Backend



bull Legacy Systems



Frontend



bull Mobile clients





Source-to-Pay

Recruit-to-Retire








loud

Solu

tions

Cloud + CRM

SAP CRM

SAP ERP

Two-tier CRM

Headquarters

Subsidiaries

On-

prem

ise

Solu

tions


Cloud for Customer

Cloud forCustomer

Cloud forCustomer

SAP CRM

SAP ERP

Cloud + ERP

SAP ERP

Cloud for Customer

Cloud + 3rd Party

3rd Party System

Cloud for Customer







SAP ERP FI

On-Premise

Cloud

Aetna

Other FI Systems

Kronos

Aon Hewitt

JP MorganMetlife


Other FI Systems




Directory



Third-party ERP





SAP Cloudfor Sales


BW

On-Premise

Cloud

Third-Party ERP

SAP ERP (2)



bull Increase in

bull code size








0

20000

40000

60000

80000

100000

120000

1998 2004 2012



0

20000

40000

60000

80000

100000

120000

140000













Rapid deployment



LOB IT

Line of business


Agenda





5 Conclusion




Access Control

Goal


The core



On top



bull Delegation



Goal


of data (and goods)

The core

bull Need-to-Know

bull Fingerprints

bull Encryption

bull Sensors





bull HIPAA










Agenda





5 Conclusion












security req


Research Challenges











Agenda





5 Conclusion


Conclusion








Thank you




Bibliography I











Bibliography II














The Ideal World

The Real World

Cloud Integration




Conclusion



Mission

Architecture

Communication

Education

Security





Goals



PampI

ACES

Chief Product

Security Officer

Prod Security

Data Protect

MampA

Product Security

Response

Product Security

Communication

Product Security


Technology

Advisory Office

Training amp

Education COO


My Background






Agenda





5 Conclusion






Real World Modeling

Process Models

bull BPMNBPEL


bull Custom Coding

bull Legacy Systems


Security






Backend



bull Legacy Systems



Frontend



bull Mobile clients





Source-to-Pay

Recruit-to-Retire








loud

Solu

tions

Cloud + CRM

SAP CRM

SAP ERP

Two-tier CRM

Headquarters

Subsidiaries

On-

prem

ise

Solu

tions


Cloud for Customer

Cloud forCustomer

Cloud forCustomer

SAP CRM

SAP ERP

Cloud + ERP

SAP ERP

Cloud for Customer

Cloud + 3rd Party

3rd Party System

Cloud for Customer







SAP ERP FI

On-Premise

Cloud

Aetna

Other FI Systems

Kronos

Aon Hewitt

JP MorganMetlife


Other FI Systems




Directory



Third-party ERP





SAP Cloudfor Sales


BW

On-Premise

Cloud

Third-Party ERP

SAP ERP (2)



bull Increase in

bull code size








0

20000

40000

60000

80000

100000

120000

1998 2004 2012



0

20000

40000

60000

80000

100000

120000

140000













Rapid deployment



LOB IT

Line of business


Agenda





5 Conclusion




Access Control

Goal


The core



On top



bull Delegation



Goal


of data (and goods)

The core

bull Need-to-Know

bull Fingerprints

bull Encryption

bull Sensors





bull HIPAA










Agenda





5 Conclusion












security req


Research Challenges











Agenda





5 Conclusion


Conclusion








Thank you




Bibliography I











Bibliography II














The Ideal World

The Real World

Cloud Integration




Conclusion


PampI

ACES

Chief Product

Security Officer

Prod Security

Data Protect

MampA

Product Security

Response

Product Security

Communication

Product Security


Technology

Advisory Office

Training amp

Education COO


My Background






Agenda





5 Conclusion






Real World Modeling

Process Models

bull BPMNBPEL


bull Custom Coding

bull Legacy Systems


Security






Backend



bull Legacy Systems



Frontend



bull Mobile clients





Source-to-Pay

Recruit-to-Retire








loud

Solu

tions

Cloud + CRM

SAP CRM

SAP ERP

Two-tier CRM

Headquarters

Subsidiaries

On-

prem

ise

Solu

tions


Cloud for Customer

Cloud forCustomer

Cloud forCustomer

SAP CRM

SAP ERP

Cloud + ERP

SAP ERP

Cloud for Customer

Cloud + 3rd Party

3rd Party System

Cloud for Customer







SAP ERP FI

On-Premise

Cloud

Aetna

Other FI Systems

Kronos

Aon Hewitt

JP MorganMetlife


Other FI Systems




Directory



Third-party ERP





SAP Cloudfor Sales


BW

On-Premise

Cloud

Third-Party ERP

SAP ERP (2)



bull Increase in

bull code size








0

20000

40000

60000

80000

100000

120000

1998 2004 2012



0

20000

40000

60000

80000

100000

120000

140000













Rapid deployment



LOB IT

Line of business


Agenda





5 Conclusion




Access Control

Goal


The core



On top



bull Delegation



Goal


of data (and goods)

The core

bull Need-to-Know

bull Fingerprints

bull Encryption

bull Sensors





bull HIPAA










Agenda





5 Conclusion












security req


Research Challenges











Agenda





5 Conclusion


Conclusion








Thank you




Bibliography I











Bibliography II














The Ideal World

The Real World

Cloud Integration




Conclusion

My Background






Agenda





5 Conclusion






Real World Modeling

Process Models

bull BPMNBPEL


bull Custom Coding

bull Legacy Systems


Security






Backend



bull Legacy Systems



Frontend



bull Mobile clients





Source-to-Pay

Recruit-to-Retire








loud

Solu

tions

Cloud + CRM

SAP CRM

SAP ERP

Two-tier CRM

Headquarters

Subsidiaries

On-

prem

ise

Solu

tions


Cloud for Customer

Cloud forCustomer

Cloud forCustomer

SAP CRM

SAP ERP

Cloud + ERP

SAP ERP

Cloud for Customer

Cloud + 3rd Party

3rd Party System

Cloud for Customer







SAP ERP FI

On-Premise

Cloud

Aetna

Other FI Systems

Kronos

Aon Hewitt

JP MorganMetlife


Other FI Systems




Directory



Third-party ERP





SAP Cloudfor Sales


BW

On-Premise

Cloud

Third-Party ERP

SAP ERP (2)



bull Increase in

bull code size








0

20000

40000

60000

80000

100000

120000

1998 2004 2012



0

20000

40000

60000

80000

100000

120000

140000













Rapid deployment



LOB IT

Line of business


Agenda





5 Conclusion




Access Control

Goal


The core



On top



bull Delegation



Goal


of data (and goods)

The core

bull Need-to-Know

bull Fingerprints

bull Encryption

bull Sensors





bull HIPAA










Agenda





5 Conclusion












security req


Research Challenges











Agenda





5 Conclusion


Conclusion








Thank you




Bibliography I











Bibliography II














The Ideal World

The Real World

Cloud Integration




Conclusion

Agenda





5 Conclusion






Real World Modeling

Process Models

bull BPMNBPEL


bull Custom Coding

bull Legacy Systems


Security






Backend



bull Legacy Systems



Frontend



bull Mobile clients





Source-to-Pay

Recruit-to-Retire








loud

Solu

tions

Cloud + CRM

SAP CRM

SAP ERP

Two-tier CRM

Headquarters

Subsidiaries

On-

prem

ise

Solu

tions


Cloud for Customer

Cloud forCustomer

Cloud forCustomer

SAP CRM

SAP ERP

Cloud + ERP

SAP ERP

Cloud for Customer

Cloud + 3rd Party

3rd Party System

Cloud for Customer







SAP ERP FI

On-Premise

Cloud

Aetna

Other FI Systems

Kronos

Aon Hewitt

JP MorganMetlife


Other FI Systems




Directory



Third-party ERP





SAP Cloudfor Sales


BW

On-Premise

Cloud

Third-Party ERP

SAP ERP (2)



bull Increase in

bull code size








0

20000

40000

60000

80000

100000

120000

1998 2004 2012



0

20000

40000

60000

80000

100000

120000

140000













Rapid deployment



LOB IT

Line of business


Agenda





5 Conclusion




Access Control

Goal


The core



On top



bull Delegation



Goal


of data (and goods)

The core

bull Need-to-Know

bull Fingerprints

bull Encryption

bull Sensors





bull HIPAA










Agenda





5 Conclusion












security req


Research Challenges











Agenda





5 Conclusion


Conclusion








Thank you




Bibliography I











Bibliography II














The Ideal World

The Real World

Cloud Integration




Conclusion





Real World Modeling

Process Models

bull BPMNBPEL


bull Custom Coding

bull Legacy Systems


Security






Backend



bull Legacy Systems



Frontend



bull Mobile clients





Source-to-Pay

Recruit-to-Retire








loud

Solu

tions

Cloud + CRM

SAP CRM

SAP ERP

Two-tier CRM

Headquarters

Subsidiaries

On-

prem

ise

Solu

tions


Cloud for Customer

Cloud forCustomer

Cloud forCustomer

SAP CRM

SAP ERP

Cloud + ERP

SAP ERP

Cloud for Customer

Cloud + 3rd Party

3rd Party System

Cloud for Customer







SAP ERP FI

On-Premise

Cloud

Aetna

Other FI Systems

Kronos

Aon Hewitt

JP MorganMetlife


Other FI Systems




Directory



Third-party ERP





SAP Cloudfor Sales


BW

On-Premise

Cloud

Third-Party ERP

SAP ERP (2)



bull Increase in

bull code size








0

20000

40000

60000

80000

100000

120000

1998 2004 2012



0

20000

40000

60000

80000

100000

120000

140000













Rapid deployment



LOB IT

Line of business


Agenda





5 Conclusion




Access Control

Goal


The core



On top



bull Delegation



Goal


of data (and goods)

The core

bull Need-to-Know

bull Fingerprints

bull Encryption

bull Sensors





bull HIPAA










Agenda





5 Conclusion












security req


Research Challenges











Agenda





5 Conclusion


Conclusion








Thank you




Bibliography I











Bibliography II














The Ideal World

The Real World

Cloud Integration




Conclusion


Backend



bull Legacy Systems



Frontend



bull Mobile clients





Source-to-Pay

Recruit-to-Retire








loud

Solu

tions

Cloud + CRM

SAP CRM

SAP ERP

Two-tier CRM

Headquarters

Subsidiaries

On-

prem

ise

Solu

tions


Cloud for Customer

Cloud forCustomer

Cloud forCustomer

SAP CRM

SAP ERP

Cloud + ERP

SAP ERP

Cloud for Customer

Cloud + 3rd Party

3rd Party System

Cloud for Customer







SAP ERP FI

On-Premise

Cloud

Aetna

Other FI Systems

Kronos

Aon Hewitt

JP MorganMetlife


Other FI Systems




Directory



Third-party ERP





SAP Cloudfor Sales


BW

On-Premise

Cloud

Third-Party ERP

SAP ERP (2)



bull Increase in

bull code size








0

20000

40000

60000

80000

100000

120000

1998 2004 2012



0

20000

40000

60000

80000

100000

120000

140000













Rapid deployment



LOB IT

Line of business


Agenda





5 Conclusion




Access Control

Goal


The core



On top



bull Delegation



Goal


of data (and goods)

The core

bull Need-to-Know

bull Fingerprints

bull Encryption

bull Sensors





bull HIPAA










Agenda





5 Conclusion












security req


Research Challenges











Agenda





5 Conclusion


Conclusion








Thank you




Bibliography I











Bibliography II














The Ideal World

The Real World

Cloud Integration




Conclusion



Source-to-Pay

Recruit-to-Retire








loud

Solu

tions

Cloud + CRM

SAP CRM

SAP ERP

Two-tier CRM

Headquarters

Subsidiaries

On-

prem

ise

Solu

tions


Cloud for Customer

Cloud forCustomer

Cloud forCustomer

SAP CRM

SAP ERP

Cloud + ERP

SAP ERP

Cloud for Customer

Cloud + 3rd Party

3rd Party System

Cloud for Customer







SAP ERP FI

On-Premise

Cloud

Aetna

Other FI Systems

Kronos

Aon Hewitt

JP MorganMetlife


Other FI Systems




Directory



Third-party ERP





SAP Cloudfor Sales


BW

On-Premise

Cloud

Third-Party ERP

SAP ERP (2)



bull Increase in

bull code size








0

20000

40000

60000

80000

100000

120000

1998 2004 2012



0

20000

40000

60000

80000

100000

120000

140000













Rapid deployment



LOB IT

Line of business


Agenda





5 Conclusion




Access Control

Goal


The core



On top



bull Delegation



Goal


of data (and goods)

The core

bull Need-to-Know

bull Fingerprints

bull Encryption

bull Sensors





bull HIPAA










Agenda





5 Conclusion












security req


Research Challenges











Agenda





5 Conclusion


Conclusion








Thank you




Bibliography I











Bibliography II














The Ideal World

The Real World

Cloud Integration




Conclusion


loud

Solu

tions

Cloud + CRM

SAP CRM

SAP ERP

Two-tier CRM

Headquarters

Subsidiaries

On-

prem

ise

Solu

tions


Cloud for Customer

Cloud forCustomer

Cloud forCustomer

SAP CRM

SAP ERP

Cloud + ERP

SAP ERP

Cloud for Customer

Cloud + 3rd Party

3rd Party System

Cloud for Customer







SAP ERP FI

On-Premise

Cloud

Aetna

Other FI Systems

Kronos

Aon Hewitt

JP MorganMetlife


Other FI Systems




Directory



Third-party ERP





SAP Cloudfor Sales


BW

On-Premise

Cloud

Third-Party ERP

SAP ERP (2)



bull Increase in

bull code size








0

20000

40000

60000

80000

100000

120000

1998 2004 2012



0

20000

40000

60000

80000

100000

120000

140000













Rapid deployment



LOB IT

Line of business


Agenda





5 Conclusion




Access Control

Goal


The core



On top



bull Delegation



Goal


of data (and goods)

The core

bull Need-to-Know

bull Fingerprints

bull Encryption

bull Sensors





bull HIPAA










Agenda





5 Conclusion












security req


Research Challenges











Agenda





5 Conclusion


Conclusion








Thank you




Bibliography I











Bibliography II














The Ideal World

The Real World

Cloud Integration




Conclusion






SAP ERP FI

On-Premise

Cloud

Aetna

Other FI Systems

Kronos

Aon Hewitt

JP MorganMetlife


Other FI Systems




Directory



Third-party ERP





SAP Cloudfor Sales


BW

On-Premise

Cloud

Third-Party ERP

SAP ERP (2)



bull Increase in

bull code size








0

20000

40000

60000

80000

100000

120000

1998 2004 2012



0

20000

40000

60000

80000

100000

120000

140000













Rapid deployment



LOB IT

Line of business


Agenda





5 Conclusion




Access Control

Goal


The core



On top



bull Delegation



Goal


of data (and goods)

The core

bull Need-to-Know

bull Fingerprints

bull Encryption

bull Sensors





bull HIPAA










Agenda





5 Conclusion












security req


Research Challenges











Agenda





5 Conclusion


Conclusion








Thank you




Bibliography I











Bibliography II














The Ideal World

The Real World

Cloud Integration




Conclusion


Third-party ERP





SAP Cloudfor Sales


BW

On-Premise

Cloud

Third-Party ERP

SAP ERP (2)



bull Increase in

bull code size








0

20000

40000

60000

80000

100000

120000

1998 2004 2012



0

20000

40000

60000

80000

100000

120000

140000













Rapid deployment



LOB IT

Line of business


Agenda





5 Conclusion




Access Control

Goal


The core



On top



bull Delegation



Goal


of data (and goods)

The core

bull Need-to-Know

bull Fingerprints

bull Encryption

bull Sensors





bull HIPAA










Agenda





5 Conclusion












security req


Research Challenges











Agenda





5 Conclusion


Conclusion








Thank you




Bibliography I











Bibliography II














The Ideal World

The Real World

Cloud Integration




Conclusion


bull Increase in

bull code size








0

20000

40000

60000

80000

100000

120000

1998 2004 2012



0

20000

40000

60000

80000

100000

120000

140000













Rapid deployment



LOB IT

Line of business


Agenda





5 Conclusion




Access Control

Goal


The core



On top



bull Delegation



Goal


of data (and goods)

The core

bull Need-to-Know

bull Fingerprints

bull Encryption

bull Sensors





bull HIPAA










Agenda





5 Conclusion












security req


Research Challenges











Agenda





5 Conclusion


Conclusion








Thank you




Bibliography I











Bibliography II














The Ideal World

The Real World

Cloud Integration




Conclusion




0

20000

40000

60000

80000

100000

120000

1998 2004 2012



0

20000

40000

60000

80000

100000

120000

140000













Rapid deployment



LOB IT

Line of business


Agenda





5 Conclusion




Access Control

Goal


The core



On top



bull Delegation



Goal


of data (and goods)

The core

bull Need-to-Know

bull Fingerprints

bull Encryption

bull Sensors





bull HIPAA










Agenda





5 Conclusion












security req


Research Challenges











Agenda





5 Conclusion


Conclusion








Thank you




Bibliography I











Bibliography II














The Ideal World

The Real World

Cloud Integration




Conclusion


0

20000

40000

60000

80000

100000

120000

140000













Rapid deployment



LOB IT

Line of business


Agenda





5 Conclusion




Access Control

Goal


The core



On top



bull Delegation



Goal


of data (and goods)

The core

bull Need-to-Know

bull Fingerprints

bull Encryption

bull Sensors





bull HIPAA










Agenda





5 Conclusion












security req


Research Challenges











Agenda





5 Conclusion


Conclusion








Thank you




Bibliography I











Bibliography II














The Ideal World

The Real World

Cloud Integration




Conclusion







Rapid deployment



LOB IT

Line of business


Agenda





5 Conclusion




Access Control

Goal


The core



On top



bull Delegation



Goal


of data (and goods)

The core

bull Need-to-Know

bull Fingerprints

bull Encryption

bull Sensors





bull HIPAA










Agenda





5 Conclusion












security req


Research Challenges











Agenda





5 Conclusion


Conclusion








Thank you




Bibliography I











Bibliography II














The Ideal World

The Real World

Cloud Integration




Conclusion

Agenda





5 Conclusion




Access Control

Goal


The core



On top



bull Delegation



Goal


of data (and goods)

The core

bull Need-to-Know

bull Fingerprints

bull Encryption

bull Sensors





bull HIPAA










Agenda





5 Conclusion












security req


Research Challenges











Agenda





5 Conclusion


Conclusion








Thank you




Bibliography I











Bibliography II














The Ideal World

The Real World

Cloud Integration




Conclusion



Access Control

Goal


The core



On top



bull Delegation



Goal


of data (and goods)

The core

bull Need-to-Know

bull Fingerprints

bull Encryption

bull Sensors





bull HIPAA










Agenda





5 Conclusion












security req


Research Challenges











Agenda





5 Conclusion


Conclusion








Thank you




Bibliography I











Bibliography II














The Ideal World

The Real World

Cloud Integration




Conclusion


Goal


of data (and goods)

The core

bull Need-to-Know

bull Fingerprints

bull Encryption

bull Sensors





bull HIPAA










Agenda





5 Conclusion












security req


Research Challenges











Agenda





5 Conclusion


Conclusion








Thank you




Bibliography I











Bibliography II














The Ideal World

The Real World

Cloud Integration




Conclusion




bull HIPAA










Agenda





5 Conclusion












security req


Research Challenges











Agenda





5 Conclusion


Conclusion








Thank you




Bibliography I











Bibliography II














The Ideal World

The Real World

Cloud Integration




Conclusion

Agenda





5 Conclusion












security req


Research Challenges











Agenda





5 Conclusion


Conclusion








Thank you




Bibliography I











Bibliography II














The Ideal World

The Real World

Cloud Integration




Conclusion











security req


Research Challenges











Agenda





5 Conclusion


Conclusion








Thank you




Bibliography I











Bibliography II














The Ideal World

The Real World

Cloud Integration




Conclusion

Research Challenges











Agenda





5 Conclusion


Conclusion








Thank you




Bibliography I











Bibliography II














The Ideal World

The Real World

Cloud Integration




Conclusion

Agenda





5 Conclusion


Conclusion








Thank you




Bibliography I











Bibliography II














The Ideal World

The Real World

Cloud Integration




Conclusion

Conclusion








Thank you




Bibliography I











Bibliography II














The Ideal World

The Real World

Cloud Integration




Conclusion

Thank you




Bibliography I











Bibliography II














The Ideal World

The Real World

Cloud Integration




Conclusion

Bibliography I











Bibliography II














The Ideal World

The Real World

Cloud Integration




Conclusion

Bibliography II














The Ideal World

The Real World

Cloud Integration




Conclusion







The Ideal World

The Real World

Cloud Integration




Conclusion

BPM and Cloud Integration: A New Driver for Research in Security in Business Processes

Technology

Transcript of BPM and Cloud Integration: A New Driver for Research in Security in Business Processes