BPM and Cloud Integration: A New Driver for Research in Security in Business Processes

Achim D. Brucker (achim.brucker@sap.com)
SAP AG, P&I ACES, Vincenz-Priessnitz-Str. 1, 76131 Karlsruhe, Germany

Guest Lecture "Konzepte und Anwendung von Workflowsystemen", Karlsruhe Institute of Technology (KIT)
13.02.2014
Abstract

Enterprise systems in general, and process-aware systems in particular, store and process the most critical assets of a company. To protect these assets, such systems need to implement a multitude of security properties. Moreover, such systems often need to comply with various compliance regulations.

In this talk we briefly discuss the challenges of implementing large-scale systems based on workflow management in general, and in particular in the context of cloud-based systems. We put a particular focus on security requirements and discuss the gap between the ideal world of process-aware information systems and the real world. We conclude the presentation by discussing several research challenges in the area of verifiably secure process-aware information systems.

© 2014 SAP AG. All Rights Reserved.
Agenda

1. SAP and SAP P&I ACES
2. Process-aware Information Systems
   - The Ideal World
   - The Real World
   - Cloud Integration
   - System Complexity and Adoption Rate
3. Security, Trust, and Compliance of Business Processes
4. Research Directions and Challenges
5. Conclusion
Die SAP AG

• Leader in business software
• Vendor of process-aware systems
• More than 25 industries
• 63% of the world's transaction revenue touches an SAP system
• 64,422 employees worldwide
• Headquarters: Walldorf (and St. Leon-Rot)
• Location in Karlsruhe: ca. 500 m from here
SAP P&I ACES: Mission

Mission:
• Orchestrating the architecture definition and communicating the results consistently
• Building the best educated development organization in- and outside the company
• Making security a key differentiator for choosing SAP

Goals:
• Architecture: lead the way we jointly create and manage the architecture of our products
• Communication: roll out this architecture consistently to our field colleagues, customers and partners
• Education: drive education for developers internally & externally; ensure that it is fun to learn SAP; renew education concepts and technology
• Security: drive product security; transform it to become a differentiator for SAP
SAP P&I ACES: Organizational Structure

(Organization chart) P&I ACES, led by the Chief Product Security Officer, with the units: Product Security & Data Protection; M&A; Product Security Response; Product Security Communication; Product Security Research & Code Analysis; Technology Advisory Office; Training & Education; COO.
My Background

• Senior Researcher at SAP AG, Product Security Research, Code Analysis
• Background: security, formal methods, software engineering
• Current work areas:
  • Security in business processes
  • Static code analysis (among others, for JavaScript)
  • Security testing
Ideal World: Modeling

(figure only)

Ideal World: Deployment and Execution

(figure only)
Real World: Modeling

Process models:
• BPMN, BPEL
• Configurable transactions
• Custom coding
• Legacy systems
• External services

Security:
• Each system (OS, DB, IS) has its
  • own security infrastructure
  • own logging infrastructure
• Management solutions try to bridge this gap
Real World: Deployment and Execution

Backend:
• AS Java, AS ABAP
• Business Process Engine
• Legacy systems
• External services
• Sensors and product lines

Frontend:
• Desktop clients
• Web-based clients
• Mobile clients
• Client-side compositions (e.g., mash-ups)
End-to-End Business Process Integration

End-to-end business processes: Prospect-to-Promoter, Source-to-Pay, Recruit-to-Retire

• Customers have complex on-premise landscapes.
• As customers adopt cloud solutions, hybrid landscapes will become the norm.
• Integration across the boundaries of cloud and on-premise is a must to prevent application silos.
• As companies adopt cloud, real-time end-to-end business process integration is critical.
What the Future Might Look Like

(Figure: pre-built and maintained integrations (iFlows) connecting cloud solutions with on-premise solutions, in four scenarios:)
• Cloud + CRM: Cloud for Customer with SAP CRM and SAP ERP
• Two-tier CRM: Cloud for Customer at headquarters and subsidiaries, with SAP CRM and SAP ERP
• Cloud + ERP: Cloud for Customer with SAP ERP
• Cloud + 3rd Party: Cloud for Customer with a 3rd-party system
Customer Example (1/2)

• Large manufacturing company with SAP ERP, multiple legacy HR and other financial applications worldwide
• Migration from legacy HR system
• >120 third-party interfaces; integration of third-party cloud solutions to Employee Central (EC) and EC Payroll
• 100% of SAP-to-SAP integrations and 30% of all integrations covered by prepackaged integration flows (iFlows)

(Figure: on-premise: SAP ERP FI, other FI systems, Active Directory; cloud: Employee Central and Payroll (employee/org structure, financial posting) with third-party systems Aetna, Kronos, Aon Hewitt, JP Morgan, Metlife, ...)
Customer Example (2/2)

• Industrial manufacturer with multiple subsidiaries on different SAP ERP clients as well as third-party ERP systems
• Rapid implementation with small IT team
• Delivered improved usability for field sales and collaboration between field sales and back office
• Integration of accounts, materials, sales quotes and sales orders

(Figure: on-premise: SAP ERP (1), SAP ERP (2), third-party ERP, BW; cloud: SAP Cloud for Sales; field sales including mobility)
Evolution of Source Code

• Increase in
  • code size
  • code complexity
  • number of products
  • product versions
Support Lifecycle (Maintenance)

(Chart: number of systems and number of customers under maintenance, 1998 to 2012; y-axis 0 to 140,000)

Example (maintenance cycles):

Product              Release   EOL    Extended EOL
Windows XP           2001      2009   2014
Windows 8            2012      2018   2023
Red Hat Ent. Linux   2012      2020   2023
SAP ERP              2004      2020   > 2024

Maintenance fees: typically 20% of the original price.
Customer Requirements

Requirements of the line of business (LOB) and of IT:
• Real-time business process integration
• End-to-end monitoring and support
• Single source of truth and master data synchronization
• Data security and compliance
• Integrated user experience
• Rapid deployment
• Support for complex landscapes
• Choice of integration technology
Security in Business Processes: An Example

(figure only)
Access Control

Goal:
• Control access to tasks and resources (data)

The core:
• Usually: users, roles, access rights
• In special cases: data labeling

On top:
• Separation of duty
• Binding of duty
• Delegation
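To make the three layers of this slide concrete, the following Python is an added example; it is not code from the lecture or from any SAP product. The purchase-order tasks, the users alice, bob, carol and dave, the role assignments and the execution trace are all constructed. An RBAC core decides who may execute which task; separation of duty (SoD) and binding of duty (BoD) are evaluated per process instance on top of it; and delegation lets a role holder hand one task of one instance to another user. The design point worth noting is that a delegated execution makes both the delegatee and the delegator accountable for SoD, so delegation cannot be used to circumvent a separation constraint, whereas binding of duty binds the actual performer.

```python
"""Process-level access control: RBAC core plus separation of duty (SoD),
binding of duty (BoD) and delegation, checked per process instance.

Added example for illustration; the purchase-order process, roles, users
and trace are constructed and not taken from the slides or any SAP product."""
from dataclasses import dataclass, field

# RBAC core: which roles a user holds, which tasks a role may execute.
USER_ROLES = {
    "alice": {"clerk"},
    "bob": {"clerk", "manager"},
    "carol": {"manager"},
    "dave": {"auditor"},
}
ROLE_TASKS = {
    "clerk": {"create_order", "receive_goods"},
    "manager": {"approve_order", "release_payment"},
    "auditor": {"review_order"},
}
# Constraints "on top" of RBAC, evaluated within one process instance.
SOD = [("create_order", "approve_order"), ("approve_order", "release_payment")]
BOD = [("create_order", "receive_goods")]


@dataclass
class Instance:
    instance_id: str
    # task -> (performer, delegator or None)
    performed: dict = field(default_factory=dict)
    # (delegatee, task) -> delegator; scoped to one task of one instance
    delegations: dict = field(default_factory=dict)


def role_permits(user, task):
    return any(task in ROLE_TASKS[r] for r in USER_ROLES.get(user, set()))


def _partners(task, pairs):
    """Tasks that are constrained together with `task` by the pair list."""
    return [b if task == a else a for a, b in pairs if task in (a, b)]


def _accountable(performer, delegator):
    # Delegatee and delegator both count for SoD, so delegation is not a
    # way around a separation constraint.
    return {performer} | ({delegator} if delegator else set())


def authorize(inst, task, user):
    """Decide whether `user` may execute `task` in `inst`; returns (allowed, reason)."""
    delegator = inst.delegations.get((user, task))
    if not role_permits(user, task) and not (delegator and role_permits(delegator, task)):
        return False, f"{user} holds no role or delegation for {task}"
    for other in _partners(task, SOD):
        if other in inst.performed:
            clash = _accountable(*inst.performed[other]) & _accountable(user, delegator)
            if clash:
                return False, f"SoD: {sorted(clash)[0]} is already accountable for {other}"
    for other in _partners(task, BOD):
        if other in inst.performed and inst.performed[other][0] != user:
            return False, f"BoD: {task} must be performed by {inst.performed[other][0]}"
    return True, "ok"


def execute(inst, task, user):
    allowed, reason = authorize(inst, task, user)
    if allowed:
        inst.performed[task] = (user, inst.delegations.get((user, task)))
    return allowed, reason


def delegate(inst, delegator, delegatee, task):
    """A delegation is only valid if the delegator could execute the task itself."""
    if not role_permits(delegator, task):
        return False, f"{delegator} cannot delegate {task}: no role for it"
    inst.delegations[(delegatee, task)] = delegator
    return True, "ok"


def run_demo():
    """Replay a constructed trace; returns [(task, user, allowed, reason), ...]."""
    inst = Instance("PO-4711")  # constructed instance id
    trace = [
        ("create_order", "alice"),   # clerk: allowed
        ("approve_order", "alice"),  # no manager role: denied
        ("approve_order", "bob"),    # manager who did not create: allowed
        ("release_payment", "bob"),  # SoD with approve_order: denied
    ]
    results = [(t, u, *execute(inst, t, u)) for t, u in trace]
    # carol (manager) delegates the payment release of this instance to dave.
    delegate(inst, "carol", "dave", "release_payment")
    results.append(("release_payment", "dave", *execute(inst, "release_payment", "dave")))
    results.append(("receive_goods", "bob", *execute(inst, "receive_goods", "bob")))      # BoD: denied
    results.append(("receive_goods", "alice", *execute(inst, "receive_goods", "alice")))  # BoD: allowed
    return results


if __name__ == "__main__":
    for task, user, allowed, reason in run_demo():
        print(f"{task:16} {user:6} {'ALLOW' if allowed else 'DENY':5} {reason}")
```

Running the module prints one decision per trace step with its reason; the same `authorize` function can be called from a process engine before a task is started, or replayed over a recorded trace to audit an instance after the fact.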
Protecting Data (and Goods)

Goal:
• Ensure
  • confidentiality
  • integrity (safety)
  of data (and goods)

The core:
• Need-to-know
• Fingerprints
• Encryption
• Sensors
Compliance and Additional Requirements

Many regulated markets:
• Basel II/III, SoX, PCI
• HIPAA

Many customer-specific regulations:
• Own governance to mitigate risks
• Own business code of conduct
• Fraud detection/prevention
• Non-observability

Customers are individually audited:
• No "one certificate fits all" solution

Security should not hinder business.
Our Research Over the Last Decade

Access control for processes:
• RBAC-like models
• Delegation models
• Break-(the)-glass models

Model-driven security:
• Modeling of security
• Generation of implementation/configuration
• Monitoring based on models

Process-level verification:
• Compliance with the security specification
• Consistency of security configurations

Implementation-level verification:
• Compliance of the implementation with process-level security requirements
Research Challenges

Adaptability:
• How to extend systems safely?
• Integration of legacy systems

Auditability:
• Coherent audit across providers/systems
• Reduction of audit costs

Cloud (SaaS):
• How to manage decentralized systems?
• How to capture the behavior of the composition?
• Who is the attacker?

Process level vs. technical levels:
• Security is more than CIA
• Ensuring secure implementation
Conclusion

"The most interesting challenges are still ahead of us."

• Real systems are large and complex:
  • many programming languages or frameworks
  • many security technologies
  • highly distributed
  • implement business processes in many different ways
• Much research is done on the process level
• We now need to bring the
  • process level
  • implementation level
  closer together to provide end-to-end security
• Cloud solutions create new challenges:
  • data protection across different providers
  • new attacker models
Thank you

Interested in an internship/thesis at SAP?
• achim.brucker@sap.com
• www.sap.com/jobs and search for location "Karlsruhe" or "student"
Bibliography

Wihem Arsac, Luca Compagna, Giancarlo Pellegrino, and Serena Elisa Ponta. Security validation of business processes via model-checking. In Úlfar Erlingsson, Roel Wieringa, and Nicola Zannone, editors, ESSoS, volume 6542 of Lecture Notes in Computer Science, pages 29–42. Springer-Verlag, Heidelberg, 2011.

Achim D. Brucker and Isabelle Hang. Secure and compliant implementation of business process-driven systems. In Marcello La Rosa and Pnina Soffer, editors, Joint Workshop on Security in Business Processes (SBP), volume 132 of Lecture Notes in Business Information Processing (LNBIP), pages 662–674. Springer-Verlag, 2012.

Achim D. Brucker, Isabelle Hang, Gero Lückemeyer, and Raj Ruparel. SecureBPMN: Modeling and enforcing access control requirements in business processes. In ACM Symposium on Access Control Models and Technologies (SACMAT), pages 123–126. ACM Press, 2012.

Luca Compagna, Pierre Guilleminot, and Achim D. Brucker. Business process compliance via security validation as a service. In Manuel Oriol and John Penix, editors, IEEE Sixth International Conference on Software Testing, Verification and Validation (ICST), pages 455–462. IEEE Computer Society, 2013.

Christian Wolter, Andreas Schaad, and Christoph Meinel. Deriving XACML policies from business process models. In Mathias Weske, Mohand-Said Hacid, and Claude Godart, editors, WISE Workshops, volume 4832 of Lecture Notes in Computer Science, pages 142–153. Springer-Verlag, 2007.
Abstract
Enterprise systems in general and process aware systems in particular arestoring and processing the most critical assets of a company To protectthese assets such systems need to implement a multitude of securityproperties Moreover such systems need often to comply to variouscompliance regulationsIn this talk we briefly discuss challenges of implementing large-scalesystems based on workflow-management in general and in particular thein the context of cloud based systems We will put a particular focus onsecurity requirements and discuss the gab between the ideal world ofprocess-aware information systems and the real world We conclude ourpresentation by discussing several research challenges in the area ofverifiable secure process aware information systems
copy 2014 SAP AG All Rights Reserved Page 2 of 33
Agenda
1 SAP and SAP PampI ACES
2 Process-aware Information Systems
3 Security Trust and Compliance of Business Processes
4 Research Directions and Challenges
5 Conclusion
copy 2014 SAP AG All Rights Reserved Page 3 of 33
Agenda
1 SAP and SAP PampI ACES
2 Process-aware Information SystemsThe Ideal WorldThe Real WorldCloud IntegrationSystem Complexity and Adoption Rate
3 Security Trust and Compliance of Business Processes
4 Research Directions and Challenges
5 Conclusion
copy 2014 SAP AG All Rights Reserved Page 4 of 33
Die SAP AG
bull Leader in Business Software
bull Vendor process-aware systems
bull More than 25 industries
bull 63 of the worldrsquos transaction revenuetouches an SAP system
bull 64 422 employees worldwide
bull HeadquartersWalldorf (and St Leon-Rot)
bull Location in Karlsruheca 500m from here
copy 2014 SAP AG All Rights Reserved Page 5 of 33
SAP PampI ACES Mission
Orchestrating the architecture definition and communicating the results consistentlyBuilding the best educated development organization in- and outside the companyMaking Security a key differentiator for choosing SAP
Mission
Architecture
Communication
Education
Security
Lead the way we jointly create and manage the architecture of ourproducts
Roll-out this architecture consistently to our field colleagues customersand partners
Drive education for developers internally amp externally - ensure that it is funto learn SAP renew education concepts and technology
Drive Product Security transform it to become a differentiator for SAP
Goals
copy 2014 SAP AG All Rights Reserved Page 6 of 33
SAP PampI ACES Organizational Structure
PampI
ACES
Chief Product
Security Officer
Prod Security
Data Protect
MampA
Product Security
Response
Product Security
Communication
Product Security
Research Code Analysis
Technology
Advisory Office
Training amp
Education COO
copy 2014 SAP AG All Rights Reserved Page 7 of 33
My Background
bull Senior Researcher at SAP AGbull Product Security Researchbull Code Analysis
bull BackgroundSecurity Formal Methods Software Engineering
bull Current work areas
bull Security in business processesbull Static code analysis (ua fuumlr JavaScript)bull Security Testing
copy 2014 SAP AG All Rights Reserved Page 8 of 33
Agenda
1 SAP and SAP PampI ACES
2 Process-aware Information Systems
3 Security Trust and Compliance of Business Processes
4 Research Directions and Challenges
5 Conclusion
copy 2014 SAP AG All Rights Reserved Page 9 of 33
Ideal World Modeling
copy 2014 SAP AG All Rights Reserved Page 10 of 33
Ideal World Deployment and Execution
copy 2014 SAP AG All Rights Reserved Page 11 of 33
Real World Modeling
Process Models
bull BPMNBPEL
bull Configurable transactions
bull Custom Coding
bull Legacy Systems
bull External services
Security
bull Each system (OS DB IS)
bull own security infrastructurebull own logging infrastructure
bull Management solutions try tobridge this gap
copy 2014 SAP AG All Rights Reserved Page 12 of 33
Real World Deployment and Execution
Backend
bull AS Java AS ABAP
bull Business Process Engine
bull Legacy Systems
bull External services
bull Sensors and product lines
Frontend
bull Desktop clients
bull Web-based clients
bull Mobile clients
bull Client side compositions(eg mash-ups)
copy 2014 SAP AG All Rights Reserved Page 13 of 33
End-to-End Business Process Integration
Prospect-to-Promoter
Source-to-Pay
Recruit-to-Retire
End-to-End Business Processes
Customers have complex on-premise landscapes
As customers adopt cloudsolutions hybrid landscapes willbecome a norm
Integration across the boundariesof cloud and on-premise is amust to prevent application silos
As companies adopt cloud real-time end-to-endbusiness process integration is critical
copy 2014 SAP AG All Rights Reserved Page 14 of 33
How the Future Might Look LikeC
loud
Solu
tions
Cloud + CRM
SAP CRM
SAP ERP
Two-tier CRM
Headquarters
Subsidiaries
On-
prem
ise
Solu
tions
Pre-Built and Maintained Integrations (iFlows)
Cloud for Customer
Cloud forCustomer
Cloud forCustomer
SAP CRM
SAP ERP
Cloud + ERP
SAP ERP
Cloud for Customer
Cloud + 3rd Party
3rd Party System
Cloud for Customer
copy 2014 SAP AG All Rights Reserved Page 15 of 33
Customer Example (12)
Large manufacturing company withSAP ERP multiple legacy HR andother financial applications worldwide
Migration from legacy HR system
gt120 third-party interfaces ndashIntegration of third-party cloudsolutions to Employee Central (EC)and EC Payroll
100 of SAP-to-SAP integrations and30 of all integrations covered byprepackaged integration flows(iFlows)
SAP ERP FI
On-Premise
Cloud
Aetna
Other FI Systems
Kronos
Aon Hewitt
JP MorganMetlife
Aetna helliphelliphellip
Other FI Systems
PayrollEmployeeCentral
EmployeeOrg Structure
FinancialPosting Active
Directory
copy 2014 SAP AG All Rights Reserved Page 16 of 33
Customer Example (22)
Third-party ERP
Industrial manufacturer with multiplesubsidiaries on different SAP ERPclients as well as third-party ERPsystems
Rapid implementation with small IT team
Delivered improved usability for fieldsales and collaboration between fieldsales and back office
Integration of accounts materials salesquotes and sales ordersSAP ERP (1) SAP ERP (2)
SAP Cloudfor Sales
Field sales including mobility
BW
On-Premise
Cloud
Third-Party ERP
SAP ERP (2)
copy 2014 SAP AG All Rights Reserved Page 17 of 33
Evolution of Source Code
bull Increase in
bull code size
bull code complexity
bull number of products
bull product versions
copy 2014 SAP AG All Rights Reserved Page 18 of 33
Support Lifecycle (Maintenance)
copy 2014 SAP AG All Rights Reserved Page 19 of 33
Support Lifecycle (Maintenance)
0
20000
40000
60000
80000
100000
120000
1998 2004 2012
No of Systems No of Customerscopy 2014 SAP AG All Rights Reserved Page 19 of 33
Support Lifecycle (Maintenance)
0
20000
40000
60000
80000
100000
120000
140000
1998 2004 2012No of Systems No of Customers
Example (Maintenance Cycles)
Produkt Release EOL ext EOL
Windows XP 2001 2009 2014Windows 8 2012 2018 2023Red Hat Ent Linux 2012 2020 2023SAP ERP 2004 2020 gt 2024
Maintenance fees typical 20 of the original price
copy 2014 SAP AG All Rights Reserved Page 19 of 33
Customer Requirements
Real-time businessprocess integration
End-to-endmonitoring and support
Single source of truth andmaster data synchronization
Data securityand compliance
Integrateduser experience
Rapid deployment
Support for complexlandscapes
Choice of integrationtechnology
LOB IT
Line of business
copy 2014 SAP AG All Rights Reserved Page 20 of 33
Agenda
1 SAP and SAP PampI ACES
2 Process-aware Information Systems
3 Security Trust and Compliance of Business Processes
4 Research Directions and Challenges
5 Conclusion
copy 2014 SAP AG All Rights Reserved Page 21 of 33
Security in Business Processes An Example
copy 2014 SAP AG All Rights Reserved Page 22 of 33
Access Control
Goal
bull Control access toTasks Resources (Data)
The core
bull UsuallyUsers Roles Access Rights
bull In special casesData labeling
On top
bull Separation of Duty
bull Binding of Duty
bull Delegation
copy 2014 SAP AG All Rights Reserved Page 23 of 33
Protecting Data (and Goods)
Goal
bull Ensurebull confidentialitybull integrity (safety)
of data (and goods)
The core
bull Need-to-Know
bull Fingerprints
bull Encryption
bull Sensors
copy 2014 SAP AG All Rights Reserved Page 24 of 33
Compliance and Additional Requirements
Many regulated markets
bull Basel IIIII SoX PCI
bull HIPAA
Many customer-specific regulations
bull Own governance to mitigate risks
bull Own business code of conduct
bull Fraud detectionprevention
bull Non-observability
Customers are individually audited
bull No ldquoone certificate fits allrdquo solution
Security should not hinder business
copy 2014 SAP AG All Rights Reserved Page 25 of 33
Agenda
1 SAP and SAP PampI ACES
2 Process-aware Information Systems
3 Security Trust and Compliance of Business Processes
4 Research Directions and Challenges
5 Conclusion
copy 2014 SAP AG All Rights Reserved Page 26 of 33
Our Research Over the Last Decade
Access Control for Processesbull RBAC-like models
bull Delegation models
bull Break-(the)-glass models
Model-driven Securitybull Modeling of Security
bull Generation of implementation configuration
bull Monitoring based on models
Process-level Verificationbull Compliance to security spec
bull Consistency of security configurations
Implementation-level Verificationbull Compliance of implementation to process level
security req
copy 2014 SAP AG All Rights Reserved Page 27 of 33
Research Challenges
Adaptabilitybull How to extend systems safely
bull Integration of legacy systems
Auditabilitybull Coherent audit across providerssystems
bull Reduction of audit costs
Cloud (SaaS)bull How to manage decentralized systems
bull How to capture behavior of the composition
bull Who is the attacker
Process level vs technical levelsbull Security is more than CIA
bull Ensuring secure implementation
copy 2014 SAP AG All Rights Reserved Page 28 of 33
Agenda
1 SAP and SAP PampI ACES
2 Process-aware Information Systems
3 Security Trust and Compliance of Business Processes
4 Research Directions and Challenges
5 Conclusion
copy 2014 SAP AG All Rights Reserved Page 29 of 33
Conclusion
ldquo The most interesting challenges are still ahead of us
bull Real systems are large and complexbull many programming languages or frameworksbull many security technologiesbull highly distributedbull implement business processes in many different ways
bull Many research is done on the process level
bull We now need to bring thebull process levelbull implementation level
closer together to provide end-to-end security
bull Cloud solutions create new challengesbull data protection across different providersbull new attacker models
copy 2014 SAP AG All Rights Reserved Page 30 of 33
Thank you
Interested in an InternshipThesis at SAP
bull achimbruckersapcom
bull wwwsapcomjobs and search for locationldquoKarlsruherdquo or rsquolsquostudentrdquo
Bibliography I
Wihem Arsac Luca Compagna Giancarlo Pellegrino and Serena Elisa Ponta
Security validation of business processes via model-checking
In Uacutelfar Erlingsson Roel Wieringa and Nicola Zannone editors ESSoS volume 6542 ofLecture Notes in Computer Science pages 29ndash42 Heidelberg 2011 Springer-Verlag
Achim D Brucker and Isabelle Hang
Secure and compliant implementation of business process-driven systems
In Marcello La Rosa and Pnina Soffer editors Joint Workshop on Security in BusinessProcesses (sbp) volume 132 of Lecture Notes in Business Information Processing (lnbip)pages 662ndash674 Springer-Verlag 2012
Achim D Brucker Isabelle Hang Gero Luumlckemeyer and Raj Ruparel
SecureBPMN Modeling and enforcing access control requirements in business processes
In ACM symposium on access control models and technologies (SACMAT) pages123ndash126 acm Press 2012
copy 2014 SAP AG All Rights Reserved Page 32 of 33
Bibliography II
Luca Compagna Pierre Guilleminot and Achim D Brucker
Business process compliance via security validation as a service
In Manuel Oriol and John Penix editors ieee Sixth International Conference on SoftwareTesting Verification and Validation (icst) pages 455ndash462 ieee Computer Society 2013
Christian Wolter Andreas Schaad and Christoph Meinel
Deriving XACML policies from business process models
In Mathias Weske Mohand-Said Hacid and Claude Godart editors WISE Workshopsvolume 4832 of Lecture Notes in Computer Science pages 142ndash153 Springer-Verlag2007
copy 2014 SAP AG All Rights Reserved Page 33 of 33
copy 2014 SAP AG All rights reserved
No part of this publication may be reproduced or transmitted in any formor for any purpose without the express permission of SAP AG Theinformation contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors containproprietary software components of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registeredtrademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System pSystem p5 System x System z System z10 System z9 z10 z9 iSeriespSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWEROpenPower PowerPC BatchPipes BladeCenter System Storage GPFSHACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel SysplexMVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informixare trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and othercountriesAdobe the Adobe logo Acrobat PostScript and Reader are eithertrademarks or registered trademarks of Adobe Systems Incorporated inthe United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the OpenGroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrameand MultiWin are trademarks or registered trademarks of Citrix SystemsIncHTML XML XHTML and W3C are trademarks or registered trademarks ofW3Creg World Wide Web Consortium Massachusetts Institute ofTechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc usedunder license for technology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAPBusinessObjects Explorer StreamWork and other SAP products andservices mentioned herein as well as their respective logos aretrademarks or registered trademarks of SAP AG in 
Germany and othercountries
Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.

Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG.

This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice.

SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence.

The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.
- SAP and SAP PampI ACES
- Process-aware Information Systems
-
- The Ideal World
- The Real World
- Cloud Integration
- System Complexity and Adoption Rate
-
- Security Trust and Compliance of Business Processes
- Research Directions and Challenges
- Conclusion
-
SAP AG
• Leader in business software
• Vendor of process-aware systems
• More than 25 industries
• 63% of the world's transaction revenue touches an SAP system
• 64,422 employees worldwide
• Headquarters: Walldorf (and St. Leon-Rot)
• Location in Karlsruhe: ca. 500 m from here
SAP P&I ACES: Mission
Mission
• Orchestrating the architecture definition and communicating the results consistently
• Building the best educated development organization in- and outside the company
• Making security a key differentiator for choosing SAP
Goals
• Architecture: lead the way we jointly create and manage the architecture of our products
• Communication: roll out this architecture consistently to our field colleagues, customers and partners
• Education: drive education for developers internally & externally; ensure that it is fun to learn SAP; renew education concepts and technology
• Security: drive product security; transform it to become a differentiator for SAP
SAP P&I ACES: Organizational Structure
Org chart labels: P&I ACES; Chief Product Security Officer; units:
• Product Security, Data Protection, M&A
• Product Security Response
• Product Security Communication
• Product Security Research, Code Analysis
• Technology Advisory Office
• Training & Education, COO
My Background
• Senior Researcher at SAP AG, Product Security Research, Code Analysis
• Background: security, formal methods, software engineering
• Current work areas:
  • Security in business processes
  • Static code analysis (among others for JavaScript)
  • Security testing
2 Process-aware Information Systems
Ideal World: Modeling (figure)
Ideal World: Deployment and Execution (figure)
Real World: Modeling
Process models
• BPMN/BPEL
• Configurable transactions
• Custom coding
• Legacy systems
• External services
Security
• Each system (OS, DB, IS) has its own security infrastructure and its own logging infrastructure
• Management solutions try to bridge this gap
Real World: Deployment and Execution
Backend
• AS Java, AS ABAP
• Business Process Engine
• Legacy systems
• External services
• Sensors and product lines
Frontend
• Desktop clients
• Web-based clients
• Mobile clients
• Client-side compositions (e.g. mash-ups)
End-to-End Business Process Integration
End-to-end business processes: Prospect-to-Promoter, Source-to-Pay, Recruit-to-Retire
• Customers have complex on-premise landscapes
• As customers adopt cloud solutions, hybrid landscapes will become the norm
• Integration across the boundaries of cloud and on-premise is a must to prevent application silos
• As companies adopt cloud, real-time end-to-end business process integration is critical
How the Future Might Look
Figure: pre-built and maintained integrations (iFlows) between cloud solutions and on-premise solutions, in four scenarios:
• Cloud + CRM: Cloud for Customer, SAP CRM, SAP ERP
• Two-tier CRM: headquarters on SAP CRM and SAP ERP, subsidiaries on Cloud for Customer
• Cloud + ERP: Cloud for Customer, SAP ERP
• Cloud + 3rd party: Cloud for Customer, 3rd-party system
Customer Example (1/2)
• Large manufacturing company with SAP ERP, multiple legacy HR and other financial applications worldwide
• Migration from legacy HR system
• >120 third-party interfaces; integration of third-party cloud solutions to Employee Central (EC) and EC Payroll
• 100% of SAP-to-SAP integrations and 30% of all integrations covered by prepackaged integration flows (iFlows)
Landscape figure labels: On-Premise, Cloud; SAP ERP FI, Other FI Systems, Active Directory, Employee Central, Payroll, Aetna, Kronos, Aon Hewitt, JP Morgan, Metlife, ...; flows: Employee/Org Structure, Financial Posting
Customer Example (2/2)
• Industrial manufacturer with multiple subsidiaries on different SAP ERP clients as well as third-party ERP systems
• Rapid implementation with small IT team
• Delivered improved usability for field sales and collaboration between field sales and back office
• Integration of accounts, materials, sales quotes and sales orders
Landscape figure labels: On-Premise (SAP ERP (1), SAP ERP (2), Third-Party ERP, BW), Cloud (SAP Cloud for Sales), field sales including mobility
Evolution of Source Code
• Increase in:
  • code size
  • code complexity
  • number of products
  • product versions
Support Lifecycle (Maintenance)
Chart: number of systems and number of customers under maintenance in 1998, 2004 and 2012 (scale 0 to 140,000)
Example (maintenance cycles):
Product             Release   EOL    ext. EOL
Windows XP          2001      2009   2014
Windows 8           2012      2018   2023
Red Hat Ent. Linux  2012      2020   2023
SAP ERP             2004      2020   > 2024
Maintenance fees: typically 20% of the original price
Customer Requirements
Requirements from the line of business (LOB) and from IT:
• Real-time business process integration
• End-to-end monitoring and support
• Single source of truth and master data synchronization
• Data security and compliance
• Integrated user experience
• Rapid deployment
• Support for complex landscapes
• Choice of integration technology
3 Security, Trust and Compliance of Business Processes
Security in Business Processes: An Example (figure)
Access Control
Goal
• Control access to tasks and resources (data)
The core
• Usually: users, roles, access rights
• In special cases: data labeling
On top
• Separation of Duty
• Binding of Duty
• Delegation
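As an added example (not code from the slides or from SAP), the following Python checks a finished process instance against the three layers named above: role-based task permissions at the core, Separation of Duty, Binding of Duty and delegation on top, plus a static consistency check of the configuration itself. All task, role and user names in it are constructed.

```python
"""Checking a process instance against layered access control: RBAC at the
core, with Separation of Duty (SoD), Binding of Duty (BoD) and delegation
on top. Added example; the policy below is constructed, not a real one."""
from dataclasses import dataclass, field


@dataclass
class Policy:
    task_roles: dict                                 # task -> roles allowed to execute it
    user_roles: dict                                 # user -> roles held
    sod: list = field(default_factory=list)          # task pairs needing different users
    bod: list = field(default_factory=list)          # task pairs needing the same user
    delegations: list = field(default_factory=list)  # (delegator, delegate, task)


def authorized_by_role(policy, user, task):
    """Core RBAC decision: the user holds a role permitted for the task."""
    return bool(policy.user_roles.get(user, set()) & policy.task_roles.get(task, set()))


def authorized(policy, user, task):
    """RBAC extended by delegation: a (delegator, delegate, task) entry lets the
    delegate execute that one task, provided the delegator may do it by role.
    Delegation chains are deliberately not followed."""
    if authorized_by_role(policy, user, task):
        return True
    return any(t == task and d == user and authorized_by_role(policy, g, task)
               for g, d, t in policy.delegations)


def check_instance(policy, assignment):
    """Violations for a finished instance given as task -> executing user.
    SoD/BoD are evaluated on the actual executors, so a delegation cannot be
    used to sidestep them. An empty list means the instance is compliant."""
    violations = []
    for task, user in assignment.items():
        if not authorized(policy, user, task):
            violations.append(f"{user} is not authorized for {task}")
    for a, b in policy.sod:
        if a in assignment and b in assignment and assignment[a] == assignment[b]:
            violations.append(f"SoD violated: {assignment[a]} executed both {a} and {b}")
    for a, b in policy.bod:
        if a in assignment and b in assignment and assignment[a] != assignment[b]:
            violations.append(f"BoD violated: {a} by {assignment[a]}, {b} by {assignment[b]}")
    return violations


def config_conflicts(policy):
    """Static consistency check of the configuration itself: SoD/BoD
    constraints that no assignment of the known users could ever satisfy."""
    auth = {t: {u for u in policy.user_roles if authorized(policy, u, t)}
            for t in policy.task_roles}
    who = lambda t: auth.get(t, set())  # tasks missing from task_roles have no executors
    conflicts = []
    for a, b in policy.sod:
        if not who(a) or not who(b) or len(who(a) | who(b)) < 2:
            conflicts.append(f"SoD ({a}, {b}) unsatisfiable with users {sorted(who(a) | who(b))}")
    for a, b in policy.bod:
        if not (who(a) & who(b)):
            conflicts.append(f"BoD ({a}, {b}) unsatisfiable: no single user may execute both")
    return conflicts


# Constructed order-handling policy used for the demonstration.
EXAMPLE = Policy(
    task_roles={"create_order": {"clerk"}, "approve_order": {"manager"},
                "pay_order": {"accountant"}, "archive_order": {"clerk", "accountant"}},
    user_roles={"alice": {"clerk", "manager"}, "bob": {"clerk"}, "carol": {"accountant"}},
    sod=[("create_order", "approve_order"), ("approve_order", "pay_order")],
    bod=[("create_order", "archive_order")],
)

if __name__ == "__main__":
    compliant = {"create_order": "bob", "approve_order": "alice",
                 "pay_order": "carol", "archive_order": "bob"}
    tainted = {"create_order": "alice", "approve_order": "alice",
               "pay_order": "carol", "archive_order": "carol"}
    print(check_instance(EXAMPLE, compliant))   # []
    for v in check_instance(EXAMPLE, tainted):  # one SoD and one BoD violation
        print("-", v)
    print(config_conflicts(EXAMPLE))            # []
```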
Protecting Data (and Goods)
Goal
• Ensure confidentiality and integrity (safety) of data (and goods)
The core
• Need-to-know
• Fingerprints
• Encryption
• Sensors
Compliance and Additional Requirements
Many regulated markets
• Basel II/III, SoX, PCI
• HIPAA
Many customer-specific regulations
• Own governance to mitigate risks
• Own business code of conduct
• Fraud detection/prevention
• Non-observability
Customers are individually audited
• No "one certificate fits all" solution
Security should not hinder business
4 Research Directions and Challenges
Our Research Over the Last Decade
Access control for processes
• RBAC-like models
• Delegation models
• Break-(the)-glass models
Model-driven security
• Modeling of security
• Generation of implementation/configuration
• Monitoring based on models
Process-level verification
• Compliance to security specification
• Consistency of security configurations
Implementation-level verification
• Compliance of implementation to process-level security requirements
Research Challenges
Adaptability
• How to extend systems safely?
• Integration of legacy systems
Auditability
• Coherent audit across providers/systems
• Reduction of audit costs
Cloud (SaaS)
• How to manage decentralized systems?
• How to capture the behavior of the composition?
• Who is the attacker?
Process level vs. technical levels
• Security is more than CIA
• Ensuring secure implementation
5 Conclusion
Conclusion
"The most interesting challenges are still ahead of us."
• Real systems are large and complex:
  • many programming languages or frameworks
  • many security technologies
  • highly distributed
  • implement business processes in many different ways
• Much research is done on the process level
• We now need to bring the process level and the implementation level closer together to provide end-to-end security
• Cloud solutions create new challenges:
  • data protection across different providers
  • new attacker models
Thank you
Interested in an internship/thesis at SAP?
• achim.brucker@sap.com
• www.sap.com/jobs and search for location "Karlsruhe" or "student"
copy 2014 SAP AG All rights reserved
No part of this publication may be reproduced or transmitted in any formor for any purpose without the express permission of SAP AG Theinformation contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors containproprietary software components of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registeredtrademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System pSystem p5 System x System z System z10 System z9 z10 z9 iSeriespSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWEROpenPower PowerPC BatchPipes BladeCenter System Storage GPFSHACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel SysplexMVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informixare trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and othercountriesAdobe the Adobe logo Acrobat PostScript and Reader are eithertrademarks or registered trademarks of Adobe Systems Incorporated inthe United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the OpenGroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrameand MultiWin are trademarks or registered trademarks of Citrix SystemsIncHTML XML XHTML and W3C are trademarks or registered trademarks ofW3Creg World Wide Web Consortium Massachusetts Institute ofTechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc usedunder license for technology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAPBusinessObjects Explorer StreamWork and other SAP products andservices mentioned herein as well as their respective logos aretrademarks or registered trademarks of SAP AG in 
Germany and othercountries
Business Objects and the Business Objects logo BusinessObjects CrystalReports Crystal Decisions Web Intelligence Xcelsius and other Business Objectsproducts and services mentioned herein as well as their respective logos aretrademarks or registered trademarks of Business Objects Software Ltd BusinessObjects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and otherSybase products and services mentioned herein as well as their respective logosare trademarks or registered trademarks of Sybase Inc Sybase is an SAPcompanyAll other product and service names mentioned are the trademarks of theirrespective companies Data contained in this document serves informationalpurposes only National product specifications may varyThe information in this document is proprietary to SAP No part of this documentmay be reproduced copied or transmitted in any form or for any purpose withoutthe express prior written permission of SAP AGThis document is a preliminary version and not subject to your license agreementor any other agreement with SAP This document contains only intendedstrategies developments and functionalities of the SAPreg product and is notintended to be binding upon SAP to any particular course of business productstrategy andor development Please note that this document is subject tochange and may be changed by SAP at any time without noticeSAP assumes no responsibility for errors or omissions in this document SAP doesnot warrant the accuracy or completeness of the information text graphics linksor other items contained within this material This document is provided without awarranty of any kind either express or implied including but not limited to theimplied warranties of merchantability fitness for a particular purpose ornon-infringementSAP shall have no liability for damages of any kind including without limitationdirect special indirect or consequential damages that may result from the use ofthese materials This limitation shall not apply 
in cases of intent or grossnegligenceThe statutory liability for personal injury and defective products is not affectedSAP has no control over the information that you may access through the use ofhot links contained in these materials and does not endorse your use ofthird-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages
copy 2014 SAP AG All Rights Reserved Page 34 of 33
- SAP and SAP PampI ACES
- Process-aware Information Systems
-
- The Ideal World
- The Real World
- Cloud Integration
- System Complexity and Adoption Rate
-
- Security Trust and Compliance of Business Processes
- Research Directions and Challenges
- Conclusion
-
SAP PampI ACES Mission
Orchestrating the architecture definition and communicating the results consistentlyBuilding the best educated development organization in- and outside the companyMaking Security a key differentiator for choosing SAP
Mission
Architecture
Communication
Education
Security
Lead the way we jointly create and manage the architecture of ourproducts
Roll-out this architecture consistently to our field colleagues customersand partners
Drive education for developers internally amp externally - ensure that it is funto learn SAP renew education concepts and technology
Drive Product Security transform it to become a differentiator for SAP
Goals
copy 2014 SAP AG All Rights Reserved Page 6 of 33
SAP PampI ACES Organizational Structure
PampI
ACES
Chief Product
Security Officer
Prod Security
Data Protect
MampA
Product Security
Response
Product Security
Communication
Product Security
Research Code Analysis
Technology
Advisory Office
Training amp
Education COO
copy 2014 SAP AG All Rights Reserved Page 7 of 33
My Background
bull Senior Researcher at SAP AGbull Product Security Researchbull Code Analysis
bull BackgroundSecurity Formal Methods Software Engineering
bull Current work areas
bull Security in business processesbull Static code analysis (ua fuumlr JavaScript)bull Security Testing
copy 2014 SAP AG All Rights Reserved Page 8 of 33
Agenda
1 SAP and SAP PampI ACES
2 Process-aware Information Systems
3 Security Trust and Compliance of Business Processes
4 Research Directions and Challenges
5 Conclusion
copy 2014 SAP AG All Rights Reserved Page 9 of 33
Ideal World Modeling
copy 2014 SAP AG All Rights Reserved Page 10 of 33
Ideal World Deployment and Execution
copy 2014 SAP AG All Rights Reserved Page 11 of 33
Real World Modeling
Process Models
bull BPMNBPEL
bull Configurable transactions
bull Custom Coding
bull Legacy Systems
bull External services
Security
bull Each system (OS DB IS)
bull own security infrastructurebull own logging infrastructure
bull Management solutions try tobridge this gap
copy 2014 SAP AG All Rights Reserved Page 12 of 33
Real World Deployment and Execution
Backend
bull AS Java AS ABAP
bull Business Process Engine
bull Legacy Systems
bull External services
bull Sensors and product lines
Frontend
bull Desktop clients
bull Web-based clients
bull Mobile clients
bull Client side compositions(eg mash-ups)
copy 2014 SAP AG All Rights Reserved Page 13 of 33
End-to-End Business Process Integration
Prospect-to-Promoter
Source-to-Pay
Recruit-to-Retire
End-to-End Business Processes
Customers have complex on-premise landscapes
As customers adopt cloudsolutions hybrid landscapes willbecome a norm
Integration across the boundariesof cloud and on-premise is amust to prevent application silos
As companies adopt cloud real-time end-to-endbusiness process integration is critical
copy 2014 SAP AG All Rights Reserved Page 14 of 33
How the Future Might Look LikeC
loud
Solu
tions
Cloud + CRM
SAP CRM
SAP ERP
Two-tier CRM
Headquarters
Subsidiaries
On-
prem
ise
Solu
tions
Pre-Built and Maintained Integrations (iFlows)
Cloud for Customer
Cloud forCustomer
Cloud forCustomer
SAP CRM
SAP ERP
Cloud + ERP
SAP ERP
Cloud for Customer
Cloud + 3rd Party
3rd Party System
Cloud for Customer
copy 2014 SAP AG All Rights Reserved Page 15 of 33
Customer Example (12)
Large manufacturing company withSAP ERP multiple legacy HR andother financial applications worldwide
Migration from legacy HR system
gt120 third-party interfaces ndashIntegration of third-party cloudsolutions to Employee Central (EC)and EC Payroll
100 of SAP-to-SAP integrations and30 of all integrations covered byprepackaged integration flows(iFlows)
SAP ERP FI
On-Premise
Cloud
Aetna
Other FI Systems
Kronos
Aon Hewitt
JP MorganMetlife
Aetna helliphelliphellip
Other FI Systems
PayrollEmployeeCentral
EmployeeOrg Structure
FinancialPosting Active
Directory
copy 2014 SAP AG All Rights Reserved Page 16 of 33
Customer Example (22)
Third-party ERP
Industrial manufacturer with multiplesubsidiaries on different SAP ERPclients as well as third-party ERPsystems
Rapid implementation with small IT team
Delivered improved usability for fieldsales and collaboration between fieldsales and back office
Integration of accounts materials salesquotes and sales ordersSAP ERP (1) SAP ERP (2)
SAP Cloudfor Sales
Field sales including mobility
BW
On-Premise
Cloud
Third-Party ERP
SAP ERP (2)
copy 2014 SAP AG All Rights Reserved Page 17 of 33
Evolution of Source Code
bull Increase in
bull code size
bull code complexity
bull number of products
bull product versions
copy 2014 SAP AG All Rights Reserved Page 18 of 33
Support Lifecycle (Maintenance)
copy 2014 SAP AG All Rights Reserved Page 19 of 33
Support Lifecycle (Maintenance)
0
20000
40000
60000
80000
100000
120000
1998 2004 2012
No of Systems No of Customerscopy 2014 SAP AG All Rights Reserved Page 19 of 33
Support Lifecycle (Maintenance)
0
20000
40000
60000
80000
100000
120000
140000
1998 2004 2012No of Systems No of Customers
Example (Maintenance Cycles)
Produkt Release EOL ext EOL
Windows XP 2001 2009 2014Windows 8 2012 2018 2023Red Hat Ent Linux 2012 2020 2023SAP ERP 2004 2020 gt 2024
Maintenance fees typical 20 of the original price
copy 2014 SAP AG All Rights Reserved Page 19 of 33
Customer Requirements
Real-time businessprocess integration
End-to-endmonitoring and support
Single source of truth andmaster data synchronization
Data securityand compliance
Integrateduser experience
Rapid deployment
Support for complexlandscapes
Choice of integrationtechnology
LOB IT
Line of business
copy 2014 SAP AG All Rights Reserved Page 20 of 33
Agenda
1 SAP and SAP PampI ACES
2 Process-aware Information Systems
3 Security Trust and Compliance of Business Processes
4 Research Directions and Challenges
5 Conclusion
copy 2014 SAP AG All Rights Reserved Page 21 of 33
Security in Business Processes An Example
copy 2014 SAP AG All Rights Reserved Page 22 of 33
Access Control
Goal
bull Control access toTasks Resources (Data)
The core
bull UsuallyUsers Roles Access Rights
bull In special casesData labeling
On top
bull Separation of Duty
bull Binding of Duty
bull Delegation
copy 2014 SAP AG All Rights Reserved Page 23 of 33
Protecting Data (and Goods)
Goal
bull Ensurebull confidentialitybull integrity (safety)
of data (and goods)
The core
bull Need-to-Know
bull Fingerprints
bull Encryption
bull Sensors
copy 2014 SAP AG All Rights Reserved Page 24 of 33
Compliance and Additional Requirements
Many regulated markets
bull Basel IIIII SoX PCI
bull HIPAA
Many customer-specific regulations
bull Own governance to mitigate risks
bull Own business code of conduct
bull Fraud detectionprevention
bull Non-observability
Customers are individually audited
bull No ldquoone certificate fits allrdquo solution
Security should not hinder business
copy 2014 SAP AG All Rights Reserved Page 25 of 33
Agenda
1 SAP and SAP PampI ACES
2 Process-aware Information Systems
3 Security Trust and Compliance of Business Processes
4 Research Directions and Challenges
5 Conclusion
copy 2014 SAP AG All Rights Reserved Page 26 of 33
Our Research Over the Last Decade
Access Control for Processesbull RBAC-like models
bull Delegation models
bull Break-(the)-glass models
Model-driven Securitybull Modeling of Security
bull Generation of implementation configuration
bull Monitoring based on models
Process-level Verificationbull Compliance to security spec
bull Consistency of security configurations
Implementation-level Verificationbull Compliance of implementation to process level
security req
copy 2014 SAP AG All Rights Reserved Page 27 of 33
Research Challenges
Adaptabilitybull How to extend systems safely
bull Integration of legacy systems
Auditabilitybull Coherent audit across providerssystems
bull Reduction of audit costs
Cloud (SaaS)bull How to manage decentralized systems
bull How to capture behavior of the composition
bull Who is the attacker
Process level vs technical levelsbull Security is more than CIA
bull Ensuring secure implementation
copy 2014 SAP AG All Rights Reserved Page 28 of 33
Agenda
1 SAP and SAP PampI ACES
2 Process-aware Information Systems
3 Security Trust and Compliance of Business Processes
4 Research Directions and Challenges
5 Conclusion
copy 2014 SAP AG All Rights Reserved Page 29 of 33
Conclusion
ldquo The most interesting challenges are still ahead of us
bull Real systems are large and complexbull many programming languages or frameworksbull many security technologiesbull highly distributedbull implement business processes in many different ways
bull Many research is done on the process level
bull We now need to bring thebull process levelbull implementation level
closer together to provide end-to-end security
bull Cloud solutions create new challengesbull data protection across different providersbull new attacker models
copy 2014 SAP AG All Rights Reserved Page 30 of 33
Thank you
Interested in an InternshipThesis at SAP
bull achimbruckersapcom
bull wwwsapcomjobs and search for locationldquoKarlsruherdquo or rsquolsquostudentrdquo
Bibliography I
Wihem Arsac Luca Compagna Giancarlo Pellegrino and Serena Elisa Ponta
Security validation of business processes via model-checking
In Uacutelfar Erlingsson Roel Wieringa and Nicola Zannone editors ESSoS volume 6542 ofLecture Notes in Computer Science pages 29ndash42 Heidelberg 2011 Springer-Verlag
Achim D Brucker and Isabelle Hang
Secure and compliant implementation of business process-driven systems
In Marcello La Rosa and Pnina Soffer editors Joint Workshop on Security in BusinessProcesses (sbp) volume 132 of Lecture Notes in Business Information Processing (lnbip)pages 662ndash674 Springer-Verlag 2012
Achim D Brucker Isabelle Hang Gero Luumlckemeyer and Raj Ruparel
SecureBPMN Modeling and enforcing access control requirements in business processes
In ACM symposium on access control models and technologies (SACMAT) pages123ndash126 acm Press 2012
copy 2014 SAP AG All Rights Reserved Page 32 of 33
Bibliography II
Luca Compagna Pierre Guilleminot and Achim D Brucker
Business process compliance via security validation as a service
In Manuel Oriol and John Penix editors ieee Sixth International Conference on SoftwareTesting Verification and Validation (icst) pages 455ndash462 ieee Computer Society 2013
Christian Wolter Andreas Schaad and Christoph Meinel
Deriving XACML policies from business process models
In Mathias Weske Mohand-Said Hacid and Claude Godart editors WISE Workshopsvolume 4832 of Lecture Notes in Computer Science pages 142ndash153 Springer-Verlag2007
copy 2014 SAP AG All Rights Reserved Page 33 of 33
copy 2014 SAP AG All rights reserved
No part of this publication may be reproduced or transmitted in any formor for any purpose without the express permission of SAP AG Theinformation contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors containproprietary software components of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registeredtrademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System pSystem p5 System x System z System z10 System z9 z10 z9 iSeriespSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWEROpenPower PowerPC BatchPipes BladeCenter System Storage GPFSHACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel SysplexMVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informixare trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and othercountriesAdobe the Adobe logo Acrobat PostScript and Reader are eithertrademarks or registered trademarks of Adobe Systems Incorporated inthe United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the OpenGroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrameand MultiWin are trademarks or registered trademarks of Citrix SystemsIncHTML XML XHTML and W3C are trademarks or registered trademarks ofW3Creg World Wide Web Consortium Massachusetts Institute ofTechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc usedunder license for technology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAPBusinessObjects Explorer StreamWork and other SAP products andservices mentioned herein as well as their respective logos aretrademarks or registered trademarks of SAP AG in 
Germany and othercountries
Business Objects and the Business Objects logo BusinessObjects CrystalReports Crystal Decisions Web Intelligence Xcelsius and other Business Objectsproducts and services mentioned herein as well as their respective logos aretrademarks or registered trademarks of Business Objects Software Ltd BusinessObjects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and otherSybase products and services mentioned herein as well as their respective logosare trademarks or registered trademarks of Sybase Inc Sybase is an SAPcompanyAll other product and service names mentioned are the trademarks of theirrespective companies Data contained in this document serves informationalpurposes only National product specifications may varyThe information in this document is proprietary to SAP No part of this documentmay be reproduced copied or transmitted in any form or for any purpose withoutthe express prior written permission of SAP AGThis document is a preliminary version and not subject to your license agreementor any other agreement with SAP This document contains only intendedstrategies developments and functionalities of the SAPreg product and is notintended to be binding upon SAP to any particular course of business productstrategy andor development Please note that this document is subject tochange and may be changed by SAP at any time without noticeSAP assumes no responsibility for errors or omissions in this document SAP doesnot warrant the accuracy or completeness of the information text graphics linksor other items contained within this material This document is provided without awarranty of any kind either express or implied including but not limited to theimplied warranties of merchantability fitness for a particular purpose ornon-infringementSAP shall have no liability for damages of any kind including without limitationdirect special indirect or consequential damages that may result from the use ofthese materials This limitation shall not apply 
in cases of intent or grossnegligenceThe statutory liability for personal injury and defective products is not affectedSAP has no control over the information that you may access through the use ofhot links contained in these materials and does not endorse your use ofthird-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages
copy 2014 SAP AG All Rights Reserved Page 34 of 33
- SAP and SAP PampI ACES
- Process-aware Information Systems
-
- The Ideal World
- The Real World
- Cloud Integration
- System Complexity and Adoption Rate
-
- Security Trust and Compliance of Business Processes
- Research Directions and Challenges
- Conclusion
-
SAP PampI ACES Organizational Structure
PampI
ACES
Chief Product
Security Officer
Prod Security
Data Protect
MampA
Product Security
Response
Product Security
Communication
Product Security
Research Code Analysis
Technology
Advisory Office
Training amp
Education COO
copy 2014 SAP AG All Rights Reserved Page 7 of 33
My Background
• Senior Researcher at SAP AG
  • Product Security Research
  • Code Analysis
• Background: Security, Formal Methods, Software Engineering
• Current work areas:
  • Security in business processes
  • Static code analysis (among others, for JavaScript)
  • Security testing
Agenda
1. SAP and SAP P&I ACES
2. Process-aware Information Systems
3. Security, Trust and Compliance of Business Processes
4. Research Directions and Challenges
5. Conclusion
Ideal World: Modeling (diagram)
Ideal World: Deployment and Execution (diagram)
Real World: Modeling
Process Models
• BPMN/BPEL
• Configurable transactions
• Custom coding
• Legacy systems
• External services
Security
• Each system (OS, DB, IS) has its
  • own security infrastructure
  • own logging infrastructure
• Management solutions try to bridge this gap
Real World: Deployment and Execution
Backend
• AS Java, AS ABAP
• Business Process Engine
• Legacy systems
• External services
• Sensors and product lines
Frontend
• Desktop clients
• Web-based clients
• Mobile clients
• Client-side compositions (e.g. mash-ups)
End-to-End Business Process Integration
End-to-end business processes: Prospect-to-Promoter, Source-to-Pay, Recruit-to-Retire
• Customers have complex on-premise landscapes.
• As customers adopt cloud solutions, hybrid landscapes will become the norm.
• Integration across the boundaries of cloud and on-premise is a must to prevent application silos.
• As companies adopt cloud, real-time end-to-end business process integration is critical.
How the Future Might Look (landscape diagram)
Cloud solutions (SAP Cloud for Customer) connected to on-premise solutions through pre-built and maintained integrations (iFlows). Scenarios shown: Cloud + CRM (SAP CRM, SAP ERP); Two-tier CRM (headquarters and subsidiaries; SAP CRM, SAP ERP); Cloud + ERP (SAP ERP); Cloud + 3rd Party (3rd-party system).
Customer Example (1/2)
• Large manufacturing company with SAP ERP, multiple legacy HR and other financial applications worldwide
• Migration from legacy HR system
• >120 third-party interfaces: integration of third-party cloud solutions to Employee Central (EC) and EC Payroll
• 100% of SAP-to-SAP integrations and 30% of all integrations covered by prepackaged integration flows (iFlows)
Landscape diagram: on-premise SAP ERP FI, other FI systems and Active Directory; in the cloud Employee Central and Payroll; third-party systems Aetna, Kronos, Aon Hewitt, JP Morgan, Metlife, ...; integration flows for employee/org structure and financial posting.
Customer Example (2/2)
• Industrial manufacturer with multiple subsidiaries on different SAP ERP clients as well as third-party ERP systems
• Rapid implementation with small IT team
• Delivered improved usability for field sales and collaboration between field sales and back office
• Integration of accounts, materials, sales quotes and sales orders
Landscape diagram: in the cloud SAP Cloud for Sales (field sales including mobility); on-premise SAP ERP (1), SAP ERP (2), third-party ERP and BW.
Evolution of Source Code
• Increase in
  • code size
  • code complexity
  • number of products
  • product versions
Support Lifecycle (Maintenance)
Chart: number of systems and number of customers in 1998, 2004 and 2012 (y-axis from 0 to 140,000).
Example (Maintenance Cycles)
Product               Release   EOL    ext. EOL
Windows XP            2001      2009   2014
Windows 8             2012      2018   2023
Red Hat Ent. Linux    2012      2020   2023
SAP ERP               2004      2020   > 2024
Maintenance fees: typically 20% of the original price.
Customer Requirements
Requirements from the line of business (LOB) and from IT:
• Real-time business process integration
• End-to-end monitoring and support
• Single source of truth and master data synchronization
• Data security and compliance
• Integrated user experience
• Rapid deployment
• Support for complex landscapes
• Choice of integration technology
Security in Business Processes: An Example (process diagram)
Access Control
Goal
• Control access to tasks and resources (data)
The core
• Usually: users, roles, access rights
• In special cases: data labeling
On top
• Separation of Duty
• Binding of Duty
• Delegation
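The three layers on this slide (users/roles/rights as the core, SoD, BoD and delegation on top) as an added example that is not part of the slides: a small Python monitor for a hypothetical purchase-to-pay process that checks every task execution against the history of the process instance. Task names, users and roles are constructed, and the rule that a delegator stays accountable for SoD is a design choice of this example, not something the slides prescribe.

```python
"""Process-level access control monitor for a hypothetical purchase-to-pay
process (constructed example): RBAC as the core, with Separation of Duty (SoD),
Binding of Duty (BoD) and delegation enforced against the task-execution
history of each process instance. Control flow (task ordering) is out of scope."""
from dataclasses import dataclass, field

# Constructed process definition: which roles may execute which task.
TASK_ROLES = {
    "create_order": {"clerk", "manager"},
    "approve_order": {"manager"},
    "receive_goods": {"clerk", "manager"},
    "pay_invoice": {"accountant"},
}
# Constructed user-to-role assignment.
USER_ROLES = {
    "alice": {"clerk"},
    "bob": {"clerk", "manager"},
    "carol": {"accountant"},
    "eve": {"clerk"},
}
# SoD: the two tasks of a pair must be performed by different persons.
SOD = [("create_order", "approve_order"), ("approve_order", "pay_invoice")]
# BoD: the two tasks of a pair must be performed by the same person.
BOD = [("create_order", "receive_goods")]


@dataclass
class Execution:
    task: str
    user: str           # who actually performed the task
    on_behalf_of: str   # delegator, or the user itself when not delegated


@dataclass
class ProcessInstance:
    history: list = field(default_factory=list)
    delegations: dict = field(default_factory=dict)  # (task, delegatee) -> delegator

    def executors_of(self, task):
        return {e.user for e in self.history if e.task == task}

    def accountable_for(self, task):
        """Executors plus delegators: both carry responsibility for the task."""
        return {p for e in self.history if e.task == task for p in (e.user, e.on_behalf_of)}


def delegate(inst, delegator, delegatee, task):
    """Instance-scoped delegation; only a user authorized for the task may delegate it."""
    if not TASK_ROLES[task] & USER_ROLES.get(delegator, set()):
        raise PermissionError(f"{delegator} is not authorized to delegate {task}")
    inst.delegations[(task, delegatee)] = delegator


def _counterpart(task, pair):
    a, b = pair
    return b if task == a else a if task == b else None


def check(inst, user, task):
    """Decide whether `user` may execute `task` now; returns (allowed, reason, accountable)."""
    if task not in TASK_ROLES:
        return False, "unknown task", None
    # 1. Core: RBAC, or a delegation from an authorized user for this instance.
    accountable = user
    if not TASK_ROLES[task] & USER_ROLES.get(user, set()):
        accountable = inst.delegations.get((task, user))
        if accountable is None:
            return False, "RBAC: no role for task and no delegation", None
    # 2. SoD: neither the executor nor the delegator may have done the conflicting task.
    #    Counting the delegator prevents laundering a conflict through delegation.
    for pair in SOD:
        other = _counterpart(task, pair)
        if other and inst.accountable_for(other) & {user, accountable}:
            return False, f"SoD: {task} conflicts with {other}", None
    # 3. BoD: if the bound task was already done, the same person must continue.
    for pair in BOD:
        other = _counterpart(task, pair)
        if other:
            prior = inst.executors_of(other)
            if prior and user not in prior:
                return False, f"BoD: {task} must be done by the executor of {other}", None
    return True, "ok", accountable


def execute(inst, user, task):
    """Enforce the decision and record the execution (with delegator) on success."""
    allowed, reason, accountable = check(inst, user, task)
    if allowed:
        inst.history.append(Execution(task, user, accountable))
    return allowed, reason


if __name__ == "__main__":
    inst = ProcessInstance()
    for user, task in [("alice", "create_order"), ("alice", "approve_order"),
                       ("bob", "approve_order"), ("bob", "receive_goods"),
                       ("alice", "receive_goods"), ("carol", "pay_invoice")]:
        print(user, task, execute(inst, user, task))
```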
Protecting Data (and Goods)
Goal
• Ensure
  • confidentiality
  • integrity (safety)
  of data (and goods)
The core
• Need-to-know
• Fingerprints
• Encryption
• Sensors
Compliance and Additional Requirements
Many regulated markets
• Basel II/III, SoX, PCI
• HIPAA
Many customer-specific regulations
• Own governance to mitigate risks
• Own business code of conduct
• Fraud detection/prevention
• Non-observability
Customers are individually audited
• No "one certificate fits all" solution
Security should not hinder business
Our Research Over the Last Decade
Access Control for Processes
• RBAC-like models
• Delegation models
• Break-(the)-glass models
Model-driven Security
• Modeling of security
• Generation of implementation/configuration
• Monitoring based on models
Process-level Verification
• Compliance to security specification
• Consistency of security configurations
Implementation-level Verification
• Compliance of the implementation to process-level security requirements
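The "consistency of security configurations" item above, as an added example that is not from the slides or the cited papers: a static check in Python that, for a constructed purchase-to-pay configuration, reports dead tasks, SoD/BoD constraints the role assignment can never satisfy, and users who hold both sides of an SoD conflict and therefore need runtime enforcement. The tasks, roles and users are constructed.

```python
"""Static consistency check of a process-level security configuration
(constructed example): before any instance runs, verify that the RBAC
assignment lets the SoD/BoD constraints be satisfied at all, and report
which users can reach an SoD conflict and therefore need runtime enforcement."""


def users_for_task(task, task_roles, user_roles):
    """Users whose roles statically authorize them for the task."""
    return {u for u, roles in user_roles.items() if roles & task_roles[task]}


def verify_configuration(task_roles, user_roles, sod, bod):
    """Return a list of findings; an empty list means the configuration is consistent."""
    findings = []
    can = {t: users_for_task(t, task_roles, user_roles) for t in task_roles}
    for task, users in can.items():
        if not users:
            findings.append(f"dead task: nobody is authorized for {task}")
    for a, b in sod:
        # Satisfiable only if two *different* users can cover the two tasks.
        if not any(x != y for x in can[a] for y in can[b]):
            findings.append(f"SoD({a}, {b}) unsatisfiable: no instance can complete")
        # A user holding both sides is not a static violation, but a conflict
        # that only a runtime monitor on the instance history can prevent.
        for u in sorted(can[a] & can[b]):
            findings.append(f"SoD({a}, {b}) needs runtime enforcement for {u}")
    for a, b in bod:
        if not can[a] & can[b]:
            findings.append(f"BoD({a}, {b}) unsatisfiable: no user may do both")
    return findings


# Constructed purchase-to-pay configuration with a deliberate defect:
# bob is the only manager and the only accountant, so nobody else can pay.
TASK_ROLES = {
    "create_order": {"clerk"},
    "approve_order": {"manager"},
    "receive_goods": {"clerk", "warehouse"},
    "pay_invoice": {"accountant"},
}
USER_ROLES = {"alice": {"clerk"}, "bob": {"manager", "accountant"}, "dave": {"warehouse"}}
SOD = [("create_order", "approve_order"), ("approve_order", "pay_invoice")]
BOD = [("create_order", "receive_goods")]


def run_example():
    """Findings for the defective configuration, and after adding a second accountant."""
    before = verify_configuration(TASK_ROLES, USER_ROLES, SOD, BOD)
    fixed = dict(USER_ROLES, carol={"accountant"})
    after = verify_configuration(TASK_ROLES, fixed, SOD, BOD)
    return before, after


if __name__ == "__main__":
    for label, findings in zip(("before", "after"), run_example()):
        print(label, findings)
```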
Research Challenges
Adaptability
• How to extend systems safely
• Integration of legacy systems
Auditability
• Coherent audit across providers/systems
• Reduction of audit costs
Cloud (SaaS)
• How to manage decentralized systems
• How to capture the behavior of the composition
• Who is the attacker?
Process level vs. technical levels
• Security is more than CIA
• Ensuring secure implementation
Conclusion
"The most interesting challenges are still ahead of us."
• Real systems are large and complex:
  • many programming languages or frameworks
  • many security technologies
  • highly distributed
  • implement business processes in many different ways
• Much research is done on the process level
• We now need to bring the
  • process level
  • implementation level
  closer together to provide end-to-end security
• Cloud solutions create new challenges:
  • data protection across different providers
  • new attacker models
Thank you
Interested in an internship/thesis at SAP?
• achim.brucker@sap.com
• www.sap.com/jobs and search for location "Karlsruhe" or "student"
Bibliography I
Wihem Arsac, Luca Compagna, Giancarlo Pellegrino, and Serena Elisa Ponta.
Security validation of business processes via model-checking.
In Úlfar Erlingsson, Roel Wieringa, and Nicola Zannone, editors, ESSoS, volume 6542 of Lecture Notes in Computer Science, pages 29–42, Heidelberg, 2011. Springer-Verlag.
Achim D. Brucker and Isabelle Hang.
Secure and compliant implementation of business process-driven systems.
In Marcello La Rosa and Pnina Soffer, editors, Joint Workshop on Security in Business Processes (SBP), volume 132 of Lecture Notes in Business Information Processing (LNBIP), pages 662–674. Springer-Verlag, 2012.
Achim D. Brucker, Isabelle Hang, Gero Lückemeyer, and Raj Ruparel.
SecureBPMN: Modeling and enforcing access control requirements in business processes.
In ACM Symposium on Access Control Models and Technologies (SACMAT), pages 123–126. ACM Press, 2012.
Bibliography II
Luca Compagna, Pierre Guilleminot, and Achim D. Brucker.
Business process compliance via security validation as a service.
In Manuel Oriol and John Penix, editors, IEEE Sixth International Conference on Software Testing, Verification and Validation (ICST), pages 455–462. IEEE Computer Society, 2013.
Christian Wolter, Andreas Schaad, and Christoph Meinel.
Deriving XACML policies from business process models.
In Mathias Weske, Mohand-Said Hacid, and Claude Godart, editors, WISE Workshops, volume 4832 of Lecture Notes in Computer Science, pages 142–153. Springer-Verlag, 2007.
© 2014 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any formor for any purpose without the express permission of SAP AG Theinformation contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors containproprietary software components of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registeredtrademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System pSystem p5 System x System z System z10 System z9 z10 z9 iSeriespSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWEROpenPower PowerPC BatchPipes BladeCenter System Storage GPFSHACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel SysplexMVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informixare trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and othercountriesAdobe the Adobe logo Acrobat PostScript and Reader are eithertrademarks or registered trademarks of Adobe Systems Incorporated inthe United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the OpenGroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrameand MultiWin are trademarks or registered trademarks of Citrix SystemsIncHTML XML XHTML and W3C are trademarks or registered trademarks ofW3Creg World Wide Web Consortium Massachusetts Institute ofTechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc usedunder license for technology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAPBusinessObjects Explorer StreamWork and other SAP products andservices mentioned herein as well as their respective logos aretrademarks or registered trademarks of SAP AG in 
Germany and othercountries
Business Objects and the Business Objects logo BusinessObjects CrystalReports Crystal Decisions Web Intelligence Xcelsius and other Business Objectsproducts and services mentioned herein as well as their respective logos aretrademarks or registered trademarks of Business Objects Software Ltd BusinessObjects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and otherSybase products and services mentioned herein as well as their respective logosare trademarks or registered trademarks of Sybase Inc Sybase is an SAPcompanyAll other product and service names mentioned are the trademarks of theirrespective companies Data contained in this document serves informationalpurposes only National product specifications may varyThe information in this document is proprietary to SAP No part of this documentmay be reproduced copied or transmitted in any form or for any purpose withoutthe express prior written permission of SAP AGThis document is a preliminary version and not subject to your license agreementor any other agreement with SAP This document contains only intendedstrategies developments and functionalities of the SAPreg product and is notintended to be binding upon SAP to any particular course of business productstrategy andor development Please note that this document is subject tochange and may be changed by SAP at any time without noticeSAP assumes no responsibility for errors or omissions in this document SAP doesnot warrant the accuracy or completeness of the information text graphics linksor other items contained within this material This document is provided without awarranty of any kind either express or implied including but not limited to theimplied warranties of merchantability fitness for a particular purpose ornon-infringementSAP shall have no liability for damages of any kind including without limitationdirect special indirect or consequential damages that may result from the use ofthese materials This limitation shall not apply 
in cases of intent or grossnegligenceThe statutory liability for personal injury and defective products is not affectedSAP has no control over the information that you may access through the use ofhot links contained in these materials and does not endorse your use ofthird-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages
- SAP and SAP PampI ACES
- Process-aware Information Systems
-
- The Ideal World
- The Real World
- Cloud Integration
- System Complexity and Adoption Rate
-
- Security Trust and Compliance of Business Processes
- Research Directions and Challenges
- Conclusion
-
My Background
bull Senior Researcher at SAP AGbull Product Security Researchbull Code Analysis
bull BackgroundSecurity Formal Methods Software Engineering
bull Current work areas
bull Security in business processesbull Static code analysis (ua fuumlr JavaScript)bull Security Testing
copy 2014 SAP AG All Rights Reserved Page 8 of 33
Agenda
1 SAP and SAP PampI ACES
2 Process-aware Information Systems
3 Security Trust and Compliance of Business Processes
4 Research Directions and Challenges
5 Conclusion
copy 2014 SAP AG All Rights Reserved Page 9 of 33
Ideal World Modeling
copy 2014 SAP AG All Rights Reserved Page 10 of 33
Ideal World Deployment and Execution
copy 2014 SAP AG All Rights Reserved Page 11 of 33
Real World Modeling
Process Models
bull BPMNBPEL
bull Configurable transactions
bull Custom Coding
bull Legacy Systems
bull External services
Security
bull Each system (OS DB IS)
bull own security infrastructurebull own logging infrastructure
bull Management solutions try tobridge this gap
copy 2014 SAP AG All Rights Reserved Page 12 of 33
Real World Deployment and Execution
Backend
bull AS Java AS ABAP
bull Business Process Engine
bull Legacy Systems
bull External services
bull Sensors and product lines
Frontend
bull Desktop clients
bull Web-based clients
bull Mobile clients
bull Client side compositions(eg mash-ups)
copy 2014 SAP AG All Rights Reserved Page 13 of 33
End-to-End Business Process Integration
Prospect-to-Promoter
Source-to-Pay
Recruit-to-Retire
End-to-End Business Processes
Customers have complex on-premise landscapes
As customers adopt cloudsolutions hybrid landscapes willbecome a norm
Integration across the boundariesof cloud and on-premise is amust to prevent application silos
As companies adopt cloud real-time end-to-endbusiness process integration is critical
copy 2014 SAP AG All Rights Reserved Page 14 of 33
How the Future Might Look LikeC
loud
Solu
tions
Cloud + CRM
SAP CRM
SAP ERP
Two-tier CRM
Headquarters
Subsidiaries
On-
prem
ise
Solu
tions
Pre-Built and Maintained Integrations (iFlows)
Cloud for Customer
Cloud forCustomer
Cloud forCustomer
SAP CRM
SAP ERP
Cloud + ERP
SAP ERP
Cloud for Customer
Cloud + 3rd Party
3rd Party System
Cloud for Customer
copy 2014 SAP AG All Rights Reserved Page 15 of 33
Customer Example (12)
Large manufacturing company withSAP ERP multiple legacy HR andother financial applications worldwide
Migration from legacy HR system
gt120 third-party interfaces ndashIntegration of third-party cloudsolutions to Employee Central (EC)and EC Payroll
100 of SAP-to-SAP integrations and30 of all integrations covered byprepackaged integration flows(iFlows)
SAP ERP FI
On-Premise
Cloud
Aetna
Other FI Systems
Kronos
Aon Hewitt
JP MorganMetlife
Aetna helliphelliphellip
Other FI Systems
PayrollEmployeeCentral
EmployeeOrg Structure
FinancialPosting Active
Directory
copy 2014 SAP AG All Rights Reserved Page 16 of 33
Customer Example (22)
Third-party ERP
Industrial manufacturer with multiplesubsidiaries on different SAP ERPclients as well as third-party ERPsystems
Rapid implementation with small IT team
Delivered improved usability for fieldsales and collaboration between fieldsales and back office
Integration of accounts materials salesquotes and sales ordersSAP ERP (1) SAP ERP (2)
SAP Cloudfor Sales
Field sales including mobility
BW
On-Premise
Cloud
Third-Party ERP
SAP ERP (2)
copy 2014 SAP AG All Rights Reserved Page 17 of 33
Evolution of Source Code
bull Increase in
bull code size
bull code complexity
bull number of products
bull product versions
copy 2014 SAP AG All Rights Reserved Page 18 of 33
Support Lifecycle (Maintenance)
copy 2014 SAP AG All Rights Reserved Page 19 of 33
Support Lifecycle (Maintenance)
0
20000
40000
60000
80000
100000
120000
1998 2004 2012
No of Systems No of Customerscopy 2014 SAP AG All Rights Reserved Page 19 of 33
Support Lifecycle (Maintenance)
0
20000
40000
60000
80000
100000
120000
140000
1998 2004 2012No of Systems No of Customers
Example (Maintenance Cycles)
Produkt Release EOL ext EOL
Windows XP 2001 2009 2014Windows 8 2012 2018 2023Red Hat Ent Linux 2012 2020 2023SAP ERP 2004 2020 gt 2024
Maintenance fees typical 20 of the original price
copy 2014 SAP AG All Rights Reserved Page 19 of 33
Customer Requirements
Real-time businessprocess integration
End-to-endmonitoring and support
Single source of truth andmaster data synchronization
Data securityand compliance
Integrateduser experience
Rapid deployment
Support for complexlandscapes
Choice of integrationtechnology
LOB IT
Line of business
copy 2014 SAP AG All Rights Reserved Page 20 of 33
Agenda
1 SAP and SAP PampI ACES
2 Process-aware Information Systems
3 Security Trust and Compliance of Business Processes
4 Research Directions and Challenges
5 Conclusion
copy 2014 SAP AG All Rights Reserved Page 21 of 33
Security in Business Processes An Example
copy 2014 SAP AG All Rights Reserved Page 22 of 33
Access Control
Goal
bull Control access toTasks Resources (Data)
The core
bull UsuallyUsers Roles Access Rights
bull In special casesData labeling
On top
bull Separation of Duty
bull Binding of Duty
bull Delegation
copy 2014 SAP AG All Rights Reserved Page 23 of 33
Protecting Data (and Goods)
Goal
bull Ensurebull confidentialitybull integrity (safety)
of data (and goods)
The core
bull Need-to-Know
bull Fingerprints
bull Encryption
bull Sensors
copy 2014 SAP AG All Rights Reserved Page 24 of 33
Compliance and Additional Requirements
Many regulated markets
bull Basel IIIII SoX PCI
bull HIPAA
Many customer-specific regulations
bull Own governance to mitigate risks
bull Own business code of conduct
bull Fraud detectionprevention
bull Non-observability
Customers are individually audited
bull No ldquoone certificate fits allrdquo solution
Security should not hinder business
copy 2014 SAP AG All Rights Reserved Page 25 of 33
Agenda
1 SAP and SAP PampI ACES
2 Process-aware Information Systems
3 Security Trust and Compliance of Business Processes
4 Research Directions and Challenges
5 Conclusion
copy 2014 SAP AG All Rights Reserved Page 26 of 33
Our Research Over the Last Decade
Access Control for Processesbull RBAC-like models
bull Delegation models
bull Break-(the)-glass models
Model-driven Securitybull Modeling of Security
bull Generation of implementation configuration
bull Monitoring based on models
Process-level Verificationbull Compliance to security spec
bull Consistency of security configurations
Implementation-level Verificationbull Compliance of implementation to process level
security req
copy 2014 SAP AG All Rights Reserved Page 27 of 33
Research Challenges
Adaptabilitybull How to extend systems safely
bull Integration of legacy systems
Auditabilitybull Coherent audit across providerssystems
bull Reduction of audit costs
Cloud (SaaS)bull How to manage decentralized systems
bull How to capture behavior of the composition
bull Who is the attacker
Process level vs technical levelsbull Security is more than CIA
bull Ensuring secure implementation
copy 2014 SAP AG All Rights Reserved Page 28 of 33
Agenda
1 SAP and SAP PampI ACES
2 Process-aware Information Systems
3 Security Trust and Compliance of Business Processes
4 Research Directions and Challenges
5 Conclusion
copy 2014 SAP AG All Rights Reserved Page 29 of 33
Conclusion
ldquo The most interesting challenges are still ahead of us
bull Real systems are large and complexbull many programming languages or frameworksbull many security technologiesbull highly distributedbull implement business processes in many different ways
bull Many research is done on the process level
bull We now need to bring thebull process levelbull implementation level
closer together to provide end-to-end security
bull Cloud solutions create new challengesbull data protection across different providersbull new attacker models
copy 2014 SAP AG All Rights Reserved Page 30 of 33
Thank you
Interested in an InternshipThesis at SAP
bull achimbruckersapcom
bull wwwsapcomjobs and search for locationldquoKarlsruherdquo or rsquolsquostudentrdquo
Bibliography I
Wihem Arsac Luca Compagna Giancarlo Pellegrino and Serena Elisa Ponta
Security validation of business processes via model-checking
In Uacutelfar Erlingsson Roel Wieringa and Nicola Zannone editors ESSoS volume 6542 ofLecture Notes in Computer Science pages 29ndash42 Heidelberg 2011 Springer-Verlag
Achim D Brucker and Isabelle Hang
Secure and compliant implementation of business process-driven systems
In Marcello La Rosa and Pnina Soffer editors Joint Workshop on Security in BusinessProcesses (sbp) volume 132 of Lecture Notes in Business Information Processing (lnbip)pages 662ndash674 Springer-Verlag 2012
Achim D Brucker Isabelle Hang Gero Luumlckemeyer and Raj Ruparel
SecureBPMN Modeling and enforcing access control requirements in business processes
In ACM symposium on access control models and technologies (SACMAT) pages123ndash126 acm Press 2012
copy 2014 SAP AG All Rights Reserved Page 32 of 33
Bibliography II
Luca Compagna Pierre Guilleminot and Achim D Brucker
Business process compliance via security validation as a service
In Manuel Oriol and John Penix editors ieee Sixth International Conference on SoftwareTesting Verification and Validation (icst) pages 455ndash462 ieee Computer Society 2013
Christian Wolter Andreas Schaad and Christoph Meinel
Deriving XACML policies from business process models
In Mathias Weske Mohand-Said Hacid and Claude Godart editors WISE Workshopsvolume 4832 of Lecture Notes in Computer Science pages 142ndash153 Springer-Verlag2007
copy 2014 SAP AG All Rights Reserved Page 33 of 33
copy 2014 SAP AG All rights reserved
No part of this publication may be reproduced or transmitted in any formor for any purpose without the express permission of SAP AG Theinformation contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors containproprietary software components of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registeredtrademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System pSystem p5 System x System z System z10 System z9 z10 z9 iSeriespSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWEROpenPower PowerPC BatchPipes BladeCenter System Storage GPFSHACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel SysplexMVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informixare trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and othercountriesAdobe the Adobe logo Acrobat PostScript and Reader are eithertrademarks or registered trademarks of Adobe Systems Incorporated inthe United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the OpenGroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrameand MultiWin are trademarks or registered trademarks of Citrix SystemsIncHTML XML XHTML and W3C are trademarks or registered trademarks ofW3Creg World Wide Web Consortium Massachusetts Institute ofTechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc usedunder license for technology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAPBusinessObjects Explorer StreamWork and other SAP products andservices mentioned herein as well as their respective logos aretrademarks or registered trademarks of SAP AG in 
Germany and othercountries
Business Objects and the Business Objects logo BusinessObjects CrystalReports Crystal Decisions Web Intelligence Xcelsius and other Business Objectsproducts and services mentioned herein as well as their respective logos aretrademarks or registered trademarks of Business Objects Software Ltd BusinessObjects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and otherSybase products and services mentioned herein as well as their respective logosare trademarks or registered trademarks of Sybase Inc Sybase is an SAPcompanyAll other product and service names mentioned are the trademarks of theirrespective companies Data contained in this document serves informationalpurposes only National product specifications may varyThe information in this document is proprietary to SAP No part of this documentmay be reproduced copied or transmitted in any form or for any purpose withoutthe express prior written permission of SAP AGThis document is a preliminary version and not subject to your license agreementor any other agreement with SAP This document contains only intendedstrategies developments and functionalities of the SAPreg product and is notintended to be binding upon SAP to any particular course of business productstrategy andor development Please note that this document is subject tochange and may be changed by SAP at any time without noticeSAP assumes no responsibility for errors or omissions in this document SAP doesnot warrant the accuracy or completeness of the information text graphics linksor other items contained within this material This document is provided without awarranty of any kind either express or implied including but not limited to theimplied warranties of merchantability fitness for a particular purpose ornon-infringementSAP shall have no liability for damages of any kind including without limitationdirect special indirect or consequential damages that may result from the use ofthese materials This limitation shall not apply 
in cases of intent or grossnegligenceThe statutory liability for personal injury and defective products is not affectedSAP has no control over the information that you may access through the use ofhot links contained in these materials and does not endorse your use ofthird-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages
copy 2014 SAP AG All Rights Reserved Page 34 of 33
- SAP and SAP PampI ACES
- Process-aware Information Systems
-
- The Ideal World
- The Real World
- Cloud Integration
- System Complexity and Adoption Rate
-
- Security Trust and Compliance of Business Processes
- Research Directions and Challenges
- Conclusion
-
Agenda
1 SAP and SAP PampI ACES
2 Process-aware Information Systems
3 Security Trust and Compliance of Business Processes
4 Research Directions and Challenges
5 Conclusion
copy 2014 SAP AG All Rights Reserved Page 9 of 33
Ideal World Modeling
copy 2014 SAP AG All Rights Reserved Page 10 of 33
Ideal World Deployment and Execution
copy 2014 SAP AG All Rights Reserved Page 11 of 33
Real World Modeling
Process Models
bull BPMNBPEL
bull Configurable transactions
bull Custom Coding
bull Legacy Systems
bull External services
Security
bull Each system (OS DB IS)
bull own security infrastructurebull own logging infrastructure
bull Management solutions try tobridge this gap
copy 2014 SAP AG All Rights Reserved Page 12 of 33
Real World Deployment and Execution
Backend
bull AS Java AS ABAP
bull Business Process Engine
bull Legacy Systems
bull External services
bull Sensors and product lines
Frontend
bull Desktop clients
bull Web-based clients
bull Mobile clients
bull Client side compositions(eg mash-ups)
copy 2014 SAP AG All Rights Reserved Page 13 of 33
End-to-End Business Process Integration
Prospect-to-Promoter
Source-to-Pay
Recruit-to-Retire
End-to-End Business Processes
Customers have complex on-premise landscapes
As customers adopt cloudsolutions hybrid landscapes willbecome a norm
Integration across the boundariesof cloud and on-premise is amust to prevent application silos
As companies adopt cloud real-time end-to-endbusiness process integration is critical
copy 2014 SAP AG All Rights Reserved Page 14 of 33
How the Future Might Look LikeC
loud
Solu
tions
Cloud + CRM
SAP CRM
SAP ERP
Two-tier CRM
Headquarters
Subsidiaries
On-
prem
ise
Solu
tions
Pre-Built and Maintained Integrations (iFlows)
Cloud for Customer
Cloud forCustomer
Cloud forCustomer
SAP CRM
SAP ERP
Cloud + ERP
SAP ERP
Cloud for Customer
Cloud + 3rd Party
3rd Party System
Cloud for Customer
copy 2014 SAP AG All Rights Reserved Page 15 of 33
Customer Example (12)
Large manufacturing company withSAP ERP multiple legacy HR andother financial applications worldwide
Migration from legacy HR system
gt120 third-party interfaces ndashIntegration of third-party cloudsolutions to Employee Central (EC)and EC Payroll
100 of SAP-to-SAP integrations and30 of all integrations covered byprepackaged integration flows(iFlows)
SAP ERP FI
On-Premise
Cloud
Aetna
Other FI Systems
Kronos
Aon Hewitt
JP MorganMetlife
Aetna helliphelliphellip
Other FI Systems
PayrollEmployeeCentral
EmployeeOrg Structure
FinancialPosting Active
Directory
copy 2014 SAP AG All Rights Reserved Page 16 of 33
Customer Example (22)
Third-party ERP
Industrial manufacturer with multiplesubsidiaries on different SAP ERPclients as well as third-party ERPsystems
Rapid implementation with small IT team
Delivered improved usability for fieldsales and collaboration between fieldsales and back office
Integration of accounts materials salesquotes and sales ordersSAP ERP (1) SAP ERP (2)
SAP Cloudfor Sales
Field sales including mobility
BW
On-Premise
Cloud
Third-Party ERP
SAP ERP (2)
copy 2014 SAP AG All Rights Reserved Page 17 of 33
Evolution of Source Code
bull Increase in
bull code size
bull code complexity
bull number of products
bull product versions
copy 2014 SAP AG All Rights Reserved Page 18 of 33
Support Lifecycle (Maintenance)
(chart: number of systems and number of customers in 1998, 2004 and 2012; y-axis 0 to 140,000)
Example (Maintenance Cycles)
Product              Release   EOL    ext. EOL
Windows XP           2001      2009   2014
Windows 8            2012      2018   2023
Red Hat Ent. Linux   2012      2020   2023
SAP ERP              2004      2020   > 2024
Maintenance fees: typically 20% of the original price
Customer Requirements
• Real-time business process integration
• End-to-end monitoring and support
• Single source of truth and master data synchronization
• Data security and compliance
• Integrated user experience
• Rapid deployment
• Support for complex landscapes
• Choice of integration technology
(figure: requirements arranged between the line of business (LOB) and IT)
Agenda (next section): 3 Security, Trust and Compliance of Business Processes
Security in Business Processes: An Example
(figure only)
Access Control
Goal
• Control access to tasks and resources (data)
The core
• Usually: users, roles, access rights
• In special cases: data labeling
On top
• Separation of Duty
• Binding of Duty
• Delegation
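As an added illustration (not code from the slides or from SAP), the following Python sketch evaluates task-level access requests in a small purchase-order process: users, roles and access rights form the core, and separation of duty, binding of duty and delegation are layered on top. All users, roles and tasks are constructed sample data.

```python
from dataclasses import dataclass, field


@dataclass
class Policy:
    """Security configuration of one business process (constructed sample data)."""
    role_tasks: dict[str, set[str]]            # role -> tasks its members may perform
    user_roles: dict[str, set[str]]            # user -> assigned roles
    sod: list[tuple[str, str]] = field(default_factory=list)  # task pairs: different users
    bod: list[tuple[str, str]] = field(default_factory=list)  # task pairs: the same user
    delegations: list[tuple[str, str, str]] = field(default_factory=list)
    # (delegator, delegatee, task): the delegator hands one task to the delegatee


class ProcessInstance:
    """One running process instance; records who performed which task and every decision."""

    def __init__(self, policy: Policy) -> None:
        self.policy = policy
        self.performed: dict[str, str] = {}                 # task -> user who executed it
        self.audit: list[tuple[str, str, bool, str]] = []   # (user, task, allowed, reason)

    def _rbac_permits(self, user: str, task: str) -> bool:
        roles = self.policy.user_roles.get(user, set())
        return any(task in self.policy.role_tasks.get(r, set()) for r in roles)

    def _delegation_permits(self, user: str, task: str) -> bool:
        # A delegation is only as strong as the delegator's own right to the task.
        return any(dt == task and de == user and self._rbac_permits(dr, task)
                   for dr, de, dt in self.policy.delegations)

    @staticmethod
    def _partner(pair: tuple[str, str], task: str):
        a, b = pair
        return b if task == a else a if task == b else None

    def check(self, user: str, task: str) -> tuple[bool, str]:
        """RBAC or delegation first; the duty constraints are evaluated on top."""
        if not (self._rbac_permits(user, task) or self._delegation_permits(user, task)):
            return False, "no role or delegation grants this task"
        for pair in self.policy.sod:
            other = self._partner(pair, task)
            if other is not None and self.performed.get(other) == user:
                return False, f"separation of duty: {user} already performed {other}"
        for pair in self.policy.bod:
            other = self._partner(pair, task)
            if other is not None and other in self.performed and self.performed[other] != user:
                return False, f"binding of duty: {other} was performed by {self.performed[other]}"
        return True, "permitted"

    def execute(self, user: str, task: str) -> bool:
        """Enforce the decision and keep an audit record of it, allowed or not."""
        allowed, reason = self.check(user, task)
        self.audit.append((user, task, allowed, reason))
        if allowed:
            self.performed[task] = user
        return allowed


def purchase_order_policy() -> Policy:
    # Hypothetical purchase-order process: create -> approve -> confirm delivery -> pay.
    return Policy(
        role_tasks={"clerk": {"create_order", "confirm_delivery"},
                    "manager": {"approve_order"},
                    "accountant": {"pay_invoice"}},
        user_roles={"alice": {"clerk"}, "bob": {"clerk", "manager"},
                    "carol": {"manager"}, "dave": {"accountant"}},
        sod=[("create_order", "approve_order")],      # creator may not approve
        bod=[("create_order", "confirm_delivery")],   # creator must confirm delivery
        delegations=[("carol", "dave", "approve_order")],  # carol delegates approval to dave
    )


def run_demo() -> list[tuple[str, str, bool, str]]:
    """Replay one instance and return the audit trail of all decisions."""
    inst = ProcessInstance(purchase_order_policy())
    inst.execute("bob", "create_order")        # allowed: bob is a clerk
    inst.execute("bob", "approve_order")       # denied: SoD, bob created the order
    inst.execute("dave", "approve_order")      # allowed: delegated by carol, a manager
    inst.execute("alice", "confirm_delivery")  # denied: BoD, bob must confirm
    inst.execute("bob", "confirm_delivery")    # allowed: same user as create_order
    inst.execute("alice", "pay_invoice")       # denied: no role grants pay_invoice
    inst.execute("dave", "pay_invoice")        # allowed: dave is an accountant
    return inst.audit


if __name__ == "__main__":
    for user, task, allowed, reason in run_demo():
        print(f"{user:6} {task:17} {'ALLOW' if allowed else 'DENY ':5} {reason}")
```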
Protecting Data (and Goods)
Goal
• Ensure
  • confidentiality
  • integrity (safety)
  of data (and goods)
The core
• Need-to-know
• Fingerprints
• Encryption
• Sensors
Compliance and Additional Requirements
Many regulated markets
• Basel II/III, SoX, PCI
• HIPAA
Many customer-specific regulations
• Own governance to mitigate risks
• Own business code of conduct
• Fraud detection/prevention
• Non-observability
Customers are individually audited
• No “one certificate fits all” solution
Security should not hinder business
Agenda (next section): 4 Research Directions and Challenges
Our Research Over the Last Decade
Access Control for Processes
• RBAC-like models
• Delegation models
• Break-(the)-glass models
Model-driven Security
• Modeling of security
• Generation of implementation configuration
• Monitoring based on models
Process-level Verification
• Compliance to security specification
• Consistency of security configurations
Implementation-level Verification
• Compliance of the implementation to process-level security requirements
Research Challenges
Adaptability
• How to extend systems safely
• Integration of legacy systems
Auditability
• Coherent audit across providers/systems
• Reduction of audit costs
Cloud (SaaS)
• How to manage decentralized systems
• How to capture the behavior of the composition
• Who is the attacker?
Process level vs. technical levels
• Security is more than CIA
• Ensuring secure implementation
Agenda (next section): 5 Conclusion
Conclusion
“The most interesting challenges are still ahead of us.”
• Real systems are large and complex:
  • many programming languages or frameworks
  • many security technologies
  • highly distributed
  • implement business processes in many different ways
• Much research is done on the process level
• We now need to bring the process level and the implementation level closer together to provide end-to-end security
• Cloud solutions create new challenges:
  • data protection across different providers
  • new attacker models
Thank you
Interested in an internship/thesis at SAP?
• achim.brucker@sap.com
• www.sap.com/jobs and search for location “Karlsruhe” or “student”
Ideal World Modeling
copy 2014 SAP AG All Rights Reserved Page 10 of 33
Ideal World Deployment and Execution
copy 2014 SAP AG All Rights Reserved Page 11 of 33
Real World Modeling
Process Models
bull BPMNBPEL
bull Configurable transactions
bull Custom Coding
bull Legacy Systems
bull External services
Security
bull Each system (OS DB IS)
bull own security infrastructurebull own logging infrastructure
bull Management solutions try tobridge this gap
copy 2014 SAP AG All Rights Reserved Page 12 of 33
Real World Deployment and Execution
Backend
bull AS Java AS ABAP
bull Business Process Engine
bull Legacy Systems
bull External services
bull Sensors and product lines
Frontend
bull Desktop clients
bull Web-based clients
bull Mobile clients
bull Client side compositions(eg mash-ups)
copy 2014 SAP AG All Rights Reserved Page 13 of 33
End-to-End Business Process Integration
Prospect-to-Promoter
Source-to-Pay
Recruit-to-Retire
End-to-End Business Processes
Customers have complex on-premise landscapes
As customers adopt cloudsolutions hybrid landscapes willbecome a norm
Integration across the boundariesof cloud and on-premise is amust to prevent application silos
As companies adopt cloud real-time end-to-endbusiness process integration is critical
copy 2014 SAP AG All Rights Reserved Page 14 of 33
How the Future Might Look LikeC
loud
Solu
tions
Cloud + CRM
SAP CRM
SAP ERP
Two-tier CRM
Headquarters
Subsidiaries
On-
prem
ise
Solu
tions
Pre-Built and Maintained Integrations (iFlows)
Cloud for Customer
Cloud forCustomer
Cloud forCustomer
SAP CRM
SAP ERP
Cloud + ERP
SAP ERP
Cloud for Customer
Cloud + 3rd Party
3rd Party System
Cloud for Customer
copy 2014 SAP AG All Rights Reserved Page 15 of 33
Customer Example (12)
Large manufacturing company withSAP ERP multiple legacy HR andother financial applications worldwide
Migration from legacy HR system
gt120 third-party interfaces ndashIntegration of third-party cloudsolutions to Employee Central (EC)and EC Payroll
100 of SAP-to-SAP integrations and30 of all integrations covered byprepackaged integration flows(iFlows)
SAP ERP FI
On-Premise
Cloud
Aetna
Other FI Systems
Kronos
Aon Hewitt
JP MorganMetlife
Aetna helliphelliphellip
Other FI Systems
PayrollEmployeeCentral
EmployeeOrg Structure
FinancialPosting Active
Directory
copy 2014 SAP AG All Rights Reserved Page 16 of 33
Customer Example (22)
Third-party ERP
Industrial manufacturer with multiplesubsidiaries on different SAP ERPclients as well as third-party ERPsystems
Rapid implementation with small IT team
Delivered improved usability for fieldsales and collaboration between fieldsales and back office
Integration of accounts materials salesquotes and sales ordersSAP ERP (1) SAP ERP (2)
SAP Cloudfor Sales
Field sales including mobility
BW
On-Premise
Cloud
Third-Party ERP
SAP ERP (2)
copy 2014 SAP AG All Rights Reserved Page 17 of 33
Evolution of Source Code
bull Increase in
bull code size
bull code complexity
bull number of products
bull product versions
copy 2014 SAP AG All Rights Reserved Page 18 of 33
Support Lifecycle (Maintenance)
copy 2014 SAP AG All Rights Reserved Page 19 of 33
Support Lifecycle (Maintenance)
0
20000
40000
60000
80000
100000
120000
1998 2004 2012
No of Systems No of Customerscopy 2014 SAP AG All Rights Reserved Page 19 of 33
Support Lifecycle (Maintenance)
0
20000
40000
60000
80000
100000
120000
140000
1998 2004 2012No of Systems No of Customers
Example (Maintenance Cycles)
Produkt Release EOL ext EOL
Windows XP 2001 2009 2014Windows 8 2012 2018 2023Red Hat Ent Linux 2012 2020 2023SAP ERP 2004 2020 gt 2024
Maintenance fees typical 20 of the original price
copy 2014 SAP AG All Rights Reserved Page 19 of 33
Customer Requirements
Real-time businessprocess integration
End-to-endmonitoring and support
Single source of truth andmaster data synchronization
Data securityand compliance
Integrateduser experience
Rapid deployment
Support for complexlandscapes
Choice of integrationtechnology
LOB IT
Line of business
copy 2014 SAP AG All Rights Reserved Page 20 of 33
Agenda
1 SAP and SAP PampI ACES
2 Process-aware Information Systems
3 Security Trust and Compliance of Business Processes
4 Research Directions and Challenges
5 Conclusion
copy 2014 SAP AG All Rights Reserved Page 21 of 33
Security in Business Processes An Example
copy 2014 SAP AG All Rights Reserved Page 22 of 33
Access Control
Goal
bull Control access toTasks Resources (Data)
The core
bull UsuallyUsers Roles Access Rights
bull In special casesData labeling
On top
bull Separation of Duty
bull Binding of Duty
bull Delegation
copy 2014 SAP AG All Rights Reserved Page 23 of 33
Protecting Data (and Goods)
Goal
bull Ensurebull confidentialitybull integrity (safety)
of data (and goods)
The core
bull Need-to-Know
bull Fingerprints
bull Encryption
bull Sensors
copy 2014 SAP AG All Rights Reserved Page 24 of 33
Compliance and Additional Requirements
Many regulated markets
bull Basel IIIII SoX PCI
bull HIPAA
Many customer-specific regulations
bull Own governance to mitigate risks
bull Own business code of conduct
bull Fraud detectionprevention
bull Non-observability
Customers are individually audited
bull No ldquoone certificate fits allrdquo solution
Security should not hinder business
copy 2014 SAP AG All Rights Reserved Page 25 of 33
Agenda
1 SAP and SAP PampI ACES
2 Process-aware Information Systems
3 Security Trust and Compliance of Business Processes
4 Research Directions and Challenges
5 Conclusion
copy 2014 SAP AG All Rights Reserved Page 26 of 33
Our Research Over the Last Decade
Access Control for Processesbull RBAC-like models
bull Delegation models
bull Break-(the)-glass models
Model-driven Securitybull Modeling of Security
bull Generation of implementation configuration
bull Monitoring based on models
Process-level Verificationbull Compliance to security spec
bull Consistency of security configurations
Implementation-level Verificationbull Compliance of implementation to process level
security req
copy 2014 SAP AG All Rights Reserved Page 27 of 33
Research Challenges
Adaptabilitybull How to extend systems safely
bull Integration of legacy systems
Auditabilitybull Coherent audit across providerssystems
bull Reduction of audit costs
Cloud (SaaS)bull How to manage decentralized systems
bull How to capture behavior of the composition
bull Who is the attacker
Process level vs technical levelsbull Security is more than CIA
bull Ensuring secure implementation
copy 2014 SAP AG All Rights Reserved Page 28 of 33
Agenda
1 SAP and SAP PampI ACES
2 Process-aware Information Systems
3 Security Trust and Compliance of Business Processes
4 Research Directions and Challenges
5 Conclusion
copy 2014 SAP AG All Rights Reserved Page 29 of 33
Conclusion
ldquo The most interesting challenges are still ahead of us
bull Real systems are large and complexbull many programming languages or frameworksbull many security technologiesbull highly distributedbull implement business processes in many different ways
bull Many research is done on the process level
bull We now need to bring thebull process levelbull implementation level
closer together to provide end-to-end security
bull Cloud solutions create new challengesbull data protection across different providersbull new attacker models
copy 2014 SAP AG All Rights Reserved Page 30 of 33
Thank you
Interested in an InternshipThesis at SAP
bull achimbruckersapcom
bull wwwsapcomjobs and search for locationldquoKarlsruherdquo or rsquolsquostudentrdquo
Bibliography I
Wihem Arsac Luca Compagna Giancarlo Pellegrino and Serena Elisa Ponta
Security validation of business processes via model-checking
In Uacutelfar Erlingsson Roel Wieringa and Nicola Zannone editors ESSoS volume 6542 ofLecture Notes in Computer Science pages 29ndash42 Heidelberg 2011 Springer-Verlag
Achim D Brucker and Isabelle Hang
Secure and compliant implementation of business process-driven systems
In Marcello La Rosa and Pnina Soffer editors Joint Workshop on Security in BusinessProcesses (sbp) volume 132 of Lecture Notes in Business Information Processing (lnbip)pages 662ndash674 Springer-Verlag 2012
Achim D Brucker Isabelle Hang Gero Luumlckemeyer and Raj Ruparel
SecureBPMN Modeling and enforcing access control requirements in business processes
In ACM symposium on access control models and technologies (SACMAT) pages123ndash126 acm Press 2012
copy 2014 SAP AG All Rights Reserved Page 32 of 33
Bibliography II
Luca Compagna Pierre Guilleminot and Achim D Brucker
Business process compliance via security validation as a service
In Manuel Oriol and John Penix editors ieee Sixth International Conference on SoftwareTesting Verification and Validation (icst) pages 455ndash462 ieee Computer Society 2013
Christian Wolter Andreas Schaad and Christoph Meinel
Deriving XACML policies from business process models
In Mathias Weske Mohand-Said Hacid and Claude Godart editors WISE Workshopsvolume 4832 of Lecture Notes in Computer Science pages 142ndash153 Springer-Verlag2007
copy 2014 SAP AG All Rights Reserved Page 33 of 33
copy 2014 SAP AG All rights reserved
No part of this publication may be reproduced or transmitted in any formor for any purpose without the express permission of SAP AG Theinformation contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors containproprietary software components of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registeredtrademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System pSystem p5 System x System z System z10 System z9 z10 z9 iSeriespSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWEROpenPower PowerPC BatchPipes BladeCenter System Storage GPFSHACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel SysplexMVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informixare trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and othercountriesAdobe the Adobe logo Acrobat PostScript and Reader are eithertrademarks or registered trademarks of Adobe Systems Incorporated inthe United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the OpenGroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrameand MultiWin are trademarks or registered trademarks of Citrix SystemsIncHTML XML XHTML and W3C are trademarks or registered trademarks ofW3Creg World Wide Web Consortium Massachusetts Institute ofTechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc usedunder license for technology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAPBusinessObjects Explorer StreamWork and other SAP products andservices mentioned herein as well as their respective logos aretrademarks or registered trademarks of SAP AG in 
Germany and othercountries
Business Objects and the Business Objects logo BusinessObjects CrystalReports Crystal Decisions Web Intelligence Xcelsius and other Business Objectsproducts and services mentioned herein as well as their respective logos aretrademarks or registered trademarks of Business Objects Software Ltd BusinessObjects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and otherSybase products and services mentioned herein as well as their respective logosare trademarks or registered trademarks of Sybase Inc Sybase is an SAPcompanyAll other product and service names mentioned are the trademarks of theirrespective companies Data contained in this document serves informationalpurposes only National product specifications may varyThe information in this document is proprietary to SAP No part of this documentmay be reproduced copied or transmitted in any form or for any purpose withoutthe express prior written permission of SAP AGThis document is a preliminary version and not subject to your license agreementor any other agreement with SAP This document contains only intendedstrategies developments and functionalities of the SAPreg product and is notintended to be binding upon SAP to any particular course of business productstrategy andor development Please note that this document is subject tochange and may be changed by SAP at any time without noticeSAP assumes no responsibility for errors or omissions in this document SAP doesnot warrant the accuracy or completeness of the information text graphics linksor other items contained within this material This document is provided without awarranty of any kind either express or implied including but not limited to theimplied warranties of merchantability fitness for a particular purpose ornon-infringementSAP shall have no liability for damages of any kind including without limitationdirect special indirect or consequential damages that may result from the use ofthese materials This limitation shall not apply 
in cases of intent or grossnegligenceThe statutory liability for personal injury and defective products is not affectedSAP has no control over the information that you may access through the use ofhot links contained in these materials and does not endorse your use ofthird-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages
copy 2014 SAP AG All Rights Reserved Page 34 of 33
- SAP and SAP PampI ACES
- Process-aware Information Systems
-
- The Ideal World
- The Real World
- Cloud Integration
- System Complexity and Adoption Rate
-
- Security Trust and Compliance of Business Processes
- Research Directions and Challenges
- Conclusion
-
Ideal World Deployment and Execution
copy 2014 SAP AG All Rights Reserved Page 11 of 33
Real World Modeling
Process Models
bull BPMNBPEL
bull Configurable transactions
bull Custom Coding
bull Legacy Systems
bull External services
Security
bull Each system (OS DB IS)
bull own security infrastructurebull own logging infrastructure
bull Management solutions try tobridge this gap
copy 2014 SAP AG All Rights Reserved Page 12 of 33
Real World Deployment and Execution
Backend
bull AS Java AS ABAP
bull Business Process Engine
bull Legacy Systems
bull External services
bull Sensors and product lines
Frontend
bull Desktop clients
bull Web-based clients
bull Mobile clients
bull Client side compositions(eg mash-ups)
copy 2014 SAP AG All Rights Reserved Page 13 of 33
End-to-End Business Process Integration
Prospect-to-Promoter
Source-to-Pay
Recruit-to-Retire
End-to-End Business Processes
Customers have complex on-premise landscapes
As customers adopt cloudsolutions hybrid landscapes willbecome a norm
Integration across the boundariesof cloud and on-premise is amust to prevent application silos
As companies adopt cloud real-time end-to-endbusiness process integration is critical
copy 2014 SAP AG All Rights Reserved Page 14 of 33
How the Future Might Look LikeC
loud
Solu
tions
Cloud + CRM
SAP CRM
SAP ERP
Two-tier CRM
Headquarters
Subsidiaries
On-
prem
ise
Solu
tions
Pre-Built and Maintained Integrations (iFlows)
Cloud for Customer
Cloud forCustomer
Cloud forCustomer
SAP CRM
SAP ERP
Cloud + ERP
SAP ERP
Cloud for Customer
Cloud + 3rd Party
3rd Party System
Cloud for Customer
copy 2014 SAP AG All Rights Reserved Page 15 of 33
Customer Example (12)
Large manufacturing company withSAP ERP multiple legacy HR andother financial applications worldwide
Migration from legacy HR system
gt120 third-party interfaces ndashIntegration of third-party cloudsolutions to Employee Central (EC)and EC Payroll
100 of SAP-to-SAP integrations and30 of all integrations covered byprepackaged integration flows(iFlows)
SAP ERP FI
On-Premise
Cloud
Aetna
Other FI Systems
Kronos
Aon Hewitt
JP MorganMetlife
Aetna helliphelliphellip
Other FI Systems
PayrollEmployeeCentral
EmployeeOrg Structure
FinancialPosting Active
Directory
copy 2014 SAP AG All Rights Reserved Page 16 of 33
Customer Example (22)
Third-party ERP
Industrial manufacturer with multiplesubsidiaries on different SAP ERPclients as well as third-party ERPsystems
Rapid implementation with small IT team
Delivered improved usability for fieldsales and collaboration between fieldsales and back office
Integration of accounts materials salesquotes and sales ordersSAP ERP (1) SAP ERP (2)
SAP Cloudfor Sales
Field sales including mobility
BW
On-Premise
Cloud
Third-Party ERP
SAP ERP (2)
copy 2014 SAP AG All Rights Reserved Page 17 of 33
Evolution of Source Code
bull Increase in
bull code size
bull code complexity
bull number of products
bull product versions
copy 2014 SAP AG All Rights Reserved Page 18 of 33
Support Lifecycle (Maintenance)
copy 2014 SAP AG All Rights Reserved Page 19 of 33
Support Lifecycle (Maintenance)
0
20000
40000
60000
80000
100000
120000
1998 2004 2012
No of Systems No of Customerscopy 2014 SAP AG All Rights Reserved Page 19 of 33
Support Lifecycle (Maintenance)
0
20000
40000
60000
80000
100000
120000
140000
1998 2004 2012No of Systems No of Customers
Example (Maintenance Cycles)
Produkt Release EOL ext EOL
Windows XP 2001 2009 2014Windows 8 2012 2018 2023Red Hat Ent Linux 2012 2020 2023SAP ERP 2004 2020 gt 2024
Maintenance fees typical 20 of the original price
copy 2014 SAP AG All Rights Reserved Page 19 of 33
Customer Requirements
Real-time businessprocess integration
End-to-endmonitoring and support
Single source of truth andmaster data synchronization
Data securityand compliance
Integrateduser experience
Rapid deployment
Support for complexlandscapes
Choice of integrationtechnology
LOB IT
Line of business
copy 2014 SAP AG All Rights Reserved Page 20 of 33
Agenda
1 SAP and SAP PampI ACES
2 Process-aware Information Systems
3 Security Trust and Compliance of Business Processes
4 Research Directions and Challenges
5 Conclusion
copy 2014 SAP AG All Rights Reserved Page 21 of 33
Security in Business Processes An Example
copy 2014 SAP AG All Rights Reserved Page 22 of 33
Access Control
Goal
bull Control access toTasks Resources (Data)
The core
bull UsuallyUsers Roles Access Rights
bull In special casesData labeling
On top
bull Separation of Duty
bull Binding of Duty
bull Delegation
copy 2014 SAP AG All Rights Reserved Page 23 of 33
Protecting Data (and Goods)
Goal
bull Ensurebull confidentialitybull integrity (safety)
of data (and goods)
The core
bull Need-to-Know
bull Fingerprints
bull Encryption
bull Sensors
copy 2014 SAP AG All Rights Reserved Page 24 of 33
Compliance and Additional Requirements
Many regulated markets
bull Basel IIIII SoX PCI
bull HIPAA
Many customer-specific regulations
bull Own governance to mitigate risks
bull Own business code of conduct
bull Fraud detectionprevention
bull Non-observability
Customers are individually audited
bull No ldquoone certificate fits allrdquo solution
Security should not hinder business
copy 2014 SAP AG All Rights Reserved Page 25 of 33
Agenda
1 SAP and SAP PampI ACES
2 Process-aware Information Systems
3 Security Trust and Compliance of Business Processes
4 Research Directions and Challenges
5 Conclusion
copy 2014 SAP AG All Rights Reserved Page 26 of 33
Our Research Over the Last Decade
Access Control for Processesbull RBAC-like models
bull Delegation models
bull Break-(the)-glass models
Model-driven Securitybull Modeling of Security
bull Generation of implementation configuration
bull Monitoring based on models
Process-level Verificationbull Compliance to security spec
bull Consistency of security configurations
Implementation-level Verificationbull Compliance of implementation to process level
security req
copy 2014 SAP AG All Rights Reserved Page 27 of 33
Research Challenges
Adaptabilitybull How to extend systems safely
bull Integration of legacy systems
Auditabilitybull Coherent audit across providerssystems
bull Reduction of audit costs
Cloud (SaaS)bull How to manage decentralized systems
bull How to capture behavior of the composition
bull Who is the attacker
Process level vs technical levelsbull Security is more than CIA
bull Ensuring secure implementation
copy 2014 SAP AG All Rights Reserved Page 28 of 33
Agenda
1 SAP and SAP PampI ACES
2 Process-aware Information Systems
3 Security Trust and Compliance of Business Processes
4 Research Directions and Challenges
5 Conclusion
copy 2014 SAP AG All Rights Reserved Page 29 of 33
Conclusion
ldquo The most interesting challenges are still ahead of us
bull Real systems are large and complexbull many programming languages or frameworksbull many security technologiesbull highly distributedbull implement business processes in many different ways
bull Many research is done on the process level
bull We now need to bring thebull process levelbull implementation level
closer together to provide end-to-end security
bull Cloud solutions create new challengesbull data protection across different providersbull new attacker models
copy 2014 SAP AG All Rights Reserved Page 30 of 33
Thank you
Interested in an InternshipThesis at SAP
bull achimbruckersapcom
bull wwwsapcomjobs and search for locationldquoKarlsruherdquo or rsquolsquostudentrdquo
Bibliography I
Wihem Arsac, Luca Compagna, Giancarlo Pellegrino, and Serena Elisa Ponta.
Security validation of business processes via model-checking.
In Úlfar Erlingsson, Roel Wieringa, and Nicola Zannone, editors, ESSoS, volume 6542 of Lecture Notes in Computer Science, pages 29–42. Springer-Verlag, Heidelberg, 2011.
Achim D. Brucker and Isabelle Hang.
Secure and compliant implementation of business process-driven systems.
In Marcello La Rosa and Pnina Soffer, editors, Joint Workshop on Security in Business Processes (SBP), volume 132 of Lecture Notes in Business Information Processing (LNBIP), pages 662–674. Springer-Verlag, 2012.
Achim D. Brucker, Isabelle Hang, Gero Lückemeyer, and Raj Ruparel.
SecureBPMN: Modeling and enforcing access control requirements in business processes.
In ACM Symposium on Access Control Models and Technologies (SACMAT), pages 123–126. ACM Press, 2012.
Bibliography II
Luca Compagna, Pierre Guilleminot, and Achim D. Brucker.
Business process compliance via security validation as a service.
In Manuel Oriol and John Penix, editors, IEEE Sixth International Conference on Software Testing, Verification and Validation (ICST), pages 455–462. IEEE Computer Society, 2013.
Christian Wolter, Andreas Schaad, and Christoph Meinel.
Deriving XACML policies from business process models.
In Mathias Weske, Mohand-Said Hacid, and Claude Godart, editors, WISE Workshops, volume 4832 of Lecture Notes in Computer Science, pages 142–153. Springer-Verlag, 2007.
© 2014 SAP AG. All rights reserved.
Real World: Modeling
Process Models
• BPMN/BPEL
• Configurable transactions
• Custom coding
• Legacy systems
• External services
Security
• Each system (OS, DB, IS) has its
  • own security infrastructure
  • own logging infrastructure
• Management solutions try to bridge this gap
Real World: Deployment and Execution
Backend
• AS Java, AS ABAP
• Business Process Engine
• Legacy systems
• External services
• Sensors and product lines
Frontend
• Desktop clients
• Web-based clients
• Mobile clients
• Client-side compositions (e.g., mash-ups)
End-to-End Business Process Integration
End-to-end business processes: Prospect-to-Promoter, Source-to-Pay, Recruit-to-Retire
• Customers have complex on-premise landscapes
• As customers adopt cloud solutions, hybrid landscapes will become the norm
• Integration across the boundaries of cloud and on-premise is a must to prevent application silos
• As companies adopt the cloud, real-time end-to-end business process integration is critical
How the Future Might Look Like
[Diagram: cloud solutions (Cloud for Customer) connected to on-premise solutions (SAP CRM, SAP ERP, 3rd party system) through pre-built and maintained integrations (iFlows); scenarios shown: Cloud + CRM, two-tier CRM (headquarters/subsidiaries), Cloud + ERP, Cloud + 3rd Party]
Customer Example (1/2)
• Large manufacturing company with SAP ERP, multiple legacy HR and other financial applications worldwide
• Migration from legacy HR system
• >120 third-party interfaces – integration of third-party cloud solutions to Employee Central (EC) and EC Payroll
• 100% of SAP-to-SAP integrations and 30% of all integrations covered by prepackaged integration flows (iFlows)
[Diagram: on-premise SAP ERP FI and other FI systems; cloud Employee Central and EC Payroll; third-party providers Aetna, Kronos, Aon Hewitt, JP Morgan, MetLife, …; data flows for employee/org structure, financial posting, and Active Directory]
Customer Example (2/2)
• Industrial manufacturer with multiple subsidiaries on different SAP ERP clients as well as third-party ERP systems
• Rapid implementation with a small IT team
• Delivered improved usability for field sales and collaboration between field sales and back office
• Integration of accounts, materials, sales quotes, and sales orders
[Diagram: on-premise SAP ERP (1), SAP ERP (2), BW, and a third-party ERP integrated with SAP Cloud for Sales; field sales including mobility]
Evolution of Source Code
• Increase in
  • code size
  • code complexity
  • number of products
  • product versions
Support Lifecycle (Maintenance)
[Chart: number of systems and number of customers for 1998, 2004, and 2012; y-axis 0 to 140,000]
Example (Maintenance Cycles)
Product              Release   EOL    ext. EOL
Windows XP           2001      2009   2014
Windows 8            2012      2018   2023
Red Hat Ent. Linux   2012      2020   2023
SAP ERP              2004      2020   > 2024
Maintenance fees: typically 20% of the original price
Customer Requirements (line of business (LOB) and IT)
• Real-time business process integration
• End-to-end monitoring and support
• Single source of truth and master data synchronization
• Data security and compliance
• Integrated user experience
• Rapid deployment
• Support for complex landscapes
• Choice of integration technology
Security in Business Processes: An Example
Access Control
Goal
• Control access to tasks and resources (data)
The core
• Usually: users, roles, access rights
• In special cases: data labeling
On top
• Separation of Duty
• Binding of Duty
• Delegation
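Added example, not code from the slides or from SAP's products: a small Python model of the three layers listed above, an RBAC core with Separation of Duty, Binding of Duty and delegation evaluated on top, for one constructed payment process. The task names, users, roles and constraints are made up for illustration.

```python
"""Process-level access control: RBAC core, with Separation of Duty (SoD),
Binding of Duty (BoD) and delegation layered on top.  Example code written
for this page; the payment process below is constructed sample data."""
from dataclasses import dataclass, field

# Core RBAC: which roles may execute which task of the (constructed) process.
TASK_ROLES = {
    "prepare_payment": {"clerk"},
    "approve_payment": {"manager"},
    "execute_payment": {"clerk"},
}
USER_ROLES = {
    "alice": {"clerk"},
    "bob": {"manager"},
    "carol": {"accountant"},          # no role on any task of this process
    "dave": {"clerk", "manager"},     # holds both roles: SoD must still bite
}
# Process-level constraints on top of RBAC, each a pair of tasks.
SOD = {frozenset({"prepare_payment", "approve_payment"})}  # different users
BOD = {frozenset({"prepare_payment", "execute_payment"})}  # the same user


@dataclass
class ProcessInstance:
    history: dict = field(default_factory=dict)    # task -> executing user
    delegations: set = field(default_factory=set)  # (delegator, delegatee, task)


def rbac_permits(user, task):
    """Core check: the user holds at least one role allowed for the task."""
    return bool(USER_ROLES.get(user, set()) & TASK_ROLES.get(task, set()))


def delegate(inst, delegator, delegatee, task):
    """Delegation may only hand over a right the delegator actually holds."""
    if not rbac_permits(delegator, task):
        raise PermissionError(f"{delegator} cannot delegate {task}: no right")
    inst.delegations.add((delegator, delegatee, task))


def decide(inst, user, task):
    """Return (allowed, reason); layers: RBAC or delegation, then SoD, then BoD.
    SoD/BoD are checked against the actual executor; a stricter policy could
    additionally consider the delegator of a delegated task."""
    permitted = rbac_permits(user, task) or any(
        dlg == user and t == task for _, dlg, t in inst.delegations)
    if not permitted:
        return False, f"no role or delegation grants {task}"
    for pair in SOD:                      # executor of the paired task differs
        if task in pair:
            other = next(iter(pair - {task}))
            if inst.history.get(other) == user:
                return False, f"SoD: {user} already executed {other}"
    for pair in BOD:                      # executor of the paired task is bound
        if task in pair:
            other = next(iter(pair - {task}))
            if other in inst.history and inst.history[other] != user:
                return False, f"BoD: {task} is bound to {inst.history[other]}"
    return True, "ok"


def run_scenario():
    """Walk one instance; returns a list of (user, task, allowed, reason)."""
    inst = ProcessInstance()
    log = []

    def attempt(user, task):
        allowed, reason = decide(inst, user, task)
        if allowed:
            inst.history[task] = user     # record who executed the task
        log.append((user, task, allowed, reason))

    attempt("dave", "prepare_payment")    # clerk role: allowed
    attempt("dave", "approve_payment")    # manager role, but SoD denies
    delegate(inst, "bob", "carol", "approve_payment")
    attempt("carol", "approve_payment")   # allowed via delegation from bob
    attempt("alice", "execute_payment")   # clerk, but BoD binds it to dave
    attempt("dave", "execute_payment")    # allowed: same user as prepare
    return log


if __name__ == "__main__":
    for entry in run_scenario():
        print(entry)
```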
Protecting Data (and Goods)
Goal
• Ensure
  • confidentiality
  • integrity (safety)
  of data (and goods)
The core
• Need-to-know
• Fingerprints
• Encryption
• Sensors
Compliance and Additional Requirements
Many regulated markets
• Basel II/III, SoX, PCI
• HIPAA
Many customer-specific regulations
• Own governance to mitigate risks
• Own business code of conduct
• Fraud detection/prevention
• Non-observability
Customers are individually audited
• No “one certificate fits all” solution
Security should not hinder business
Agenda
1 SAP and SAP PampI ACES
2 Process-aware Information Systems
3 Security Trust and Compliance of Business Processes
4 Research Directions and Challenges
5 Conclusion
copy 2014 SAP AG All Rights Reserved Page 26 of 33
Our Research Over the Last Decade
Access Control for Processesbull RBAC-like models
bull Delegation models
bull Break-(the)-glass models
Model-driven Securitybull Modeling of Security
bull Generation of implementation configuration
bull Monitoring based on models
Process-level Verificationbull Compliance to security spec
bull Consistency of security configurations
Implementation-level Verificationbull Compliance of implementation to process level
security req
copy 2014 SAP AG All Rights Reserved Page 27 of 33
Research Challenges
Adaptabilitybull How to extend systems safely
bull Integration of legacy systems
Auditabilitybull Coherent audit across providerssystems
bull Reduction of audit costs
Cloud (SaaS)bull How to manage decentralized systems
bull How to capture behavior of the composition
bull Who is the attacker
Process level vs technical levelsbull Security is more than CIA
bull Ensuring secure implementation
copy 2014 SAP AG All Rights Reserved Page 28 of 33
Agenda
1 SAP and SAP PampI ACES
2 Process-aware Information Systems
3 Security Trust and Compliance of Business Processes
4 Research Directions and Challenges
5 Conclusion
copy 2014 SAP AG All Rights Reserved Page 29 of 33
Conclusion
ldquo The most interesting challenges are still ahead of us
bull Real systems are large and complexbull many programming languages or frameworksbull many security technologiesbull highly distributedbull implement business processes in many different ways
bull Many research is done on the process level
bull We now need to bring thebull process levelbull implementation level
closer together to provide end-to-end security
bull Cloud solutions create new challengesbull data protection across different providersbull new attacker models
copy 2014 SAP AG All Rights Reserved Page 30 of 33
Thank you
Interested in an InternshipThesis at SAP
bull achimbruckersapcom
bull wwwsapcomjobs and search for locationldquoKarlsruherdquo or rsquolsquostudentrdquo
Bibliography I
Wihem Arsac Luca Compagna Giancarlo Pellegrino and Serena Elisa Ponta
Security validation of business processes via model-checking
In Uacutelfar Erlingsson Roel Wieringa and Nicola Zannone editors ESSoS volume 6542 ofLecture Notes in Computer Science pages 29ndash42 Heidelberg 2011 Springer-Verlag
Achim D Brucker and Isabelle Hang
Secure and compliant implementation of business process-driven systems
In Marcello La Rosa and Pnina Soffer editors Joint Workshop on Security in BusinessProcesses (sbp) volume 132 of Lecture Notes in Business Information Processing (lnbip)pages 662ndash674 Springer-Verlag 2012
Achim D Brucker Isabelle Hang Gero Luumlckemeyer and Raj Ruparel
SecureBPMN Modeling and enforcing access control requirements in business processes
In ACM symposium on access control models and technologies (SACMAT) pages123ndash126 acm Press 2012
copy 2014 SAP AG All Rights Reserved Page 32 of 33
Bibliography II
Luca Compagna Pierre Guilleminot and Achim D Brucker
Business process compliance via security validation as a service
In Manuel Oriol and John Penix editors ieee Sixth International Conference on SoftwareTesting Verification and Validation (icst) pages 455ndash462 ieee Computer Society 2013
Christian Wolter Andreas Schaad and Christoph Meinel
Deriving XACML policies from business process models
In Mathias Weske Mohand-Said Hacid and Claude Godart editors WISE Workshopsvolume 4832 of Lecture Notes in Computer Science pages 142ndash153 Springer-Verlag2007
copy 2014 SAP AG All Rights Reserved Page 33 of 33
copy 2014 SAP AG All rights reserved
No part of this publication may be reproduced or transmitted in any formor for any purpose without the express permission of SAP AG Theinformation contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors containproprietary software components of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registeredtrademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System pSystem p5 System x System z System z10 System z9 z10 z9 iSeriespSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWEROpenPower PowerPC BatchPipes BladeCenter System Storage GPFSHACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel SysplexMVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informixare trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and othercountriesAdobe the Adobe logo Acrobat PostScript and Reader are eithertrademarks or registered trademarks of Adobe Systems Incorporated inthe United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the OpenGroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrameand MultiWin are trademarks or registered trademarks of Citrix SystemsIncHTML XML XHTML and W3C are trademarks or registered trademarks ofW3Creg World Wide Web Consortium Massachusetts Institute ofTechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc usedunder license for technology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAPBusinessObjects Explorer StreamWork and other SAP products andservices mentioned herein as well as their respective logos aretrademarks or registered trademarks of SAP AG in 
Germany and othercountries
Business Objects and the Business Objects logo BusinessObjects CrystalReports Crystal Decisions Web Intelligence Xcelsius and other Business Objectsproducts and services mentioned herein as well as their respective logos aretrademarks or registered trademarks of Business Objects Software Ltd BusinessObjects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and otherSybase products and services mentioned herein as well as their respective logosare trademarks or registered trademarks of Sybase Inc Sybase is an SAPcompanyAll other product and service names mentioned are the trademarks of theirrespective companies Data contained in this document serves informationalpurposes only National product specifications may varyThe information in this document is proprietary to SAP No part of this documentmay be reproduced copied or transmitted in any form or for any purpose withoutthe express prior written permission of SAP AGThis document is a preliminary version and not subject to your license agreementor any other agreement with SAP This document contains only intendedstrategies developments and functionalities of the SAPreg product and is notintended to be binding upon SAP to any particular course of business productstrategy andor development Please note that this document is subject tochange and may be changed by SAP at any time without noticeSAP assumes no responsibility for errors or omissions in this document SAP doesnot warrant the accuracy or completeness of the information text graphics linksor other items contained within this material This document is provided without awarranty of any kind either express or implied including but not limited to theimplied warranties of merchantability fitness for a particular purpose ornon-infringementSAP shall have no liability for damages of any kind including without limitationdirect special indirect or consequential damages that may result from the use ofthese materials This limitation shall not apply 
in cases of intent or grossnegligenceThe statutory liability for personal injury and defective products is not affectedSAP has no control over the information that you may access through the use ofhot links contained in these materials and does not endorse your use ofthird-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages
copy 2014 SAP AG All Rights Reserved Page 34 of 33
- SAP and SAP PampI ACES
- Process-aware Information Systems
-
- The Ideal World
- The Real World
- Cloud Integration
- System Complexity and Adoption Rate
-
- Security Trust and Compliance of Business Processes
- Research Directions and Challenges
- Conclusion
-
Real World Deployment and Execution
Backend
bull AS Java AS ABAP
bull Business Process Engine
bull Legacy Systems
bull External services
bull Sensors and product lines
Frontend
bull Desktop clients
bull Web-based clients
bull Mobile clients
bull Client side compositions(eg mash-ups)
copy 2014 SAP AG All Rights Reserved Page 13 of 33
End-to-End Business Process Integration
Prospect-to-Promoter
Source-to-Pay
Recruit-to-Retire
End-to-End Business Processes
Customers have complex on-premise landscapes
As customers adopt cloudsolutions hybrid landscapes willbecome a norm
Integration across the boundariesof cloud and on-premise is amust to prevent application silos
As companies adopt cloud real-time end-to-endbusiness process integration is critical
copy 2014 SAP AG All Rights Reserved Page 14 of 33
How the Future Might Look LikeC
loud
Solu
tions
Cloud + CRM
SAP CRM
SAP ERP
Two-tier CRM
Headquarters
Subsidiaries
On-
prem
ise
Solu
tions
Pre-Built and Maintained Integrations (iFlows)
Cloud for Customer
Cloud forCustomer
Cloud forCustomer
SAP CRM
SAP ERP
Cloud + ERP
SAP ERP
Cloud for Customer
Cloud + 3rd Party
3rd Party System
Cloud for Customer
copy 2014 SAP AG All Rights Reserved Page 15 of 33
Customer Example (12)
Large manufacturing company withSAP ERP multiple legacy HR andother financial applications worldwide
Migration from legacy HR system
gt120 third-party interfaces ndashIntegration of third-party cloudsolutions to Employee Central (EC)and EC Payroll
100 of SAP-to-SAP integrations and30 of all integrations covered byprepackaged integration flows(iFlows)
SAP ERP FI
On-Premise
Cloud
Aetna
Other FI Systems
Kronos
Aon Hewitt
JP MorganMetlife
Aetna helliphelliphellip
Other FI Systems
PayrollEmployeeCentral
EmployeeOrg Structure
FinancialPosting Active
Directory
copy 2014 SAP AG All Rights Reserved Page 16 of 33
Customer Example (22)
Third-party ERP
Industrial manufacturer with multiplesubsidiaries on different SAP ERPclients as well as third-party ERPsystems
Rapid implementation with small IT team
Delivered improved usability for fieldsales and collaboration between fieldsales and back office
Integration of accounts materials salesquotes and sales ordersSAP ERP (1) SAP ERP (2)
SAP Cloudfor Sales
Field sales including mobility
BW
On-Premise
Cloud
Third-Party ERP
SAP ERP (2)
copy 2014 SAP AG All Rights Reserved Page 17 of 33
Evolution of Source Code
bull Increase in
bull code size
bull code complexity
bull number of products
bull product versions
copy 2014 SAP AG All Rights Reserved Page 18 of 33
Support Lifecycle (Maintenance)
copy 2014 SAP AG All Rights Reserved Page 19 of 33
Support Lifecycle (Maintenance)
0
20000
40000
60000
80000
100000
120000
1998 2004 2012
No of Systems No of Customerscopy 2014 SAP AG All Rights Reserved Page 19 of 33
Support Lifecycle (Maintenance)
0
20000
40000
60000
80000
100000
120000
140000
1998 2004 2012No of Systems No of Customers
Example (Maintenance Cycles)
Produkt Release EOL ext EOL
Windows XP 2001 2009 2014Windows 8 2012 2018 2023Red Hat Ent Linux 2012 2020 2023SAP ERP 2004 2020 gt 2024
Maintenance fees typical 20 of the original price
copy 2014 SAP AG All Rights Reserved Page 19 of 33
Customer Requirements
Real-time businessprocess integration
End-to-endmonitoring and support
Single source of truth andmaster data synchronization
Data securityand compliance
Integrateduser experience
Rapid deployment
Support for complexlandscapes
Choice of integrationtechnology
LOB IT
Line of business
copy 2014 SAP AG All Rights Reserved Page 20 of 33
Agenda
1 SAP and SAP PampI ACES
2 Process-aware Information Systems
3 Security Trust and Compliance of Business Processes
4 Research Directions and Challenges
5 Conclusion
copy 2014 SAP AG All Rights Reserved Page 21 of 33
Security in Business Processes An Example
copy 2014 SAP AG All Rights Reserved Page 22 of 33
Access Control
Goal
bull Control access toTasks Resources (Data)
The core
bull UsuallyUsers Roles Access Rights
bull In special casesData labeling
On top
bull Separation of Duty
bull Binding of Duty
bull Delegation
copy 2014 SAP AG All Rights Reserved Page 23 of 33
Protecting Data (and Goods)
Goal
bull Ensurebull confidentialitybull integrity (safety)
of data (and goods)
The core
bull Need-to-Know
bull Fingerprints
bull Encryption
bull Sensors
copy 2014 SAP AG All Rights Reserved Page 24 of 33
Compliance and Additional Requirements
Many regulated markets
bull Basel IIIII SoX PCI
bull HIPAA
Many customer-specific regulations
bull Own governance to mitigate risks
bull Own business code of conduct
bull Fraud detectionprevention
bull Non-observability
Customers are individually audited
bull No ldquoone certificate fits allrdquo solution
Security should not hinder business
copy 2014 SAP AG All Rights Reserved Page 25 of 33
Agenda
1 SAP and SAP PampI ACES
2 Process-aware Information Systems
3 Security Trust and Compliance of Business Processes
4 Research Directions and Challenges
5 Conclusion
copy 2014 SAP AG All Rights Reserved Page 26 of 33
Our Research Over the Last Decade
Access Control for Processesbull RBAC-like models
bull Delegation models
bull Break-(the)-glass models
Model-driven Securitybull Modeling of Security
bull Generation of implementation configuration
bull Monitoring based on models
Process-level Verificationbull Compliance to security spec
bull Consistency of security configurations
Implementation-level Verificationbull Compliance of implementation to process level
security req
copy 2014 SAP AG All Rights Reserved Page 27 of 33
Research Challenges
Adaptabilitybull How to extend systems safely
bull Integration of legacy systems
Auditabilitybull Coherent audit across providerssystems
bull Reduction of audit costs
Cloud (SaaS)bull How to manage decentralized systems
bull How to capture behavior of the composition
bull Who is the attacker
Process level vs technical levelsbull Security is more than CIA
bull Ensuring secure implementation
copy 2014 SAP AG All Rights Reserved Page 28 of 33
Agenda
1 SAP and SAP PampI ACES
2 Process-aware Information Systems
3 Security Trust and Compliance of Business Processes
4 Research Directions and Challenges
5 Conclusion
copy 2014 SAP AG All Rights Reserved Page 29 of 33
Conclusion
ldquo The most interesting challenges are still ahead of us
bull Real systems are large and complexbull many programming languages or frameworksbull many security technologiesbull highly distributedbull implement business processes in many different ways
bull Many research is done on the process level
bull We now need to bring thebull process levelbull implementation level
closer together to provide end-to-end security
bull Cloud solutions create new challengesbull data protection across different providersbull new attacker models
copy 2014 SAP AG All Rights Reserved Page 30 of 33
Thank you
Interested in an InternshipThesis at SAP
bull achimbruckersapcom
bull wwwsapcomjobs and search for locationldquoKarlsruherdquo or rsquolsquostudentrdquo
Bibliography I
Wihem Arsac Luca Compagna Giancarlo Pellegrino and Serena Elisa Ponta
Security validation of business processes via model-checking
In Uacutelfar Erlingsson Roel Wieringa and Nicola Zannone editors ESSoS volume 6542 ofLecture Notes in Computer Science pages 29ndash42 Heidelberg 2011 Springer-Verlag
Achim D Brucker and Isabelle Hang
Secure and compliant implementation of business process-driven systems
In Marcello La Rosa and Pnina Soffer editors Joint Workshop on Security in BusinessProcesses (sbp) volume 132 of Lecture Notes in Business Information Processing (lnbip)pages 662ndash674 Springer-Verlag 2012
Achim D Brucker Isabelle Hang Gero Luumlckemeyer and Raj Ruparel
SecureBPMN Modeling and enforcing access control requirements in business processes
In ACM symposium on access control models and technologies (SACMAT) pages123ndash126 acm Press 2012
copy 2014 SAP AG All Rights Reserved Page 32 of 33
Bibliography II
Luca Compagna Pierre Guilleminot and Achim D Brucker
Business process compliance via security validation as a service
In Manuel Oriol and John Penix editors ieee Sixth International Conference on SoftwareTesting Verification and Validation (icst) pages 455ndash462 ieee Computer Society 2013
Christian Wolter Andreas Schaad and Christoph Meinel
Deriving XACML policies from business process models
In Mathias Weske Mohand-Said Hacid and Claude Godart editors WISE Workshopsvolume 4832 of Lecture Notes in Computer Science pages 142ndash153 Springer-Verlag2007
copy 2014 SAP AG All Rights Reserved Page 33 of 33
copy 2014 SAP AG All rights reserved
No part of this publication may be reproduced or transmitted in any formor for any purpose without the express permission of SAP AG Theinformation contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors containproprietary software components of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registeredtrademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System pSystem p5 System x System z System z10 System z9 z10 z9 iSeriespSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWEROpenPower PowerPC BatchPipes BladeCenter System Storage GPFSHACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel SysplexMVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informixare trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and othercountriesAdobe the Adobe logo Acrobat PostScript and Reader are eithertrademarks or registered trademarks of Adobe Systems Incorporated inthe United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the OpenGroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrameand MultiWin are trademarks or registered trademarks of Citrix SystemsIncHTML XML XHTML and W3C are trademarks or registered trademarks ofW3Creg World Wide Web Consortium Massachusetts Institute ofTechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc usedunder license for technology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAPBusinessObjects Explorer StreamWork and other SAP products andservices mentioned herein as well as their respective logos aretrademarks or registered trademarks of SAP AG in 
Germany and othercountries
- SAP and SAP P&I ACES
- Process-aware Information Systems
  - The Ideal World
  - The Real World
  - Cloud Integration
  - System Complexity and Adoption Rate
- Security, Trust and Compliance of Business Processes
- Research Directions and Challenges
- Conclusion
End-to-End Business Process Integration
Prospect-to-Promoter
Source-to-Pay
Recruit-to-Retire
End-to-End Business Processes
Customers have complex on-premise landscapes
As customers adopt cloud solutions, hybrid landscapes will become the norm
Integration across the boundaries of cloud and on-premise is a must to prevent application silos
As companies adopt cloud, real-time end-to-end business process integration is critical
© 2014 SAP AG. All Rights Reserved. Page 14 of 33
How the Future Might Look
[Figure: Cloud Solutions and On-premise Solutions connected by Pre-Built and Maintained Integrations (iFlows). Scenarios shown: Cloud + CRM (Cloud for Customer with SAP CRM and SAP ERP); Two-tier CRM (Cloud for Customer at Subsidiaries, SAP CRM and SAP ERP at Headquarters); Cloud + ERP (Cloud for Customer with SAP ERP); Cloud + 3rd Party (Cloud for Customer with a 3rd Party System).]
© 2014 SAP AG. All Rights Reserved. Page 15 of 33
Customer Example (1/2)
Large manufacturing company with SAP ERP, multiple legacy HR and other financial applications worldwide
Migration from legacy HR system
>120 third-party interfaces – integration of third-party cloud solutions to Employee Central (EC) and EC Payroll
100% of SAP-to-SAP integrations and 30% of all integrations covered by prepackaged integration flows (iFlows)
[Figure: landscape diagram. On-Premise: SAP ERP FI, Other FI Systems, Active Directory. Cloud: Employee Central (Employee/Org Structure), Payroll, Financial Posting, and third-party systems Aetna, Kronos, Aon Hewitt, JP Morgan, Metlife, Other FI Systems, …]
© 2014 SAP AG. All Rights Reserved. Page 16 of 33
Customer Example (2/2)
Industrial manufacturer with multiple subsidiaries on different SAP ERP clients as well as third-party ERP systems
Rapid implementation with small IT team
Delivered improved usability for field sales and collaboration between field sales and back office
Integration of accounts, materials, sales quotes and sales orders
[Figure: landscape diagram. On-Premise: SAP ERP (1), SAP ERP (2), Third-Party ERP, BW. Cloud: SAP Cloud for Sales, used by field sales including mobility.]
© 2014 SAP AG. All Rights Reserved. Page 17 of 33
Evolution of Source Code
• Increase in
  • code size
  • code complexity
  • number of products
  • product versions
© 2014 SAP AG. All Rights Reserved. Page 18 of 33
Support Lifecycle (Maintenance)
[Chart: No. of Systems and No. of Customers for the years 1998, 2004 and 2012; y-axis from 0 to 140,000.]
Example (Maintenance Cycles)
Product              Release   EOL    ext. EOL
Windows XP           2001      2009   2014
Windows 8            2012      2018   2023
Red Hat Ent. Linux   2012      2020   2023
SAP ERP              2004      2020   > 2024
Maintenance fees: typically 20% of the original price
© 2014 SAP AG. All Rights Reserved. Page 19 of 33
Customer Requirements
Real-time business process integration
End-to-end monitoring and support
Single source of truth and master data synchronization
Data security and compliance
Integrated user experience
Rapid deployment
Support for complex landscapes
Choice of integration technology
[Figure: requirements grouped by stakeholder, Line of business (LOB) and IT.]
© 2014 SAP AG. All Rights Reserved. Page 20 of 33
Agenda
1 SAP and SAP P&I ACES
2 Process-aware Information Systems
3 Security, Trust and Compliance of Business Processes
4 Research Directions and Challenges
5 Conclusion
© 2014 SAP AG. All Rights Reserved. Page 21 of 33
Security in Business Processes: An Example
© 2014 SAP AG. All Rights Reserved. Page 22 of 33
Access Control
Goal
• Control access to tasks and resources (data)
The core
• Usually: users, roles, access rights
• In special cases: data labeling
On top
• Separation of Duty
• Binding of Duty
• Delegation
© 2014 SAP AG. All Rights Reserved. Page 23 of 33
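As an added example (not part of the original slides and not SAP code), the following Python sketch shows how the three layers of this slide fit together: an RBAC core decides who may execute a task, and Separation of Duty, Binding of Duty and delegation are enforced on top against the execution history of one process instance. The purchase-order process, its tasks, users, roles and constraints are all constructed for illustration.

```python
# Added example, not from the slides or from SAP: process-level access control
# with an RBAC core and SoD / BoD / delegation layered on top. Every name below
# (tasks, users, roles) is constructed.
from dataclasses import dataclass, field


@dataclass
class Process:
    """Static security annotations of a process model: which roles may
    execute each task, and which task pairs are bound by Separation of Duty
    (different users) or Binding of Duty (same user)."""
    task_roles: dict[str, frozenset[str]]
    sod: set[frozenset[str]] = field(default_factory=set)
    bod: set[frozenset[str]] = field(default_factory=set)


@dataclass
class Instance:
    """One running case: which user executed which task so far."""
    history: dict[str, str] = field(default_factory=dict)


class Delegations:
    """Role delegations (delegator, delegatee, role). A role may only be
    delegated by a user who holds it directly; delegated roles are not
    re-delegatable in this simple model."""
    def __init__(self, user_roles):
        self.user_roles = user_roles
        self.grants = set()

    def delegate(self, delegator, delegatee, role):
        if role not in self.user_roles.get(delegator, frozenset()):
            raise PermissionError(f"{delegator} does not hold {role} directly")
        self.grants.add((delegator, delegatee, role))

    def effective_roles(self, user):
        roles = set(self.user_roles.get(user, frozenset()))
        roles.update(r for (_, to, r) in self.grants if to == user)
        return roles


def other_task(pair, task):
    (a, b) = tuple(pair)
    return b if a == task else a


def authorize(process, deleg, inst, user, task):
    """Decide whether `user` may execute `task` in `inst`; return (allowed, reason).
    RBAC is evaluated first; SoD/BoD are evaluated against the users who actually
    executed the related tasks, so a delegated role cannot bypass them."""
    if task not in process.task_roles:
        return False, f"unknown task {task}"
    if not deleg.effective_roles(user) & process.task_roles[task]:
        return False, f"{user} holds no role permitted to execute {task}"
    for pair in process.sod:
        if task in pair:
            other = other_task(pair, task)
            if inst.history.get(other) == user:
                return False, f"SoD: {user} already executed {other}"
    for pair in process.bod:
        if task in pair:
            other = other_task(pair, task)
            if other in inst.history and inst.history[other] != user:
                return False, f"BoD: {other} was executed by {inst.history[other]}"
    return True, "allowed"


def execute(process, deleg, inst, user, task):
    """Enforce the decision: record the execution only when authorized."""
    allowed, reason = authorize(process, deleg, inst, user, task)
    if allowed:
        inst.history[task] = user
    return allowed, reason


def run_demo():
    """Constructed purchase-order case; returns a list of (user, task, allowed)."""
    process = Process(
        task_roles={"create_order": frozenset({"Clerk"}),
                    "approve_order": frozenset({"Manager"}),
                    "sign_contract": frozenset({"Manager"})},
        sod={frozenset({"create_order", "approve_order"})},   # four-eyes principle
        bod={frozenset({"approve_order", "sign_contract"})},  # same manager signs
    )
    deleg = Delegations({"alice": frozenset({"Clerk"}),
                         "bob": frozenset({"Manager"}),
                         "dave": frozenset({"Clerk"})})
    inst = Instance()
    log = []
    log.append(("alice", "create_order",      # allowed: alice is a Clerk
                execute(process, deleg, inst, "alice", "create_order")[0]))
    log.append(("alice", "approve_order",     # denied: no Manager role
                execute(process, deleg, inst, "alice", "approve_order")[0]))
    deleg.delegate("bob", "alice", "Manager")  # bob hands his role to alice
    log.append(("alice", "approve_order",     # still denied: SoD with create_order
                execute(process, deleg, inst, "alice", "approve_order")[0]))
    log.append(("bob", "approve_order",       # allowed
                execute(process, deleg, inst, "bob", "approve_order")[0]))
    deleg.delegate("bob", "dave", "Manager")
    log.append(("dave", "sign_contract",      # denied: BoD binds signing to bob
                execute(process, deleg, inst, "dave", "sign_contract")[0]))
    log.append(("bob", "sign_contract",       # allowed
                execute(process, deleg, inst, "bob", "sign_contract")[0]))
    return log
```

The decisive detail is that SoD and BoD look at who actually executed the related task, not at the roles held at decision time, which is what keeps a delegated role from turning the four-eyes rule into a single pair of eyes.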
Protecting Data (and Goods)
Goal
• Ensure
  • confidentiality
  • integrity (safety)
  of data (and goods)
The core
• Need-to-Know
• Fingerprints
• Encryption
• Sensors
© 2014 SAP AG. All Rights Reserved. Page 24 of 33
Compliance and Additional Requirements
Many regulated markets
• Basel II/III, SoX, PCI
• HIPAA
Many customer-specific regulations
• Own governance to mitigate risks
• Own business code of conduct
• Fraud detection/prevention
• Non-observability
Customers are individually audited
• No "one certificate fits all" solution
Security should not hinder business
© 2014 SAP AG. All Rights Reserved. Page 25 of 33
Agenda
1 SAP and SAP P&I ACES
2 Process-aware Information Systems
3 Security, Trust and Compliance of Business Processes
4 Research Directions and Challenges
5 Conclusion
© 2014 SAP AG. All Rights Reserved. Page 26 of 33
Our Research Over the Last Decade
Access Control for Processes
• RBAC-like models
• Delegation models
• Break-(the)-glass models
Model-driven Security
• Modeling of security
• Generation of implementation configuration
• Monitoring based on models
Process-level Verification
• Compliance to security specification
• Consistency of security configurations
Implementation-level Verification
• Compliance of implementation to process-level security requirements
© 2014 SAP AG. All Rights Reserved. Page 27 of 33
Research Challenges
Adaptability
• How to extend systems safely
• Integration of legacy systems
Auditability
• Coherent audit across providers/systems
• Reduction of audit costs
Cloud (SaaS)
• How to manage decentralized systems
• How to capture behavior of the composition
• Who is the attacker?
Process level vs. technical levels
• Security is more than CIA
• Ensuring secure implementation
© 2014 SAP AG. All Rights Reserved. Page 28 of 33
Agenda
1 SAP and SAP P&I ACES
2 Process-aware Information Systems
3 Security, Trust and Compliance of Business Processes
4 Research Directions and Challenges
5 Conclusion
© 2014 SAP AG. All Rights Reserved. Page 29 of 33
Conclusion
"The most interesting challenges are still ahead of us."
• Real systems are large and complex:
  • many programming languages or frameworks
  • many security technologies
  • highly distributed
  • implement business processes in many different ways
• Much research is done on the process level
• We now need to bring the
  • process level
  • implementation level
  closer together to provide end-to-end security
• Cloud solutions create new challenges:
  • data protection across different providers
  • new attacker models
© 2014 SAP AG. All Rights Reserved. Page 30 of 33
Thank you
Interested in an Internship/Thesis at SAP?
• achim.brucker@sap.com
• www.sap.com/jobs and search for location "Karlsruhe" or "student"
Bibliography I
Wihem Arsac, Luca Compagna, Giancarlo Pellegrino, and Serena Elisa Ponta. Security validation of business processes via model-checking. In Úlfar Erlingsson, Roel Wieringa, and Nicola Zannone, editors, ESSoS, volume 6542 of Lecture Notes in Computer Science, pages 29–42. Springer-Verlag, Heidelberg, 2011.
Achim D. Brucker and Isabelle Hang. Secure and compliant implementation of business process-driven systems. In Marcello La Rosa and Pnina Soffer, editors, Joint Workshop on Security in Business Processes (SBP), volume 132 of Lecture Notes in Business Information Processing (LNBIP), pages 662–674. Springer-Verlag, 2012.
Achim D. Brucker, Isabelle Hang, Gero Lückemeyer, and Raj Ruparel. SecureBPMN: Modeling and enforcing access control requirements in business processes. In ACM Symposium on Access Control Models and Technologies (SACMAT), pages 123–126. ACM Press, 2012.
© 2014 SAP AG. All Rights Reserved. Page 32 of 33
Bibliography II
Luca Compagna, Pierre Guilleminot, and Achim D. Brucker. Business process compliance via security validation as a service. In Manuel Oriol and John Penix, editors, IEEE Sixth International Conference on Software Testing, Verification and Validation (ICST), pages 455–462. IEEE Computer Society, 2013.
Christian Wolter, Andreas Schaad, and Christoph Meinel. Deriving XACML policies from business process models. In Mathias Weske, Mohand-Said Hacid, and Claude Godart, editors, WISE Workshops, volume 4832 of Lecture Notes in Computer Science, pages 142–153. Springer-Verlag, 2007.
© 2014 SAP AG. All Rights Reserved. Page 33 of 33
© 2014 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.
Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.
Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.
Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company.
All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.
The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG.
This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice.
SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.
SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence.
The statutory liability for personal injury and defective products is not affected.
SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.
© 2014 SAP AG. All Rights Reserved. Page 34 of 33
- SAP and SAP PampI ACES
- Process-aware Information Systems
-
- The Ideal World
- The Real World
- Cloud Integration
- System Complexity and Adoption Rate
-
- Security Trust and Compliance of Business Processes
- Research Directions and Challenges
- Conclusion
-
How the Future Might Look LikeC
loud
Solu
tions
Cloud + CRM
SAP CRM
SAP ERP
Two-tier CRM
Headquarters
Subsidiaries
On-
prem
ise
Solu
tions
Pre-Built and Maintained Integrations (iFlows)
Cloud for Customer
Cloud forCustomer
Cloud forCustomer
SAP CRM
SAP ERP
Cloud + ERP
SAP ERP
Cloud for Customer
Cloud + 3rd Party
3rd Party System
Cloud for Customer
copy 2014 SAP AG All Rights Reserved Page 15 of 33
Customer Example (12)
Large manufacturing company withSAP ERP multiple legacy HR andother financial applications worldwide
Migration from legacy HR system
gt120 third-party interfaces ndashIntegration of third-party cloudsolutions to Employee Central (EC)and EC Payroll
100 of SAP-to-SAP integrations and30 of all integrations covered byprepackaged integration flows(iFlows)
SAP ERP FI
On-Premise
Cloud
Aetna
Other FI Systems
Kronos
Aon Hewitt
JP MorganMetlife
Aetna helliphelliphellip
Other FI Systems
PayrollEmployeeCentral
EmployeeOrg Structure
FinancialPosting Active
Directory
copy 2014 SAP AG All Rights Reserved Page 16 of 33
Customer Example (22)
Third-party ERP
Industrial manufacturer with multiplesubsidiaries on different SAP ERPclients as well as third-party ERPsystems
Rapid implementation with small IT team
Delivered improved usability for fieldsales and collaboration between fieldsales and back office
Integration of accounts materials salesquotes and sales ordersSAP ERP (1) SAP ERP (2)
SAP Cloudfor Sales
Field sales including mobility
BW
On-Premise
Cloud
Third-Party ERP
SAP ERP (2)
copy 2014 SAP AG All Rights Reserved Page 17 of 33
Evolution of Source Code
bull Increase in
bull code size
bull code complexity
bull number of products
bull product versions
copy 2014 SAP AG All Rights Reserved Page 18 of 33
Support Lifecycle (Maintenance)
copy 2014 SAP AG All Rights Reserved Page 19 of 33
Support Lifecycle (Maintenance)
0
20000
40000
60000
80000
100000
120000
1998 2004 2012
No of Systems No of Customerscopy 2014 SAP AG All Rights Reserved Page 19 of 33
Support Lifecycle (Maintenance)
0
20000
40000
60000
80000
100000
120000
140000
1998 2004 2012No of Systems No of Customers
Example (Maintenance Cycles)
Produkt Release EOL ext EOL
Windows XP 2001 2009 2014Windows 8 2012 2018 2023Red Hat Ent Linux 2012 2020 2023SAP ERP 2004 2020 gt 2024
Maintenance fees typical 20 of the original price
copy 2014 SAP AG All Rights Reserved Page 19 of 33
Customer Requirements
Real-time businessprocess integration
End-to-endmonitoring and support
Single source of truth andmaster data synchronization
Data securityand compliance
Integrateduser experience
Rapid deployment
Support for complexlandscapes
Choice of integrationtechnology
LOB IT
Line of business
copy 2014 SAP AG All Rights Reserved Page 20 of 33
Agenda
1 SAP and SAP PampI ACES
2 Process-aware Information Systems
3 Security Trust and Compliance of Business Processes
4 Research Directions and Challenges
5 Conclusion
copy 2014 SAP AG All Rights Reserved Page 21 of 33
Security in Business Processes An Example
copy 2014 SAP AG All Rights Reserved Page 22 of 33
Access Control
Goal
bull Control access toTasks Resources (Data)
The core
bull UsuallyUsers Roles Access Rights
bull In special casesData labeling
On top
bull Separation of Duty
bull Binding of Duty
bull Delegation
copy 2014 SAP AG All Rights Reserved Page 23 of 33
Protecting Data (and Goods)
Goal
bull Ensurebull confidentialitybull integrity (safety)
of data (and goods)
The core
bull Need-to-Know
bull Fingerprints
bull Encryption
bull Sensors
copy 2014 SAP AG All Rights Reserved Page 24 of 33
Compliance and Additional Requirements
Many regulated markets
bull Basel IIIII SoX PCI
bull HIPAA
Many customer-specific regulations
bull Own governance to mitigate risks
bull Own business code of conduct
bull Fraud detectionprevention
bull Non-observability
Customers are individually audited
bull No ldquoone certificate fits allrdquo solution
Security should not hinder business
copy 2014 SAP AG All Rights Reserved Page 25 of 33
Agenda
1 SAP and SAP PampI ACES
2 Process-aware Information Systems
3 Security Trust and Compliance of Business Processes
4 Research Directions and Challenges
5 Conclusion
copy 2014 SAP AG All Rights Reserved Page 26 of 33
Our Research Over the Last Decade
Access Control for Processesbull RBAC-like models
bull Delegation models
bull Break-(the)-glass models
Model-driven Securitybull Modeling of Security
bull Generation of implementation configuration
bull Monitoring based on models
Process-level Verificationbull Compliance to security spec
bull Consistency of security configurations
Implementation-level Verificationbull Compliance of implementation to process level
security req
copy 2014 SAP AG All Rights Reserved Page 27 of 33
Research Challenges
Adaptabilitybull How to extend systems safely
bull Integration of legacy systems
Auditabilitybull Coherent audit across providerssystems
bull Reduction of audit costs
Cloud (SaaS)bull How to manage decentralized systems
bull How to capture behavior of the composition
bull Who is the attacker
Process level vs technical levelsbull Security is more than CIA
bull Ensuring secure implementation
copy 2014 SAP AG All Rights Reserved Page 28 of 33
Agenda
1 SAP and SAP PampI ACES
2 Process-aware Information Systems
3 Security Trust and Compliance of Business Processes
4 Research Directions and Challenges
5 Conclusion
copy 2014 SAP AG All Rights Reserved Page 29 of 33
Conclusion
ldquo The most interesting challenges are still ahead of us
bull Real systems are large and complexbull many programming languages or frameworksbull many security technologiesbull highly distributedbull implement business processes in many different ways
bull Many research is done on the process level
bull We now need to bring thebull process levelbull implementation level
closer together to provide end-to-end security
bull Cloud solutions create new challengesbull data protection across different providersbull new attacker models
copy 2014 SAP AG All Rights Reserved Page 30 of 33
Thank you
Interested in an InternshipThesis at SAP
bull achimbruckersapcom
bull wwwsapcomjobs and search for locationldquoKarlsruherdquo or rsquolsquostudentrdquo
Bibliography I
Wihem Arsac Luca Compagna Giancarlo Pellegrino and Serena Elisa Ponta
Security validation of business processes via model-checking
In Uacutelfar Erlingsson Roel Wieringa and Nicola Zannone editors ESSoS volume 6542 ofLecture Notes in Computer Science pages 29ndash42 Heidelberg 2011 Springer-Verlag
Achim D Brucker and Isabelle Hang
Secure and compliant implementation of business process-driven systems
In Marcello La Rosa and Pnina Soffer editors Joint Workshop on Security in BusinessProcesses (sbp) volume 132 of Lecture Notes in Business Information Processing (lnbip)pages 662ndash674 Springer-Verlag 2012
Achim D Brucker Isabelle Hang Gero Luumlckemeyer and Raj Ruparel
SecureBPMN Modeling and enforcing access control requirements in business processes
In ACM symposium on access control models and technologies (SACMAT) pages123ndash126 acm Press 2012
copy 2014 SAP AG All Rights Reserved Page 32 of 33
Bibliography II
Luca Compagna Pierre Guilleminot and Achim D Brucker
Business process compliance via security validation as a service
In Manuel Oriol and John Penix editors ieee Sixth International Conference on SoftwareTesting Verification and Validation (icst) pages 455ndash462 ieee Computer Society 2013
Christian Wolter Andreas Schaad and Christoph Meinel
Deriving XACML policies from business process models
In Mathias Weske Mohand-Said Hacid and Claude Godart editors WISE Workshopsvolume 4832 of Lecture Notes in Computer Science pages 142ndash153 Springer-Verlag2007
copy 2014 SAP AG All Rights Reserved Page 33 of 33
copy 2014 SAP AG All rights reserved
No part of this publication may be reproduced or transmitted in any formor for any purpose without the express permission of SAP AG Theinformation contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors containproprietary software components of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registeredtrademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System pSystem p5 System x System z System z10 System z9 z10 z9 iSeriespSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWEROpenPower PowerPC BatchPipes BladeCenter System Storage GPFSHACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel SysplexMVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informixare trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and othercountriesAdobe the Adobe logo Acrobat PostScript and Reader are eithertrademarks or registered trademarks of Adobe Systems Incorporated inthe United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the OpenGroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrameand MultiWin are trademarks or registered trademarks of Citrix SystemsIncHTML XML XHTML and W3C are trademarks or registered trademarks ofW3Creg World Wide Web Consortium Massachusetts Institute ofTechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc usedunder license for technology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAPBusinessObjects Explorer StreamWork and other SAP products andservices mentioned herein as well as their respective logos aretrademarks or registered trademarks of SAP AG in 
Germany and othercountries
Business Objects and the Business Objects logo BusinessObjects CrystalReports Crystal Decisions Web Intelligence Xcelsius and other Business Objectsproducts and services mentioned herein as well as their respective logos aretrademarks or registered trademarks of Business Objects Software Ltd BusinessObjects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and otherSybase products and services mentioned herein as well as their respective logosare trademarks or registered trademarks of Sybase Inc Sybase is an SAPcompanyAll other product and service names mentioned are the trademarks of theirrespective companies Data contained in this document serves informationalpurposes only National product specifications may varyThe information in this document is proprietary to SAP No part of this documentmay be reproduced copied or transmitted in any form or for any purpose withoutthe express prior written permission of SAP AGThis document is a preliminary version and not subject to your license agreementor any other agreement with SAP This document contains only intendedstrategies developments and functionalities of the SAPreg product and is notintended to be binding upon SAP to any particular course of business productstrategy andor development Please note that this document is subject tochange and may be changed by SAP at any time without noticeSAP assumes no responsibility for errors or omissions in this document SAP doesnot warrant the accuracy or completeness of the information text graphics linksor other items contained within this material This document is provided without awarranty of any kind either express or implied including but not limited to theimplied warranties of merchantability fitness for a particular purpose ornon-infringementSAP shall have no liability for damages of any kind including without limitationdirect special indirect or consequential damages that may result from the use ofthese materials This limitation shall not apply 
in cases of intent or grossnegligenceThe statutory liability for personal injury and defective products is not affectedSAP has no control over the information that you may access through the use ofhot links contained in these materials and does not endorse your use ofthird-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages
copy 2014 SAP AG All Rights Reserved Page 34 of 33
- SAP and SAP PampI ACES
- Process-aware Information Systems
-
- The Ideal World
- The Real World
- Cloud Integration
- System Complexity and Adoption Rate
-
- Security Trust and Compliance of Business Processes
- Research Directions and Challenges
- Conclusion
-
Customer Example (12)
Large manufacturing company withSAP ERP multiple legacy HR andother financial applications worldwide
Migration from legacy HR system
gt120 third-party interfaces ndashIntegration of third-party cloudsolutions to Employee Central (EC)and EC Payroll
100 of SAP-to-SAP integrations and30 of all integrations covered byprepackaged integration flows(iFlows)
SAP ERP FI
On-Premise
Cloud
Aetna
Other FI Systems
Kronos
Aon Hewitt
JP MorganMetlife
Aetna helliphelliphellip
Other FI Systems
PayrollEmployeeCentral
EmployeeOrg Structure
FinancialPosting Active
Directory
copy 2014 SAP AG All Rights Reserved Page 16 of 33
Customer Example (22)
Third-party ERP
Industrial manufacturer with multiplesubsidiaries on different SAP ERPclients as well as third-party ERPsystems
Rapid implementation with small IT team
Delivered improved usability for fieldsales and collaboration between fieldsales and back office
Integration of accounts materials salesquotes and sales ordersSAP ERP (1) SAP ERP (2)
SAP Cloudfor Sales
Field sales including mobility
BW
On-Premise
Cloud
Third-Party ERP
SAP ERP (2)
copy 2014 SAP AG All Rights Reserved Page 17 of 33
Evolution of Source Code
bull Increase in
bull code size
bull code complexity
bull number of products
bull product versions
copy 2014 SAP AG All Rights Reserved Page 18 of 33
Support Lifecycle (Maintenance)
copy 2014 SAP AG All Rights Reserved Page 19 of 33
Support Lifecycle (Maintenance)
0
20000
40000
60000
80000
100000
120000
1998 2004 2012
No of Systems No of Customerscopy 2014 SAP AG All Rights Reserved Page 19 of 33
Support Lifecycle (Maintenance)
0
20000
40000
60000
80000
100000
120000
140000
1998 2004 2012No of Systems No of Customers
Example (Maintenance Cycles)
Produkt Release EOL ext EOL
Windows XP 2001 2009 2014Windows 8 2012 2018 2023Red Hat Ent Linux 2012 2020 2023SAP ERP 2004 2020 gt 2024
Maintenance fees typical 20 of the original price
copy 2014 SAP AG All Rights Reserved Page 19 of 33
Customer Requirements
Real-time businessprocess integration
End-to-endmonitoring and support
Single source of truth andmaster data synchronization
Data securityand compliance
Integrateduser experience
Rapid deployment
Support for complexlandscapes
Choice of integrationtechnology
LOB IT
Line of business
copy 2014 SAP AG All Rights Reserved Page 20 of 33
Agenda
1 SAP and SAP PampI ACES
2 Process-aware Information Systems
3 Security Trust and Compliance of Business Processes
4 Research Directions and Challenges
5 Conclusion
copy 2014 SAP AG All Rights Reserved Page 21 of 33
Security in Business Processes An Example
copy 2014 SAP AG All Rights Reserved Page 22 of 33
Access Control
Goal
bull Control access toTasks Resources (Data)
The core
bull UsuallyUsers Roles Access Rights
bull In special casesData labeling
On top
bull Separation of Duty
bull Binding of Duty
bull Delegation
copy 2014 SAP AG All Rights Reserved Page 23 of 33
Protecting Data (and Goods)
Goal
bull Ensurebull confidentialitybull integrity (safety)
of data (and goods)
The core
bull Need-to-Know
bull Fingerprints
bull Encryption
bull Sensors
copy 2014 SAP AG All Rights Reserved Page 24 of 33
Compliance and Additional Requirements
Many regulated markets
bull Basel IIIII SoX PCI
bull HIPAA
Many customer-specific regulations
bull Own governance to mitigate risks
bull Own business code of conduct
bull Fraud detectionprevention
bull Non-observability
Customers are individually audited
bull No ldquoone certificate fits allrdquo solution
Security should not hinder business
copy 2014 SAP AG All Rights Reserved Page 25 of 33
Agenda
1 SAP and SAP PampI ACES
2 Process-aware Information Systems
3 Security Trust and Compliance of Business Processes
4 Research Directions and Challenges
5 Conclusion
copy 2014 SAP AG All Rights Reserved Page 26 of 33
Our Research Over the Last Decade
Access Control for Processesbull RBAC-like models
bull Delegation models
bull Break-(the)-glass models
Model-driven Securitybull Modeling of Security
bull Generation of implementation configuration
bull Monitoring based on models
Process-level Verificationbull Compliance to security spec
bull Consistency of security configurations
Implementation-level Verificationbull Compliance of implementation to process level
security req
copy 2014 SAP AG All Rights Reserved Page 27 of 33
Research Challenges
Adaptabilitybull How to extend systems safely
bull Integration of legacy systems
Auditabilitybull Coherent audit across providerssystems
bull Reduction of audit costs
Cloud (SaaS)bull How to manage decentralized systems
bull How to capture behavior of the composition
bull Who is the attacker
Process level vs technical levelsbull Security is more than CIA
bull Ensuring secure implementation
copy 2014 SAP AG All Rights Reserved Page 28 of 33
Agenda
1 SAP and SAP PampI ACES
2 Process-aware Information Systems
3 Security Trust and Compliance of Business Processes
4 Research Directions and Challenges
5 Conclusion
copy 2014 SAP AG All Rights Reserved Page 29 of 33
Conclusion
ldquo The most interesting challenges are still ahead of us
bull Real systems are large and complexbull many programming languages or frameworksbull many security technologiesbull highly distributedbull implement business processes in many different ways
bull Many research is done on the process level
bull We now need to bring thebull process levelbull implementation level
closer together to provide end-to-end security
bull Cloud solutions create new challengesbull data protection across different providersbull new attacker models
copy 2014 SAP AG All Rights Reserved Page 30 of 33
Thank you
Interested in an InternshipThesis at SAP
bull achimbruckersapcom
bull wwwsapcomjobs and search for locationldquoKarlsruherdquo or rsquolsquostudentrdquo
© 2014 SAP AG. All rights reserved.
Customer Example (2/2): Third-party ERP
Industrial manufacturer with multiple subsidiaries on different SAP ERP clients as well as third-party ERP systems
Rapid implementation with a small IT team
Delivered improved usability for field sales and collaboration between field sales and back office
Integration of accounts, materials, sales quotes and sales orders
[Landscape diagram: SAP Cloud for Sales (field sales, including mobility) in the cloud, integrated with on-premise SAP ERP (1), SAP ERP (2), BW and a third-party ERP]
Evolution of Source Code
• Increase in
  • code size
  • code complexity
  • number of products
  • product versions
Support Lifecycle (Maintenance)
[Chart: number of systems and number of customers under maintenance, 1998 to 2012; y-axis 0 to 140,000]
Example (Maintenance Cycles)
Product            | Release | EOL  | ext. EOL
Windows XP         | 2001    | 2009 | 2014
Windows 8          | 2012    | 2018 | 2023
Red Hat Ent. Linux | 2012    | 2020 | 2023
SAP ERP            | 2004    | 2020 | > 2024
Maintenance fees: typically 20% of the original price
Customer Requirements
• Real-time business process integration
• End-to-end monitoring and support
• Single source of truth and master data synchronization
• Data security and compliance
• Integrated user experience
• Rapid deployment
• Support for complex landscapes
• Choice of integration technology
[Diagram groups these requirements by stakeholder: line of business (LOB) vs. IT]
Security in Business Processes: An Example
Access Control
Goal
• Control access to: tasks, resources (data)
The core
• Usually: users, roles, access rights
• In special cases: data labeling
On top
• Separation of Duty
• Binding of Duty
• Delegation
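As an added example (not from the lecture slides), the following Python models the three layers of this slide on a constructed order process: RBAC-style task permissions as the core, with Separation of Duty, Binding of Duty and delegation enforced on top when a task is executed. It also performs the static consistency check between the deployed user/role configuration and the process-level constraints that the research slides list under process-level verification; all tasks, roles, users and constraints are constructed for illustration.

```python
"""Constructed example: task-level access control for a business process.
RBAC-style task permissions form the core; Separation of Duty (SoD),
Binding of Duty (BoD) and delegation sit on top and are enforced at run time."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Delegation:
    delegator: str   # user handing the task over
    delegate: str    # user receiving it
    task: str


@dataclass
class ProcessSpec:
    task_roles: dict   # task -> set of roles allowed to execute it
    sod: list          # task pairs that must be executed by different users
    bod: list          # task pairs that must be executed by the same user
    user_roles: dict   # deployed configuration: user -> set of roles

    def users_for(self, task):
        """Users holding at least one role that permits `task`."""
        return {u for u, roles in self.user_roles.items()
                if roles & self.task_roles[task]}

    def authorized(self, user, task, delegations=()):
        """Direct role authorisation, or a delegation for this task from a user
        who is authorised for it (nobody can delegate more than they hold)."""
        if user in self.users_for(task):
            return True
        return any(d.delegate == user and d.task == task
                   and d.delegator in self.users_for(task)
                   for d in delegations)


def _partners(task, pairs):
    """Tasks tied to `task` by the given SoD or BoD pairs."""
    return [t2 if t1 == task else t1 for t1, t2 in pairs if task in (t1, t2)]


@dataclass
class ProcessInstance:
    spec: ProcessSpec
    executed: dict = field(default_factory=dict)   # task -> executing user
    delegations: list = field(default_factory=list)

    def execute(self, user, task):
        """Run-time enforcement: returns the violations found; the task is
        recorded as executed by `user` only when there are none."""
        violations = []
        if not self.spec.authorized(user, task, self.delegations):
            violations.append(f"{user} is not authorised for {task}")
        for other in _partners(task, self.spec.sod):
            if self.executed.get(other) == user:
                violations.append(f"SoD: {user} already executed {other}")
        for other in _partners(task, self.spec.bod):
            done_by = self.executed.get(other)
            if done_by is not None and done_by != user:
                violations.append(f"BoD: {other} was executed by {done_by}")
        if not violations:
            self.executed[task] = user
        return violations


def check_configuration(spec):
    """Consistency of the deployed configuration with the process-level
    specification: every task and every constraint must be satisfiable."""
    findings = []
    for task in spec.task_roles:
        if not spec.users_for(task):
            findings.append(f"no user can execute {task}")
    for t1, t2 in spec.sod:
        if (t1, t2) in spec.bod or (t2, t1) in spec.bod:
            findings.append(f"{t1}/{t2} is constrained by both SoD and BoD")
        if not any(a != b for a in spec.users_for(t1) for b in spec.users_for(t2)):
            findings.append(f"SoD {t1}/{t2} needs two distinct users; none available")
    for t1, t2 in spec.bod:
        if not (spec.users_for(t1) & spec.users_for(t2)):
            findings.append(f"BoD {t1}/{t2} needs one user authorised for both; none available")
    return findings


# Constructed sample: a small order process (not from the lecture)
SAMPLE = ProcessSpec(
    task_roles={"create_order": {"clerk"}, "approve_order": {"manager"},
                "pay_order": {"clerk", "manager"}, "archive_order": {"clerk"}},
    sod=[("create_order", "approve_order")],
    bod=[("create_order", "archive_order")],
    user_roles={"alice": {"clerk"}, "bob": {"manager"}, "carol": {"clerk", "manager"}},
)


def sample_run():
    """Drive one instance through the constraints; returns the violations per step."""
    inst = ProcessInstance(SAMPLE)
    steps = [("carol", "create_order"),   # allowed
             ("carol", "approve_order"),  # carol is a manager, but SoD forbids it
             ("bob", "approve_order"),    # allowed
             ("alice", "archive_order"),  # BoD: must be carol, who created the order
             ("carol", "archive_order")]  # allowed
    return [inst.execute(u, t) for u, t in steps]
```

Run `check_configuration(SAMPLE)` before deploying a configuration and `sample_run()` to see the run-time decisions; an empty list means the step was allowed.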
Protecting Data (and Goods)
Goal
• Ensure
  • confidentiality
  • integrity (safety)
  of data (and goods)
The core
• Need-to-Know
• Fingerprints
• Encryption
• Sensors
Compliance and Additional Requirements
Many regulated markets
• Basel II/III, SOX, PCI
• HIPAA
Many customer-specific regulations
• Own governance to mitigate risks
• Own business code of conduct
• Fraud detection/prevention
• Non-observability
Customers are individually audited
• No “one certificate fits all” solution
Security should not hinder business
Agenda
1 SAP and SAP PampI ACES
2 Process-aware Information Systems
3 Security Trust and Compliance of Business Processes
4 Research Directions and Challenges
5 Conclusion
copy 2014 SAP AG All Rights Reserved Page 26 of 33
Our Research Over the Last Decade
Access Control for Processesbull RBAC-like models
bull Delegation models
bull Break-(the)-glass models
Model-driven Securitybull Modeling of Security
bull Generation of implementation configuration
bull Monitoring based on models
Process-level Verificationbull Compliance to security spec
bull Consistency of security configurations
Implementation-level Verificationbull Compliance of implementation to process level
security req
copy 2014 SAP AG All Rights Reserved Page 27 of 33
Research Challenges
Adaptabilitybull How to extend systems safely
bull Integration of legacy systems
Auditabilitybull Coherent audit across providerssystems
bull Reduction of audit costs
Cloud (SaaS)bull How to manage decentralized systems
bull How to capture behavior of the composition
bull Who is the attacker
Process level vs technical levelsbull Security is more than CIA
bull Ensuring secure implementation
copy 2014 SAP AG All Rights Reserved Page 28 of 33
Agenda
1 SAP and SAP PampI ACES
2 Process-aware Information Systems
3 Security Trust and Compliance of Business Processes
4 Research Directions and Challenges
5 Conclusion
copy 2014 SAP AG All Rights Reserved Page 29 of 33
Conclusion
ldquo The most interesting challenges are still ahead of us
bull Real systems are large and complexbull many programming languages or frameworksbull many security technologiesbull highly distributedbull implement business processes in many different ways
bull Many research is done on the process level
bull We now need to bring thebull process levelbull implementation level
closer together to provide end-to-end security
bull Cloud solutions create new challengesbull data protection across different providersbull new attacker models
copy 2014 SAP AG All Rights Reserved Page 30 of 33
Thank you
Interested in an InternshipThesis at SAP
bull achimbruckersapcom
bull wwwsapcomjobs and search for locationldquoKarlsruherdquo or rsquolsquostudentrdquo
Bibliography I
Wihem Arsac Luca Compagna Giancarlo Pellegrino and Serena Elisa Ponta
Security validation of business processes via model-checking
In Uacutelfar Erlingsson Roel Wieringa and Nicola Zannone editors ESSoS volume 6542 ofLecture Notes in Computer Science pages 29ndash42 Heidelberg 2011 Springer-Verlag
Achim D Brucker and Isabelle Hang
Secure and compliant implementation of business process-driven systems
In Marcello La Rosa and Pnina Soffer editors Joint Workshop on Security in BusinessProcesses (sbp) volume 132 of Lecture Notes in Business Information Processing (lnbip)pages 662ndash674 Springer-Verlag 2012
Achim D Brucker Isabelle Hang Gero Luumlckemeyer and Raj Ruparel
SecureBPMN Modeling and enforcing access control requirements in business processes
In ACM symposium on access control models and technologies (SACMAT) pages123ndash126 acm Press 2012
copy 2014 SAP AG All Rights Reserved Page 32 of 33
Bibliography II
Luca Compagna Pierre Guilleminot and Achim D Brucker
Business process compliance via security validation as a service
In Manuel Oriol and John Penix editors ieee Sixth International Conference on SoftwareTesting Verification and Validation (icst) pages 455ndash462 ieee Computer Society 2013
Christian Wolter Andreas Schaad and Christoph Meinel
Deriving XACML policies from business process models
In Mathias Weske Mohand-Said Hacid and Claude Godart editors WISE Workshopsvolume 4832 of Lecture Notes in Computer Science pages 142ndash153 Springer-Verlag2007
copy 2014 SAP AG All Rights Reserved Page 33 of 33
copy 2014 SAP AG All rights reserved
No part of this publication may be reproduced or transmitted in any formor for any purpose without the express permission of SAP AG Theinformation contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors containproprietary software components of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registeredtrademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System pSystem p5 System x System z System z10 System z9 z10 z9 iSeriespSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWEROpenPower PowerPC BatchPipes BladeCenter System Storage GPFSHACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel SysplexMVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informixare trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and othercountriesAdobe the Adobe logo Acrobat PostScript and Reader are eithertrademarks or registered trademarks of Adobe Systems Incorporated inthe United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the OpenGroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrameand MultiWin are trademarks or registered trademarks of Citrix SystemsIncHTML XML XHTML and W3C are trademarks or registered trademarks ofW3Creg World Wide Web Consortium Massachusetts Institute ofTechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc usedunder license for technology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAPBusinessObjects Explorer StreamWork and other SAP products andservices mentioned herein as well as their respective logos aretrademarks or registered trademarks of SAP AG in 
Germany and othercountries
Business Objects and the Business Objects logo BusinessObjects CrystalReports Crystal Decisions Web Intelligence Xcelsius and other Business Objectsproducts and services mentioned herein as well as their respective logos aretrademarks or registered trademarks of Business Objects Software Ltd BusinessObjects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and otherSybase products and services mentioned herein as well as their respective logosare trademarks or registered trademarks of Sybase Inc Sybase is an SAPcompanyAll other product and service names mentioned are the trademarks of theirrespective companies Data contained in this document serves informationalpurposes only National product specifications may varyThe information in this document is proprietary to SAP No part of this documentmay be reproduced copied or transmitted in any form or for any purpose withoutthe express prior written permission of SAP AGThis document is a preliminary version and not subject to your license agreementor any other agreement with SAP This document contains only intendedstrategies developments and functionalities of the SAPreg product and is notintended to be binding upon SAP to any particular course of business productstrategy andor development Please note that this document is subject tochange and may be changed by SAP at any time without noticeSAP assumes no responsibility for errors or omissions in this document SAP doesnot warrant the accuracy or completeness of the information text graphics linksor other items contained within this material This document is provided without awarranty of any kind either express or implied including but not limited to theimplied warranties of merchantability fitness for a particular purpose ornon-infringementSAP shall have no liability for damages of any kind including without limitationdirect special indirect or consequential damages that may result from the use ofthese materials This limitation shall not apply 
in cases of intent or grossnegligenceThe statutory liability for personal injury and defective products is not affectedSAP has no control over the information that you may access through the use ofhot links contained in these materials and does not endorse your use ofthird-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages
copy 2014 SAP AG All Rights Reserved Page 34 of 33
- SAP and SAP PampI ACES
- Process-aware Information Systems
-
- The Ideal World
- The Real World
- Cloud Integration
- System Complexity and Adoption Rate
-
- Security Trust and Compliance of Business Processes
- Research Directions and Challenges
- Conclusion
-
Evolution of Source Code
bull Increase in
bull code size
bull code complexity
bull number of products
bull product versions
copy 2014 SAP AG All Rights Reserved Page 18 of 33
Support Lifecycle (Maintenance)
copy 2014 SAP AG All Rights Reserved Page 19 of 33
Support Lifecycle (Maintenance)
0
20000
40000
60000
80000
100000
120000
1998 2004 2012
No of Systems No of Customerscopy 2014 SAP AG All Rights Reserved Page 19 of 33
Support Lifecycle (Maintenance)
0
20000
40000
60000
80000
100000
120000
140000
1998 2004 2012No of Systems No of Customers
Example (Maintenance Cycles)
Produkt Release EOL ext EOL
Windows XP 2001 2009 2014Windows 8 2012 2018 2023Red Hat Ent Linux 2012 2020 2023SAP ERP 2004 2020 gt 2024
Maintenance fees typical 20 of the original price
copy 2014 SAP AG All Rights Reserved Page 19 of 33
Customer Requirements
Real-time businessprocess integration
End-to-endmonitoring and support
Single source of truth andmaster data synchronization
Data securityand compliance
Integrateduser experience
Rapid deployment
Support for complexlandscapes
Choice of integrationtechnology
LOB IT
Line of business
copy 2014 SAP AG All Rights Reserved Page 20 of 33
Agenda
1 SAP and SAP PampI ACES
2 Process-aware Information Systems
3 Security Trust and Compliance of Business Processes
4 Research Directions and Challenges
5 Conclusion
copy 2014 SAP AG All Rights Reserved Page 21 of 33
Security in Business Processes An Example
copy 2014 SAP AG All Rights Reserved Page 22 of 33
Access Control
Goal
bull Control access toTasks Resources (Data)
The core
bull UsuallyUsers Roles Access Rights
bull In special casesData labeling
On top
bull Separation of Duty
bull Binding of Duty
bull Delegation
copy 2014 SAP AG All Rights Reserved Page 23 of 33
Protecting Data (and Goods)
Goal
bull Ensurebull confidentialitybull integrity (safety)
of data (and goods)
The core
bull Need-to-Know
bull Fingerprints
bull Encryption
bull Sensors
copy 2014 SAP AG All Rights Reserved Page 24 of 33
Compliance and Additional Requirements
Many regulated markets
bull Basel IIIII SoX PCI
bull HIPAA
Many customer-specific regulations
bull Own governance to mitigate risks
bull Own business code of conduct
bull Fraud detectionprevention
bull Non-observability
Customers are individually audited
bull No ldquoone certificate fits allrdquo solution
Security should not hinder business
copy 2014 SAP AG All Rights Reserved Page 25 of 33
Agenda
1 SAP and SAP PampI ACES
2 Process-aware Information Systems
3 Security Trust and Compliance of Business Processes
4 Research Directions and Challenges
5 Conclusion
copy 2014 SAP AG All Rights Reserved Page 26 of 33
Our Research Over the Last Decade
Access Control for Processesbull RBAC-like models
bull Delegation models
bull Break-(the)-glass models
Model-driven Securitybull Modeling of Security
bull Generation of implementation configuration
bull Monitoring based on models
Process-level Verificationbull Compliance to security spec
bull Consistency of security configurations
Implementation-level Verificationbull Compliance of implementation to process level
security req
copy 2014 SAP AG All Rights Reserved Page 27 of 33
Research Challenges
Adaptabilitybull How to extend systems safely
bull Integration of legacy systems
Auditabilitybull Coherent audit across providerssystems
bull Reduction of audit costs
Cloud (SaaS)bull How to manage decentralized systems
bull How to capture behavior of the composition
bull Who is the attacker
Process level vs technical levelsbull Security is more than CIA
bull Ensuring secure implementation
copy 2014 SAP AG All Rights Reserved Page 28 of 33
Agenda
1 SAP and SAP PampI ACES
2 Process-aware Information Systems
3 Security Trust and Compliance of Business Processes
4 Research Directions and Challenges
5 Conclusion
copy 2014 SAP AG All Rights Reserved Page 29 of 33
Conclusion
ldquo The most interesting challenges are still ahead of us
bull Real systems are large and complexbull many programming languages or frameworksbull many security technologiesbull highly distributedbull implement business processes in many different ways
bull Many research is done on the process level
bull We now need to bring thebull process levelbull implementation level
closer together to provide end-to-end security
bull Cloud solutions create new challengesbull data protection across different providersbull new attacker models
copy 2014 SAP AG All Rights Reserved Page 30 of 33
Thank you
Interested in an InternshipThesis at SAP
bull achimbruckersapcom
bull wwwsapcomjobs and search for locationldquoKarlsruherdquo or rsquolsquostudentrdquo
Bibliography I
Wihem Arsac Luca Compagna Giancarlo Pellegrino and Serena Elisa Ponta
Security validation of business processes via model-checking
In Uacutelfar Erlingsson Roel Wieringa and Nicola Zannone editors ESSoS volume 6542 ofLecture Notes in Computer Science pages 29ndash42 Heidelberg 2011 Springer-Verlag
Achim D Brucker and Isabelle Hang
Secure and compliant implementation of business process-driven systems
In Marcello La Rosa and Pnina Soffer editors Joint Workshop on Security in BusinessProcesses (sbp) volume 132 of Lecture Notes in Business Information Processing (lnbip)pages 662ndash674 Springer-Verlag 2012
Achim D Brucker Isabelle Hang Gero Luumlckemeyer and Raj Ruparel
SecureBPMN Modeling and enforcing access control requirements in business processes
In ACM symposium on access control models and technologies (SACMAT) pages123ndash126 acm Press 2012
copy 2014 SAP AG All Rights Reserved Page 32 of 33
Bibliography II
Luca Compagna Pierre Guilleminot and Achim D Brucker
Business process compliance via security validation as a service
In Manuel Oriol and John Penix editors ieee Sixth International Conference on SoftwareTesting Verification and Validation (icst) pages 455ndash462 ieee Computer Society 2013
Christian Wolter Andreas Schaad and Christoph Meinel
Deriving XACML policies from business process models
In Mathias Weske Mohand-Said Hacid and Claude Godart editors WISE Workshopsvolume 4832 of Lecture Notes in Computer Science pages 142ndash153 Springer-Verlag2007
copy 2014 SAP AG All Rights Reserved Page 33 of 33
copy 2014 SAP AG All rights reserved
No part of this publication may be reproduced or transmitted in any formor for any purpose without the express permission of SAP AG Theinformation contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors containproprietary software components of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registeredtrademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System pSystem p5 System x System z System z10 System z9 z10 z9 iSeriespSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWEROpenPower PowerPC BatchPipes BladeCenter System Storage GPFSHACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel SysplexMVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informixare trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and othercountriesAdobe the Adobe logo Acrobat PostScript and Reader are eithertrademarks or registered trademarks of Adobe Systems Incorporated inthe United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the OpenGroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrameand MultiWin are trademarks or registered trademarks of Citrix SystemsIncHTML XML XHTML and W3C are trademarks or registered trademarks ofW3Creg World Wide Web Consortium Massachusetts Institute ofTechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc usedunder license for technology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAPBusinessObjects Explorer StreamWork and other SAP products andservices mentioned herein as well as their respective logos aretrademarks or registered trademarks of SAP AG in 
Germany and othercountries
Business Objects and the Business Objects logo BusinessObjects CrystalReports Crystal Decisions Web Intelligence Xcelsius and other Business Objectsproducts and services mentioned herein as well as their respective logos aretrademarks or registered trademarks of Business Objects Software Ltd BusinessObjects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and otherSybase products and services mentioned herein as well as their respective logosare trademarks or registered trademarks of Sybase Inc Sybase is an SAPcompanyAll other product and service names mentioned are the trademarks of theirrespective companies Data contained in this document serves informationalpurposes only National product specifications may varyThe information in this document is proprietary to SAP No part of this documentmay be reproduced copied or transmitted in any form or for any purpose withoutthe express prior written permission of SAP AGThis document is a preliminary version and not subject to your license agreementor any other agreement with SAP This document contains only intendedstrategies developments and functionalities of the SAPreg product and is notintended to be binding upon SAP to any particular course of business productstrategy andor development Please note that this document is subject tochange and may be changed by SAP at any time without noticeSAP assumes no responsibility for errors or omissions in this document SAP doesnot warrant the accuracy or completeness of the information text graphics linksor other items contained within this material This document is provided without awarranty of any kind either express or implied including but not limited to theimplied warranties of merchantability fitness for a particular purpose ornon-infringementSAP shall have no liability for damages of any kind including without limitationdirect special indirect or consequential damages that may result from the use ofthese materials This limitation shall not apply 
in cases of intent or grossnegligenceThe statutory liability for personal injury and defective products is not affectedSAP has no control over the information that you may access through the use ofhot links contained in these materials and does not endorse your use ofthird-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages
copy 2014 SAP AG All Rights Reserved Page 34 of 33
- SAP and SAP PampI ACES
- Process-aware Information Systems
-
- The Ideal World
- The Real World
- Cloud Integration
- System Complexity and Adoption Rate
-
- Security Trust and Compliance of Business Processes
- Research Directions and Challenges
- Conclusion
-
Support Lifecycle (Maintenance)
copy 2014 SAP AG All Rights Reserved Page 19 of 33
Support Lifecycle (Maintenance)
0
20000
40000
60000
80000
100000
120000
1998 2004 2012
No of Systems No of Customerscopy 2014 SAP AG All Rights Reserved Page 19 of 33
Support Lifecycle (Maintenance)
0
20000
40000
60000
80000
100000
120000
140000
1998 2004 2012No of Systems No of Customers
Example (Maintenance Cycles)
Produkt Release EOL ext EOL
Windows XP 2001 2009 2014Windows 8 2012 2018 2023Red Hat Ent Linux 2012 2020 2023SAP ERP 2004 2020 gt 2024
Maintenance fees typical 20 of the original price
copy 2014 SAP AG All Rights Reserved Page 19 of 33
Customer Requirements
Real-time businessprocess integration
End-to-endmonitoring and support
Single source of truth andmaster data synchronization
Data securityand compliance
Integrateduser experience
Rapid deployment
Support for complexlandscapes
Choice of integrationtechnology
LOB IT
Line of business
copy 2014 SAP AG All Rights Reserved Page 20 of 33
Agenda
1 SAP and SAP PampI ACES
2 Process-aware Information Systems
3 Security Trust and Compliance of Business Processes
4 Research Directions and Challenges
5 Conclusion
copy 2014 SAP AG All Rights Reserved Page 21 of 33
Security in Business Processes An Example
copy 2014 SAP AG All Rights Reserved Page 22 of 33
Access Control
Goal
bull Control access toTasks Resources (Data)
The core
bull UsuallyUsers Roles Access Rights
bull In special casesData labeling
On top
bull Separation of Duty
bull Binding of Duty
bull Delegation
copy 2014 SAP AG All Rights Reserved Page 23 of 33
Protecting Data (and Goods)
Goal
bull Ensurebull confidentialitybull integrity (safety)
of data (and goods)
The core
bull Need-to-Know
bull Fingerprints
bull Encryption
bull Sensors
copy 2014 SAP AG All Rights Reserved Page 24 of 33
Compliance and Additional Requirements
Many regulated markets
bull Basel IIIII SoX PCI
bull HIPAA
Many customer-specific regulations
bull Own governance to mitigate risks
bull Own business code of conduct
bull Fraud detectionprevention
bull Non-observability
Customers are individually audited
bull No ldquoone certificate fits allrdquo solution
Security should not hinder business
copy 2014 SAP AG All Rights Reserved Page 25 of 33
Agenda
1 SAP and SAP PampI ACES
2 Process-aware Information Systems
3 Security Trust and Compliance of Business Processes
4 Research Directions and Challenges
5 Conclusion
copy 2014 SAP AG All Rights Reserved Page 26 of 33
Our Research Over the Last Decade
Access Control for Processesbull RBAC-like models
bull Delegation models
bull Break-(the)-glass models
Model-driven Securitybull Modeling of Security
bull Generation of implementation configuration
bull Monitoring based on models
Process-level Verificationbull Compliance to security spec
bull Consistency of security configurations
Implementation-level Verificationbull Compliance of implementation to process level
security req
copy 2014 SAP AG All Rights Reserved Page 27 of 33
Research Challenges
Adaptabilitybull How to extend systems safely
bull Integration of legacy systems
Auditabilitybull Coherent audit across providerssystems
bull Reduction of audit costs
Cloud (SaaS)bull How to manage decentralized systems
bull How to capture behavior of the composition
bull Who is the attacker
Process level vs technical levelsbull Security is more than CIA
bull Ensuring secure implementation
copy 2014 SAP AG All Rights Reserved Page 28 of 33
Agenda
1 SAP and SAP PampI ACES
2 Process-aware Information Systems
3 Security Trust and Compliance of Business Processes
4 Research Directions and Challenges
5 Conclusion
copy 2014 SAP AG All Rights Reserved Page 29 of 33
Conclusion
"The most interesting challenges are still ahead of us."
• Real systems are large and complex:
  • many programming languages or frameworks
  • many security technologies
  • highly distributed
  • implement business processes in many different ways
• Much research is done on the process level
• We now need to bring the process level and the implementation level closer together to provide end-to-end security
• Cloud solutions create new challenges:
  • data protection across different providers
  • new attacker models
Thank you
Interested in an Internship/Thesis at SAP?
• achim.brucker@sap.com
• www.sap.com/jobs and search for location "Karlsruhe" or "student"
Bibliography I
Wihem Arsac, Luca Compagna, Giancarlo Pellegrino, and Serena Elisa Ponta.
Security validation of business processes via model-checking.
In Úlfar Erlingsson, Roel Wieringa, and Nicola Zannone, editors, ESSoS, volume 6542 of Lecture Notes in Computer Science, pages 29–42. Springer-Verlag, Heidelberg, 2011.
Achim D. Brucker and Isabelle Hang.
Secure and compliant implementation of business process-driven systems.
In Marcello La Rosa and Pnina Soffer, editors, Joint Workshop on Security in Business Processes (SBP), volume 132 of Lecture Notes in Business Information Processing (LNBIP), pages 662–674. Springer-Verlag, 2012.
Achim D. Brucker, Isabelle Hang, Gero Lückemeyer, and Raj Ruparel.
SecureBPMN: Modeling and enforcing access control requirements in business processes.
In ACM Symposium on Access Control Models and Technologies (SACMAT), pages 123–126. ACM Press, 2012.
Bibliography II
Luca Compagna, Pierre Guilleminot, and Achim D. Brucker.
Business process compliance via security validation as a service.
In Manuel Oriol and John Penix, editors, IEEE Sixth International Conference on Software Testing, Verification and Validation (ICST), pages 455–462. IEEE Computer Society, 2013.
Christian Wolter, Andreas Schaad, and Christoph Meinel.
Deriving XACML policies from business process models.
In Mathias Weske, Mohand-Said Hacid, and Claude Godart, editors, WISE Workshops, volume 4832 of Lecture Notes in Computer Science, pages 142–153. Springer-Verlag, 2007.
Support Lifecycle (Maintenance)
(Chart: number of systems and number of customers under maintenance in 1998, 2004 and 2012; y-axis from 0 to 140,000)
Example (Maintenance Cycles)
Product               Release   EOL    ext. EOL
Windows XP            2001      2009   2014
Windows 8             2012      2018   2023
Red Hat Ent. Linux    2012      2020   2023
SAP ERP               2004      2020   > 2024
Maintenance fees: typically 20% of the original price
Customer Requirements
(Figure: requirements arranged on a spectrum from the line of business (LOB) to IT)
• Real-time business process integration
• End-to-end monitoring and support
• Single source of truth and master data synchronization
• Data security and compliance
• Integrated user experience
• Rapid deployment
• Support for complex landscapes
• Choice of integration technology
3 Security, Trust and Compliance of Business Processes
Security in Business Processes: An Example
Access Control
Goal
• Control access to tasks and resources (data)
The core
• Usually: users, roles, access rights
• In special cases: data labeling
On top
• Separation of Duty
• Binding of Duty
• Delegation
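The access-control slide names RBAC as the core and separation of duty, binding of duty and delegation as the constraints layered on top. The following Python program is an added illustration, not code from the slides or from SAP: it enforces those four mechanisms on a small purchase-order process (create, approve, pay, audit) and also performs the kind of process-level consistency check the research overview calls "consistency of security configurations", namely whether the process can still be completed at all under its own policy. The process, the users, roles and all function names are assumptions made for this example.

```python
"""Process-level access control for a small purchase-order process: RBAC at
the core, with separation of duty (SoD), binding of duty (BoD) and delegation
on top, plus a process-level consistency check of the resulting policy.

Added example, not code from the slides or from SAP; all task, role, user
and function names are assumptions made for this example."""
from dataclasses import dataclass, field
from itertools import product

# RBAC core: constructed sample users, roles and task permissions
USER_ROLES = {
    "alice": {"clerk"},
    "bob":   {"clerk", "manager"},
    "carol": {"manager"},
    "dave":  {"auditor"},
}
TASK_ROLES = {                       # roles allowed to execute each task
    "create_order":  {"clerk"},
    "approve_order": {"manager"},
    "pay_order":     {"manager"},
    "audit_order":   {"auditor"},
}
TASKS = list(TASK_ROLES)

# Constraints "on top" of RBAC, evaluated per process instance
SOD = [("create_order", "approve_order"),    # the creator must not approve
       ("approve_order", "audit_order")]     # the approver must not audit
BOD = [("approve_order", "pay_order")]       # whoever approves also pays


@dataclass
class ProcessInstance:
    executed: dict = field(default_factory=dict)     # task -> acting user
    delegations: dict = field(default_factory=dict)  # (user, task) -> delegator


def rbac_permits(user, task):
    """Plain RBAC: the user holds some role that may execute the task."""
    return bool(USER_ROLES.get(user, set()) & TASK_ROLES[task])


def delegate(inst, delegator, delegate_to, task):
    """Delegation: only a right the delegator actually holds can be handed on."""
    if not rbac_permits(delegator, task):
        raise PermissionError(f"{delegator} may not execute {task} and so cannot delegate it")
    inst.delegations[(delegate_to, task)] = delegator


def _counterpart(pair, task):
    """The other task of a SoD/BoD pair, or None if `task` is not in the pair."""
    a, b = pair
    return b if task == a else a if task == b else None


def authorize(inst, user, task):
    """Decide whether `user` may execute `task` in `inst`; returns (allowed, reason)."""
    delegator = inst.delegations.get((user, task))
    # 1. RBAC, satisfied either directly or through a delegation
    if not rbac_permits(user, task) and delegator is None:
        return False, f"{user} holds no role permitting {task}"
    # 2. SoD, checked for the acting user *and* the delegator, so a conflict
    #    cannot be laundered by delegating the conflicting task to someone else
    parties = [user] if delegator is None else [user, delegator]
    for party in parties:
        for pair in SOD:
            other = _counterpart(pair, task)
            if other is not None and inst.executed.get(other) == party:
                return False, f"SoD: {party} already executed {other}"
    # 3. BoD: once one task of a bound pair ran, the same user must do the other
    for pair in BOD:
        other = _counterpart(pair, task)
        if other in inst.executed and inst.executed[other] != user:
            return False, f"BoD: {task} must be executed by {inst.executed[other]}"
    return True, "ok"


def execute(inst, user, task):
    """Enforce the decision and record the acting user for later checks."""
    allowed, reason = authorize(inst, user, task)
    if not allowed:
        raise PermissionError(reason)
    inst.executed[task] = user
    return reason


def find_assignment(tasks=TASKS, sod=SOD, bod=BOD):
    """Process-level consistency check: return some assignment of users to tasks
    that satisfies RBAC, SoD and BoD, or None if the policy makes the process
    unfinishable.  Brute force; adequate for models of this size."""
    for combo in product(USER_ROLES, repeat=len(tasks)):
        asg = dict(zip(tasks, combo))
        if (all(rbac_permits(u, t) for t, u in asg.items())
                and all(asg[a] != asg[b] for a, b in sod)
                and all(asg[a] == asg[b] for a, b in bod)):
            return asg
    return None


if __name__ == "__main__":
    inst = ProcessInstance()
    execute(inst, "bob", "create_order")
    print(authorize(inst, "bob", "approve_order"))   # denied by SoD
    execute(inst, "carol", "approve_order")
    print(authorize(inst, "bob", "pay_order"))       # denied by BoD
    execute(inst, "carol", "pay_order")
    execute(inst, "dave", "audit_order")
    print(find_assignment())
    print(find_assignment(bod=BOD + [("create_order", "audit_order")]))  # None
```

Two design points matter in practice. SoD is evaluated against the acting user and the delegator together, so a clerk who created an order cannot approve it merely because a manager delegated the approval to them; without that, delegation becomes a loophole in the separation constraint. The consistency check does not model delegation, and adding a binding-of-duty pair whose tasks no single user is permitted to execute makes it return None, which is exactly the "policy deadlocks the process" condition a process-level verifier should report before the model is deployed.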
Protecting Data (and Goods)
Goal
• Ensure
  • confidentiality
  • integrity (safety)
  of data (and goods)
The core
• Need-to-Know
• Fingerprints
• Encryption
• Sensors
Compliance and Additional Requirements
Many regulated markets
bull Basel IIIII SoX PCI
bull HIPAA
Many customer-specific regulations
bull Own governance to mitigate risks
bull Own business code of conduct
bull Fraud detectionprevention
bull Non-observability
Customers are individually audited
bull No ldquoone certificate fits allrdquo solution
Security should not hinder business
copy 2014 SAP AG All Rights Reserved Page 25 of 33
Agenda
1 SAP and SAP PampI ACES
2 Process-aware Information Systems
3 Security Trust and Compliance of Business Processes
4 Research Directions and Challenges
5 Conclusion
copy 2014 SAP AG All Rights Reserved Page 26 of 33
Our Research Over the Last Decade
Access Control for Processesbull RBAC-like models
bull Delegation models
bull Break-(the)-glass models
Model-driven Securitybull Modeling of Security
bull Generation of implementation configuration
bull Monitoring based on models
Process-level Verificationbull Compliance to security spec
bull Consistency of security configurations
Implementation-level Verificationbull Compliance of implementation to process level
security req
copy 2014 SAP AG All Rights Reserved Page 27 of 33
Research Challenges
Adaptabilitybull How to extend systems safely
bull Integration of legacy systems
Auditabilitybull Coherent audit across providerssystems
bull Reduction of audit costs
Cloud (SaaS)bull How to manage decentralized systems
bull How to capture behavior of the composition
bull Who is the attacker
Process level vs technical levelsbull Security is more than CIA
bull Ensuring secure implementation
copy 2014 SAP AG All Rights Reserved Page 28 of 33
Agenda
1 SAP and SAP PampI ACES
2 Process-aware Information Systems
3 Security Trust and Compliance of Business Processes
4 Research Directions and Challenges
5 Conclusion
copy 2014 SAP AG All Rights Reserved Page 29 of 33
Conclusion
ldquo The most interesting challenges are still ahead of us
bull Real systems are large and complexbull many programming languages or frameworksbull many security technologiesbull highly distributedbull implement business processes in many different ways
bull Many research is done on the process level
bull We now need to bring thebull process levelbull implementation level
closer together to provide end-to-end security
bull Cloud solutions create new challengesbull data protection across different providersbull new attacker models
copy 2014 SAP AG All Rights Reserved Page 30 of 33
Thank you
Interested in an InternshipThesis at SAP
bull achimbruckersapcom
bull wwwsapcomjobs and search for locationldquoKarlsruherdquo or rsquolsquostudentrdquo
Bibliography I
Wihem Arsac Luca Compagna Giancarlo Pellegrino and Serena Elisa Ponta
Security validation of business processes via model-checking
In Uacutelfar Erlingsson Roel Wieringa and Nicola Zannone editors ESSoS volume 6542 ofLecture Notes in Computer Science pages 29ndash42 Heidelberg 2011 Springer-Verlag
Achim D Brucker and Isabelle Hang
Secure and compliant implementation of business process-driven systems
In Marcello La Rosa and Pnina Soffer editors Joint Workshop on Security in BusinessProcesses (sbp) volume 132 of Lecture Notes in Business Information Processing (lnbip)pages 662ndash674 Springer-Verlag 2012
Achim D Brucker Isabelle Hang Gero Luumlckemeyer and Raj Ruparel
SecureBPMN Modeling and enforcing access control requirements in business processes
In ACM symposium on access control models and technologies (SACMAT) pages123ndash126 acm Press 2012
copy 2014 SAP AG All Rights Reserved Page 32 of 33
Bibliography II
Luca Compagna Pierre Guilleminot and Achim D Brucker
Business process compliance via security validation as a service
In Manuel Oriol and John Penix editors ieee Sixth International Conference on SoftwareTesting Verification and Validation (icst) pages 455ndash462 ieee Computer Society 2013
Christian Wolter Andreas Schaad and Christoph Meinel
Deriving XACML policies from business process models
In Mathias Weske Mohand-Said Hacid and Claude Godart editors WISE Workshopsvolume 4832 of Lecture Notes in Computer Science pages 142ndash153 Springer-Verlag2007
copy 2014 SAP AG All Rights Reserved Page 33 of 33
copy 2014 SAP AG All rights reserved
No part of this publication may be reproduced or transmitted in any formor for any purpose without the express permission of SAP AG Theinformation contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors containproprietary software components of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registeredtrademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System pSystem p5 System x System z System z10 System z9 z10 z9 iSeriespSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWEROpenPower PowerPC BatchPipes BladeCenter System Storage GPFSHACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel SysplexMVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informixare trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and othercountriesAdobe the Adobe logo Acrobat PostScript and Reader are eithertrademarks or registered trademarks of Adobe Systems Incorporated inthe United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the OpenGroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrameand MultiWin are trademarks or registered trademarks of Citrix SystemsIncHTML XML XHTML and W3C are trademarks or registered trademarks ofW3Creg World Wide Web Consortium Massachusetts Institute ofTechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc usedunder license for technology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAPBusinessObjects Explorer StreamWork and other SAP products andservices mentioned herein as well as their respective logos aretrademarks or registered trademarks of SAP AG in 
Germany and othercountries
Business Objects and the Business Objects logo BusinessObjects CrystalReports Crystal Decisions Web Intelligence Xcelsius and other Business Objectsproducts and services mentioned herein as well as their respective logos aretrademarks or registered trademarks of Business Objects Software Ltd BusinessObjects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and otherSybase products and services mentioned herein as well as their respective logosare trademarks or registered trademarks of Sybase Inc Sybase is an SAPcompanyAll other product and service names mentioned are the trademarks of theirrespective companies Data contained in this document serves informationalpurposes only National product specifications may varyThe information in this document is proprietary to SAP No part of this documentmay be reproduced copied or transmitted in any form or for any purpose withoutthe express prior written permission of SAP AGThis document is a preliminary version and not subject to your license agreementor any other agreement with SAP This document contains only intendedstrategies developments and functionalities of the SAPreg product and is notintended to be binding upon SAP to any particular course of business productstrategy andor development Please note that this document is subject tochange and may be changed by SAP at any time without noticeSAP assumes no responsibility for errors or omissions in this document SAP doesnot warrant the accuracy or completeness of the information text graphics linksor other items contained within this material This document is provided without awarranty of any kind either express or implied including but not limited to theimplied warranties of merchantability fitness for a particular purpose ornon-infringementSAP shall have no liability for damages of any kind including without limitationdirect special indirect or consequential damages that may result from the use ofthese materials This limitation shall not apply 
in cases of intent or grossnegligenceThe statutory liability for personal injury and defective products is not affectedSAP has no control over the information that you may access through the use ofhot links contained in these materials and does not endorse your use ofthird-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages
copy 2014 SAP AG All Rights Reserved Page 34 of 33
- SAP and SAP PampI ACES
- Process-aware Information Systems
-
- The Ideal World
- The Real World
- Cloud Integration
- System Complexity and Adoption Rate
-
- Security Trust and Compliance of Business Processes
- Research Directions and Challenges
- Conclusion
-
Support Lifecycle (Maintenance)
0
20000
40000
60000
80000
100000
120000
140000
1998 2004 2012No of Systems No of Customers
Example (Maintenance Cycles)
Produkt Release EOL ext EOL
Windows XP 2001 2009 2014Windows 8 2012 2018 2023Red Hat Ent Linux 2012 2020 2023SAP ERP 2004 2020 gt 2024
Maintenance fees typical 20 of the original price
copy 2014 SAP AG All Rights Reserved Page 19 of 33
Customer Requirements
Real-time businessprocess integration
End-to-endmonitoring and support
Single source of truth andmaster data synchronization
Data securityand compliance
Integrateduser experience
Rapid deployment
Support for complexlandscapes
Choice of integrationtechnology
LOB IT
Line of business
copy 2014 SAP AG All Rights Reserved Page 20 of 33
Agenda
1 SAP and SAP PampI ACES
2 Process-aware Information Systems
3 Security Trust and Compliance of Business Processes
4 Research Directions and Challenges
5 Conclusion
copy 2014 SAP AG All Rights Reserved Page 21 of 33
Security in Business Processes An Example
copy 2014 SAP AG All Rights Reserved Page 22 of 33
Access Control
Goal
bull Control access toTasks Resources (Data)
The core
bull UsuallyUsers Roles Access Rights
bull In special casesData labeling
On top
bull Separation of Duty
bull Binding of Duty
bull Delegation
copy 2014 SAP AG All Rights Reserved Page 23 of 33
Protecting Data (and Goods)
Goal
bull Ensurebull confidentialitybull integrity (safety)
of data (and goods)
The core
bull Need-to-Know
bull Fingerprints
bull Encryption
bull Sensors
copy 2014 SAP AG All Rights Reserved Page 24 of 33
Compliance and Additional Requirements
Many regulated markets
bull Basel IIIII SoX PCI
bull HIPAA
Many customer-specific regulations
bull Own governance to mitigate risks
bull Own business code of conduct
bull Fraud detectionprevention
bull Non-observability
Customers are individually audited
bull No ldquoone certificate fits allrdquo solution
Security should not hinder business
copy 2014 SAP AG All Rights Reserved Page 25 of 33
Agenda
1 SAP and SAP PampI ACES
2 Process-aware Information Systems
3 Security Trust and Compliance of Business Processes
4 Research Directions and Challenges
5 Conclusion
copy 2014 SAP AG All Rights Reserved Page 26 of 33
Our Research Over the Last Decade
Access Control for Processesbull RBAC-like models
bull Delegation models
bull Break-(the)-glass models
Model-driven Securitybull Modeling of Security
bull Generation of implementation configuration
bull Monitoring based on models
Process-level Verificationbull Compliance to security spec
bull Consistency of security configurations
Implementation-level Verificationbull Compliance of implementation to process level
security req
copy 2014 SAP AG All Rights Reserved Page 27 of 33
Research Challenges
Adaptabilitybull How to extend systems safely
bull Integration of legacy systems
Auditabilitybull Coherent audit across providerssystems
bull Reduction of audit costs
Cloud (SaaS)bull How to manage decentralized systems
bull How to capture behavior of the composition
bull Who is the attacker
Process level vs technical levelsbull Security is more than CIA
bull Ensuring secure implementation
copy 2014 SAP AG All Rights Reserved Page 28 of 33
Agenda
1 SAP and SAP PampI ACES
2 Process-aware Information Systems
3 Security Trust and Compliance of Business Processes
4 Research Directions and Challenges
5 Conclusion
copy 2014 SAP AG All Rights Reserved Page 29 of 33
Conclusion
ldquo The most interesting challenges are still ahead of us
bull Real systems are large and complexbull many programming languages or frameworksbull many security technologiesbull highly distributedbull implement business processes in many different ways
bull Many research is done on the process level
bull We now need to bring thebull process levelbull implementation level
closer together to provide end-to-end security
bull Cloud solutions create new challengesbull data protection across different providersbull new attacker models
copy 2014 SAP AG All Rights Reserved Page 30 of 33
Thank you
Interested in an InternshipThesis at SAP
bull achimbruckersapcom
bull wwwsapcomjobs and search for locationldquoKarlsruherdquo or rsquolsquostudentrdquo
Bibliography I
Wihem Arsac Luca Compagna Giancarlo Pellegrino and Serena Elisa Ponta
Security validation of business processes via model-checking
In Uacutelfar Erlingsson Roel Wieringa and Nicola Zannone editors ESSoS volume 6542 ofLecture Notes in Computer Science pages 29ndash42 Heidelberg 2011 Springer-Verlag
Achim D Brucker and Isabelle Hang
Secure and compliant implementation of business process-driven systems
In Marcello La Rosa and Pnina Soffer editors Joint Workshop on Security in BusinessProcesses (sbp) volume 132 of Lecture Notes in Business Information Processing (lnbip)pages 662ndash674 Springer-Verlag 2012
Achim D Brucker Isabelle Hang Gero Luumlckemeyer and Raj Ruparel
SecureBPMN Modeling and enforcing access control requirements in business processes
In ACM symposium on access control models and technologies (SACMAT) pages123ndash126 acm Press 2012
copy 2014 SAP AG All Rights Reserved Page 32 of 33
Bibliography II
Luca Compagna Pierre Guilleminot and Achim D Brucker
Business process compliance via security validation as a service
In Manuel Oriol and John Penix editors ieee Sixth International Conference on SoftwareTesting Verification and Validation (icst) pages 455ndash462 ieee Computer Society 2013
Christian Wolter Andreas Schaad and Christoph Meinel
Deriving XACML policies from business process models
In Mathias Weske Mohand-Said Hacid and Claude Godart editors WISE Workshopsvolume 4832 of Lecture Notes in Computer Science pages 142ndash153 Springer-Verlag2007
copy 2014 SAP AG All Rights Reserved Page 33 of 33
copy 2014 SAP AG All rights reserved
No part of this publication may be reproduced or transmitted in any formor for any purpose without the express permission of SAP AG Theinformation contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors containproprietary software components of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registeredtrademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System pSystem p5 System x System z System z10 System z9 z10 z9 iSeriespSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWEROpenPower PowerPC BatchPipes BladeCenter System Storage GPFSHACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel SysplexMVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informixare trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and othercountriesAdobe the Adobe logo Acrobat PostScript and Reader are eithertrademarks or registered trademarks of Adobe Systems Incorporated inthe United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the OpenGroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrameand MultiWin are trademarks or registered trademarks of Citrix SystemsIncHTML XML XHTML and W3C are trademarks or registered trademarks ofW3Creg World Wide Web Consortium Massachusetts Institute ofTechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc usedunder license for technology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAPBusinessObjects Explorer StreamWork and other SAP products andservices mentioned herein as well as their respective logos aretrademarks or registered trademarks of SAP AG in 
Germany and othercountries
Business Objects and the Business Objects logo BusinessObjects CrystalReports Crystal Decisions Web Intelligence Xcelsius and other Business Objectsproducts and services mentioned herein as well as their respective logos aretrademarks or registered trademarks of Business Objects Software Ltd BusinessObjects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and otherSybase products and services mentioned herein as well as their respective logosare trademarks or registered trademarks of Sybase Inc Sybase is an SAPcompanyAll other product and service names mentioned are the trademarks of theirrespective companies Data contained in this document serves informationalpurposes only National product specifications may varyThe information in this document is proprietary to SAP No part of this documentmay be reproduced copied or transmitted in any form or for any purpose withoutthe express prior written permission of SAP AGThis document is a preliminary version and not subject to your license agreementor any other agreement with SAP This document contains only intendedstrategies developments and functionalities of the SAPreg product and is notintended to be binding upon SAP to any particular course of business productstrategy andor development Please note that this document is subject tochange and may be changed by SAP at any time without noticeSAP assumes no responsibility for errors or omissions in this document SAP doesnot warrant the accuracy or completeness of the information text graphics linksor other items contained within this material This document is provided without awarranty of any kind either express or implied including but not limited to theimplied warranties of merchantability fitness for a particular purpose ornon-infringementSAP shall have no liability for damages of any kind including without limitationdirect special indirect or consequential damages that may result from the use ofthese materials This limitation shall not apply 
in cases of intent or grossnegligenceThe statutory liability for personal injury and defective products is not affectedSAP has no control over the information that you may access through the use ofhot links contained in these materials and does not endorse your use ofthird-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages
copy 2014 SAP AG All Rights Reserved Page 34 of 33
- SAP and SAP PampI ACES
- Process-aware Information Systems
-
- The Ideal World
- The Real World
- Cloud Integration
- System Complexity and Adoption Rate
-
- Security Trust and Compliance of Business Processes
- Research Directions and Challenges
- Conclusion
-
Customer Requirements
Real-time businessprocess integration
End-to-endmonitoring and support
Single source of truth andmaster data synchronization
Data securityand compliance
Integrateduser experience
Rapid deployment
Support for complexlandscapes
Choice of integrationtechnology
LOB IT
Line of business
copy 2014 SAP AG All Rights Reserved Page 20 of 33
Agenda
1 SAP and SAP PampI ACES
2 Process-aware Information Systems
3 Security Trust and Compliance of Business Processes
4 Research Directions and Challenges
5 Conclusion
copy 2014 SAP AG All Rights Reserved Page 21 of 33
Security in Business Processes An Example
copy 2014 SAP AG All Rights Reserved Page 22 of 33
Access Control
Goal
bull Control access toTasks Resources (Data)
The core
bull UsuallyUsers Roles Access Rights
bull In special casesData labeling
On top
bull Separation of Duty
bull Binding of Duty
bull Delegation
copy 2014 SAP AG All Rights Reserved Page 23 of 33
Protecting Data (and Goods)
Goal
bull Ensurebull confidentialitybull integrity (safety)
of data (and goods)
The core
bull Need-to-Know
bull Fingerprints
bull Encryption
bull Sensors
copy 2014 SAP AG All Rights Reserved Page 24 of 33
Compliance and Additional Requirements
Many regulated markets
bull Basel IIIII SoX PCI
bull HIPAA
Many customer-specific regulations
bull Own governance to mitigate risks
bull Own business code of conduct
bull Fraud detectionprevention
bull Non-observability
Customers are individually audited
bull No ldquoone certificate fits allrdquo solution
Security should not hinder business
copy 2014 SAP AG All Rights Reserved Page 25 of 33
Agenda
1 SAP and SAP PampI ACES
2 Process-aware Information Systems
3 Security Trust and Compliance of Business Processes
4 Research Directions and Challenges
5 Conclusion
copy 2014 SAP AG All Rights Reserved Page 26 of 33
Our Research Over the Last Decade
Access Control for Processesbull RBAC-like models
bull Delegation models
bull Break-(the)-glass models
Model-driven Securitybull Modeling of Security
bull Generation of implementation configuration
bull Monitoring based on models
Process-level Verificationbull Compliance to security spec
bull Consistency of security configurations
Implementation-level Verificationbull Compliance of implementation to process level
security req
copy 2014 SAP AG All Rights Reserved Page 27 of 33
Research Challenges
Adaptabilitybull How to extend systems safely
bull Integration of legacy systems
Auditabilitybull Coherent audit across providerssystems
bull Reduction of audit costs
Cloud (SaaS)bull How to manage decentralized systems
bull How to capture behavior of the composition
bull Who is the attacker
Process level vs technical levelsbull Security is more than CIA
bull Ensuring secure implementation
copy 2014 SAP AG All Rights Reserved Page 28 of 33
Agenda
1 SAP and SAP PampI ACES
2 Process-aware Information Systems
3 Security Trust and Compliance of Business Processes
4 Research Directions and Challenges
5 Conclusion
copy 2014 SAP AG All Rights Reserved Page 29 of 33
Conclusion
ldquo The most interesting challenges are still ahead of us
bull Real systems are large and complexbull many programming languages or frameworksbull many security technologiesbull highly distributedbull implement business processes in many different ways
bull Many research is done on the process level
bull We now need to bring thebull process levelbull implementation level
closer together to provide end-to-end security
bull Cloud solutions create new challengesbull data protection across different providersbull new attacker models
copy 2014 SAP AG All Rights Reserved Page 30 of 33
Thank you
Interested in an InternshipThesis at SAP
bull achimbruckersapcom
bull wwwsapcomjobs and search for locationldquoKarlsruherdquo or rsquolsquostudentrdquo
Bibliography I
Wihem Arsac, Luca Compagna, Giancarlo Pellegrino, and Serena Elisa Ponta.
Security validation of business processes via model-checking.
In Úlfar Erlingsson, Roel Wieringa, and Nicola Zannone, editors, ESSoS, volume 6542 of Lecture Notes in Computer Science, pages 29–42, Heidelberg, 2011. Springer-Verlag.
Achim D. Brucker and Isabelle Hang.
Secure and compliant implementation of business process-driven systems.
In Marcello La Rosa and Pnina Soffer, editors, Joint Workshop on Security in Business Processes (SBP), volume 132 of Lecture Notes in Business Information Processing (LNBIP), pages 662–674. Springer-Verlag, 2012.
Achim D. Brucker, Isabelle Hang, Gero Lückemeyer, and Raj Ruparel.
SecureBPMN: Modeling and enforcing access control requirements in business processes.
In ACM Symposium on Access Control Models and Technologies (SACMAT), pages 123–126. ACM Press, 2012.
© 2014 SAP AG. All Rights Reserved. Page 32 of 33
Bibliography II
Luca Compagna, Pierre Guilleminot, and Achim D. Brucker.
Business process compliance via security validation as a service.
In Manuel Oriol and John Penix, editors, IEEE Sixth International Conference on Software Testing, Verification and Validation (ICST), pages 455–462. IEEE Computer Society, 2013.
Christian Wolter, Andreas Schaad, and Christoph Meinel.
Deriving XACML policies from business process models.
In Mathias Weske, Mohand-Said Hacid, and Claude Godart, editors, WISE Workshops, volume 4832 of Lecture Notes in Computer Science, pages 142–153. Springer-Verlag, 2007.
© 2014 SAP AG. All Rights Reserved. Page 33 of 33
© 2014 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.
Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.
Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.
Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company.
All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.
The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG.
This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice.
SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.
SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence.
The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.
© 2014 SAP AG. All Rights Reserved. Page 34 of 33
in cases of intent or grossnegligenceThe statutory liability for personal injury and defective products is not affectedSAP has no control over the information that you may access through the use ofhot links contained in these materials and does not endorse your use ofthird-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages
copy 2014 SAP AG All Rights Reserved Page 34 of 33
Protecting Data (and Goods)

Goal
• Ensure
  • confidentiality
  • integrity (safety)
  of data (and goods)

The core
• Need-to-know
• Fingerprints
• Encryption
• Sensors
Compliance and Additional Requirements

Many regulated markets
• Basel II/III, SOX, PCI
• HIPAA

Many customer-specific regulations
• Own governance to mitigate risks
• Own business code of conduct
• Fraud detection/prevention
• Non-observability

Customers are individually audited
• No "one certificate fits all" solution

Security should not hinder business
Our Research Over the Last Decade

Access Control for Processes
• RBAC-like models
• Delegation models
• Break-(the)-glass models

Model-driven Security
• Modeling of security
• Generation of implementation configuration
• Monitoring based on models

Process-level Verification
• Compliance to security spec
• Consistency of security configurations

Implementation-level Verification
• Compliance of implementation to process-level security requirements
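The access-control and process-level verification bullets above name what the tooling does, not how it decides. The following Python is an added illustration written for this page; it is not code from the slides, from SecureBPMN, or from any SAP product. It models a constructed purchase-order process with RBAC-like task permissions (the "need-to-know" bullet of the data-protection slide made concrete), single-task delegation, a break-glass override, and separation/binding-of-duty constraints, and then runs two checks in the spirit of the slide: a static consistency check of the security configuration (every task has a possible executor and the constraints are jointly satisfiable) and a compliance check of task executions against the specification, both at runtime and over a finished trace. All task, role and user names are assumptions made for the example.

```python
from itertools import product

# Constructed process model: a purchase-order process with three tasks.
TASKS = ("create_order", "approve_order", "pay_invoice")

# RBAC-like permissions: roles allowed to execute each task (need-to-know).
TASK_ROLES = {
    "create_order": {"clerk"},
    "approve_order": {"manager"},
    "pay_invoice": {"accountant"},
}

# Separation of duty: the same user must not perform both tasks of a pair.
SOD = {("create_order", "approve_order"), ("approve_order", "pay_invoice")}
# Binding of duty: the same user must perform both tasks of a pair.
BOD = set()

# Constructed user-to-role assignment.
USER_ROLES = {"alice": {"clerk"}, "bob": {"manager"}, "carol": {"accountant"}}

# Roles whose members may invoke break-glass (emergency override) on a task.
BREAK_GLASS_ROLES = {"pay_invoice": {"manager"}}


def roles_of(user, user_roles=USER_ROLES):
    return user_roles.get(user, set())


def authorized(user, task, delegations=(), user_roles=USER_ROLES):
    """RBAC check plus delegation: a delegatee inherits the delegator's right
    for one task, but only if the delegator actually holds that right."""
    if roles_of(user, user_roles) & TASK_ROLES.get(task, set()):
        return True
    return any(
        d_task == task and d_to == user
        and roles_of(d_from, user_roles) & TASK_ROLES.get(task, set())
        for d_from, d_to, d_task in delegations
    )


def check_consistency(task_roles=TASK_ROLES, user_roles=USER_ROLES,
                      sod=SOD, bod=BOD):
    """Static check of the security configuration. Returns a list of
    problems; an empty list means some run of the process can complete."""
    problems = []
    for task in TASKS:
        if not task_roles.get(task):
            problems.append(f"{task}: no role may execute it")
    if sod & bod or sod & {(b, a) for a, b in bod}:
        problems.append("a task pair is both SoD and BoD")
    # Users who could execute each task; an empty list means a dead task.
    candidates = {
        t: [u for u in user_roles if user_roles[u] & task_roles.get(t, set())]
        for t in TASKS
    }
    for t, users in candidates.items():
        if not users:
            problems.append(f"{t}: permitted roles are assigned to no user")
    if problems:
        return problems
    # Satisfiability: some assignment of users to tasks respects SoD and BoD.
    for combo in product(*(candidates[t] for t in TASKS)):
        who = dict(zip(TASKS, combo))
        if all(who[a] != who[b] for a, b in sod) and \
           all(who[a] == who[b] for a, b in bod):
            return []
    return ["no user-to-task assignment satisfies the SoD/BoD constraints"]


def decide(user, task, history, delegations=(), emergency=False):
    """Runtime decision for one task instance. `history` lists the
    (user, task) pairs already executed in this process instance.
    Returns (permit, reason); break-glass permits carry a logging obligation.
    Duty constraints are checked first, so break-glass never overrides SoD."""
    for a, b in SOD:
        other = b if a == task else a if b == task else None
        if other and (user, other) in history:
            return False, f"deny: SoD between {task} and {other}"
    for a, b in BOD:
        other = b if a == task else a if b == task else None
        done = [u for u, t in history if t == other]
        if other and done and done[0] != user:
            return False, f"deny: BoD requires {done[0]} for {task}"
    if authorized(user, task, delegations):
        return True, "permit: role or delegation"
    if emergency and roles_of(user) & BREAK_GLASS_ROLES.get(task, set()):
        return True, f"permit: break-glass by {user} on {task}, log and review"
    return False, "deny: not authorized"


def audit_trace(trace, delegations=()):
    """Post-hoc compliance check of an execution log against the spec.
    Any step the regular policy would not permit (including break-glass
    uses) is returned as a finding for the auditor."""
    findings = []
    for i, (user, task) in enumerate(trace):
        ok, reason = decide(user, task, trace[:i], delegations)
        if not ok:
            findings.append(f"step {i}: {user} on {task}: {reason}")
    return findings
```

Two design points matter in practice. The static check catches a configuration that is syntactically fine but dead (a permitted role nobody holds, or SoD constraints that no user assignment can satisfy) before a single instance runs, which is what "consistency of security configurations" amounts to; the brute-force search over candidate executors is adequate for a toy process but a real checker would use a constraint solver or the model-checking approach cited in the bibliography. At runtime, break-glass here overrides the role check but not separation of duty, so an emergency cannot be used to let the approver also pay, and every break-glass permit returns an obligation that the process engine must log and that the post-hoc audit surfaces as a finding.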
Research Challenges

Adaptability
• How to extend systems safely
• Integration of legacy systems

Auditability
• Coherent audit across providers/systems
• Reduction of audit costs

Cloud (SaaS)
• How to manage decentralized systems
• How to capture behavior of the composition
• Who is the attacker?

Process level vs. technical levels
• Security is more than CIA
• Ensuring secure implementation
Conclusion

"The most interesting challenges are still ahead of us."

• Real systems are large and complex:
  • many programming languages or frameworks
  • many security technologies
  • highly distributed
  • implement business processes in many different ways
• Much research is done on the process level
• We now need to bring the
  • process level
  • implementation level
  closer together to provide end-to-end security
• Cloud solutions create new challenges:
  • data protection across different providers
  • new attacker models
Thank you

Interested in an internship/thesis at SAP?
• achim.brucker@sap.com
• www.sap.com/jobs and search for location "Karlsruhe" or "student"
Bibliography I

Wihem Arsac, Luca Compagna, Giancarlo Pellegrino, and Serena Elisa Ponta. Security validation of business processes via model-checking. In Úlfar Erlingsson, Roel Wieringa, and Nicola Zannone, editors, ESSoS, volume 6542 of Lecture Notes in Computer Science, pages 29–42. Springer-Verlag, Heidelberg, 2011.

Achim D. Brucker and Isabelle Hang. Secure and compliant implementation of business process-driven systems. In Marcello La Rosa and Pnina Soffer, editors, Joint Workshop on Security in Business Processes (SBP), volume 132 of Lecture Notes in Business Information Processing (LNBIP), pages 662–674. Springer-Verlag, 2012.

Achim D. Brucker, Isabelle Hang, Gero Lückemeyer, and Raj Ruparel. SecureBPMN: Modeling and enforcing access control requirements in business processes. In ACM Symposium on Access Control Models and Technologies (SACMAT), pages 123–126. ACM Press, 2012.
Bibliography II

Luca Compagna, Pierre Guilleminot, and Achim D. Brucker. Business process compliance via security validation as a service. In Manuel Oriol and John Penix, editors, IEEE Sixth International Conference on Software Testing, Verification and Validation (ICST), pages 455–462. IEEE Computer Society, 2013.

Christian Wolter, Andreas Schaad, and Christoph Meinel. Deriving XACML policies from business process models. In Mathias Weske, Mohand-Said Hacid, and Claude Godart, editors, WISE Workshops, volume 4832 of Lecture Notes in Computer Science, pages 142–153. Springer-Verlag, 2007.
copy 2014 SAP AG All rights reserved
No part of this publication may be reproduced or transmitted in any formor for any purpose without the express permission of SAP AG Theinformation contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors containproprietary software components of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registeredtrademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System pSystem p5 System x System z System z10 System z9 z10 z9 iSeriespSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWEROpenPower PowerPC BatchPipes BladeCenter System Storage GPFSHACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel SysplexMVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informixare trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and othercountriesAdobe the Adobe logo Acrobat PostScript and Reader are eithertrademarks or registered trademarks of Adobe Systems Incorporated inthe United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the OpenGroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrameand MultiWin are trademarks or registered trademarks of Citrix SystemsIncHTML XML XHTML and W3C are trademarks or registered trademarks ofW3Creg World Wide Web Consortium Massachusetts Institute ofTechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc usedunder license for technology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAPBusinessObjects Explorer StreamWork and other SAP products andservices mentioned herein as well as their respective logos aretrademarks or registered trademarks of SAP AG in 
Germany and othercountries
Business Objects and the Business Objects logo BusinessObjects CrystalReports Crystal Decisions Web Intelligence Xcelsius and other Business Objectsproducts and services mentioned herein as well as their respective logos aretrademarks or registered trademarks of Business Objects Software Ltd BusinessObjects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and otherSybase products and services mentioned herein as well as their respective logosare trademarks or registered trademarks of Sybase Inc Sybase is an SAPcompanyAll other product and service names mentioned are the trademarks of theirrespective companies Data contained in this document serves informationalpurposes only National product specifications may varyThe information in this document is proprietary to SAP No part of this documentmay be reproduced copied or transmitted in any form or for any purpose withoutthe express prior written permission of SAP AGThis document is a preliminary version and not subject to your license agreementor any other agreement with SAP This document contains only intendedstrategies developments and functionalities of the SAPreg product and is notintended to be binding upon SAP to any particular course of business productstrategy andor development Please note that this document is subject tochange and may be changed by SAP at any time without noticeSAP assumes no responsibility for errors or omissions in this document SAP doesnot warrant the accuracy or completeness of the information text graphics linksor other items contained within this material This document is provided without awarranty of any kind either express or implied including but not limited to theimplied warranties of merchantability fitness for a particular purpose ornon-infringementSAP shall have no liability for damages of any kind including without limitationdirect special indirect or consequential damages that may result from the use ofthese materials This limitation shall not apply 
in cases of intent or grossnegligenceThe statutory liability for personal injury and defective products is not affectedSAP has no control over the information that you may access through the use ofhot links contained in these materials and does not endorse your use ofthird-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages
copy 2014 SAP AG All Rights Reserved Page 34 of 33
- SAP and SAP PampI ACES
- Process-aware Information Systems
-
- The Ideal World
- The Real World
- Cloud Integration
- System Complexity and Adoption Rate
-
- Security Trust and Compliance of Business Processes
- Research Directions and Challenges
- Conclusion
-
Compliance and Additional Requirements
Many regulated markets
bull Basel IIIII SoX PCI
bull HIPAA
Many customer-specific regulations
bull Own governance to mitigate risks
bull Own business code of conduct
bull Fraud detectionprevention
bull Non-observability
Customers are individually audited
bull No ldquoone certificate fits allrdquo solution
Security should not hinder business
copy 2014 SAP AG All Rights Reserved Page 25 of 33
Agenda
1 SAP and SAP PampI ACES
2 Process-aware Information Systems
3 Security Trust and Compliance of Business Processes
4 Research Directions and Challenges
5 Conclusion
copy 2014 SAP AG All Rights Reserved Page 26 of 33
Our Research Over the Last Decade
Access Control for Processesbull RBAC-like models
bull Delegation models
bull Break-(the)-glass models
Model-driven Securitybull Modeling of Security
bull Generation of implementation configuration
bull Monitoring based on models
Process-level Verificationbull Compliance to security spec
bull Consistency of security configurations
Implementation-level Verificationbull Compliance of implementation to process level
security req
copy 2014 SAP AG All Rights Reserved Page 27 of 33
Research Challenges
Adaptabilitybull How to extend systems safely
bull Integration of legacy systems
Auditabilitybull Coherent audit across providerssystems
bull Reduction of audit costs
Cloud (SaaS)bull How to manage decentralized systems
bull How to capture behavior of the composition
bull Who is the attacker
Process level vs technical levelsbull Security is more than CIA
bull Ensuring secure implementation
copy 2014 SAP AG All Rights Reserved Page 28 of 33
Agenda
1 SAP and SAP PampI ACES
2 Process-aware Information Systems
3 Security Trust and Compliance of Business Processes
4 Research Directions and Challenges
5 Conclusion
copy 2014 SAP AG All Rights Reserved Page 29 of 33
Conclusion
ldquo The most interesting challenges are still ahead of us
bull Real systems are large and complexbull many programming languages or frameworksbull many security technologiesbull highly distributedbull implement business processes in many different ways
bull Many research is done on the process level
bull We now need to bring thebull process levelbull implementation level
closer together to provide end-to-end security
bull Cloud solutions create new challengesbull data protection across different providersbull new attacker models
copy 2014 SAP AG All Rights Reserved Page 30 of 33
Thank you
Interested in an InternshipThesis at SAP
bull achimbruckersapcom
bull wwwsapcomjobs and search for locationldquoKarlsruherdquo or rsquolsquostudentrdquo
Bibliography I
Wihem Arsac Luca Compagna Giancarlo Pellegrino and Serena Elisa Ponta
Security validation of business processes via model-checking
In Uacutelfar Erlingsson Roel Wieringa and Nicola Zannone editors ESSoS volume 6542 ofLecture Notes in Computer Science pages 29ndash42 Heidelberg 2011 Springer-Verlag
Achim D Brucker and Isabelle Hang
Secure and compliant implementation of business process-driven systems
In Marcello La Rosa and Pnina Soffer editors Joint Workshop on Security in BusinessProcesses (sbp) volume 132 of Lecture Notes in Business Information Processing (lnbip)pages 662ndash674 Springer-Verlag 2012
Achim D Brucker Isabelle Hang Gero Luumlckemeyer and Raj Ruparel
SecureBPMN Modeling and enforcing access control requirements in business processes
In ACM symposium on access control models and technologies (SACMAT) pages123ndash126 acm Press 2012
copy 2014 SAP AG All Rights Reserved Page 32 of 33
Bibliography II
Luca Compagna Pierre Guilleminot and Achim D Brucker
Business process compliance via security validation as a service
In Manuel Oriol and John Penix editors ieee Sixth International Conference on SoftwareTesting Verification and Validation (icst) pages 455ndash462 ieee Computer Society 2013
Christian Wolter Andreas Schaad and Christoph Meinel
Deriving XACML policies from business process models
In Mathias Weske Mohand-Said Hacid and Claude Godart editors WISE Workshopsvolume 4832 of Lecture Notes in Computer Science pages 142ndash153 Springer-Verlag2007
copy 2014 SAP AG All Rights Reserved Page 33 of 33
copy 2014 SAP AG All rights reserved
No part of this publication may be reproduced or transmitted in any formor for any purpose without the express permission of SAP AG Theinformation contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors containproprietary software components of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registeredtrademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System pSystem p5 System x System z System z10 System z9 z10 z9 iSeriespSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWEROpenPower PowerPC BatchPipes BladeCenter System Storage GPFSHACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel SysplexMVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informixare trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and othercountriesAdobe the Adobe logo Acrobat PostScript and Reader are eithertrademarks or registered trademarks of Adobe Systems Incorporated inthe United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the OpenGroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrameand MultiWin are trademarks or registered trademarks of Citrix SystemsIncHTML XML XHTML and W3C are trademarks or registered trademarks ofW3Creg World Wide Web Consortium Massachusetts Institute ofTechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc usedunder license for technology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAPBusinessObjects Explorer StreamWork and other SAP products andservices mentioned herein as well as their respective logos aretrademarks or registered trademarks of SAP AG in 
Germany and othercountries
Business Objects and the Business Objects logo BusinessObjects CrystalReports Crystal Decisions Web Intelligence Xcelsius and other Business Objectsproducts and services mentioned herein as well as their respective logos aretrademarks or registered trademarks of Business Objects Software Ltd BusinessObjects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and otherSybase products and services mentioned herein as well as their respective logosare trademarks or registered trademarks of Sybase Inc Sybase is an SAPcompanyAll other product and service names mentioned are the trademarks of theirrespective companies Data contained in this document serves informationalpurposes only National product specifications may varyThe information in this document is proprietary to SAP No part of this documentmay be reproduced copied or transmitted in any form or for any purpose withoutthe express prior written permission of SAP AGThis document is a preliminary version and not subject to your license agreementor any other agreement with SAP This document contains only intendedstrategies developments and functionalities of the SAPreg product and is notintended to be binding upon SAP to any particular course of business productstrategy andor development Please note that this document is subject tochange and may be changed by SAP at any time without noticeSAP assumes no responsibility for errors or omissions in this document SAP doesnot warrant the accuracy or completeness of the information text graphics linksor other items contained within this material This document is provided without awarranty of any kind either express or implied including but not limited to theimplied warranties of merchantability fitness for a particular purpose ornon-infringementSAP shall have no liability for damages of any kind including without limitationdirect special indirect or consequential damages that may result from the use ofthese materials This limitation shall not apply 
in cases of intent or grossnegligenceThe statutory liability for personal injury and defective products is not affectedSAP has no control over the information that you may access through the use ofhot links contained in these materials and does not endorse your use ofthird-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages
copy 2014 SAP AG All Rights Reserved Page 34 of 33
- SAP and SAP PampI ACES
- Process-aware Information Systems
-
- The Ideal World
- The Real World
- Cloud Integration
- System Complexity and Adoption Rate
-
- Security Trust and Compliance of Business Processes
- Research Directions and Challenges
- Conclusion
-
Agenda
1 SAP and SAP PampI ACES
2 Process-aware Information Systems
3 Security Trust and Compliance of Business Processes
4 Research Directions and Challenges
5 Conclusion
copy 2014 SAP AG All Rights Reserved Page 26 of 33
Our Research Over the Last Decade
Access Control for Processesbull RBAC-like models
bull Delegation models
bull Break-(the)-glass models
Model-driven Securitybull Modeling of Security
bull Generation of implementation configuration
bull Monitoring based on models
Process-level Verificationbull Compliance to security spec
bull Consistency of security configurations
Implementation-level Verificationbull Compliance of implementation to process level
security req
copy 2014 SAP AG All Rights Reserved Page 27 of 33
Research Challenges
Adaptabilitybull How to extend systems safely
bull Integration of legacy systems
Auditabilitybull Coherent audit across providerssystems
bull Reduction of audit costs
Cloud (SaaS)bull How to manage decentralized systems
bull How to capture behavior of the composition
bull Who is the attacker
Process level vs technical levelsbull Security is more than CIA
bull Ensuring secure implementation
copy 2014 SAP AG All Rights Reserved Page 28 of 33
Agenda
1 SAP and SAP PampI ACES
2 Process-aware Information Systems
3 Security Trust and Compliance of Business Processes
4 Research Directions and Challenges
5 Conclusion
copy 2014 SAP AG All Rights Reserved Page 29 of 33
Conclusion
ldquo The most interesting challenges are still ahead of us
bull Real systems are large and complexbull many programming languages or frameworksbull many security technologiesbull highly distributedbull implement business processes in many different ways
bull Many research is done on the process level
bull We now need to bring thebull process levelbull implementation level
closer together to provide end-to-end security
bull Cloud solutions create new challengesbull data protection across different providersbull new attacker models
copy 2014 SAP AG All Rights Reserved Page 30 of 33
Thank you
Interested in an InternshipThesis at SAP
bull achimbruckersapcom
bull wwwsapcomjobs and search for locationldquoKarlsruherdquo or rsquolsquostudentrdquo
Bibliography I
Wihem Arsac Luca Compagna Giancarlo Pellegrino and Serena Elisa Ponta
Security validation of business processes via model-checking
In Uacutelfar Erlingsson Roel Wieringa and Nicola Zannone editors ESSoS volume 6542 ofLecture Notes in Computer Science pages 29ndash42 Heidelberg 2011 Springer-Verlag
Achim D Brucker and Isabelle Hang
Secure and compliant implementation of business process-driven systems
In Marcello La Rosa and Pnina Soffer editors Joint Workshop on Security in BusinessProcesses (sbp) volume 132 of Lecture Notes in Business Information Processing (lnbip)pages 662ndash674 Springer-Verlag 2012
Achim D Brucker Isabelle Hang Gero Luumlckemeyer and Raj Ruparel
SecureBPMN Modeling and enforcing access control requirements in business processes
In ACM symposium on access control models and technologies (SACMAT) pages123ndash126 acm Press 2012
copy 2014 SAP AG All Rights Reserved Page 32 of 33
Bibliography II
Luca Compagna Pierre Guilleminot and Achim D Brucker
Business process compliance via security validation as a service
In Manuel Oriol and John Penix editors ieee Sixth International Conference on SoftwareTesting Verification and Validation (icst) pages 455ndash462 ieee Computer Society 2013
Christian Wolter Andreas Schaad and Christoph Meinel
Deriving XACML policies from business process models
In Mathias Weske Mohand-Said Hacid and Claude Godart editors WISE Workshopsvolume 4832 of Lecture Notes in Computer Science pages 142ndash153 Springer-Verlag2007
copy 2014 SAP AG All Rights Reserved Page 33 of 33
copy 2014 SAP AG All rights reserved
No part of this publication may be reproduced or transmitted in any formor for any purpose without the express permission of SAP AG Theinformation contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors containproprietary software components of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registeredtrademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System pSystem p5 System x System z System z10 System z9 z10 z9 iSeriespSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWEROpenPower PowerPC BatchPipes BladeCenter System Storage GPFSHACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel SysplexMVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informixare trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and othercountriesAdobe the Adobe logo Acrobat PostScript and Reader are eithertrademarks or registered trademarks of Adobe Systems Incorporated inthe United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the OpenGroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrameand MultiWin are trademarks or registered trademarks of Citrix SystemsIncHTML XML XHTML and W3C are trademarks or registered trademarks ofW3Creg World Wide Web Consortium Massachusetts Institute ofTechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc usedunder license for technology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAPBusinessObjects Explorer StreamWork and other SAP products andservices mentioned herein as well as their respective logos aretrademarks or registered trademarks of SAP AG in 
Germany and othercountries
Business Objects and the Business Objects logo BusinessObjects CrystalReports Crystal Decisions Web Intelligence Xcelsius and other Business Objectsproducts and services mentioned herein as well as their respective logos aretrademarks or registered trademarks of Business Objects Software Ltd BusinessObjects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and otherSybase products and services mentioned herein as well as their respective logosare trademarks or registered trademarks of Sybase Inc Sybase is an SAPcompanyAll other product and service names mentioned are the trademarks of theirrespective companies Data contained in this document serves informationalpurposes only National product specifications may varyThe information in this document is proprietary to SAP No part of this documentmay be reproduced copied or transmitted in any form or for any purpose withoutthe express prior written permission of SAP AGThis document is a preliminary version and not subject to your license agreementor any other agreement with SAP This document contains only intendedstrategies developments and functionalities of the SAPreg product and is notintended to be binding upon SAP to any particular course of business productstrategy andor development Please note that this document is subject tochange and may be changed by SAP at any time without noticeSAP assumes no responsibility for errors or omissions in this document SAP doesnot warrant the accuracy or completeness of the information text graphics linksor other items contained within this material This document is provided without awarranty of any kind either express or implied including but not limited to theimplied warranties of merchantability fitness for a particular purpose ornon-infringementSAP shall have no liability for damages of any kind including without limitationdirect special indirect or consequential damages that may result from the use ofthese materials This limitation shall not apply 
in cases of intent or grossnegligenceThe statutory liability for personal injury and defective products is not affectedSAP has no control over the information that you may access through the use ofhot links contained in these materials and does not endorse your use ofthird-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages
copy 2014 SAP AG All Rights Reserved Page 34 of 33
- SAP and SAP PampI ACES
- Process-aware Information Systems
-
- The Ideal World
- The Real World
- Cloud Integration
- System Complexity and Adoption Rate
-
- Security Trust and Compliance of Business Processes
- Research Directions and Challenges
- Conclusion
-
Our Research Over the Last Decade
Access Control for Processesbull RBAC-like models
bull Delegation models
bull Break-(the)-glass models
Model-driven Securitybull Modeling of Security
bull Generation of implementation configuration
bull Monitoring based on models
Process-level Verificationbull Compliance to security spec
bull Consistency of security configurations
Implementation-level Verificationbull Compliance of implementation to process level
security req
copy 2014 SAP AG All Rights Reserved Page 27 of 33
Research Challenges
Adaptabilitybull How to extend systems safely
bull Integration of legacy systems
Auditabilitybull Coherent audit across providerssystems
bull Reduction of audit costs
Cloud (SaaS)bull How to manage decentralized systems
bull How to capture behavior of the composition
bull Who is the attacker
Process level vs technical levelsbull Security is more than CIA
bull Ensuring secure implementation
copy 2014 SAP AG All Rights Reserved Page 28 of 33
Agenda
1 SAP and SAP PampI ACES
2 Process-aware Information Systems
3 Security Trust and Compliance of Business Processes
4 Research Directions and Challenges
5 Conclusion
copy 2014 SAP AG All Rights Reserved Page 29 of 33
Conclusion
ldquo The most interesting challenges are still ahead of us
bull Real systems are large and complexbull many programming languages or frameworksbull many security technologiesbull highly distributedbull implement business processes in many different ways
bull Many research is done on the process level
bull We now need to bring thebull process levelbull implementation level
closer together to provide end-to-end security
bull Cloud solutions create new challengesbull data protection across different providersbull new attacker models
copy 2014 SAP AG All Rights Reserved Page 30 of 33
Thank you
Interested in an InternshipThesis at SAP
bull achimbruckersapcom
bull wwwsapcomjobs and search for locationldquoKarlsruherdquo or rsquolsquostudentrdquo
© 2014 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML, and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.

Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG.

This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice.

SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence.

The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.

© 2014 SAP AG. All Rights Reserved. Page 34 of 33
Thank you
Interested in an InternshipThesis at SAP
bull achimbruckersapcom
bull wwwsapcomjobs and search for locationldquoKarlsruherdquo or rsquolsquostudentrdquo
Bibliography I
Wihem Arsac Luca Compagna Giancarlo Pellegrino and Serena Elisa Ponta
Security validation of business processes via model-checking
In Uacutelfar Erlingsson Roel Wieringa and Nicola Zannone editors ESSoS volume 6542 ofLecture Notes in Computer Science pages 29ndash42 Heidelberg 2011 Springer-Verlag
Achim D Brucker and Isabelle Hang
Secure and compliant implementation of business process-driven systems
In Marcello La Rosa and Pnina Soffer editors Joint Workshop on Security in BusinessProcesses (sbp) volume 132 of Lecture Notes in Business Information Processing (lnbip)pages 662ndash674 Springer-Verlag 2012
Achim D Brucker Isabelle Hang Gero Luumlckemeyer and Raj Ruparel
SecureBPMN Modeling and enforcing access control requirements in business processes
In ACM symposium on access control models and technologies (SACMAT) pages123ndash126 acm Press 2012
copy 2014 SAP AG All Rights Reserved Page 32 of 33
Bibliography II
Luca Compagna Pierre Guilleminot and Achim D Brucker
Business process compliance via security validation as a service
In Manuel Oriol and John Penix editors ieee Sixth International Conference on SoftwareTesting Verification and Validation (icst) pages 455ndash462 ieee Computer Society 2013
Christian Wolter Andreas Schaad and Christoph Meinel
Deriving XACML policies from business process models
In Mathias Weske Mohand-Said Hacid and Claude Godart editors WISE Workshopsvolume 4832 of Lecture Notes in Computer Science pages 142ndash153 Springer-Verlag2007
copy 2014 SAP AG All Rights Reserved Page 33 of 33
copy 2014 SAP AG All rights reserved
No part of this publication may be reproduced or transmitted in any formor for any purpose without the express permission of SAP AG Theinformation contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors containproprietary software components of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registeredtrademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System pSystem p5 System x System z System z10 System z9 z10 z9 iSeriespSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWEROpenPower PowerPC BatchPipes BladeCenter System Storage GPFSHACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel SysplexMVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informixare trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and othercountriesAdobe the Adobe logo Acrobat PostScript and Reader are eithertrademarks or registered trademarks of Adobe Systems Incorporated inthe United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the OpenGroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrameand MultiWin are trademarks or registered trademarks of Citrix SystemsIncHTML XML XHTML and W3C are trademarks or registered trademarks ofW3Creg World Wide Web Consortium Massachusetts Institute ofTechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc usedunder license for technology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAPBusinessObjects Explorer StreamWork and other SAP products andservices mentioned herein as well as their respective logos aretrademarks or registered trademarks of SAP AG in 
Germany and othercountries
Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.

Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase Inc. Sybase is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG.

This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice.

SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence.

The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.

© 2014 SAP AG. All Rights Reserved. Page 34 of 33
- SAP and SAP P&I ACES
- Process-aware Information Systems
  - The Ideal World
  - The Real World
  - Cloud Integration
  - System Complexity and Adoption Rate
- Security, Trust and Compliance of Business Processes
- Research Directions and Challenges
- Conclusion
Bibliography I

Wihem Arsac, Luca Compagna, Giancarlo Pellegrino, and Serena Elisa Ponta.
Security validation of business processes via model-checking.
In Úlfar Erlingsson, Roel Wieringa, and Nicola Zannone, editors, ESSoS, volume 6542 of Lecture Notes in Computer Science, pages 29–42. Springer-Verlag, Heidelberg, 2011.

Achim D. Brucker and Isabelle Hang.
Secure and compliant implementation of business process-driven systems.
In Marcello La Rosa and Pnina Soffer, editors, Joint Workshop on Security in Business Processes (SBP), volume 132 of Lecture Notes in Business Information Processing (LNBIP), pages 662–674. Springer-Verlag, 2012.

Achim D. Brucker, Isabelle Hang, Gero Lückemeyer, and Raj Ruparel.
SecureBPMN: Modeling and enforcing access control requirements in business processes.
In ACM Symposium on Access Control Models and Technologies (SACMAT), pages 123–126. ACM Press, 2012.
Bibliography II

Luca Compagna, Pierre Guilleminot, and Achim D. Brucker.
Business process compliance via security validation as a service.
In Manuel Oriol and John Penix, editors, IEEE Sixth International Conference on Software Testing, Verification and Validation (ICST), pages 455–462. IEEE Computer Society, 2013.

Christian Wolter, Andreas Schaad, and Christoph Meinel.
Deriving XACML policies from business process models.
In Mathias Weske, Mohand-Said Hacid, and Claude Godart, editors, WISE Workshops, volume 4832 of Lecture Notes in Computer Science, pages 142–153. Springer-Verlag, 2007.