Chinese wall security for decentralized workflow management systems

摘要

Workflow systems are gaining importance as an infrastructure for automating inter-organizational interactions, such as those in Electronic Commerce. In such an environment, a centralized Workflow Management System is not desirable because: (ⅰ) it can be a performance bottleneck, and (ⅱ) the systems are inherently distributed, heterogeneous, and autonomous in nature. Decentralized execution of inter-organizational workflows may raise a number of security issues including those related to conflict-of-interest among competing organizations. In this paper, we first provide an approach to realize decentralized workflow execution, in which the workflow is divided into partitions, called self-describing workflows, and handled by a light weight workflow management component, called workflow stub, located at each organizational agent. Second, we identify the limitations of the traditional workflow model with respect to expressing the various types of join dependencies and extend the traditional workflow model suitably. Distinguishing the different types of dependencies among tasks is essential in the efficient execution of self-describing workflows. Finally, we recognize that placing the task execution agents that belong to the same conflict-of-interest class in one self-describing workflow may lead to unfair, and in some cases, undesirable results, akin to being on the wrong side of the Chinese wall. Therefore, to address the conflict-of-interest issues that arise in competitive business environments, we propose a decentralized workflow Chinese wall security model. We propose a restrictive partitioning solution to enforce the proposed model.