BPM, ECM, ESB, and Security
Friday, January 26th 2007 | Ismael Ghalimi
What makes enterprise architecture both difficult and fascinating is that it's all about dealing with a multi-dimensional problem. Focus on one or two dimensions, and the others quickly become orthogonal considerations, usually relegated to a later time and, in practice, never really implemented. More often than not, security is one of the dimensions that does not get the attention it deserves. Dealing with security is a little bit like cleaning your house: when it's clean, nobody can really tell how much work it took to get there, and only when things get dirty do people start noticing. This post from security architect James McGovern is a good summary of the problem at hand, and gives me an opportunity to answer a question that was asked following the publication of this post on the intersection of BPM and ECM: what about security?
Among other things, a security architect is usually interested in authentication and entitlement. The first ensures that you really are who you say you are, while the second grants you permission to perform specific actions upon specific resources once you have been identified and your credentials have been established. From an architecture standpoint, authentication has been largely solved with Single Sign-On architectures. That does not mean that companies have deployed it yet, nor that Web resources support it—I wish they did—it just means that the standards have been set, implementations have been developed, and best practices have been defined. Entitlement is another story altogether.
Entitlement, which is also known as authorization, is a complex problem to solve, because it covers a broad range of actions that can be performed upon a broad range of resources. While the scale and complexity of a Single Sign-On infrastructure typically grows linearly with the number of systems and the users having access to them, the scale and complexity of an entitlement infrastructure grows exponentially with the number of resources and services it controls access to. Because of such inherent complexity, standards for entitlement or authorization are fairly complex too. For some time, one of the references in the space was the Role Based Access Control model developed by the National Institute of Standards and Technology (NIST). Eventually, it was superseded by the eXtensible Access Control Markup Language (XACML) developed by OASIS, which is one of the most complex specifications I have ever come across.
From an architecture standpoint, I believe that XACML uses the right model to solve the problem at hand. As James explains in his post, it defines several components: a Policy Administration Point (PAP), which allows for centralized administration; a Policy Decision Point (PDP), which defines how rules and conflicts are resolved; and a Policy Enforcement Point (PEP), which is responsible for the actual enforcement of all policies. The technology is good, but the challenge has been in getting multiple vendors to adopt it. If history is any indication, what happened for authentication will happen again for entitlement. Because vendors of enterprise systems and applications had different ways of authenticating users and did not agree on a common standard, other vendors had to step in and provide generic solutions that could connect to a variety of existing systems. For authentication, such solutions came from traditional security vendors such as RSA. For entitlement, I believe that solutions will come from ESB vendors, for SOA is providing a compelling event for their deployment. They might also come from BPM vendors, for business processes provide the right set of scenarios for defining meaningful entitlement policies.
This brings us back to the original question, which is to understand how the security model used by an ESB will mesh with the one adopted by a BPM system. Security, alongside discoverability and reusability, is one of the services that should be offered by a good ESB, and entitlement is one of its critical elements. XACML is quite a good fit for the ESB model, in the sense that it would allow service owners to specify rules and policies for granting access to services managed by the ESB. Things get a little bit more complex for a BPM system, because entitlement can be implicitly defined and transparently enforced when using the right process modeling methodology and notation. In this respect, the BPMS acts as some kind of process firewall.
The idea for a process firewall is pretty simple: model your process in BPMN using multiple swimlanes—one for each participant, be it a human being, an external system, or another process. The very act of breaking your process down into participants implicitly defines who can do what, which is also called authorization, or entitlement. Essentially, entitlement definition becomes a simple by-product of process design, and it's one that comes for free, with the right level of granularity. If you adopt this approach and assume that all your services will only be consumed by processes deployed on the BPMS, setting up your ESB for policy enforcement becomes trivial: no system other than the BPMS can call any service, and the BPMS itself is left free to do whatever it wants. With such a model, the BPMS becomes your PAP, your PDP, and your PEP, all in one. Pretty cool, isn't it?
Of course, this model is overly simplistic, and most real-world deployments would include services that are used by many systems other than the BPMS. In this case, the ESB becomes the primary PAP, PDP, and PEP, and is extended by the BPMS, which acts as a secondary PAP, PDP, and PEP. If you adopt such a model, two options become available to you: one is to use the BPMS to circumvent the entitlement rules defined by the ESB, the other is to use the BPMS to refine them. According to the first option, a given role might not be able to perform a certain action upon a given resource based on the rules defined in the ESB, but would be allowed to perform it within the context of a specific process managed by the BPMS. According to the second option, the ESB might define broad entitlement rules for a set of resources, and let the BPMS define narrower scenarios whereby particular roles perform some actions upon a subset of these resources, again within the context of a specific process. The first could be characterized as an exception definition mechanism, while the second is a specialization technique for the definition of fine-grained entitlement rules. I believe that both could be used side by side, and that there would be significant benefits in doing so.
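To make the PAP/PDP/PEP split, the process-firewall idea and the two BPMS options (exception and refinement) concrete, here is an added example, written for this post and not code from Intalio or from any XACML implementation. It is a toy policy decision point in Python: ESB rules are the primary policy, swimlanes of a process are turned into refinement permits that only hold inside that process, and a separate exception rule shows the circumvention case. The roles, resource names, the "CustomerDispute" process and the combining logic (first-applicable, default deny, exception before refinement) are all assumptions, not XACML syntax or semantics.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Effect(Enum):
    PERMIT = "Permit"
    DENY = "Deny"


@dataclass(frozen=True)
class Request:
    role: str
    action: str
    resource: str                    # hierarchical resource id, e.g. "crm/customer/42"
    process: Optional[str] = None    # BPMS process context; None for a call not made by the BPMS


@dataclass(frozen=True)
class Rule:
    role: str
    action: str
    resource_prefix: str             # applies to every resource under this prefix
    effect: Effect
    process: Optional[str] = None    # BPMS rules only: valid inside this process
    kind: str = "base"               # "base" (ESB), "exception" or "refinement" (BPMS)

    def matches(self, req: Request) -> bool:
        return (self.role == req.role
                and self.action == req.action
                and req.resource.startswith(self.resource_prefix)
                and (self.process is None or self.process == req.process))


def lanes_to_rules(process: str, lanes: dict[str, list[tuple[str, str]]]) -> list[Rule]:
    """Process firewall: each swimlane (a participant role) and the tasks drawn in it
    become refinement permits that hold only inside that process."""
    return [Rule(role, action, prefix, Effect.PERMIT, process, "refinement")
            for role, tasks in lanes.items()
            for action, prefix in tasks]


class PolicyDecisionPoint:
    """ESB rules are primary; BPMS rules extend them as exceptions or refinements."""

    def __init__(self, esb_rules: list[Rule], bpms_rules: list[Rule]) -> None:
        self.esb_rules = esb_rules
        self.bpms_rules = bpms_rules

    def esb_decision(self, req: Request) -> Effect:
        # First applicable rule wins; nothing applicable means deny (assumed combining logic).
        for rule in self.esb_rules:
            if rule.matches(req):
                return rule.effect
        return Effect.DENY

    def decide(self, req: Request) -> Effect:
        if req.process is None:
            return self.esb_decision(req)          # outside a process only the ESB policy speaks
        # Exception: the ESB would deny, but this process explicitly permits the step.
        if any(r.kind == "exception" and r.matches(req) for r in self.bpms_rules):
            return Effect.PERMIT
        if self.esb_decision(req) is Effect.DENY:
            return Effect.DENY                     # refinements only narrow, never widen
        # Refinement: if the process has lanes, the role must sit in one of them and the
        # requested step must be one of that lane's tasks.
        lanes = [r for r in self.bpms_rules if r.kind == "refinement" and r.process == req.process]
        if not lanes:
            return Effect.PERMIT                   # unknown process: the ESB decision stands
        return Effect.PERMIT if any(r.matches(req) for r in lanes) else Effect.DENY


class PolicyEnforcementPoint:
    """Wraps a service call; the call only runs on a Permit decision."""

    def __init__(self, pdp: PolicyDecisionPoint) -> None:
        self.pdp = pdp

    def invoke(self, req: Request, service):
        if self.pdp.decide(req) is not Effect.PERMIT:
            raise PermissionError(f"{req.role} may not {req.action} {req.resource} (process={req.process})")
        return service(req)


def build_pdp() -> PolicyDecisionPoint:
    # Constructed sample policy; roles, resources and the process name are hypothetical.
    esb_rules = [
        Rule("account_manager", "read", "crm/customer/", Effect.PERMIT),
        Rule("account_manager", "update", "crm/customer/", Effect.PERMIT),
        Rule("account_manager", "write_off", "billing/invoice/", Effect.DENY),
        Rule("billing_clerk", "read", "billing/invoice/", Effect.PERMIT),
    ]
    dispute_lanes = {
        "account_manager": [("read", "crm/customer/")],      # narrower than the ESB's read+update
        "billing_clerk": [("read", "billing/invoice/")],
    }
    bpms_rules = lanes_to_rules("CustomerDispute", dispute_lanes) + [
        # Exception: inside a dispute the account manager may write off the invoice.
        Rule("account_manager", "write_off", "billing/invoice/", Effect.PERMIT, "CustomerDispute", "exception"),
    ]
    return PolicyDecisionPoint(esb_rules, bpms_rules)


if __name__ == "__main__":
    pdp = build_pdp()
    for req in [Request("account_manager", "update", "crm/customer/42"),
                Request("account_manager", "update", "crm/customer/42", "CustomerDispute"),
                Request("account_manager", "write_off", "billing/invoice/7"),
                Request("account_manager", "write_off", "billing/invoice/7", "CustomerDispute")]:
        print(req, "->", pdp.decide(req).value)
```

The ordering in `decide` is the security-relevant design choice: an exception is an explicit, process-scoped widening and is checked first, whereas refinement can only remove rights the ESB already granted, so a role that is not a participant of the process gets nothing extra from it. Whoever administers the exception rules is, in effect, a second PAP, and that is where an auditor would want to look.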
The way an ECM system would fit into this picture is quite interesting as well. Access control is a critical feature of any ECM deployed within an enterprise environment, and sharing the same entitlement architecture with the BPMS and the ESB would provide significant benefits. For documents attached to process instances, the entitlement architecture would define who gets to do what with the document, at different points in the process execution, which is something that is very difficult to do with a standalone ECM that has no notion of process context. Also, using the ECM's native access control infrastructure would allow the definition of proper entitlement rules for the manipulation of process artifacts, such as process models, service definitions, or user interfaces, while coupling it to the BPMS' process deployment infrastructure would allow the definition of rules directly tied to different points in the process lifecycle, such as development, testing, deployment, or update. For more on the intersection between BPM and ECM, you can refer to this article.
As far as I know, no BPM vendor has ever adopted such a model in combination with an ECM and an ESB. Nevertheless, the technology exists today for building such a thing, and all we need is enough customer interest for getting it done. This is something that Intalio is actively pursuing today, and I would expect that we will be in a position to announce interesting developments in this area sometime this year.
In the meantime, I wish you all a very good week-end.
Entry filed under: BPM 2.0, SOA
Ismael,
I believe that you have oversimplified things a lot. In the real world, not every enterprise can do a wholesale migration from current systems to Web-based systems. Some systems will never get migrated anytime soon, if ever. The death of COBOL was predicted more than 20 years ago, but it is still going strong and got objectified. Many banking transactions are conducted behind the scenes through CICS and IMS databases for their optimized performance on the IBM System 390 architecture (a batch machine).
Your method of assigning one person to a business per process is impractical. Remember that a process consists of activities and an activity entails tasks. With a high volume of transactions and specialization of work, a group of individuals would perform similar, but not always identical, tasks concurrently. Moreover, senior staff and supervisors, in general, have more authority and can do more than junior staff members. For example, a supervisor can write off certain amounts on the spot with a customer, but not a junior staff member.
You seem to over-promote the capabilities of BPMN and BPMS with theoretical but impossible practices. Most of the current BPMSes with BPMN cannot even handle EDI, let alone other enterprise activities such as production (or manufacturing), strategic management, innovation, etc. If BPMN and BPMS were that powerful and could handle everything under the sun, DoD and ISO would have abandoned SysML and PSL a long time ago! Don't forget OMG, OASIS, and the like are not de jure standards bodies such as ISO, IEEE, ANSI, EIA, BSI, EMAC, CSA, etc.
I believe that I have repeated myself many times over throughout this blog under different articles. This is my last time suggesting to you not to over-promote the capabilities of BPMN and BPMS. They are still in their infancy. If they were mature enough, security would have been incorporated in the first release! Leaving out security in a software product is a sign of inexperience!
Best regards
-Francis
Francis,
I did not suggest that all existing systems should be replaced by Web-based alternatives. On the contrary, I am promoting a model that can let both play side by side.
As far as processes are concerned, I believe that you should re-read the BPMN specification, and actually try to implement some processes with Intalio. This would give you a better appreciation for what is possible. Our model certainly does not assign one process per person, therefore the comments you made in your second paragraph do not really apply.
Regarding standards, we all agree that having BPMN and BPEL become de jure standards would be better for everyone. But guess what? This takes time, and it needs support from many parties that are using the technology in order to make it mature to the level where it can become a de jure standard. It seems to me that you’re saying: it’s not ready, so I won’t use it. That’s perfectly fine, but it does not mean that the approach does not have value. It just means that it needs more work, and the sooner we start, the sooner we’ll be done with it.
There is a life after the mainframe!
Best regards
-Ismael
Ismael,
I couldn't agree with you more that there is life after the Mainframe. The Mainframe was designed and optimized to do batch processing that automated book-keeping tasks in the 60's. It was amazing that when I visited IBM's birthplace, Endicott, back in 1988, the research engineer in the lab came out and said that the 360, 370, and 390 architectures were designed and optimized for batch or sequential processing. For online real-time processing, one should choose something else. Examples were IBM System 88 (Stratus with IBM's label), or even DEC! At that time, I was on contract with Rogers AT&T cellular phone services provider in Canada as Chief Architect. The problem that needed to be solved was how to handle the call detail records (or toll tickets) sent from a telephone switch. The IBM 3745, the largest communication controller at the time, couldn't handle the speed and volume of data sent from a telephone switch! A viable solution at that time was to get either a Tandem or a Stratus to handle the volume of data off-loaded by a telephone switch via asynchronous transmission mode. Although a telephone switch could transmit data in HDLC mode, IBM's communication controller could only handle SDLC mode at 2,400 bits per second. The asynchronous transmission software never worked on the communication controller!
I am not convinced that BPMN can handle the type of real-time modelling as you believe it could. If it does, activities on SysML and PSL should be terminated. DoD, MOD, NIST, OMG, NATO, etc. are wasting their time in evolving those standards.
Didn't you say to use one swimlane per person to model the process? That is impractical. As I mentioned elsewhere in this blog, BPMN is rich in symbology but poor at supporting the time-honored hierarchy of process, activity, and task! When you can demonstrate to me how you can model the process hierarchy, then I will be convinced that BPMN can handle real-life process control such as SCADA (Supervisory Control and Data Acquisition)!
When a standard is really good, a large organization can always fast track it. Examples are: Microsoft on C# with ECMA and DoD on EVM with ANSI/EIA!
Best regards
-Francis
Francis,
What I said is you use one swimlane for each abstract participant in the process (ERP system, account manager). Then you can have multiple actual actors (SAP R/3 instance in Germany, John Doe) bound to each participant at runtime. This is no different than what is done with UML activity diagrams by the way. And BPMN does actually support the process, activity, task hierarchy you mentioned. An end-to-end process is designed as a collection of independent processes modeled through swimlanes, and each process contains activities. In turn, each activity can contain multiple activities through recursive nesting, and some of these activities can be task assigned to roles, usually held by human beings.
Best regards
-Ismael
Ismael,
In response to your reply, please refer to comment #11 of this article. I do not want to repeat myself many times over in different articles.
Best regards
-Francis
Francis,
Please see my answers there too.
Best regards
-Ismael
Ismael,
What you describe is comparable to the trust relationship we (usually) have between a database and an enterprise application. Nevertheless, DBAs are complaining that they cannot use their audit tools anymore. Is this the future for all of us, application developers? And what about data security? To me, there is something that is often missed when talking about security: the data axis.
Even if in most cases people consider this is an applicative issue (I do, most of the time), what about the fact that if authorizations are centrally managed it can apply as well to the fact that a particular user may or may not be able to see such data in this application, based on rules shared with another application, or depending on data in another application. It’s a little bit like this guy can see data A only if he has this role, and can see data B as well, and data A and B are managed by two different applications.
Beside the fact that integrating a centrally managed authorization system is an applicative issue, I have a hard time figuring how this is going to work in a pure BPEL environment like the one you describe. And I am not only talking about technical stuff, I am talking about having a clear, concise, and standard way of defining this kind of interaction using BPMN.
McGovern is right in saying that something needs to be done, otherwise BPMS vendors will start defining their own way, thus breaking the compatibility/interoperability promise of BPMN/BPEL.
Regards
-Claude
Hi Francis,
I’m not sure why you have such a lack of faith in what Ismael describes here. I would agree in principle with everything he has to say. The description is simple because at this granularity, it is. However, I do have my own spin on where the application of security should be located within a BPMS. My take is that it should reside in the process engine and the rules set through administration. I will not go into details, but I have a white paper on the subject.
By the way Ismael, I would suggest a third dimension to your view of authentication and entitlement; that being behaviour. A role only indicates what your job is, not what you can do for that role. You don’t want a manager to approve their own expenses, but he will need to for his employees.
Francis: I notice that you’re a bit hung up on the notion of one person per swimlane, when in actual fact it is one role per swimlane, moderated by information on behaviour that could preclude someone with that role from a particular process instance. Now, while BPEL does not directly support this, it can be constructed with processes.
You feel that Ismael is over-promoting BPMN and BPMS; you might be near the mark for the former, but not for the latter. Don't forget that BPMN is based on mathematical principles. I cannot agree with your suggestion that security should have been incorporated in its first release. Did that happen with Microsoft Windows or with Web Services?
How do you use process hierarchy? Is that your starting point? Is this going to be the one and only way to design processes? Hierarchy is very top down, a functional decomposition. Far better is to understand the end-to-end process and use sub-processing, just as Ismael describes (comment 4 above).
Regarding your comments on the previous posting, the approach of using process owners is a long standing one (Michael Hammer & James Champy). The point (1) that you made is close to the truth; a process owner is the business organisation unit. The problem is that a process can cross multiple business units. Who is the process owner then? You have to appoint someone with authority to take on that responsibility.
2 & 3. I agree that software should be easy to use. However, I would suggest that it be fit for purpose first. I concur that a BPMS is not necessarily user friendly (Intalio excepted…), but who is building the system? Once it is in place, the business owners (business analysts) can readily maintain and improve the business process with the process tools. If the system is poorly designed, it is not the fault of the BPMS. A BPMS is not just the processes and the process engine, but a collection of components, including BAM and portal. Lose one, and that particular BPMS is broken.
4. You’re absolutely correct, software can be built anyway you like. BPM is just one way, but also one of the best ways of doing it, and is standards based. It also gives you the potential to share processes between different systems.
I still am of the opinion that BPEL is best used to interface to systems like manufacturing processes. I don't see that manufacturing processes are business processes, despite the similarity. I am sure that some minor extensions to BPEL would allow this however. A BPMS is designed to integrate with other systems, so use it that way. Otherwise it's a bit like suggesting using BPEL rather than PL/SQL!
All the best
-Bob
Claude,
You’re bringing a very important question, which is the data dimension in business processes. To a large extent, it is ignored by BPEL, which only cares about the outer shell of data, incarnated by the XML schemas used for any given WSDL interface. Beyond such a shell, a proper system would need a way to express rules on data, especially for security purposes. One could argue that such a thing should be handled by some Master Data Management (MDM) system (using SAP’s terminology), and that all data manipulations handled by the BPMS should actually be deferred to the MDM layer. I discussed this with the executive in charge of MDM at SAP, but I do not believe that SAP is going down this path yet, for it would require deep integration between components that are managed by totally separate teams. Nevertheless, I believe that to be the best way of handling the kind of scenarios you’re describing. How about we work on this together through a D3 project?
Best regards
-Ismael
Bob,
We’re on the same page.
Best regards
-Ismael
Francis,
There’s no such thing in BPMN as one pool per user. Pools are used to define participants, which can represent a system, a service, an application, a user, a role, an organization, another process. In short, a pool represents any entity that is involved in performing tasks in an end-to-end process.
A BPMN diagram can represent a “myCompany” pool that has one task that could be “GenerateProfit”. This would be a valid BPMN diagram, although I’m not sure it would help much. A pool can as well represent “Francis Ip”, who is requested to give a call to his boss as soon as possible.
In an end-to-end business process, there are different levels of granularity, from the high level view that business decision makers can work on when defining business strategy and organisational structures, down to defining robust, secure, fail-safe transactional calls to the ERP. Sub-processes, and what we call reusable processes at Intalio, provide the capability to work at these different layers, and link them to each other in a very natural way, so that business analysts and process analysts can cover processes end-to-end.
In addition, even when considering a specific layer where dozens of pools could be used, it is still possible to hide some of them, or look at the process from one specific perspective, filtering information as necessary. This is where the tool can provide interesting functionality to help scaling business models beyond the typical flow charts that you can see on many organizations’ walls.
When you combine all of this, BPMN can definitely be used to model real, large, and complex business processes used in many industries, including defense, healthcare, and manufacturing, to name a few, where you seem to have doubts it can be used. If you’re still not convinced, please come attend one of our training sessions, and we’ll show you this in more details.
Francis,
It does not take BPMN to find security holes in database management systems. Security is a serious issue for all systems and organizations, and it’s been so for a long time, and will probably remain so for many more years to come. I don’t understand how BPMN or the BPMS could create new security issues that did not exist at all before, nor why they could not be overcome.
I certainly understand that BPM is a paradigm shift, and it's a challenge for most of us to undertake it. Every paradigm shift brings its share of fear. How many people were concerned about the Internet, or Java, or even relational databases at a time when hierarchical database systems were the standard? It does not mean that the Internet killed newspapers or TV, nor that Java killed C++, and BPMN does not mean the death of other, older notations. But at the end of the day, either people will adopt it and overcome the difficulties, or they will stay where they feel more comfortable, or they will move on to something else.
Jacques-Alexandre,
It is an interesting point that you make about secure, fail-safe transactional calls to back end systems. This is exactly what I’m involved with at the moment. Providing such sub-processes provides a nice, clean interface that business folks can use without any concern about underlying IT requirements.
What is interesting is that not many people talk about patterns when it comes to processes and yet, I notice that they exist everywhere. In fact I tend to use Facade and Proxy patterns quite a lot in my thinking and design work.
Do you know of anyone who discusses process in these terms? I’m sure that if people did for process that which has been done for general programming, it would be quite fruitful. You might even manage to make a few converts on the way.
Cheers
-Bob
Jacques-Alexandre & Bob,
Process management has been around for about a century, influenced mostly by Frederick Winslow Taylor, the father of scientific management. Structured methodologies (SADT, IDEF, and DFD) in the 70's aimed at improving all enterprise processes, not just one or two sets of functional processes. Business processes are one set of functional processes. CAD/CAM were already in force in those days with real-time process control (SCADA) in manufacturing (or production) processes. Read my article posted in this blog almost a year ago, Business User Perspective on UML, BPMN, and BPMS.
C2 in the Orange Book (by DoD) has been the baseline for computing security since the 60’s. Now C2 is also called Common Criteria (ISO 15408). In addition to Operating Systems such as IBM’s AIX or Windows 2000, Oracle’s products are also C2 certified, as they circumvent OS security by taking direct control of physical hard disks, and do their own clustering of computers. Broadly speaking, there are general group policies, and explicit allocation of computing resources to individuals. Meaning, every person has a unique token in using computing resources when authenticated. For instance, Jacques, Bob, and I may belong to the same security class, but there may be resources that I can access, but Jacques and Bob cannot until I grant them the right on each one. W3C has had WS-Security for a long time, but I am not sure how it stacks up against ISO 15408 though! The swimlane or pool in BPMN would work for group policies. When it gets down to an individual, you need the layering capability. Ismael said in a comment of another article that Intalio’s Process Designer did provide such a capability.
Jacques and Bob, I don’t know how many years of experience you have in terms of real-time process control and security. My first real-time process control project was QEW Freeway Surveillance in Ontario back in 1974! My first encounter of stringent requirements for security was a suite of turnkey Patient Registration and A/D/T Systems that I delivered to a world famous teaching hospital back in 1980 in Hamilton, Canada. That was my first management consulting assignment!
Jacques, you are a pretty good marketing man. I, however, cannot afford to pay for a training course. If I had the money, I would go for the PDUs first, as required by the PMP certificate exam. Getting a PMP designation is more profitable to me than knowing how to use a particular software package.
I tend to adhere to de jure standards, ISO in particular, as they are more universal than consortium standards! For instance, PL/1 in North America and Algol in Europe were the de facto standard programming languages in the 60’s and 70’s. Where are they now? Another example, IBM had EBCDIC and SDLC for character encoding and packet switching respectively. Moving to UNIX and Java, IBM had to abandon both of them. Moreover, IBM doesn’t talk about SNA anymore, but Internet! IBM had a grand vision of offering integrated Computer, Telecom, and Satellite products and services in the early 80’s. It bought a telephone manufacturing company (I forgot the name now) that competed against Northern Telecom (now Nortel) and AT&T (now Lucent). There was no way that IBM could integrate its proprietary schemes with CCITT (now ITU) standards-based products and services. In those days, I worked with IBM Canada’s national support SEs to configure underlying IT infrastructures for clients. I always asked tough questions on behalf of clients. One time, one of the 3 consulting SEs came to visit me and told me the roadmap of OS/2. In general, the job for a consulting SE is to advise the President of IBM Canada what businesses IBM Canada should get into. They don’t go out to visit customers. I was the exception. It was a coincidence that the consulting SE who visited me was the CE at the Ministry that I used to work for before I got into the management consulting arena. We never met each other in those days, but we did know the same group of people who worked in the data center at the time. In one of my consulting assignments, I had national support SEs from IBM, DEC, and Tandem to work for a client at the same time! In several occasions, I also worked with the CEOs of software (e.g. Sentry at Chicago) and computer (e.g. Stratus of Canada) vendors! I always challenged a vendor’s overhyped product capabilities. 
In one of my consulting assignments, I sent an RFP to several vendors—IBM, DEC, Tandem, and Wang. In that RFP, each vendor had to deliver a working prototype, and demonstrate that the products submitted in the proposal could meet the requirements as stipulated in the prototype specification of the RFP. In other words, I go by real-life working products, not claims, even if you are as large as IBM or HP!
Best regards
-Francis
P.S. I am getting tired of repeating myself many times over in different articles! In essence, retrofitting security into a software product is a very expensive undertaking. Moreover, if security is not incorporated in the first general release of a software product, it only means that the vendor is inexperienced!
Hi Francis,
I understand your frustration on repetition, but I’ve not had the advantage of seeing your other writings, sorry. I never intended to contradict you about vendors and security. I’m just not so surprised that it happens. History repeats itself.
Please believe that I take everything that you say very seriously, and comment only after considerable reflection of my own perspectives. I certainly cannot match your extensive experience in this field, though our work experience would seem to have similar spans.
All the very best
-Bob
I have written a basic security article on ECM security planning, and will write follow on articles as well. Please post some thoughts.
Steve,
It is very simple, when choosing a product. It depends on what platform the product was developed and implemented. If it is .Net, I know that it can capitalize on Windows’ security model, because it has been C2 certified. If the product is Java based, I would ask for a Critical Criteria—C2 (ISO standard) certification before I would touch it. Java runs in its own world! Many open-source products never had security in mind! It is an all or nothing proposition.
Best regards
-Francis
Francis,
Part 2 in this article: some expansion beyond basic tenets as areas of focus.
Steve,
What you wrote is nothing new. It has been addressed by the DoD (Department of Defense) in the Orange Book (Trusted Computing) back in the 60’s. Have you visited the C2 site (ISO standard)?
Best regards
-Francis