Posted by: Adam Deane | 10/12/2010

BPM and Security

I’m loving all the commotion around WikiLeaks.

Personally, I don’t see anything wrong with it.
I don’t buy into the fearmongering of it damaging national security. More like damaging government’s egos…
Think of how many stolen documents go unreported.
It usually takes events like this to get the security services to get their act together.

Anyway... how does that connect to BPM?

There are a couple of hundred BPM vendors in our industry.
Most work along the lines of opening up the process bottlenecks in the enterprise, making the data more transparent and more visible.
While researching BPM vendor trends, I was surprised to find a vendor with a different approach to BPM: Security.
Sekimia encourages organisations to rely on BPM itself to derive Information Security and Business Continuity Management systems.

BPM and security is a topic rarely discussed.
Defending our systems from cyber attacks? Not our responsibility…
Disaster Recovery Plans? That’s an IT issue…
Defending our systems from organisational espionage? Right. I’ll call James Bond!

BPM encourages organisations to move all their manual work to automated software solutions.
BPM platforms are great targets for cyber attacks. Are we prepared?
Can organisational information from BPM platforms find its way to WikiLeak-like sites?
Are we giving enough thought to BPM security?

Enjoy your weekend


Responses

  1. Adam, I couldn’t agree with you more. Both on the subject of Wikileaks as well as BPM and ECM security. I was planning to write on the same subject also, but you beat me to it once again!!!

    We announced in 2003 a very strong user authentication functionality in addition to our INLINE security functionality of the Papyrus Platform. Most products and software systems use no more than OUTER SHELL PROTECTION. Today the GUI code mostly defines who can access which function and data of the application. In large businesses today it is very common that SOA WebServices are completely unprotected. Programmers who know how to use them can basically do what they like now. The same is true for most Java web applications. Programmers who know the API calls can access them freely. That means that once somebody has broken in, they can do whatever they want.

    In 2003, when we mailed out the information about the security features, we did not have a single response from our customers and prospects. We tried it again after bank archive data were stolen from Swiss and Liechtenstein banks in 2007 and sold to German tax authorities. STILL NO RESPONSE. Maybe Wikileaks will do the trick! This is what we mailed out: http://www.isis-papyrus.com/e10/pages/techinno/tisecurity/tisecurity01.htm

    In Papyrus each and every METHOD call has to be authorized to be accessible to a business user. There are no file services to hack into, and worms and trojans cannot access the Papyrus Platform, because it does not provide any APIs or other open interfaces. The problem is that program developers see all these security features and the lack of APIs as a hindrance to their programming effort. In Papyrus it is the ROLE/POLICY definition that protects that. Yes, it has to be used the right way. If all users are given the same role and policy then the separation of access rights is bypassed. On the lowest level the Papyrus OO-DB can be encrypted, all communications are encrypted as well, and nodes have to exchange authentication tickets to be allowed to access each other’s functions. Business content is much more prone to misuse than raw data, because it is understandable to a human.

    Thanks for bringing up the security subject from a non-vendor perspective. Maybe you will be believed more than me, WHO IS JUST TRYING TO SELL SOMETHING!
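The per-method authorization the comment above describes, contrasted with protection that lives only in the GUI layer, as an added example; this is not Papyrus code or the post’s own, and the service, role names and policy table are constructed for illustration:

```python
"""Added example (not from the post or from Papyrus): per-method authorization
driven by a role/policy table, next to an "outer shell" method that trusts any
caller. All names and the sample policy are constructed for illustration."""
from functools import wraps

# Constructed policy: which roles may invoke which service method.
POLICY = {
    "clerk":   {"view_case"},
    "manager": {"view_case", "approve_payment"},
    "admin":   {"view_case", "approve_payment", "export_archive"},
}

class AccessDenied(Exception):
    pass

def authorized(method_name):
    """Decorator: every call is checked against the caller's role, so the check
    still applies when the GUI is bypassed and the method is invoked directly."""
    def deco(fn):
        @wraps(fn)
        def wrapper(self, caller_role, *args, **kwargs):
            if method_name not in POLICY.get(caller_role, set()):
                raise AccessDenied(f"{caller_role} may not call {method_name}")
            return fn(self, caller_role, *args, **kwargs)
        return wrapper
    return deco

class CaseService:
    # "Outer shell" model: the GUI hides the button, the method trusts anyone.
    def export_archive_unprotected(self, caller_role):
        return "archive.zip"

    @authorized("export_archive")
    def export_archive(self, caller_role):
        return "archive.zip"

    @authorized("approve_payment")
    def approve_payment(self, caller_role, amount):
        return f"approved {amount}"

def can_call(service, method, role, *args):
    """True if the role is allowed to invoke the method, False if denied."""
    try:
        getattr(service, method)(role, *args)
        return True
    except AccessDenied:
        return False

def separation_of_duties_holds(policy):
    """The caveat from the comment: if every role carries the same rights, the
    role/policy check still runs but no longer separates anyone from anyone."""
    return len({frozenset(v) for v in policy.values()}) > 1
```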

  2. It’s a balancing act. On one hand customers expect to have an API that will enable integration with external systems. On the other hand, it opens up security issues.
    Web services, WCF, database connections, code plug-ins, authentication and permissions are security-related issues that seldom get the full monty until the organisation’s first security breach. Then the organisation panics and closes everything.
    Finding the correct balance is the tough part.

  3. On my Oct. 24 Emerald Planet Television interview with host Dr. Sam Hancock, “Father of the Internet” Dr. Vint Cerf, Nathaniel Palmer, and me, my whole interview segment centered on BPM for security and included an Appian slide showing security process flows. My paper “Transforming Security through Enterprise Architecture and BPM” was published in two books selling worldwide. I am a great proponent of this approach and am working on two U.S. military contracts where I hope that we can use BPM for that purpose. I welcome like minds to further this and help make individuals, the private sector, and government more secure.

