For your eyes only: A question of security

Johannesburg, 12 Feb 2002

As the world faces security weaknesses inherent in an increasingly open and globalised world, we have all had to become far more security conscious, both as individuals and as IT systems users. Companies today are increasingly anxious to preserve and protect their privacy and the confidentiality of their online information, particularly when this pertains to 'classified' or privileged, sensitive information, such as a client's personal details, financial information or competitive 'market intelligence'.

Furthermore, many corporates and individuals have also been the victims of a legion of nasty IT viruses, each of which is more virulent and destructive than the last, increasingly pushing the boundaries when it comes to 'hacking' into supposedly secure firewalls.

According to the Workflow Management Coalition (WfMC), there are certain services where security concerns should be carefully considered within a workflow system or co-operating workflow systems. This refers to services particularly within the context of workflow interoperability (workflows spanning corporate boundaries), since "...this is where additional complexities arise due to the separation of security domains across different organisational boundaries, and the probable use of public interconnection infrastructure between the organisations".

These services include the following, some of which will be discussed below in more detail: Authentication, authorisation, access control, audit, data privacy, data integrity, non-repudiation, security management and administration.

Authentication

According to the WfMC, this is "the process by which a computer system or a (human) system user unambiguously identifies themselves to another computer system, normally in the context of gaining access to various services which the authenticated party is authorised to use on that computer system".

The definition of workflow is essentially the "human to human automation of (business) processes". From this perspective, it differs substantially from traditional computing, where the user is typically identified once on connection, and, once authenticated, is then provided access to the appropriate areas of the system.

In the workflow environment, the identity and authentication of the user needs to be tested at every step of the workflow process. This is because, by the very nature of workflow, each new step could be forwarded to a person entirely different from the user who completed the previous one.

The interoperability issue

Typically, a workflow user will go through a process of authentication as part of the log-on activities that he or she is required to do, prior to work being assigned to them by a particular workflow service. However, once the issue of workflow interoperability is introduced, you now have a user whose identity has been verified within the local system - not necessarily across the other geographically dispersed workflow systems that might be participating in the process.

This is where electronic or digital 'certificates' come into play, utilising passwords specific to the user, via Public Key Infrastructure (PKI), which sends a 'key' across systems, verifying their identity prior to taking action on the data associated with that user. Essentially, this allows usernames and passwords to travel securely between different domains, allowing the user to log on to different workflow systems as appropriate.

No one at home

The situation of an unattended terminal raises a whole new set of concerns, and arises from the fact that, once authentication has taken place and the user has successfully logged on, the system then has no way of knowing if that user is still active on their terminal and is actually the one dealing with the step within the workflow process that the system is expecting. This is typical of situations where a manager might leave his workflow 'inbox' unattended while continuing with other tasks and could result in an unauthorised person being able to incorrectly authorise the processing of a particular work item.

This potential security hazard is addressed by enforcing the supply of an electronic signature of the manager, by way of prompting them for their system password, prior to releasing the work item to the next user in the process.
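The per-step check described here and under Authentication above, as an added example (not code from the article or from any workflow product): each release of a work item requires the acting user to re-enter their password, and the user must hold the role the current step demands. User names, roles and the work item are constructed sample data; the password hashing uses PBKDF2 from the Python standard library.

```python
import hashlib
import hmac
import os


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-SHA256; the stored hash never reveals the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Directory:
    """Constructed user directory: salted password hashes plus one role per user."""
    def __init__(self):
        self._users = {}

    def add_user(self, name: str, password: str, role: str) -> None:
        salt = os.urandom(16)
        self._users[name] = (salt, hash_password(password, salt), role)

    def authenticate(self, name: str, password: str) -> bool:
        rec = self._users.get(name)
        if rec is None:
            return False
        salt, stored, _ = rec
        return hmac.compare_digest(stored, hash_password(password, salt))

    def role_of(self, name: str) -> str:
        return self._users[name][2]


class WorkItem:
    def __init__(self, item_id: str, steps: list):
        self.item_id = item_id
        self.steps = steps        # ordered roles that must each act on the item
        self.position = 0         # index of the step awaiting release
        self.audit = []           # (item, step, user, outcome) trail


def release(directory: Directory, item: WorkItem, user: str, password: str) -> str:
    """Release the item to the next step. The user must re-authenticate for this
    step (the article's 'electronic signature') and hold the role it requires."""
    if item.position >= len(item.steps):
        return "completed"
    if not directory.authenticate(user, password):
        outcome = "auth-failed"            # unattended terminal or wrong password
    elif directory.role_of(user) != item.steps[item.position]:
        outcome = "not-authorised"         # authenticated, but wrong role for this step
    else:
        outcome = "released"
    item.audit.append((item.item_id, item.position, user, outcome))
    if outcome == "released":
        item.position += 1
    return outcome
```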

Authorisation

The WfMC defines the authorisation process as the "process of identifying to the computer system the various functions which a user (human and potentially a computer system) may undertake". This attempts to limit the extent of the user's interaction to simply that which they need to know in order to do their work. Within a workflow context, users are usually authorised to play a particular 'role' as defined within the process definition(s), which in the past was determined by the process definer who ultimately controlled what happened to a particular workflow item and the user's interaction with it.

Straight Through Processing

In a bid to improve the integrity of workflow implementation, many process definers are now attempting to remove the human element from the workflow process, and along with it the potential for error or fraud, by implementing so-called Straight Through Processing, which involves system-to-system workflows, otherwise known as application-to-application (A2A) workflows. This then allows the human users to be freed from processing these mundane tasks and they can then concentrate their efforts on processing the exceptions generated by the A2A workflow. This form of workflow is often associated with enterprise application integration (EAI) and is now referred to as business process management (BPM).

Further controls such as version control of process definitions are also now becoming commonplace, which allows changes to be made to a workflow definition, without overwriting the original definition. This allows process definers to dynamically modify existing processes, but provides transparent tracking in the event of any errors, deliberate or otherwise, in the authorisation process.

Non-repudiation

In certain workflow scenarios, particularly those supporting electronic trading of some variety, there may be a requirement for the non-repudiation of the originator's message. This is to assure the recipient of the message (or workflow item) that the originator cannot deny the validity of the workflow item (or business transaction) that he or she has initiated.

The need for this arises in situations such as e-business sites on the Internet, where online orders might be placed via a workflow system, or in paperless supply chain environments where electronic requests are made. In these situations, Public Key techniques are used to ensure adequate proof of origin, and Private Key techniques provide privacy and assurance between the transacting parties.

Data integrity

Associated data integrity services ensure that the data transferred between the parties has not been modified in any way during the process of transfer. Strong data integrity will usually rely on cryptographic algorithms applying a message hash, for example, computed by a strong one-way algorithm. These message hashes, when associated with a public or private key, ensure that it is impossible for the data to be changed in any way during transit, since verification of the message hash is done via additional algorithms upon arrival at the target machine using the associated key.

This level of data integrity is usually only applied in certain very sensitive areas of workflow, for example in the financially oriented workflow contexts, where the integrity of data travelling between parties is critical.

In conclusion

Any security system, according to the WfMC, which relies on passwords, cryptographic keys or similar systems, will require a security administration domain providing mechanisms for the allocation, distribution, secure storage and, in due course, replacement of the passwords or keys. The main problematic area here is that of key distribution between the parties where cryptographically based security services are required in the context of workflow interoperability.

However, as the WfMC points out: "Where secure, interoperable workflow systems are established, it is reasonable to assume that such internetworking will be as the result of an agreed business process between the parties, within which such security provisions will be agreed and actioned."

Editorial contacts

Liesl Simpson
Livewired Communications
(011) 789 5125
Mark Ehmke
TIBCO Software
(011) 467 1440
mehmke@staffware.com