www.elsevier.com/locate/compind
Computers in Industry 56 (2005) 361–370
Collaborative business and data privacy: Toward a cyber-control?
Frederique Biennier *, Joel Favrel
PRISMa, INSA de Lyon, France
Received 1 February 2004; received in revised form 18 November 2004; accepted 31 January 2005
Abstract
The pervasive use of communication and information technologies can be seen as a driving force to develop distributed
organisations. As far as collaborative business is concerned, short-term e-collaboration can be developed. In this case, security
policies must be integrated in the common business process (BP) organisation so that trusted co-operation can be established.
For this purpose we propose to couple a generic authorisation workflow to the business process own workflow and to report all
the actions on the shared information systems. Nevertheless, reporting tools can be seen as threats on data privacy. We propose
here a multi-level architecture to provide both a sufficient security level and a personal data privacy protection.
© 2005 Elsevier B.V. All rights reserved.
Keywords: Virtual enterprise; Security; Data privacy; Process models
1. Context
Recent changes in the market have led enterprises to overcome their own borders so that economic partners are considered as members of a same organisation: it leads to organisations as virtual enterprise, extended enterprise or to the expansion of alliance based strategies. Moreover, the pervasive use of information and communication technologies can also be a driving force to support organisational mutations inside the enterprise: by bringing the right information at the right time to different actors, distributed decision systems can be set [25]. Such distributed organisations are based on responsibilities and competencies management so that actors are rather autonomous for the tasks they are responsible for.
Abbreviations: BP, business process; eb-XML, electronic business extended markup language; EDI, electronic data interchange; IP, internet protocol; IS, information system; ISSO, information system security officer; OCTAVE, operationally critical threats asset and vulnerability evaluation; PKI, public key infrastructure; QoS, quality of service; SDL, system description language; SRA, structured risk analysis; UML, unified modelling language; VE, virtual enterprise; XML, extended markup language
* Corresponding author.
E-mail address: [email protected] (F. Biennier).
0166-3615/$ – see front matter © 2005 Elsevier B.V. All rights reserved
doi:10.1016/j.compind.2005.01.004
To support such organisations, dedicated inter-enterprise business processes (BP) can be set [9], paying a particular attention to public/private processes interconnection [8]. In order to provide more flexible information systems (IS) interconnection, open architectures based on web technologies such as Webflow [18] or on web services [29] can be used. These component based approaches fit well the flexibility and reactivity requirements involved by the C-business. Nevertheless, both of them open the enterprise information system and business process so that the IS security policy (i.e. information access rights, communication security, etc.) must be taken into account [16]. For this purpose, different standards and methods can be used to define a convenient security policy (Section 2.1). As far as the security policy implementation is concerned, different security models can be used [15] so that IS (and business process) consistency can be provided. Nevertheless, these necessary security features (authentication systems, message filters, etc.) also provide consistent activity reports (workflow log files, network reporting systems, etc.) that can be analysed to rebuild the business processes execution [26]. As this reporting activity is made on the value added process itself, it may lead to data privacy problems [31] (Section 2.2).
As far as a virtual enterprise is concerned, collaborative practices involve that the different partners have to share parts of their own information system. In this case, defining consistent security policies relies mostly on access control systems. For this purpose, we propose to couple a generic authorisation workflow to the business process specification (Section 3.1). Nevertheless, such a security policy implementation makes heavy use of reporting systems integrating large amounts of personal data. To solve both these security and data privacy problems, we propose a multi-level architecture used to separate the user authentication process from the workflow reporting system. Thanks to a Kerberos-like architecture [28], reporting data cross-analysis can be reduced so that data privacy requirements can be taken into account (Section 3.2).
2. Security policy: protection versus cyber-control
As the information system consists in both tangible (servers, physical devices, PC, etc.) and intangible (the information system content, processes) parts of the enterprise patrimony, different protection features must be set: ‘‘Physical’’ protections are set for physical equipment whereas ‘‘security services’’ have to be defined to protect the intangible part:
- Information confidentiality, i.e. the access must be restricted to only authorised users (for both internal and external actors).
- Information integrity, i.e. information content protection against malicious changes.
- Information system availability.
Implementing a convenient protection involves first taking into account the specific needs of a company, then defining and implementing a consistent security policy and lastly continuously evaluating the current security level. For this purpose, methods and standardised security evaluation criteria are proposed (Section 2.1). Nevertheless, to reach a convenient protection level, additional security services such as access controls, authentication services (used to identify users ‘‘surely’’) and non-repudiation services must be introduced. Making an intensive use of user identification and reporting systems, these protection mechanisms can also be seen as threats on data privacy. Consequently, a particular attention must be paid to data privacy management while the security policy is defined (Section 2.2).
2.1. Building a security policy: standards and methods
Adding security features to fit the security requirements involves the addition of particular components (hardware and software). To define a proper security organisation, the additional costs involved by the infrastructure must be compared to the non-security costs computed according to the risk level, depending on vulnerability and threats. Technically, the security policy involves two major stakes:
- Communication network security: This point deals both with the Intranet security (access reduced to authorised persons) and with the public communication network.
- Information system security: Basically information integrity, confidentiality and access control [24].
Building a security policy is often reduced to the implementation of a ‘‘secure infrastructure’’ [22]. This reduced point of view provides only a technical answer to the identified technical threats and technical vulnerabilities (Table 1). Nevertheless, organisational vulnerability must also be taken into account. According to this more global point of view, the stress is put on the information system to be secured instead of on the infrastructure to secure. Moreover, as enterprise information systems are more or less interconnected thanks to EDI, e-business tools, etc., the security policy must include a global certification process: by this way, global safe systems can be built. For this purpose, methods and standards have been defined since the 1980s, which aim at internationally recognised levels of certification. Some of these standards are defined at a national level (for example, TCSEC, Federal Criteria, Canadian Criteria or BS 7799) whereas international boards are involved in others (ITSEC, Common Criteria, ISO 17799) (Fig. 1). The ISO standard developed recently (December 2000) [20] is quite different from the previous ones [11,12]. Risk oriented instead of computer or information systems centred, this standard consists in a generic method used to define, implement and manage a consistent security policy based on risk assessment.
Table 1
Technical answers to security troubles
Risk | Mitigation | Security services concerned
Unauthorised access | Firewall filtering; access control systems | Confidentiality
Application level attack | H-IDS probe on public servers; access control systems | Integrity, availability
Virus or Trojan horse attack | Desktop anti-virus | Integrity, availability
Password attack | Reduced set of available services; IDS used to identify the threat | Confidentiality, integrity, availability
Denial of service | Firewall TCP configuration | Availability
Address spoofing | Local firewall address filtering (RFC 2827 and 1918) | Confidentiality, integrity, availability
Packet sniffer | Host-IDS | Confidentiality
Network scan | Host-IDS and protocol filtering | Confidentiality, integrity, availability
Trust relation exploitation | Private VLAN and restrictive trust model | Confidentiality, integrity, availability
Port redirection | Port filtering and host-IDS | Confidentiality, integrity, availability
Despite its risk orientation, the ISO method lacks a systematic analysis of threats and vulnerabilities. For this purpose, other methods must be used, such as the operationally critical threats asset and vulnerability evaluation method (OCTAVE), which provides a cross-analysis of the organisational point of view and the technological solutions [2]. This method aims to optimise security features use thanks to a three steps process: threats identification, risks analysis and actions scheduling. For this purpose, the OCTAVE method provides a hierarchical description to guide the vulnerability analysis [3] as well as an impact evaluation according to six criteria (reputation, financial, productivity, fines or legal penalties, safety and other criteria). By this way, technological ‘‘actions’’ to reduce the risks consequences can be proposed. Moreover, this risk analysis can be combined with other methods such as the structured risk analysis (SRA) method used to compute more precisely the non-security costs according to both damage importance and attack probability [27].
Fig. 1. Standards chronology.
Once defined, the global security policy has to be integrated into the BP models. For this purpose, the modelling approach should provide particular semantics to describe security components, i.e. tag the information security level (black/grey/white), define secure channels, specify security protocols and key generation systems, etc., as proposed in the UMLsec extension, for example [21]. Moreover, reengineering secured BP involves integrating information protection while processes are built. For this purpose, role-based access controls can be set. Coupled to the enterprise workflow specification and user authentication system [23], such authorisation models need to relate the global security policy to role-based access control rules [24]. Then, automated agents associated to users can be introduced to secure workflow systems [19].
Apart from an access control point of view, BP specification consistency must also be taken into account. For this purpose, each BP can be split among an ordered set of business transactions defined as a ‘‘contract’’ between two or more parties describing the business activities involved and the security requirements. Due to the multiplicity of BP, actors and security constraints, formal specifications must be used to check each transaction, atomic and non-atomic activities consistency [1].
As far as virtual enterprises (VEs) are concerned, trust based organisation favoured the emergence of a consistent incrementally built secured organisation [4]. In such virtual enterprises, different partners may share sensitive information. Consequently, each business process must be analysed to define public and private parts leading to a multi-level workflow description used in a white/black boxes logic [8]. Moreover, a particular attention has to be paid to reporting abilities to provide non-repudiation features as well as a-posteriori access controls. In this case, user identification must be certified and this can lead to personal data storage and processing so that data privacy constraints must be taken into account while inter-enterprise business processes are defined.
2.2. Data privacy: threats and protection
Personal data can be defined as a set of data related to an identified person. At work with dedicated software, while using internet browsers, etc., lots of well identified information can be registered:
- Authenticated messages with a digital signature using a public key infrastructure (PKI) can be collected and related to interchange contracts so that workflow based processes can be partly rebuilt by other enterprise partners.
- Identification information (login, IP address, computer name, etc.) is exchanged while browsing the web. Moreover, cookies can be used to report the activity on a particular server.
- Proxy servers used to improve both the system security and the communication quality of service (QoS) register all the web pages visited.
- Data access control systems can report both identification information and copies of the file modifications.
All these ‘‘cyber-control’’ processes are designed to protect the information system against intrusions (filtering on names or IP addresses, for example), to provide a global safety towards system breakdown or misuse (for that purpose, log file reports and file saving processes can be coupled to rebuild parts of interrupted processes, for example), and to implement controls on dematerialised processes (authentication and non-repudiation processes). Moreover, some end-user practices (such as sharing a common mail account) may also involve data privacy violation: by this way, a process can ‘‘go on’’ even when one actor is not present, but correspondence privacy (i.e. email protection) is not provided.
Data privacy protection must be taken into account both for the data collection (users must be aware of the personal information collected) and for the personal data processing (internally and externally). Moreover, particular security features must be set to provide a sufficient safety and security level on these personal data.
To provide an acceptable data privacy protection, different strategies are set by different countries: whereas a market self-regulation is promoted in the US [17], legal protection is used in the EEC [13] both for a private use and a ‘‘professional’’ use [14] of information and communication technologies. As the privacy protection must be understood world wide, particular agreements must be set by the foreign sites in order to exchange personal data, such as the safe harbour principle [32].
Despite these ‘‘legal’’ differences, common ‘‘fair’’ practices are defined:
- Transparency: Users must be aware of the personal data collection and processing.
- Necessity: The cyber-control must be used as a complement of other security tools.
- Equity: The goal of the personal data processing must be recognised.
- Proportionality: The cyber-control level must fit the risks.
Consequently, cross-processes on personal data must be limited and involve particular agreements from the different countries' regulation institutions.
As far as virtual enterprises are concerned, legal and contractual requirements (each transaction must be authenticated and registered) involve heavy use of inter-enterprise authentication and non-repudiation services. To fit the data privacy fair practices as well as the different enterprises' security policies, common business processes and agreement services must be defined.
3. Security policy organisation in virtual enterprises
The inter-enterprise business process engineering specification has to satisfy opposite goals: respecting each enterprise autonomy and patrimony while building a consistent super-enterprise organisation which involves a common information system and well defined processes, able to support efficiently both formal and informal collaboration.
Specifying an organisation involves taking into account how its actors are organised, the role they take in the common goal achievement as well as the way they dynamically adapt the existing structure [30]. Depending on the autonomy left to the different actors, two main descriptions can be set: precise task specifications can be used for well formalised processes whereas information flows and information access rights are sufficient for less formalised or non-formalised exploratory processes.
To define both the virtual enterprise and each partner's own security policies, we put the stress on the way information is shared and accessed. This approach involves first defining precisely consistent inter-enterprise authorisation processes and then integrating them in the different business processes specification (Section 3.1). Lastly, data privacy constraints must be taken into account to implement a convenient authentication system. For this purpose, a multi-level architecture is proposed, separating the user identification from the BP reporting system (Section 3.2). By this way the privacy fair practices can be implemented.
3.1. Integration of security policy in inter-enterprise BP model
Traditional security policy oriented methods focus on a stand-alone security policy definition. As far as the virtual enterprise is concerned, these approaches have to be adapted to take the partnership environment into account. We propose here a complementary strategy to organise the VE business process. Based on the VE security policy definition, this approach puts the stress on the information access control system and aims at preserving each enterprise autonomy and information patrimony to support both formal and informal collaboration.
To fit transparency requirements, generic authorisation processes are defined, federating the different security policies. For this, we propose to organise the common business processes in a common meta-model shared by the partners, describing globally the distributed business process (Fig. 2). This architecture is built around the actor description (person or part of an enterprise). The security policy is defined at two levels: first, access controls on informational resources are described; second, a multi-area infrastructure is proposed. By developing adapted replication processes, the access control system represents a convenient basis for the global security system.
To reliably identify the involved actor, the access control system uses a PKI certification architecture coupled to the organisation of access areas on the information system. Access rights are described thanks to ‘‘certificates’’, associated to a set of pieces of information (called domain) and an accreditation level (called a certification level according to the PKI organisation). By this way, for each actor and each requested piece of information, access rights can be computed and checked dynamically. The certification process is defined by a workflow controlled by the information system security officers (ISSO). Stored on the different authentication servers, cross-controls on access rights ensure the global consistency of the system.
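The certificate-based access check described above, written as an added example that is not the paper's own code: actors hold certificates binding an information domain to an accreditation level, the replicas held by several authentication servers must agree (the cross-control), and the paper's white/grey/black tags are reused here as an assumed ordered scale; all names, dates and values are constructed.

```python
"""Added example (not from the paper): dynamic access-right computation from
domain/level certificates replicated on several authentication servers."""
from dataclasses import dataclass, field
from datetime import date

# Assumed accreditation scale, least to most trusted, reusing the paper's tags.
LEVELS = {"white": 0, "grey": 1, "black": 2}


@dataclass(frozen=True)
class Certificate:
    actor: str
    domain: str          # the set of pieces of information it covers
    level: str           # accreditation (certification) level
    issued_by: str       # ISSO who validated the certification workflow
    valid_until: date


@dataclass(frozen=True)
class Information:
    ident: str
    domain: str
    min_level: str       # level required to access this piece of information


@dataclass
class AuthServer:
    """One authentication server holding a replica of the certificates."""
    name: str
    certs: dict = field(default_factory=dict)   # (actor, domain) -> Certificate

    def register(self, cert):
        self.certs[(cert.actor, cert.domain)] = cert

    def lookup(self, actor, domain):
        return self.certs.get((actor, domain))


def check_access(actor, info, servers, today):
    """Return (granted, reason). The request is granted only if every server
    holds the same, still valid certificate for the actor in the information's
    domain and its level reaches the information's threshold."""
    certs = [s.lookup(actor, info.domain) for s in servers]
    if any(c is None for c in certs):
        return False, "no certificate for this domain"
    if len(set(certs)) != 1:        # replicas disagree: cross-control fails
        return False, "inconsistent certificates across authentication servers"
    cert = certs[0]
    if cert.valid_until < today:
        return False, "certificate expired"
    if LEVELS[cert.level] < LEVELS[info.min_level]:
        return False, f"level {cert.level} below required {info.min_level}"
    return True, "granted"


def demo_scenario():
    """Constructed scenario: two authentication servers, one actor certified
    at level grey for the 'design' domain. Returns each decision."""
    today = date(2005, 6, 1)
    cert = Certificate("alice", "design", "grey", "isso-A", date(2005, 12, 31))
    srv_a, srv_b = AuthServer("auth-A"), AuthServer("auth-B")
    srv_a.register(cert)
    srv_b.register(cert)
    servers = [srv_a, srv_b]
    results = {
        "grey_doc": check_access("alice", Information("spec-1", "design", "grey"), servers, today),
        "black_doc": check_access("alice", Information("spec-2", "design", "black"), servers, today),
        "other_domain": check_access("alice", Information("bal-1", "finance", "white"), servers, today),
    }
    # A stale or tampered replica on one server is caught by the cross-control.
    srv_b.register(Certificate("alice", "design", "black", "auth-B", date(2005, 12, 31)))
    results["tampered_replica"] = check_access(
        "alice", Information("spec-2", "design", "black"), servers, today)
    return results


if __name__ == "__main__":
    for name, decision in demo_scenario().items():
        print(f"{name}: {decision}")
```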
As far as the distributed business process specification is concerned, our description environment includes both the formal and informal process specification. On one hand, formal collaboration can be described precisely thanks to a classical workflow approach. Nevertheless, this inter-enterprise business process organisation must respect the enterprise autonomy constraint. For this purpose, a multi-level workflow description relying on an embedded description of treatments (i.e. providing different abstraction/service levels) and on synchronisation points inside a treatment is necessary. These points have been studied for a long time in telecommunications software development and have led to the specification and development of graphical and textual tools, like the functional specification and description language (SDL) [10], to organise treatments into services and to define precisely synchronisation between treatments. These descriptions consist of different automata with structured and well-defined interactions (Fig. 3). Abstraction levels in inter-enterprise business process models are integrated thanks to macro-operations: depending on the actors they involve, macro-operations can be described according to a more precise automaton or, if they involve different actors and responsibilities, they can represent a more precise workflow. For example, Fig. 4 presents in a reflexive way the certification process agreement.
Fig. 2. Information control and business process description data model.
Fig. 3. Main SDL graphical elements.
On the other hand, informal collaboration is taken into account thanks to an ad-hoc workflow organisation. Based on the segmentation of the information systems into different domains, this data driven approach describes the organisation thanks to information flows, and business process achievement is monitored according to a strict definition of the information life-cycle. For this purpose, we split each piece of information into a ‘‘logical information’’ and contents which may evolve according to the information status [5].
Fig. 4. SDL specification of the distributed certification process. The VE certification process is built according to a generic model of enterprise validation process. Then, for each enterprise, a certification workflow can be developed. In our example, the enterprise xx certification workflow involves the enterprise's different information system security officers (ISSO) who may apply directly the enterprise certification rules or request a strategic committee for a case-based certification.
Access rights are devoted to the actors according to the work they should do and to their certification level for the information domain. For this purpose, common authorisation processes are defined thanks to certification workflows stored on each authentication server (see Fig. 5) so that the global security policy consistency can be achieved [6].
Fig. 5. Data model storing the information validation workflow.
This authorisation based security organisation
provides both transparency and authentication ser-
vices. Thanks to the use of the digital signature
provided by the PKI systems, non-repudiation services
are provided as well. Nevertheless, the reporting
systems involved can also be seen as a major threat on
actor personal data privacy.
3.2. Integration of the authorisation service in the BP model
To fit the privacy fair practices, only simple controls can be made and elementary log files can be registered. As far as the authorisation-based architecture we proposed previously is concerned, the reporting system can be used to rebuild parts of the executed BP, i.e. it provides a consistent cyber-control on the actors' own activities. Such a cyber-control breaks data privacy requirements. Nevertheless, workflow rebuilding processes must also be implemented to control continuously the process efficiency, the inter-enterprise collaborative practices, etc.
The main problem is that cross-processes with identified data cannot be implemented without a particular agreement given by regulation committees (as set by the EEC directive). For this purpose, we propose a multi-level architecture separating the planned workflow organisation and the reporting system thanks to an authentication service:
- Business process management: In this ‘‘conceptual’’ level, BPs are defined recursively so that ‘‘black box’’ or ‘‘white box’’ approaches can be mixed without losing the global consistency. Thanks to ‘‘core processes’’, inspired by the eb-XML (electronic business XML) core components, reuse abilities are improved and the collaborative business processes can be defined according to an ‘‘interface based’’ process. In this part, reports are limited to anonymous processes.
- Organisational controls: BPs are turned into ‘‘organisational processes’’. For this purpose, each conceptual process is divided into a set of ‘‘collaborations’’ described according to elementary units called ‘‘transactions’’. Each transaction is associated either to a part of the conceptual process (described in terms of core processes) or to ‘‘exchange processes’’ defined according to the collaboration framework. The way partners collaborate is defined contractually thanks to ‘‘organisation management BP’’ [7]. Actors (or groups) are directly managed for the process planning while the reporting system relates only tasks and transaction execution to ‘‘authenticated users’’.
- Authentication service: This level implements the BP association with the actors who have performed it. Each transaction is associated to access control processes and collaboration profiles so that actors can be certified. Then only these ‘‘authenticated user’’ identifications are transmitted to the BP reporting system. As each authentication identification is given separately, the different tasks involving the same actor cannot be directly related by the BP reporting system. At a technical level, the authenticated users are created and ‘‘forward’’ links are made between these ‘‘authenticated user accounts’’ and the real actor account.
- Communication level: This is the ‘‘operational’’ level of our architecture. It consists of communication infrastructure management and/or configuration data. The personal data collection and processes are directly related to the infrastructure use and not to the process involving this use. Consequently, there is no cyber-control on actors' ‘‘intellectual processes’’.
Such an architecture fits globally the fair practices
and may support cross-controls (by coupling different
files) if necessary. In this case, actors must explicitly
agree with such a cross-analysis process finality.
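The authentication-service level of the list above and the consent condition on cross-analysis, as an added example that is not the authors' implementation: the service certifies an actor for one transaction against a collaboration profile, mints a fresh authenticated-user identifier and keeps the only forward link back to the actor; the reporting system stores identifiers only, so repeated tasks of one actor are not linkable from its records, and resolving them requires the actor's explicit agreement. Class names, profiles and the scenario are assumptions.

```python
"""Added example (not from the paper): per-transaction authenticated users
with forward links kept by the authentication service, and a reporting
system that never sees the real actor account."""
import secrets
from collections import defaultdict


class AuthenticationService:
    def __init__(self, certified_actors):
        # actor -> set of collaboration profiles the actor is certified for
        self._profiles = certified_actors
        self._forward = {}          # authenticated user id -> (actor, transaction)
        self._consent = set()       # actors who agreed to a cross-analysis finality

    def certify(self, actor, transaction, profile):
        """Check the actor against the transaction's collaboration profile and
        return a fresh authenticated-user id, or None if the access is refused."""
        if profile not in self._profiles.get(actor, set()):
            return None
        auth_id = secrets.token_hex(8)          # unrelated to the actor account
        self._forward[auth_id] = (actor, transaction)   # the only forward link
        return auth_id

    def give_consent(self, actor):
        self._consent.add(actor)

    def resolve(self, auth_ids):
        """Cross-analysis: group authenticated-user ids by real actor, allowed
        only when every actor concerned has agreed; raises otherwise."""
        groups = defaultdict(list)
        for auth_id in auth_ids:
            actor, _ = self._forward[auth_id]
            if actor not in self._consent:
                raise PermissionError(f"no agreement from the actor behind {auth_id}")
            groups[actor].append(auth_id)
        return dict(groups)


class ReportingSystem:
    """BP reporting system: stores only (transaction, task, authenticated user)."""
    def __init__(self):
        self.records = []

    def log(self, transaction, task, auth_id):
        self.records.append((transaction, task, auth_id))

    def distinct_users(self):
        return {record[2] for record in self.records}


def run_collaboration():
    """Constructed scenario: two actors, four transactions of one BP; the last
    one asks for a profile bob is not certified for."""
    auth = AuthenticationService({"alice": {"designer"}, "bob": {"reviewer"}})
    reports = ReportingSystem()
    steps = [("T1", "draft-spec", "alice", "designer"),
             ("T2", "review-spec", "bob", "reviewer"),
             ("T3", "revise-spec", "alice", "designer"),
             ("T4", "approve-spec", "bob", "designer")]
    refused = []
    for transaction, task, actor, profile in steps:
        auth_id = auth.certify(actor, transaction, profile)
        if auth_id is None:
            refused.append(transaction)
            continue
        reports.log(transaction, task, auth_id)
    return auth, reports, refused


if __name__ == "__main__":
    auth, reports, refused = run_collaboration()
    print("reports:", reports.records)          # three records, no actor names
    print("refused:", refused)
    auth.give_consent("alice")
    auth.give_consent("bob")
    print("cross-analysis:", auth.resolve([r[2] for r in reports.records]))
```

From the reporting records alone, alice's two tasks appear under two unrelated identifiers; only the authentication service, holding the forward links and the actors' agreement, can relate them again.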
4. Conclusion
To fit personal data privacy requirements as well as
to integrate inter-enterprise security policies, we
propose to couple an authentication service to BP
and infrastructure reporting systems. By this way,
contractual collaboration constraints can be integrated
in the BP definition and security constraints are
fulfilled without integrating personal data in the
working process reporting system. Thanks to this
multi-level architecture a ‘‘personal’’ cyber-control
can be more or less avoided.
References
[1] V.S. Alagar, K. Periyasamy, Specification and verification of secure business transaction systems, in: Proceedings of SOFSEM'2002, Lecture Notes in Computer Science 2540 (2002) 240–252.
[2] C. Alberts, A. Dorofee, An introduction to the OCTAVE Method, 2001, CERT White Paper available at http://www.cert.org/octave/methodintro.html.
[3] C. Alberts, A. Dorofee, OCTAVE threat profiles, 2001, CERT White Paper available at http://www.cert.org/archive/pdf/OCTAVEthreatProfiles.pdf.
[4] M. Backes, B. Pfitzmann, M. Waidner, Security in business process engineering, in: Proceedings of BPM'2003, Lecture Notes in Computer Science 2678 (2003) 168–183.
[5] F. Biennier, G. Beuchot, J. Favrel, Integration of the information cycle of life in concurrent engineering, in: Proceedings of CE'96, Technomic, 1996, pp. 304–311.
[6] F. Biennier, Security integration in inter-enterprise business process engineering, in: H.S. Jagdev, J.C. Wortmann, H.J. Pels (Eds.), Collaborative Systems for Production Management, Kluwer Academic Publishers, 2002, pp. 207–218.
[7] F. Biennier, J. Favrel, Collaborative BP engineering in alliances of SMEs, in: L. Camarinha-Matos, H. Afsarmanesh (Eds.), Processes and Foundations for Virtual Organizations, Kluwer Academic Publishers, 2002, pp. 441–448.
[8] C. Bussler, The application of workflow technology in semantic B2B integration, Distributed and Parallel Databases 12 (2002) 163–191.
[9] F. Casati, A. Discenza, Modelling and managing interactions among business processes, Journal of Systems Integration 10 (2001) 145–168.
[10] CCITT Red Book, vol. VI.10, Functional Specification and Description Language (SDL), Recommendations Z.100 to Z.104, 1985.
[11] Department of Defense (DoD), Trusted Computer System Evaluation Criteria (Orange Book), DOD 5200.28-STD, 1985.
[12] EEC, Information Technology Security Evaluation Criteria, 1991, zip file downloadable at http://www.cordis.lu/infosec/src/crit.htm.
[13] EEC, Directive 95/46 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
[14] EEC Article 29 working group, Data protection working party, Opinion 8/2001 on the processing of personal data in the employment context, Ref. 5062/En/Final WP48, 2001.
[15] S. Fischer-Hübner, IT-security and privacy, Lecture Notes in Computer Science 1958, 2001, pp. 35–106.
[16] R.L. Franck, Security issues in the virtual corporation, Computers and Security 15 (1996) 471–476.
[17] FTC (Federal Trade Commission), Privacy online: a report to Congress, 1998. Available at http://www.ftc.gov/reports/privacy3/priv-23.htm.
[18] A. Grasso, J.L. Meunier, D. Pagani, R. Pareschi, Distributed coordination and workflow on the world wide web, The Journal of Distributed Computing 6 (1997) 175–200.
[19] E. Gudes, A. Tubman, AutoWF: a secure web workflow system using autonomous objects, Data and Knowledge Engineering 43 (2002) 1–27.
[20] ISO, ISO/IEC 17799:2000, Information Technology, Code of practice for information security management, 2000.
[21] J. Jürjens, UMLsec: extending UML for secure systems development, in: Proceedings of UML'2002, Lecture Notes in Computer Science 2460 (2002) 412–425.
[22] G. Kovacich, The ISSO must understand the business and management environment, Computers and Security 16 (1997) 321–326.
[23] D. Li, S. Hu, S. Bai, A uniform model for authorization and access control in enterprise information platform, in: Proceedings of EDCIS'2002, Lecture Notes in Computer Science 2480 (2002) 180–192.
[24] A. Lin, R. Brown, The application of security policy to role-based access control and the common data security architecture, Computer Communications 23 (2000) 1584–1593.
[25] T.W. Malone, Is empowerment just a fad? Control, decision making and IT, Sloan Management Review (1997) 23–35.
[26] L. Maruster, J. Wortmann, A. Weijters, W. van der Aalst, Discovering distributed processes in supply chains, in: H.S. Jagdev, J.C. Wortmann, H.J. Pels (Eds.), Collaborative Systems for Production Management, Kluwer Academic Publishers, 2002, pp. 219–230.
[27] N. McEvoy, A. Whitcombe, Structured risk analysis, in: Proceedings of InfraSec'2002, Lecture Notes in Computer Science 2437 (2002) 88–103.
[28] B.C. Neuman, T. Ts'o, Kerberos: an authentication service for computer networks, IEEE Communications Magazine 32 (9) (1994) 33–38.
[29] M.P. Papazoglou, Web services and business transactions, World Wide Web, Internet and Web Information Systems 6 (2003) 49–91.
[30] C. Rolland, S. Nurcan, G. Grosz, Enterprise knowledge development: the process view, Information and Management 36 (1999) 165–184.
[31] P.B. Thompson, Privacy, secrecy and security, Ethics and Information Technology 3 (2001) 13–19.
[32] US Department of Commerce, Safe Harbor Workbook 2003, available at http://www.export.gov/safeharbor/sh_workbook.html.
Frederique Biennier is a full Professor at the Information Technology and Computing Department of the INSA de Lyon, a French Engineering University. She received her engineering degree (MSc) in Computer Science in 1988 and the PhD in Computer Science and Automatics in 1990. Her main teaching activities concern telecommunication systems and services, real time systems and industrial engineering. Her main research areas are related to virtual organisation, focusing on distributed architecture and paying a particular attention to service oriented architecture, business process intelligence and security management.
Joel Favrel is a professor at the Information Technology and Computing Department of the INSA. He graduated with an engineering degree from this University in 1964 and obtained his PhD degree from Lyon-1 University in 1968, before being an Associate Professor at the Electrical Engineering Department of the University of Sherbrooke (P.Q., Canada) for 2 years. He created, and is currently the Director of, ‘‘PRISMa’’, a laboratory whose activities deal with industrial engineering, architecture of information systems, virtual enterprise and production system control. His main research interests include enterprise modelling and integration, virtual enterprise and collaborative work. He has been the advisor of more than 50 PhD candidates. He is a member of IFIP WG 5.7 and WG 5.12.