workflowbusiness-process-managementbpmnactiviti

Security Features in Activiti

I'm collecting security features provided in Activiti Process Engine such as Authentication, Authorization, Database Security (file encryption, Https Connection). I need to know more about security features of Activiti which make a Business Process secure.

For example; If a packet is shipped to a customer by a courier company, what real time security measurements should be taken in consideration and what Activiti provides while executing this process model?

All I have is; Activiti has

What else? Can any body help me with that? What are the by default features provided by Activiti and what can be done with extra user code or plugins? Any document/research paper?

Solution

  • As nobody answered me and I did my own research finding out some security controls provided by Activiti, I would like to share my experience. I started with two existing security catalogs provided as standards;

    1. NIST (SP 800-53)
    2. Common Criteria (ISO 15408)

    and tried to find out controls from above mentioned catalogs which are provided(exactly or partially) by Activiti as security functions. The initial draft includes;

    1. User Authentication [Ref: Common Criteria (ISO 15408); p. 94, NIST (SP 800-53); p. 128]
    2. User Identification [Ref: Common Criteria (ISO 15408); p. 99, NIST (SP 800-53); p. 128]
    3. Account Management [Ref: NIST (SP 800-53); p. 77]
    4. Security Management Roles (CC)/Separation of Duties (NIST) [Ref: Common Criteria (ISO 15408); p. 116, NIST (SP 800-53), p. 82]
    5. Least Privilege [Ref: NIST (SP 800-53), p. 83]
    6. Remote Access [Ref: NIST (SP 800-53), p. 88]
    7. Roll Back [Ref: Common Criteria (ISO 15408); p. 79]
    8. Stored Data Integrity (CC)/ Media Storage (NIST) [Ref: Common Criteria (ISO 15408); p. 81, NIST (SP 800-53); p. 146]
    9. Media Access [Ref: NIST (SP 800-53); p. 145]
    10. Internal TOE Transfer (CC)/ Transmission Integrity (NIST) [Ref: Common Criteria (ISO 15408); p. 74, NIST (SP 800-53); p. 185]
    11. Transmission Confidentiality [Ref: NIST (SP 800-53); p. 186]

    I hope it might help somebody.

    Salman