Gestionnaire contextualisé de sécurité pour des « Process 2.0 ». (Contextualized security management for "Process 2.0")

Author

  • Wendpanga Francis Ouedraogo
Abstract

To keep pace with market evolution (mass customization, integration of "product-service" logic, service sector development...), companies, and especially SMEs/SMIs, are increasingly involved in collaborative strategies. This requires organizational adaptation to meet the constraints of such "openness" and to increase agility (i.e. the ability to adapt to structural changes). These more or less ephemeral collaborative strategies involve both sharing a common project and/or a common culture and building a common collaborative process that will be the operational support of the collaboration. However, current technological tools (information system components, workflow tools) are mostly designed for IT specialists, and the time needed to develop a solution does not fit the duration of the collaboration. Consequently, IT is often seen as a brake on setting up collaboration. At the same time, the development of technologies based on the Internet and Web 2.0 provides easily integrated tools that can be used by non-specialists. While Web 2.0 allows data sharing (images, knowledge, CVs, micro-blogging, etc.) and SOA aims at increasing the service reuse rate and service interoperability, no process-sharing strategies have been developed. To overcome this limit, we propose to share processes as well, setting up a "Process 2.0" framework that allows activities to be shared. This will support agile enactment of collaborative processes by searching for and composing services depending on the required business organization and the service semantics. Coupled with the deployment opportunities of cloud computing, this strategy will couple the Business, SaaS and PaaS levels more strongly. However, this challenges the management of security constraints in a dynamic environment. The development of security policies is usually based on a systematic risk analysis, with risks reduced by adopting appropriate countermeasures.
These approaches are complex and consequently difficult for end users to implement. Moreover, risks are assessed in a "closed" and static environment, so these methods do not fit the dynamic business service composition approach, as services can be composed and run in different business contexts (including the functionalities provided by each service, the organization (who does what?), the coordination between these services, and the kind of data (strategic or not...) that are used and exchanged) and runtime environments (public vs. private platform...). By analyzing this contextual information, we can define security constraints specific to each business service, specify the appropriate security policies and implement appropriate countermeasures. In addition, it is also necessary to be able to propagate the security policies throughout the process to ensure consistency and overall security during process execution. To address these issues, we propose to study the definition of security policies by coupling Model Driven Security with a pattern-based engineering approach, in order to generate and deploy appropriate security policies and protection means depending on the (possibly untrusted) runtime environment. To this end, we propose a set of security patterns that meet the business- and platform-related security needs in order to set the security policies. The selection and implementation of these security policies will be achieved thanks to context-based patterns. Simple for non-specialists to understand, these patterns will be used by the model transformation process to generate these policies in a Model@Runtime strategy, so that security services are selected and orchestrated at runtime to provide a constant quality of protection (independent of the deployment).

This thesis is available at: http://theses.insa-lyon.fr/publication/2013ISAL0132/these.pdf © [W.F. Ouedraogo], [2013], INSA de Lyon, all rights reserved
Keywords: Business process – Web Service – SOA – SOA security – Risk analysis – MDA – MDS – Security patterns – Cloud computing – XaaS – Cloud Security


Similar resources

Managing Security of Grid Architecture with a Grid Security Operation Center

Due to the nature of grid computing networks, security pitfalls are plethora and adversaries are sneaking to launch attacks. Keeping this scope in mind, we will discuss our proposed solution for securing grid computing networks that we have called gSOC (Grid Security Operation Center). The main advantage of gSOC is that it can give a global view of security of the entire grid infrastructure. Th...


Sécurité des systèmes critiques et cybercriminalité : vers une sécurité globale ? (Security of critical systems and cybercrime: towards global security?)

This article sets out to put into perspective, for so-called "critical" computer systems, the issues of resistance to cybercrime (whose origin is therefore a human action with intent to harm) and of the ability to avoid catastrophic behaviour following events of other origin, which may be internal failures of hardware components, perturb...


Gestion de l’incertitude pour l’optimisation en ligne d’un gestionnaire de dialogues parlés à grande échelle basé sur les POMDP (Uncertainty management for the online optimization of a large-scale POMDP-based spoken dialogue manager)

Abstract: The use of reinforcement learning (RL) is now part of the state of the art in the field of spoken dialogue manager optimization. However, with this method, training a dialogue manager requires generating a large amount of data. This is why much attention has been paid to user simulation over the last ten years...


Computationally Sound, Automated Proofs for Security Protocols

Since the 1980s, two approaches have been developed for analyzing security protocols. One of the approaches relies on a computational model that considers issues of complexity and probability. This approach captures a strong notion of security, guaranteed against all probabilistic polynomial-time attacks. The other approach relies on a symbolic model of protocol executions in which cryptographi...



Publication date: 2013