Tutorial 4: Software as a Service (SaaS): Security Strategy, Risk Management, Static Analysis and Assessment Tool
Patrick C. K. Hung, University of Ontario Institute of Technology (UOIT), Canada
Wendy Hui, College of Information Technology, Zayed University, Abu Dhabi, U.A.E

Abstract:

Software as a Service (SaaS) is an emerging software design, implementation and delivery model. The main property of SaaS is that the software requesters do not own the software itself but rather use it through an Application Programming Interface (API) accessible over the Web. The software providers own the software and SaaS is generally priced on a per-user basis, sometimes with a minimum number of users. Since 1998, the Extensible Markup Language (XML) has become a fundamental platform to build technologies on the Web. XML is used to represent fine-grained data that originates in repositories in machine readable format by providing structure and the possibility of adding type information. A Web service is a software system that supports interoperable application-to-application interaction over the Web.

Web services are fundamentally based on a set of XML standards, such as Web Services Description Language (WSDL), Simple Object Access Protocol (SOAP), and Universal Description, Discovery and Integration (UDDI). Each service makes its functionality available through well-defined or standardized XML-format API. The result of this approach is called Service-Oriented Architecture (SOA). XML is playing an important role in the data transport protocol for Web services. Web services are becoming widely deployed to implement SaaS. These new SaaSs and SOAs with a new set of protocols bring a new set of security challenges such as confidentiality, integrity, anonymity, authentication, authorization and availability. As security has become an essential component for all software, several security solutions for XML data have been proposed. In addition to security issues, survivability requires SaaS in a service overlay network to be able to fulfill their missions in a timely manner, even in the presence of attacks, threats, or failures due to unreliable communication channels. Because of the severe consequences of failure, software requesters are focusing on SaaS survivability as a key risk management strategy for businesses.

Technically this tutorial will review the topics of XML and a portfolio of related standards, such as Document Type Definitions (DTD), XML Style Sheets (XSLT), XML Path Language (XPath), Extensible HyperText Markup Language (XHTML) and XML Schemas, in response to the growing need for a platform independent language for supporting SaaS design, implementation and delivery. This tutorial aims to present and discuss various security issues of SaaS. This tutorial will cover the fundamental concepts of security strategy and risk management from the managerial perspectives of SaaS. This tutorial will discuss security risks and related security issues in SaaS. Strategy and policy topics on how to find the right balance between security and usability will be addressed as well as the management of maintaining a secure SaaS infrastructure. This tutorial will also review the topics of XML security standards, such as XML Signature, XML Encryption, XML Key Management, WS-Security and SAML, XACML and P3P, in response to the growing need for a platform independent language for securing SaaS. This tutorial will also address the common practices and related tools/procedures for addressing those security risks such as static analysis and assessment tool. A research prototype of security assessment tool by Milescan will also be presented and demonstrated in the tutorial.

Dr. Patrick Hung is an Assistant Professor and IT Director at the Faculty of Business and Information Technology in UOIT and an Adjunct Assistant Professor at the Department of Electrical and Computer Engineering in University of Waterloo. Patrick is currently collaborating with Boeing Phantom Works (Seattle, USA) and Bell Canada on security- and privacy-related research projects, and he has filed two US patent applications on "Mobile Network Dynamic Workflow Exception Handling System." In addition, Patrick is also cooperating on Web services composition research projects with Southeast University in China. Patrick has been serving as a panelist of the Small Business Innovation Research and Small Business Technology Transfer programs of the National Science Foundation (NSF) in the States since 2000. He is an executive committee member of the IEEE Computer Society's Technical Steering Committee for Services Computing, a steering member of EDOC "Enterprise Computing," and an associate editor/editorial board member/guest editor in several international journals such as the IEEE Transactions on Services Computing, International Journal of Web Services Research (JWSR) and International journal of Business Process and Integration Management (IJBPIM).

Dr. Wendy Hui holds a Ph.D. in Information Systems from the Hong Kong University of Science and Technology (HKUST). She is currently an Assistant Professor at Zayed University, Abu Dhabi, U.A.E. Her research interests include Economics of Information Systems, Information Security, and Technology-Assisted Learning. Her work has been accepted at Journal of Management Information Systems (JMIS), Decision Support Systems (DSS), IEEE Transactions on Systems, Man and Cybernetics, Part A (IEEE SMCA), and Communication of the AIS (CAIS).

Industry Research Partner: Mr. Steven Siu, Director, Milescan Technologies, Hong Kong

Tutorial 5: Business Entities: Modeling Process and Information
Frederick Wu, IBM T.J. Watson Research Center, US
Santhosh Kumaran, IBM T.J. Watson Research Center, US
Rong Liu, IBM T.J. Watson Research Center, US

Abstract:

In this tutorial, we present a business process and information modeling approach based on our research results and engagement experiences over the past five years. A business process model describes actions taken by business (human or system) actors to achieve a strategic or operational goal. Traditionally, most of the work in this area, like workflow modeling, is activity-centric and focuses on prescribing activities and their sequences, for example, by stating "first we do A, then B, then C, and while doing C we also do D." This approach has a number of drawbacks, particularly when the goal is to consolidate business processes across organizations, generate IT solutions that are in close alignment with business goals, and achieve desirable features like scalability, flexibility and modularity as business processes become complex and large. In response to these challenges, we developed a new modeling paradigm that models process activities in the context of information entities. Although a business process may involve a large number of information entities, very often we observe that only a small number of them (for example, the claim in an insurance claim process) are key drivers of the flow of activities in the process. The business process itself is the path of these "business entities" through their lifecycles, from their initial states to their final states. Therefore, a complex process can be viewed as the intersecting life cycles of such entities. In this tutorial, we will first introduce the concept of business entities and a method for discovering business entities from existing activity-centric process models. Second, we will describe the modeling of business entity lifecycles as formal state machines and representing business processes as interacting state machines. A formal technique for verifying such process models will be also introduced. Third, we will demonstrate that SOA-based IT solutions can be automatically generated from such business entity models. Moreover, as this new paradigm has been successfully tested through customer engagements, in this tutorial, we will select a couple of case studies to show how it was applied to solve real customer problems. Finally, we will compare this new approach with traditional process modeling approaches and show the advantages of this approach in achieving process scalability, flexibility and modularity.

About Speakers:

Dr. Rong Liu is a researcher at IBM Thomas J. Watson Research Center. Her research interest includes entity centric business modeling, process modeling and verification, workflow systems, Petri net technologies and supply chain management.

Dr. Frederick Wu leads a team of researchers in the area of model-driven enterprise solutions at IBM
Thomas J. Watson Research Center. He has worked in the area of electronic commerce and business
integration for the past nine years. He holds S.B., S.M., and Ph.D. degrees from the Massachusetts Institute
of Technology.

Dr. Santhosh Kumaran leads a team of researchers in the area of model-driven business integration at IBM Thomas J. Watson Research Center. His research interest is in using formal models to explicitly define the structure and behavior of an enterprise and employing these models to integrate, monitor, analyze, and improve its performance.

Tutorial 6: Enterprise Service Architectures
Aditya K. Ghose and George Koliadis, Decision Systems Laboratory, School of Computer Science and Software Engineering, University of Wollongong, NSW 2522 Australia.

Abstract:

An exective service architecture helps provide a high-level blueprint of the complexity underlying an enterprise, which can be used by senior management, as well as technical, IT and operational personnel in key decision and change processes. With the growing popularity of the SOA paradigm, and the increasing emphasis on the application of business process management principles, it is becoming increasingly important for organizations to understand their service architectures by answering questions such as what services the enterprise supports, which enterprise actors/units oer these services, which services support cross-enterprise value chains, which processes rely on these services, which processes implement these services, which of these are critical to realizing enterprise goals, which services are redundant etc. This tutorial presents the current state-of-the-art in enterprise service architectures and explores a set of novel approaches to the problem. The tutorial will begin by exploring a competence theory for enterprise service architectures, by discussing the key questions that such enterprise service architectures must help answer. An initial competence theory will be presented based on the existing lliterature. Attendees will be encouraged to identify and discuss gaps, if any, in the competency theory presented. A wide repertoire of frameworks that can serve as the basis for enterprise service architectures will then be reviewed. These include Porter's Value Chain model (subequently implemented in VCOR and extended to the Value Network model), Kaplan and Norton's Strategy Maps, the Business Motivation Model (BMM), the ARIS House of Business Engineering (HOBE) architecture, the Business Process Architecture Framework (BPAF) and Role-Activity Diagrams. More research-oriented frameworks such as i*, e3 Value, the Semantic Object Model (SOM) and the Toronto Virtual Enterprise Ontology (TOVE) will also be examined in detail. Each of these (and others) will be evaluated against the competence theory discussed above. Gaps in functionality will be highlighted, and will form the basis for motivating a new set of frameworks for enterprise service architectures that support a variety of techniques for relating service and process portfolios to enterprise models.

About Speakers:

Aditya Ghose is a Professor in the School of Computer Science and Software Engineering at the University of Wollongong, and Director of that university's Decision Systems Lab. He holds PhD and MSc degrees in Computing Science from the University of Alberta, Canada (he also spent parts of his PhD candidature at the Beckman Institute, University of Illinois at Urbana Champaign and the University of Tokyo) and a Bachelor of Engineering degree in Computer Science and Engineering from Jadavpur University, Kolkata, India. While at the University of Alberta, he received the Jerey Sampson Memorial Award. . His research is (or has been) funded by the Australian Research Council, the Canadian Natural Sciences and Engineering Research Council, the Japanese Institute for Advanced Information Technology (AITEC) and various Australian government agencies as well as companies such as Bluescope Steel, CSC, Holocentric and Pillar Administration. His research has been published in the top venues in service-oriented computing (SCC and ICSOC), software modelling (ER), software evolution (IWSSD, IWPSE) and AI (AAAI, AAMAS and ECAI). He has an invited speaker at the Schloss Dagstuhl Seminar Series in Germany and the Ban International Research Station in Canada. He also been a keynote speaker at several conferences, and program/general chair of several others. He is a senior technical advisor to several companies both in Australia and Canada.

George Koliadis holds a BSc Honours from the University of Wollongong, and is currently in his PhD candidature at this institution. He has previously worked on large-scale software engineering projects for the Australian Taxation Oce, and as a researcher for a collaborative research centre in Sydney, Australia. He as served as a reviewer for workshops and conferences in the areas of service and process engineering (SOPOSE, WS-FM), digital ecosystems (IEEE-DEST), and multi-agent systems (PRIMA), and is currently the organizing/publicity chair the SOPOSE series of workshops. His research and applied interests include Business Process Management, Conceptual Modeling, and Requirements Engineering.