Model-Driven Security Engineering for Trust Management in SECTET

Service Oriented Architectures with underlying technologies like web services and web services orchestration have opened the door to a wide range of novel application scenarios, especially in the context of inter-organizational cooperation. One of the remaining obstacles for a widespread use of these techniques is security. Companies and organizations open their systems and core business processes to partners only if a high level of trust can be guaranteed. The emergence of web services security standards provides a valuable and effective paradigm for addressing the security issues arising in the context of inter-organizational cooperation. The low level of abstraction of these standards is, however, still an unresolved issue which makes them inaccessible to the domain expert and remains a major obstacle when aligning security objectives with the customer needs. Their complexity makes implementation easily prone of error. The SECTET – a model-driven security engineering framework for B2B-workflows – facilitates the design and implementation of secure inter-organizational workflows. This contribution has three objectives. First we present a high-level domain specific language – called SECTET-PL. Being part of the SECTET-framework, SECTET-PL is a policy language influenced by Object Constraint Language and interpreted in the context of UML models. We then detail the Meta Object Facility based metamodels for the integration of business requirements with the security requirements. Finally, using Model Driven Architecture paradigm, we describe the transformation of high-level security models to low-level web services standard artefacts with the help of Eclipse Modelling Framework and OpenArchitectureWare.