Question

I'm collecting the security features provided in the Activiti Process Engine, such as authentication, authorization, and database security (file encryption, HTTPS connection). I need to know more about the security features of Activiti which make a business process secure.

For example, if a packet is shipped to a customer by a courier company, what real-time security measurements should be taken into consideration, and what does Activiti provide while executing this process model?

All I have is: Activiti has

  • authentication feature (only right person can access the system)
  • authorization feature (Activiti takes care who is going to access what)
  • Secure Database connection

What else? Can anybody help me with that? What are the default features provided by Activiti, and what can be done with extra user code or plugins? Any document/research paper?

Solution

As nobody answered me and I did my own research, finding out some security controls provided by Activiti, I would like to share my experience. I started with two existing security catalogs provided as standards:

  1. NIST (SP 800-53)
  2. Common Criteria (ISO 15408)

and tried to find the controls from the above-mentioned catalogs which are provided (exactly or partially) by Activiti as security functions. The initial draft includes:

  1. User Authentication [Ref: Common Criteria (ISO 15408); p. 94, NIST (SP 800-53); p. 128]
  2. User Identification [Ref: Common Criteria (ISO 15408); p. 99, NIST (SP 800-53); p. 128]
  3. Account Management [Ref: NIST (SP 800-53); p. 77]
  4. Security Management Roles (CC)/Separation of Duties (NIST) [Ref: Common Criteria (ISO 15408); p. 116, NIST (SP 800-53); p. 82]
  5. Least Privilege [Ref: NIST (SP 800-53); p. 83]
  6. Remote Access [Ref: NIST (SP 800-53); p. 88]
  7. Roll Back [Ref: Common Criteria (ISO 15408); p. 79]
  8. Stored Data Integrity (CC)/Media Storage (NIST) [Ref: Common Criteria (ISO 15408); p. 81, NIST (SP 800-53); p. 146]
  9. Media Access [Ref: NIST (SP 800-53); p. 145]
  10. Internal TOE Transfer (CC)/Transmission Integrity (NIST) [Ref: Common Criteria (ISO 15408); p. 74, NIST (SP 800-53); p. 185]
  11. Transmission Confidentiality [Ref: NIST (SP 800-53); p. 186]

I hope it might help somebody.

Salman

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow