A.G. Miheev, P.G. Shabalin
Embedding control points hidden from a malefactor into the bank payment process is an efficient method of increasing its security level. While a malefactor can gather rather full data about the information security measures used in a bank, for example about software and hardware protection as well as about the arrangements described in the bank's internal documents, the situation is completely different with the control points of the payment process: the bank can organize its business process and control procedures in a way that makes it practically impossible for a malefactor to gather this information.
A control point is an operational procedure that checks that the results of the current business process state conform to the information security requirements. Its main purpose is to generate messages about particular events for the event correlation system.
If the event correlation system finds a certain type of event in the event monitoring system, a notice about a security violation is generated.
An example of the control points implementation
An example of control point implementation was created with the help of hidden action handlers on the business process scheme in the RunaWFE system (a system of business process and administrative regulations management). Action handlers are specific business process elements that are shown only in the business process editor and are hidden on the schemes deployed to the system.
In this implementation the system may have several instances of one and the same application running on different nodes. In this case different action handlers are activated and different events are generated. The power of the event correlation system is defined by its ability to process a multitude of different simple events and to form one complex event that is then processed by other systems. That is why it is wise to put the event correlation system into a separate application and to deliver messages to it from the different handlers via JMS application adapters. An integration framework such as Apache Camel can be used for this purpose. Thus messages from different applications become available for processing via JMS. The framework contains several components that give the process control points a unified API and allow them not only to receive messages but also to send them.
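The correlation step described above, as an added example that is not the paper's or RunaWFE's own code: each hidden action handler emits a simple event, and a small engine folds the events of one payment into a single complex event, raising a security-violation notice when a payment reaches its final step without every expected control point having reported. The control point names, event fields and node names are assumptions chosen for the illustration.

```python
# Minimal event-correlation engine for hidden control points (constructed example).
# A simple event is a dict {process_id, control_point, node} sent by an action
# handler; the engine turns a payment's stream of them into one complex event.
from collections import defaultdict

# Control points a legitimate payment must pass (assumed names, not RunaWFE's).
EXPECTED_CONTROL_POINTS = {"cp_limit_check", "cp_dual_approval"}
FINAL_EVENT = "payment_sent"  # assumed name of the last step of the process


class ControlPointCorrelator:
    def __init__(self, expected=EXPECTED_CONTROL_POINTS, final_event=FINAL_EVENT):
        self.expected = set(expected)
        self.final_event = final_event
        self.seen = defaultdict(set)  # process_id -> control points reported so far

    def consume(self, event):
        """Process one simple event; return a complex event or None."""
        pid, name = event["process_id"], event["control_point"]
        if name != self.final_event:
            self.seen[pid].add(name)  # remember which hidden handlers fired
            return None
        # Final step reached: any expected control point that never reported
        # means the payment skipped a part of the process it cannot see.
        missing = self.expected - self.seen.pop(pid, set())
        if missing:
            return {"type": "security_violation", "process_id": pid,
                    "missing_control_points": sorted(missing), "node": event["node"]}
        return {"type": "payment_verified", "process_id": pid}


def correlate(events):
    """Run a stream of simple events through the engine, returning complex events."""
    engine, out = ControlPointCorrelator(), []
    for ev in events:
        result = engine.consume(ev)
        if result:
            out.append(result)
    return out


# Constructed sample stream from two nodes: payment 42 passes every hidden
# control point, payment 43 reaches the final step without dual approval.
SAMPLE_EVENTS = [
    {"process_id": 42, "control_point": "cp_limit_check", "node": "node-1"},
    {"process_id": 43, "control_point": "cp_limit_check", "node": "node-2"},
    {"process_id": 42, "control_point": "cp_dual_approval", "node": "node-2"},
    {"process_id": 42, "control_point": "payment_sent", "node": "node-1"},
    {"process_id": 43, "control_point": "payment_sent", "node": "node-2"},
]

if __name__ == "__main__":
    for complex_event in correlate(SAMPLE_EVENTS):
        print(complex_event)
```

In a deployment the engine would sit behind a JMS consumer (for instance a Camel route) rather than reading an in-memory list, and the violation event would be handed on to the security monitoring system.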
RunaWFE is a system of business process and administrative regulations management. The system is platform independent and is an open source freeware product. All materials on the system can be found and downloaded from: http://sourceforge.net/projects/runawfe.
A demo example of integration with Apache Camel, Esper and ActiveMQ can be acquired from http://camel.apache.org/esper.html (ed.).