BPM Security and Privacy: 17 Must do Checks for your BPM Installation (Free Download)

Submitted by Abhishek on Thu, 2012-04-05 11:24
sxc.hu

Is your BPM Installation secure enough? Are you making sure that product loopholes are not compromising security? BPM stands for control, ownership, answerability and auditability. Without proper security these could be meaningless. If you feel the list makes you nervous, find a BPM Security expert.

Read through the list and test your BPM Product. Also included are questions you should ask your IT if you are at threat.

1.  Access Control – Authentication and Authorization

Perhaps the most important aspect of BPM Security: your install should have an access control. Having just a username and passwords is merely not enough. That will only provide authentication. You need to have proper authorization procedures as well. Many systems have a dependency on LDAP Groups to control who has access to what. If a user can figure out how to get into that LDAP group, he would have access to everything. Your BPM Server should have some way to determine Super user access.

Ask these Questions to your IT:

  • How is super user access determined?
  • Will we come to know if someone gets super user access?
  • Are we dependent on 3rd party system for authentication?
  • Is our policy restrictive enough?

2.  Password Encryption

Password storage should be encrypted. This includes user passwords as well as passwords to databases, external systems. Systems which use one way Hashes like MD5 are far better than those who store plain text. And beware; often junior developers make the mistake of storing passwords in text files, sometimes even in their class files (if using java). Beware, decompiling a class and getting those passwords out is a child's play.

Ask these questions to your IT

  • What all passwords are we storing?
  • Are the passwords encrypted?
  • If we are on a distributed file system, can that server file system/database be accessed easily?
  • Do we have a code review policy for every line of code?

3.    Field level Security

Processes are often made with Fields and Data. Are you making sure that data level security is in place? It might come as a surprise to you that several BPM Products do not have field level security available. You can secure entire form but not an individual field. This means a clever hacker who can access the master object which has all data can easily determine (and change) critical fields like Price, Rate, Authorizer.

Ask these questions to your IT:

  • Do we have field level security?
  • How do we determine who should see what fields?
  • Are the developers just hiding the field on front end or they are being blocked right from the backend?
  • What data happens to be critical and confidential?

To download the full whitepaper click on the download button below

Download


Abhishek Mishra
Good experience in working with BPM technologies like Savvion, JBPM. Founder and Chief Editor of BPMGeek.com. Founder of Savvion Business Manager Mobility Framework Savmobify| View my BPMGeek Profile
|

About BPMGeek

BPMGeek is an initiative to collaborate and communicate with the growing Business process management community out there. The goal is to help developers connect with experts, ask questions, post their learning and get understanding of BPM Concepts. Often tool specific knowledge of niche areas end up developers perplexed and confused - especially when there are very less number of resources available. We will be coming up several several new features. Have a look at our Roadmap here

BPMGeek is an independent entity not associated with any Product. All BPM product professionals are invited to contribute. The Logos and Names used across the site belong to their respective owners. The viewpoints mentioned by Individual contributors are their own. BPMgeek cannot be held liable for any issues arising out of it.