DAVIDE BASILE

PhD Graduate

PhD program: XXXVIII

Supervisor: Claudio Di Ciccio

Thesis title: Protocols for Confidential Computing in Business Process Monitoring

In the research domain of Business Process Management (BPM), collaborative processes, commonly found in healthcare, manufacturing, and supply chain management, involve multiple autonomous organizations that cooperate to achieve mutually shared operational objectives. The adoption of end-to-end process monitoring techniques in these contexts remains hindered by the primary requirement to protect the secrecy of sensitive execution data: the exposure of raw process records beyond organizational boundaries can lead to the disclosure of business-critical or personal information, generating privacy and compliance risks under regulations such as the General Data Protection Regulation (GDPR). As a result, most organizations avoid data sharing and monitor only their local fragments of the process. This practice, however, may lead to misleading or imprecise insights, as the resulting analytics may miss dependencies that emerge only when the process is observed as a whole. Existing secrecy-preserving strategies, while effective in reducing disclosure risks, typically rely on data transformation or anonymization mechanisms that inevitably alter the original process execution information. Although these approaches enhance data protection, applying them to case-level monitoring can compromise the accuracy of the results, as the noise they introduce into the input data may lead to the observation of non-existent process behavior. Therefore, the main research question driving this thesis is: "How can collaborative business processes be monitored by multiple independent organizations using execution data in its original form without the disclosure of sensitive information?"

To answer this question, we explore two complementary process monitoring settings: offline and online process monitoring. Offline monitoring focuses on the ex-post analysis of completed process instances whose execution history is recorded in event logs. In this case, the research challenge is to guarantee data secrecy during the offline analysis of unaltered event logs. This leads to the first sub-question: "How can the secrecy of sensitive data within original event logs be preserved while applying offline monitoring on concluded process instances?" Online process monitoring involves ongoing process executions, where process event streams should be analyzed in real time. Here, our challenge shifts toward preserving the data secrecy of the original process event streams while ensuring timely updates of the process state. This motivates the second sub-question: "How can the secrecy of sensitive data within original process event streams be preserved while monitoring process instances online?"

This thesis reports on solutions leveraging confidential computing as a means to enable secrecy-preserving process monitoring in collaborative environments. Confidential computing extends traditional data protection mechanisms by safeguarding information not only when stored or transmitted, but also while being processed. Its enabling technology, Trusted Execution Environments (TEEs), provides hardware-encrypted areas of main memory that guarantee data confidentiality and code integrity during the execution of trusted applications. We leverage this paradigm to embed in TEEs monitoring algorithms that directly process original, unaltered event data, thus avoiding the issues deriving from ex-ante approximations. By ensuring that process data remains encrypted and inaccessible outside the TEE, we unlock joint analyses for multiple organizations on shared processes without exposing their sensitive information. To this end, we introduce CONFINE and ProMTEE, namely, two confidential computing protocols providing data secrecy guarantees in offline and online monitoring settings, respectively.

In the research work on CONFINE, we tackle data secrecy issues in offline monitoring, thereby enabling independent organizations to merge and process their unaltered event logs through trusted applications running within TEEs. We demonstrate the potential of CONFINE in the field of process mining, a core research domain within the broader family of offline monitoring techniques. We evaluate our solution with a formal verification of the approach's correctness, alongside a robustness analysis against a set of security threats. In addition, we test our implementation using real-world and synthetic event logs to assess memory usage and scalability. With ProMTEE, we shift our focus toward the secrecy-related challenges arising within online process monitoring. We theorize and implement a solution involving trusted applications, named Process Vaults, which shield the runtime state of a process within the isolation layer of TEEs. ProMTEE enables the continuous transmission of event streams from their native organizational boundaries to one or more Process Vaults, which reactively update the process state. Our work supports control-flow tracking and compliance monitoring, two well-established tasks within the domain of online process monitoring. We verify the security of our solution through a threat analysis against a set of security requirements derived from a supply-chain scenario. In addition, we conduct an experimental assessment of our proof-of-concept implementation, with experiments on memory usage and responsiveness using real-world datasets.

Research products

11573/1756069 - 2026 - Secrecy Preservation for Online Process Monitoring with Trusted Execution Environment
Basile, Davide; Di Ciccio, Claudio - 04b Conference paper in proceedings volume
conference: 23rd International Conference on Business Process Management, BPM 2025 (esp)
book: Lecture Notes in Computer Science - (9783032028662; 9783032028679)

11573/1714584 - 2024 - Trusted Execution Environment for Decentralized Process Mining
Goretti, Valerio; Basile, Davide; Barbaro, Luca; Di Ciccio, Claudio - 04b Conference paper in proceedings volume
conference: CAiSE (Limassol, Cyprus)
book: Advanced Information Systems Engineering - 36th International Conference, CAiSE 2024, Limassol, Cyprus, June 3-7, 2024, Proceedings - (9783031610561; 9783031610578)

11573/1669144 - 2023 - Digitalizing Circular Economy through Blockchains: The Blockchain Circular Economy Index
Basile, Davide; D'Adamo, Idiano; Goretti, Valerio; Rosa, Paolo - 01a Journal article
paper: JOURNAL OF INDUSTRIAL AND PRODUCTION ENGINEERING ([Abingdon, Oxfordshire, U.K.] : Taylor & Francis, 2013-) pp. 1-13 - issn: 2168-1015 - wos: WOS:000925520700001 (44) - scopus: 2-s2.0-85147589524 (57)

11573/1680847 - 2023 - Blockchain based resource governance for decentralized web environments
Basile, Davide; Di Ciccio, Claudio; Goretti, Valerio; Kirrane, Sabrina - 01a Journal article
paper: FRONTIERS IN BLOCKCHAIN (: [Lausanne]: [Frontiers Media S.A.], [2018]-) pp. - - issn: 2624-7852 - wos: WOS:001000446700001 (4) - scopus: 2-s2.0-85174560797 (6)

11573/1695431 - 2023 - A Blockchain-driven Architecture for Usage Control in Solid
Basile, Davide; Di Ciccio, Claudio; Goretti, Valerio; Kirrane, Sabrina - 04b Conference paper in proceedings volume
conference: 2023 IEEE 43rd International Conference on Distributed Computing Systems Workshops (ICDCSW) (Hong Kong, China)
book: 2023 IEEE 43rd International Conference on Distributed Computing Systems Workshops (ICDCSW) - (979-8-3503-2812-7)

11573/1591881 - 2021 - Enhancing Blockchain-Based Processes with Decentralized Oracles
Basile, Davide; Goretti, Valerio; Di Ciccio, Claudio; Kirrane, Sabrina - 04b Conference paper in proceedings volume
conference: Robotic Process Automation and Blockchain Forum, RPA 2021 held as a part of 19th International Conference on Business Process Management, BPM 2021 (ita)
book: Business Process Management: Blockchain and Robotic Process Automation Forum - BPM 2021 Blockchain and RPA Forum, Rome, Italy, September 6-10, 2021, Proceedings - (978-3-030-85866-7; 978-3-030-85867-4)

© Università degli Studi di Roma "La Sapienza" - Piazzale Aldo Moro 5, 00185 Roma