Article Preview
Top1. Introduction
As defined by the World Wide Web Consortium (W3C1), a Web Service is a software system designed to support interoperable machine-to-machine interaction over a network. In a more practical way, Web services are a standardized way of integrating Web-based applications over the Internet using open protocols that allow them to be advertised, located and composed. Precisely, composing sets of Web services to build more complex services is the raison d'être of this technology, making it a usual choice when designing and deploying Service Oriented Architectures (SOA) and Cloud Computing solutions. Composing different Web services to perform a complex sequence of activities is a natural way of modeling a business process in which different operations, with certain inputs and outputs must be executed following a specific sequence. The use of this approach for implementing business processes has received significant attention in both the scientific community and the industry.
Generally, researchers classify the techniques for Web service composition into two main classes: service choreography and service orchestration.
The choreographed scenario is based on a fully decentralized model in which Web services organize themselves in a dynamic way; in the orchestrated approach, there is a central entity, named broker, which manages the sequence of Web services that have to be executed and distributes the required inputs among them (Carminati et al., 2015). Both approaches have advantages and shortcomings: the distributed design of the service choreography is a significant asset against the availability and resiliency problems that orchestration based methods are prone to suffer due to their centralized nature; on the other hand, the lack of a broker that organizes the sequence of activities to be performed, forces choreographed proposals to assume that all the Web services to be involved in a certain execution know the existence and the interfaces of the others. This assumption is quite unrealistic in scenarios in which Web services are expected to be hosted by external entities and to be ideally applied to a wide range of different applications requested by a wide range of different users.
The scenario considered in this paper is based on offering a Cloud-based solution in which a user (ideally, a business) wishes to outsource the execution of a certain complex service; asks the broker of the system to organize the requested computation; and pays the corresponding charges. The broker will organize the distributed execution of the service among the different Web services hosted by a set of independent Service Providers that may receive some economical compensation too.
Due to the fact that the brokered service orchestration is the best suited approach to deal with the envisaged scenario, the rest of the paper will focus on it.
A main shortcoming which is inherent to brokered systems is the fact that the system's broker receives and learns all the input data needed to perform the requested complex service. This behavior may represent a serious privacy problem depending on the nature of the business process to be executed, more specifically, applications focusing on healthcare or e-commerce may involve very sensitive information from the individuals and should receive special attention.
In general, previous proposals for the service orchestration model deal with privacy issues simply considering the broker as a fully-trusted entity that follows a defined protocol and respects the privacy of the users by applying some basic privacy rules or policies that try to assure individuals that their data will be handled in a trustworthy manner (Xu et al., 2006; Tbahriti et al., 2011; Nyre et al., 2011). On the one hand, assuming that brokers are fully-trusted is such a strong assumption which may be considered unrealistic. On the other hand, one of the challenges of this environment is providing the users a framework for defining and enforcing fine-grained privacy policies that allow them to model and specify privacy preferences and requirements that could be enforced at the broker side but also at the service providers’ side.