Business process discovery as a service with event log privacy and access control over discovered models

The information systems supporting business processes of organizations generate and collect a large number of records in event logs that are exploitable in process mining tasks (discovery, conformance and enhancement). Under a Big Data scenario, Process Mining as a Service (PMaaS) can be attractive for organizations to outsource the storage of event logs and the processing resources for process mining tasks to the cloud in the presence of large event logs. However, the Cloud Service Provider (CSP) may be honest but curious, thus posing security and privacy risks when event log data are sensitive or subject to data privacy laws and regulations. In this work, a cryptography-based method is presented that preserves the privacy of event log data outsourced to an untrusted CSP, which executes the process discovery task, the most common task in process mining. The method conveniently encrypts the event log on the data owner's side to enable the CSP to apply access control over the discovered models (encrypted) through proxy re-encryption. The proposed method is implemented as a software tool and validated and evaluated in terms of performance, scalability, and data utility using real medical (sensitive) data logs under recommended security levels. The results demonstrate the feasibility of the proposed approach to support Process Discovery as a Service (PDaaS), which enables privacy preservation and access control.