Traceability and confidentiality of business data exchange and treatment with access control for process execution
MARANGONE, EDOARDO
2025
Abstract
The premise of Business Process Management (BPM) is that every product on the market is the result of a sequence of activities; organizing and understanding those activities is the purpose of business processes. Blockchain technology facilitates the execution of business processes among multiple parties, and in these scenarios there is a need for secure, auditable, and automated solutions to manage such processes. While public blockchains guarantee traceability, immutability, and non-repudiation, they expose all sensitive business data. This thesis investigates the confidentiality issues of public blockchains and proposes solutions that enable secure, privacy-preserving interactions among untrusted entities. Integrating blockchain technology into BPM systems addresses the problem of enforcing global process logic without a central authority. However, because public blockchains are involved, the data is exposed, which is not acceptable in several domains (e.g., healthcare, logistics, and finance). We present the contributions developed throughout this research to mitigate this limitation. First, we introduce Control Access via Key Encryption (CAKE), a framework that combines Attribute-Based Encryption (ABE), the InterPlanetary File System (IPFS), and smart contracts to enforce fine-grained access control over data artifacts shared in blockchain-backed workflows. CAKE ensures that only authorized parties can decrypt specific slices of data, while the system maintains auditability and integrity guarantees via cryptographic hashing and notarization. Starting from CAKE, we developed the Multi-Authority Approach to Transaction System for Interoperating Applications (MARTSIA), a fully decentralized approach that leverages Multi-Authority Attribute-Based Encryption (MA-ABE) to eliminate trusted entities. MARTSIA provides decentralized key management and demonstrates interoperability with multiple blockchain platforms and tools. We provide formal security analyses and evaluate its cost and performance through two proof-of-concept implementations. Our third contribution, Blockchain-Linked Network for Credit Guarantee Institutions (BLINK), focuses on applying blockchain to the domain of Credit Guarantee Institutions (CGIs). Despite the operational and regulatory importance of CGIs, their internal processes lack transparency and efficiency. We investigate how blockchain technology can be applied to CGIs while complying with the principles set by the World Bank, and we present two architectural variants (BLINKprivate and BLINKpublic) to explore the trade-offs between confidentiality and auditability. Next, we propose CONFidentiality EnforcemenT TransparencY (CONFETTY), an architecture that enables transparent process execution and verifiable public state updates while preserving the confidentiality of the exchanged data. CONFETTY integrates MA-ABE for attribute-based access control and implements business process control-flow and data-flow logic in smart contracts. We validate its security guarantees through a threat model and evaluate its performance on real-world process scenarios. The last work we present is Secure Platform for Automated decision Rules via Trusted Applications (SPARTA), a novel approach for enabling automated decision-making support over confidential data in multi-party business environments.

File: Tesi_dottorato_Marangone.pdf (open access, 6.35 MB, Adobe PDF)
Documents in UNITESI are protected by copyright and all rights are reserved, unless otherwise indicated.
https://hdl.handle.net/20.500.14242/295312
URN:NBN:IT:UNIROMA1-295312