Research Challenges in Enterprise Privacy Authorization Language

1. Research Challenges in Enterprise Privacy Authorization Language Ninghui Li Department of Computer Science and CERIAS Purdue University

2. Outline • Enforcement • Consistency • Expressive power • Usability 2

3. Enforcement • Objective: an EPAL Policy needs to be enforced when data are accessed. • Challenge: it is inefficient to have each data-base access to call an EPAL policy engine. • Research problem: how to translate an EPAL policy into policy configurations in lower-level access control mechanism • e.g., into Virtual Private Database policies 3

4. Consistency • Objective: needs to ensure that an EPAL policy is sufficient to enforce a higher-level privacy policy (e.g., in P3P) promised to customers • Challenge: lacks a sufficiently expressive higher-level formal language for expressing privacy policies • Research problem: to come up with such a language such that consistency can be checked automatically 4

5. Expressive power • Objective: needs to ensure that one can express desirable policies in an Enterprise Privacy Authorization Language • Challenge: how to deal with dynamic enterprise environments • how to control who can change which parts of a policy and how • Research problem: to come up with administration models for enterprise privacy management 5

6. Usability • Problem: needs to ensure that policies can be authored correctly and conveniently • Challenge: policy understanding and policy composition are made difficult by the use of both allow and deny with ordered conflict resolution • Research problem: to measure/improve usability 6

7. Summary • Many challenges remain in the area of Enterprise Privacy Authorization Language • enforcement • consistency • expressive power • usability • Further research is needed 7