Research Challenges in Enterprise Privacy Authorization Language

1
Research Challenges in Enterprise Privacy
Authorization Language

• Ninghui Li
• Department of Computer Science
• and CERIAS
• Purdue University

2
Outline

• Enforcement
• Consistency
• Expressive power
• Usability

3
Enforcement

• Objective an EPAL Policy needs to be enforced
  when data are accessed.
• Challenge it is inefficient to have each
  data-base access to call an EPAL policy engine.
• Research problem how to translate an EPAL policy
  into policy configurations in lower-level access
  control mechanism
• e.g., into Virtual Private Database policies

4
Consistency

• Objective needs to ensure that an EPAL policy is
  sufficient to enforce a higher-level privacy
  policy (e.g., in P3P) promised to customers
• Challenge lacks a sufficiently expressive
  higher-level formal language for expressing
  privacy policies
• Research problem to come up with such a language
  such that consistency can be checked
  automatically

5
Expressive power

• Objective needs to ensure that one can express
  desirable policies in an Enterprise Privacy
  Authorization Language
• Challenge how to deal with dynamic enterprise
  environments
• how to control who can change which parts of a
  policy and how
• Research problem to come up with administration
  models for enterprise privacy management

6
Usability

• Problem needs to ensure that policies can be
  authored correctly and conveniently
• Challenge policy understanding and policy
  composition are made difficult by the use of both
  allow and deny with ordered conflict resolution
• Research problem to measure/improve usability

7
Summary

• Many challenges remain in the area of Enterprise
  Privacy Authorization Language
• enforcement
• consistency
• expressive power
• usability
• Further research is needed