Abstract
It is common practice for enterprises and other organisations to ask people to disclose their personal data in order to grant them access to services and engage in transactions. This practice is not going to disappear, at least in the foreseeable future. Most enterprises need personal information to run their businesses and provide the required services, and many of them have turned to identity management solutions to do this in an efficient and automated way. Privacy laws dictate how enterprises should handle personal data in a privacy-compliant way: this requires dealing with privacy rights, permissions and obligations, and it involves both operational and compliance aspects. Currently much of this is done by means of manual processes, which makes these laws difficult and expensive to comply with. A key requirement for enterprises is being able to leverage their investments in identity management solutions. This paper focuses on how to automate the enforcement of privacy within enterprises in a systemic way, in particular privacy-aware access to personal data and enforcement of privacy obligations: this is still open to innovation. We introduce our work in these areas: core concepts are described along with our policy enforcement models and related technologies. Two prototypes have been built as a proof of concept and integrated with state-of-the-art (commercial) identity management solutions to demonstrate the feasibility of our work. We provide technical details and discuss open issues and our next steps.
Copyright information
© 2006 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Mont, M.C., Thyne, R. (2006). A Systemic Approach to Automate Privacy Policy Enforcement in Enterprises. In: Danezis, G., Golle, P. (eds) Privacy Enhancing Technologies. PET 2006. Lecture Notes in Computer Science, vol 4258. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11957454_7
DOI: https://doi.org/10.1007/11957454_7
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-68790-0
Online ISBN: 978-3-540-68793-1
eBook Packages: Computer Science (R0)