Skip to main content
SpringerLink
Log in

A Systemic Approach to Automate Privacy Policy Enforcement in Enterprises

  • Conference paper
Privacy Enhancing Technologies (PET 2006)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 4258))

Included in the following conference series:

Abstract

It is common practice for enterprises and other organisations to ask people to disclose their personal data in order to grant them access to services and engage in transactions. This practice is not going to disappear, at least in the foreseeable future. Most enterprises need personal information to run their businesses and provide the required services, many of whom have turned to identity management solutions to do this in an efficient and automated way. Privacy laws dictate how enterprises should handle personal data in a privacy compliant way: this requires dealing with privacy rights, permissions and obligations. It involves operational and compliance aspects. Currently much is done by means of manual processes, which make them difficult and expensive to comply with. A key requirement for enterprises is being able to leverage their investments in identity management solutions. This paper focuses on how to automate the enforcement of privacy within enterprises in a systemic way, in particular privacy-aware access to personal data and enforcement of privacy obligations: this is still open to innovation. We introduce our work in these areas: core concepts are described along with our policy enforcement models and related technologies. Two prototypes have been built as a proof of concept and integrated with state-of-the-art (commercial) identity management solutions to demonstrate the feasibility of our work. We provide technical details, discuss open issues and our next steps.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Laurant, C.: Privacy International: Privacy and Human Rights 2003: an International Survey of Privacy Laws and Developments, Electronic Privacy Information Center (EPIC), Privacy International (2003), http://www.privacyinternational.org/survey/phr2003/

  2. Online Privacy Alliance: Guidelines for Online Privacy Policies, Online Privacy Alliance (2004), http://www.privacyalliance.org/

  3. OECD: OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980), http://www1.oecd.org/publications/e-book/9302011E.PDF

  4. Karjoth, G., Schunter, M.: A Privacy Policy Model for Enterprises, IBM Research, Zurich. In: 15th IEEE Computer Foundations Workshop (2002)

    Google Scholar 

  5. Karjoth, G., Schunter, M., Waidner, M.: Platform for Enterprise Privacy Practices: Privacy-enabled Management of Customer Data. In: 2nd Workshop on Privacy Enhancing Technologies. LNCS, Springer, Heidelberg (2002)

    Google Scholar 

  6. Schunter, M., Ashley, P.: The Platform for Enterprise Privacy Practices. IBM Zurich Research Laboratory (2002)

    Google Scholar 

  7. Karjoth, G., Schunter, M., Waidner, M.: Privacy-enabled Services for Enterprises. IBM Zurich Research Laboratory, TrustBus (2002)

    Google Scholar 

  8. IBM: The Enterprise Privacy Authorization Language (EPAL), EPAL 1.1 specification, IBM (2004), http://www.zurich.ibm.com/security/enterprise-privacy/epal/

  9. Agrawal, R., Kiernan, J., Srikant, R., Xu, Y.: Hippocratic Databases. IBM Almaden Research Center (2002), http://www.almaden.ibm.com/cs/people/srikant/papers/vldb02.pdf

  10. IBM Tivoli Privacy Manager: Privacy manager main web page (2005), http://www-306.ibm.com/software/tivoli/products/privacy-mgr-e-bus/

  11. IBM Tivoli Privacy Manager: online technical documentation (2005), http://publib.boulder.ibm.com/tividd/td/PrivacyManagerfore-business1.1.html

  12. HP: HP Select Federation - Product and Solution Overview (2005), http://www.managementsoftware.hp.com/products/slctfed/

  13. ePok: identity management solution - Trusted Data Exchange Server (2005), http://www.epokinc.com/

  14. HP: HP OpenView SelectAccess - Overview and Features (2005), http://www.openview.hp.com/products/select

  15. IBM: IBM Tivoli Storage Manager for Data Retention (2004)

    Google Scholar 

  16. Bettini, C., Jajodia, S., Sean Wang, X., Wijesekera, D.: Obligation Monitoring in Policy Management (2002)

    Google Scholar 

  17. Damianou, N., Dulay, N., Lupu, E., Sloman, M.: The Ponder Policy Specification Language (2001)

    Google Scholar 

  18. Casassa Mont, M., Pearson, S., Bramhall, P.: Towards Accountable Management of Privacy and Identity Information. In: Snekkenes, E., Gollmann, D. (eds.) ESORICS 2003. LNCS, vol. 2808, Springer, Heidelberg (2003)

    Google Scholar 

  19. Casassa Mont, M., Thyne, R., Bramhall, P.: Privacy Enforcement with HP Select Access for Regulatory Compliance, HPL-2005-10 (2005)

    Google Scholar 

  20. Casassa Mont, M.: Dealing with Privacy Obligations: Important Aspects and Technical Approaches, TrustBus 2004 (2004)

    Google Scholar 

  21. Casassa Mont, M.: Dealing with Privacy Obligations in Enterprises. In: ISSE 2004 (2004)

    Google Scholar 

  22. PRIME: Privacy and Identity Management for Europe, European RTD Integrated Project under the FP6/IST Programme (2006), http://www.prime-project.eu/

  23. HP: HP OpenView Select Identity – Overview and Features (2005), http://www.openview.hp.com/products/slctid/index.html

  24. Hilty, M., Basin, D., Pretschner, A.: On Obligations. In: de Capitani di Vimercati, S., Syverson, P.F., Gollmann, D. (eds.) ESORICS 2005. LNCS, vol. 3679, Springer, Heidelberg (2005)

    Chapter  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Hewlett-Packard Laboratories, Trusted Systems Lab, Bristol, United Kingdom

    Marco Casassa Mont

  2. Hewlett-Packard, Software Business Organisation, Toronto, Canada

    Robert Thyne

Authors
  1. Marco Casassa Mont
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Robert Thyne
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Microsoft Research, Cambridge, UK

    George Danezis

  2. Palo Alto Research Center, 3333 Coyote Hill Rd, 94304, Palo Alto, CA, USA

    Philippe Golle

Rights and permissions

Reprints and permissions

Copyright information

© 2006 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Mont, M.C., Thyne, R. (2006). A Systemic Approach to Automate Privacy Policy Enforcement in Enterprises. In: Danezis, G., Golle, P. (eds) Privacy Enhancing Technologies. PET 2006. Lecture Notes in Computer Science, vol 4258. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11957454_7

Download citation

  • DOI: https://doi.org/10.1007/11957454_7

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-68790-0

  • Online ISBN: 978-3-540-68793-1

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation