1. Research Challenges in Enterprise Privacy Authorization Language
Ninghui Li
Department of Computer Science
and CERIAS
Purdue University
This is ongoing work.

2. Outline Enforcement Consistency Expressive power Usability
March 22, 2004 2

3. Enforcement
Objective: an EPAL Policy needs to be enforced when data are accessed.
Challenge: it is inefficient to have each data-base access to call an EPAL policy engine.
Research problem: how to translate an EPAL policy into policy configurations in lower-level access control mechanism
e.g., into Virtual Private Database policies
March 22, 2004 3

4. Consistency
Objective: needs to ensure that an EPAL policy is sufficient to enforce a higher-level privacy policy (e.g., in P3P) promised to customers
Challenge: lacks a sufficiently expressive higher-level formal language for expressing privacy policies
Research problem: to come up with such a language such that consistency can be checked automatically
March 22, 2004 4

5. Expressive power
Objective: needs to ensure that one can express desirable policies in an Enterprise Privacy Authorization Language
Challenge: how to deal with dynamic enterprise environments
how to control who can change which parts of a policy and how
Research problem: to come up with administration models for enterprise privacy management
March 22, 2004 5

6. Usability
Problem: needs to ensure that policies can be authored correctly and conveniently
Challenge: policy understanding and policy composition are made difficult by the use of both allow and deny with ordered conflict resolution
Research problem: to measure/improve usability
March 22, 2004 6

7. Summary
Many challenges remain in the area of Enterprise Privacy Authorization Language
enforcement
consistency
expressive power
usability
Further research is needed
March 22, 2004 7