RealTime IT News

IBM Debuts Privacy Language for ID Management

With concerns about identity management apparently popping up at every turn in the IT industry, IBM Wednesday unveiled a purpose-based data authorization language to help businesses automate privacy policies across applications and systems.

Called Enterprise Privacy Authorization Language, EPAL is intended to cover ground that another major privacy protocol, Platform for Privacy Preferences (P3P), fails to address. While P3P communicates privacy policies from business applications to consumer applications, EPAL provides an XML language that allows organizations to enforce P3P policies among applications and databases.

In one scenario, IBM said EPAL lets developers express a natural language statement such as "Members of the physician group can read protected health information for the purpose of medical treatment, only if the physician is the primary care physician and the patient or the patient's family is notified in advance" in a language that applications and privacy management tools can understand.

Unveiled at the Burton Catalyst Conference in San Francisco and in Zurich at an IBM Privacy Technology Summit, EPAL is also an articulation of IBM's enterprise privacy management software, IBM Tivoli Privacy Manager.

Steve Adler, marketing manager of IBM's Tivoli security software, said that EPAL essentially ties privacy policy to the back-end infrastructure, with P3P shoring up the front end in complementary fashion. With Tivoli Privacy Manager, EPAL translates data into P3P and publishes that to a server; the manager sits like a hub and publishes the policy to a monitor, which sits next to a database, intercepts calls, accesses data types and determines if a user is allowed to access certain data.

"We see EPAL as the next logical evolution," Adler told internetnews.com. "Whereas companies have people checking to make sure data is handled logically and manually coding to set up user-based policies, EPAL automates those functions in the back-end so humans don't have to handle such complex divisions, which can be as much as terabytes of data."

EPAL can also save companies money. Adler said in typical organizations, there is employee training on legal policies and procedures, database scrubbing and network infrastructure planning all hinging on privacy policies on IT networks.

"Personal information is the lifeblood of a company," Adler said. "With more and more privacy regulations springing up around the world, it is more complex and difficult to know what the right permission to grant is all of the time. This language is a standard way to offer access to info on data purpose, what data types, what levels of permissions."

Adler said the first tool based on EPAL was created by a team of students at North Carolina State University. The Privacy Authoring Editor acts like a wizard, helping companies author and edit privacy policies with EPAL while allowing the expression of richer and more complex privacy rules than current standards allow.

After it was scripted, IBM brought it before the IBM Privacy Management Advisory Council, which is made up of such giants as eBay and the U.S. Department of Commerce. Members debated the merit of EPAL and concluded it was a solid language. IBM also took it before the World Wide Web Consortium (W3C) during a conference on P3P last year.

With such approval, Adler said IBM will next bring it before W3C or OASIS for consideration to begin the standards approval process that would make EPAL fully legitimate in the eyes of the IT public. A draft of EPAL may be read here.

EPAL also has roots stretching back a few years, and may originally be traced to when IBM developed its Enterprise Privacy Architecture in November 2001.

In related news, IBM said new tools to automate privacy management are available free on its alphaWorks Web site. Using the Reference Monitor for Tivoli Privacy Manager sample code, a developer making financial applications can build a Tivoli application monitor that will help protect personal financial data contained in the application.

A firm can then use Tivoli to deploy the policy to the application, record privacy preferences of individuals, enforce access to the sensitive data according to the policy and generate audit trails of who has accessed the data.
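To make concrete what a purpose-based authorization rule like the physician example above looks like once it is machine-readable, and how a reference monitor of the kind described in the last two paragraphs enforces it and keeps an audit trail, here is an added illustration. It is not IBM's EPAL code, does not use EPAL's XML syntax, and is not taken from Tivoli Privacy Manager or the alphaWorks sample; the vocabulary (`physician`, `protected_health_info`, `medical_treatment`), the first-applicable-rule semantics and the default-deny ruling are all assumptions made for the example.

```python
"""Purpose-based data authorization, illustrated (added example, not IBM's EPAL).

A request names who is asking (user category), what they want to do (action),
on which kind of data (data category) and for what purpose. A rule matches
those four elements, may add a condition on request context, and yields a
ruling (allow/deny) plus obligations the application must honour. The monitor
evaluates rules in order (first applicable rule wins, an assumption here),
falls back to deny, and records every decision in an audit trail.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional

ANY = "*"  # wildcard: the rule element applies to every value


@dataclass
class Request:
    user_category: str
    action: str
    data_category: str
    purpose: str
    context: dict = field(default_factory=dict)  # facts a condition may inspect


@dataclass
class Rule:
    user_category: str
    action: str
    data_category: str
    purpose: str
    ruling: str  # "allow" or "deny"
    condition: Callable[[dict], bool] = lambda ctx: True
    obligations: list = field(default_factory=list)

    def applies_to(self, req: Request) -> bool:
        """True when all four elements match and the condition holds."""
        pairs = (
            (self.user_category, req.user_category),
            (self.action, req.action),
            (self.data_category, req.data_category),
            (self.purpose, req.purpose),
        )
        if any(want != ANY and want != got for want, got in pairs):
            return False
        return bool(self.condition(req.context))


@dataclass
class Decision:
    ruling: str
    obligations: list
    rule_index: Optional[int]  # None when the default ruling was used


class PurposeMonitor:
    """Minimal reference monitor: evaluate a request and log the outcome."""

    def __init__(self, rules, default_ruling: str = "deny"):
        self.rules = list(rules)
        self.default_ruling = default_ruling
        self.audit_trail: list = []

    def evaluate(self, req: Request) -> Decision:
        decision = Decision(self.default_ruling, [], None)
        for i, rule in enumerate(self.rules):
            if rule.applies_to(req):
                decision = Decision(rule.ruling, list(rule.obligations), i)
                break
        # Audit trail: who accessed what, for which purpose, and the ruling.
        self.audit_trail.append({
            "user_category": req.user_category,
            "action": req.action,
            "data_category": req.data_category,
            "purpose": req.purpose,
            "ruling": decision.ruling,
            "rule_index": decision.rule_index,
        })
        return decision


# Constructed policy. Rule 0 encodes the article's natural-language statement:
# physicians may read protected health information for medical treatment only
# if they are the primary care physician and the patient or family was notified
# in advance. Rule 1 denies use of that data for marketing by anyone.
RULES = [
    Rule("physician", "read", "protected_health_info", "medical_treatment", "allow",
         condition=lambda ctx: ctx.get("is_primary_care_physician", False)
         and ctx.get("patient_or_family_notified_in_advance", False),
         obligations=["record the access in the patient's disclosure log"]),
    Rule(ANY, ANY, "protected_health_info", "marketing", "deny"),
]


def run_demo() -> PurposeMonitor:
    """Evaluate three constructed requests and return the monitor with its trail."""
    monitor = PurposeMonitor(RULES)
    monitor.evaluate(Request("physician", "read", "protected_health_info", "medical_treatment",
                             {"is_primary_care_physician": True,
                              "patient_or_family_notified_in_advance": True}))
    monitor.evaluate(Request("physician", "read", "protected_health_info", "medical_treatment",
                             {"is_primary_care_physician": False,
                              "patient_or_family_notified_in_advance": True}))
    monitor.evaluate(Request("physician", "read", "protected_health_info", "marketing"))
    return monitor


if __name__ == "__main__":
    for entry in run_demo().audit_trail:
        print(entry)
```

The second request is the instructive one: the physician, action, data category and purpose all match rule 0, but the condition fails, so the rule is not applicable and the monitor falls through to the default deny rather than granting access; the third shows an explicit deny by purpose even though the user category is identical to the allowed case.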