IBM Debuts Privacy Language for ID Management

With concerns about identity management apparently popping up at every turn in the IT industry, IBM Wednesday unveiled a purpose-based data authorization language to help businesses automate privacy policies across applications and systems.


Called Enterprise Privacy Authorization Language, EPAL is intended to cover ground that another major privacy protocol, Platform for Privacy Preferences (P3P), fails to address. While P3P
communicates privacy policies from business applications to consumer
applications, EPAL provides an XML language that allows organizations to
enforce P3P policies among applications and databases.


In one scenario, IBM said EPAL lets developers express a natural language
statement such as “Members of the physician group can read protected health
information for the purpose of medical treatment, only if the physician is
the primary care physician and the patient or the patient’s family is
notified in advance” in a language that applications and privacy management
tools can understand.
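The physician rule above can be modelled as a purpose-based authorization check. This is an added Python sketch, not EPAL's XML syntax and not IBM or Tivoli code; the class names, category strings and context keys are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable

@dataclass(frozen=True)
class Rule:
    user_category: str
    action: str
    data_category: str
    purpose: str
    condition: Callable[[dict], bool]  # evaluated against request context
    obligations: tuple = ()            # duties the caller must discharge

@dataclass(frozen=True)
class Request:
    user_category: str
    action: str
    data_category: str
    purpose: str
    context: dict = field(default_factory=dict)

def is_primary_care(ctx: dict) -> bool:
    # Missing identifiers must fail closed, so None never equals None here.
    pid = ctx.get("physician_id")
    return pid is not None and pid == ctx.get("primary_care_physician_id")

# The physician rule quoted in the article, as constructed sample policy data.
POLICY = [
    Rule("physician", "read", "protected-health-information",
         "medical-treatment", is_primary_care,
         ("notify-patient-or-family-in-advance",)),
]

def authorize(policy, req):
    """Return (ruling, obligations); anything not explicitly allowed is denied."""
    for rule in policy:
        same_scope = (rule.user_category, rule.action, rule.data_category,
                      rule.purpose) == (req.user_category, req.action,
                                        req.data_category, req.purpose)
        if same_scope and rule.condition(req.context):
            return "allow", rule.obligations
    return "deny", ()

def enforce(policy, req, discharge: Callable[[str], bool], audit: list) -> bool:
    """Release data only if allowed and every obligation was discharged."""
    ruling, obligations = authorize(policy, req)
    granted = ruling == "allow" and all(discharge(o) for o in obligations)
    audit.append((req.user_category, req.action, req.data_category,
                  req.purpose, "granted" if granted else "refused"))
    return granted
```

The same physician reading the same record for a different purpose is denied, and an allowed request is still refused if the notification obligation cannot be discharged.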


Unveiled at the Burton Catalyst Conference in San Francisco and in Zurich at
an IBM Privacy Technology Summit, EPAL is also an articulation of IBM’s
enterprise privacy management software, IBM Tivoli Privacy Manager.


Steve Adler, marketing manager of IBM’s Tivoli security software, said that
EPAL essentially ties privacy policy to the back-end infrastructure, with
P3P shoring up the front in complementary fashion. With Tivoli Privacy
Manager, EPAL translates data into P3P, publishes that to a server, sits
like a hub, publishes data to a monitor, sits next to a database, intercepts
calls, accesses data types and determines if a user is allowed to access
certain data.


“We see EPAL as the next logical evolution,” Adler told
internetnews.com. “Whereas companies have people checking to make
sure data is handled logically and manually coding to set up user-based
policies, EPAL automates those functions in the back-end so humans don’t
have to handle such complex divisions, which can be as much as terabytes of
data.”


EPAL can also save companies money. Adler said in typical organizations,
there is employee training on legal policies and procedures, database
scrubbing and network infrastructure planning all hinging on privacy
policies on IT networks.


“Personal information is the lifeblood of a company,” Adler said. “With more
and more privacy regulations springing up around the world, it is more
complex and difficult to know what the right permission to grant is all of
the time. This language is a standard way to offer access to info on data
purpose, what data types, what levels of permissions.”


Adler said the first tool based on EPAL was created by a team of students at
North Carolina State University. The Privacy Authoring Editor acts like a
wizard, helping companies author and edit privacy policies with EPAL while
enabling the expression of richer and more complex privacy rules than current
standards allow.


After it was scripted, IBM brought it before the IBM Privacy Management
Advisory Council, which is made up of such giants as eBay and the U.S.
Department of Commerce. Members debated the merit of EPAL and realized
it was a solid language. IBM also took it before the World Wide Web
Consortium (W3C) during a conference on P3P last year.


With such approval, Adler said IBM will next bring it before W3C or OASIS
for consideration to begin the standards approval process that would make
EPAL fully legitimate in the eyes of the IT public. A draft of EPAL may be
read here.


EPAL also has roots stretching back a few years, and may originally be
traced to when IBM developed its Enterprise Privacy Architecture in
November 2001.


In related news, IBM said new tools to automate privacy management are
available free on its alphaWorks Web site. Using the Reference Monitor for
Tivoli Privacy Manager sample code, a developer making financial
applications can build a Tivoli application monitor that will help protect
personal financial data contained in the application.


A firm can then use Tivoli to deploy the policy to the application, record
privacy preferences of individuals, enforce access to the sensitive data
according to the policy and generate audit trails of who has accessed the
data.
