IBM on Wednesday introduced a set of tools that will help companies automatically set and manage privacy policies that govern access to sensitive data stored in corporate applications and databases.
IBM's new XML-based programming language called Enterprise Privacy Authorization Language (EPAL) allows developers to build policy enforcement directly into enterprise applications. The move is another in a series by IBM to create a suite of tools and software to support identity management, a broad initiative that relies on user identity to control access and secure systems.
EPAL allows companies to translate clearly stated privacy policies into a language a machine can read and act upon.
"You may have a policy that says your primary care physician can look at some private patient data, but only in specific situations," says Arvind Krishna, vice president of security products for IBM. "We don’t know how to do that with technology, we need a common language. With EPAL, you can go from an English language description of a policy to an XML-based representation of that policy."
Krishna says the key is that privacy is based on the purpose for accessing the information and not just on the identity of the person seeking access.
EPAL builds on current privacy specifications, namely the Platform for Privacy Preferences (P3P), which provides privacy controls for information passed between business applications and consumers with browsers. EPAL lets companies use those privacy controls internally with their corporate users.
The language will be part of an infrastructure that will include monitors that are built into the interface of corporate applications and databases and enforce the policies. IBM will use its Tivoli Privacy Manager as a hub that the monitors plug into to check policies. The Privacy Manager will store policies, as well as log and audit access to data as a means to document policy enforcement.
"EPAL can express issues of time, data, what application is being accessed and from where and what role the person accessing the information is in," says Fred Cohen, an analyst with the Burton Group. "It means you can express more interesting things. You could express HIPAA rules, although that would be complex."
A group of North Carolina State University students working in conjunction with IBM has developed the Privacy Authoring Editor, an open source project available on SourceForge.net that is used to author and edit privacy policies using EPAL.
IBM also has posted two tools on its alphaWorks Web site that help companies link existing applications to Tivoli Privacy Manager and other privacy management software.
The Reference Monitor for Tivoli Privacy Manager and the Declarative Privacy Monitoring for Tivoli Privacy Manager allow companies to build privacy into applications without having to hard-code privacy features into each application. For example, Declarative Privacy Monitoring could be used to add privacy to a Java-based Web application without having to modify the Java code.
IBM plans to submit its EPAL language to a standards body within the next few months, possibly the Organization for the Advancement of Structured Information Standards or the World Wide Web Consortium.
IBM is testing the software with 25 of its largest customers, including eBay, Fidelity Investments and Marriott International.