Current regulatory requirements such as Sarbanes-Oxley, HIPAA, and the European Union Directive on
Data Privacy make it increasingly important for enterprises to be able to verify and audit their compliance
with privacy policies.
Two platform-independent languages that support directly-enforceable policies including "purposes" are
IBM's Enterprise Privacy Authorization Language (EPAL) and the OASIS eXtensible Access Control
Markup Language (XACML). This document gives a brief overview of directly-enforceable policy languages,
and then compares EPAL and XACML to show where the two languages differ. The differences
are used to compare the strengths and weaknesses of each language for expressing privacy policies
and for authorization or access control policies.
The main findings of this analysis are:
- With two exceptions, EPAL 1.2 supports a small subset of the functionality offered by XACML 2.0. The
two exceptions, a built-in policy "vocabulary" mechanism and "categories", could be supported in
XACML 2.0 without changes to the language. Their implementation in EPAL 1.2 is problematic.
- EPAL 1.2 lacks significant features required for complex enterprise policies, both for privacy and for
access control in general. It adds no privacy-specific functionality not already supported by XACML 2.0.
- XACML 2.0 is an approved OASIS Standard with an OASIS Standard profile for privacy policies. If
EPAL were considered as an additional standard, it would be detrimental to industry functionality and
interoperability.
This document examines in detail the differences between the two languages that support
these findings.