Privacy Enforcement with HP Select Access for Regulatory Compliance

Regulatory compliance is a hot topic for enterprises. The increasing number of laws, including SOX, GLB, HIPAA and various governmental directives on data protection require enterprises to put in place complex processes to comply with related policies. Among other things, this involves the analysis, modeling, deployment, enforcement and audit of these policies. Privacy management is a core aspect of regulatory compliance. Enterprises store large amounts of personal (confidential) data about their employees, customers and partners. Failure to comply with privacy policies can have serious consequences for their reputation and brand and have negative legal and financial impacts. Most of the solutions in this space address auditing and reporting issues. However, being able to enforce privacy policies on personal data by means of flexible, integrated and adaptive solutions is also very important: at the moment this aspect is still a green field, open to research. This paper describes work done at HP Labs to address this problem and develop a privacy-aware access control system to enforce privacy policies on personal data. A working prototype and a related demonstrator have been implemented, as a proof of concept, by leveraging the HP Select Access product: privacy policies are authored with an extended version of the HP Select Access Policy Builder (via standard plug-ins); related decisions are made by an extended version of the HP Select Access Validator (via standard plug-ins). A brand new “Data Enforcer” has been implemented and integrated with HP Select Access to enforce fine-grained privacy decisions on personal data stored in data repositories. The management of traditional access control policies is integrated with the management of privacy policies. This brings simplicity and rationalises the required set of management and enforcement tools.