A Systematic Approach Toward Extracting Technically Enforceable Policies From Data Usage Control Requirements

Solutions for data sovereignty are in high demand as companies are willing to exchange their data in decentralized infrastructures. Data sovereignty is tightly coupled with data security and therefore, with data usage control policy specification. In this paper, we propose an approach to facilitate the processes of policy specification by data owners, policy transformation from a technology-independent to a technology-dependent language, and policy negotiation between the parties who exchange their data. We extracted an enterprise-relevant set of policy classes from the parties' security requirements in order to implement an editor that supports users in creating their machine-readable policies. Then, we developed an algorithm that benefits from the policy classes and constructs technology-dependent security policy instances. In addition, we proposed a policy negotiation approach which is based on the parameters of the extracted policy classes.