I have been working for quite a lot of time on a research project at University focused on Access Control. More specifically, I am studying how to protect against unauthorized access to personal data in a distributed system and in general on the Internet.
In this context, I stumbled on the XACML (wiki, official spec) specification, which seemed quite interesting. After some time spent digging into it, though, it seemed more and more that no company would actually spend a lot of effort (time, money) in realizing the described architecture (to my understanding, it needs at least three different entities to store policies, evaluate them and enforce the decision).
I am still studying, so I don’t know a lot about common industrial procedures: is something like XACML really implemented for data management and protection? If not, is there any alternative (possibly effective) technology which is employed?
It seems to me that most companies do not care so much about personal data protection (mostly because of the profit and insight gained from data analytics and ads), so I doubt that personal data protection is thoroughly employed.
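To make the three-entity split the question describes concrete, here is an added illustration (my own code, not from the question or from any XACML implementation). It is not an XACML engine: there is no XML, no obligations and no real request context, but it keeps the roles the spec names: a PAP that stores policies, a PDP that evaluates a request against them with a combining algorithm, and a deny-biased PEP that enforces the answer. The policy, attribute names (`subject.id`, `resource.owner`, `resource.anonymized`) and the `personal-record` resource type are all constructed for the example.

```python
"""Minimal XACML-style attribute-based evaluation (added illustration, not a real engine).
Roles, as in the XACML architecture:
  PAP - Policy Administration Point: stores the policies
  PDP - Policy Decision Point: evaluates a request against them
  PEP - Policy Enforcement Point: asks the PDP and enforces its decision
"""
from dataclasses import dataclass, field
from typing import Callable, Optional

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

# A request groups attributes by category, as XACML does: subject / resource / action.
Request = dict


def target_matches(target: dict, request: Request) -> bool:
    """A target is {category: {attribute: value}}; every listed attribute must match."""
    return all(request.get(cat, {}).get(name) == want
               for cat, attrs in target.items() for name, want in attrs.items())


@dataclass
class Rule:
    effect: str                                   # PERMIT or DENY
    target: dict = field(default_factory=dict)
    condition: Optional[Callable[[Request], bool]] = None  # extra predicate

    def evaluate(self, request: Request) -> str:
        if target_matches(self.target, request) and (self.condition is None or self.condition(request)):
            return self.effect
        return NOT_APPLICABLE


@dataclass
class Policy:
    target: dict
    rules: list
    combining: str = "deny-overrides"


def combine(decisions, algorithm: str) -> str:
    """Rule/policy combining: NotApplicable results never decide the outcome."""
    applicable = [d for d in decisions if d != NOT_APPLICABLE]
    if not applicable:
        return NOT_APPLICABLE
    if algorithm == "deny-overrides":
        return DENY if DENY in applicable else PERMIT
    if algorithm == "permit-overrides":
        return PERMIT if PERMIT in applicable else DENY
    raise ValueError(f"unknown combining algorithm {algorithm}")


class PAP:
    def __init__(self):
        self._policies = []

    def add(self, policy: Policy):
        self._policies.append(policy)

    def policies(self):
        return list(self._policies)


class PDP:
    def __init__(self, pap: PAP):
        self.pap = pap

    def evaluate(self, request: Request) -> str:
        results = []
        for policy in self.pap.policies():
            if not target_matches(policy.target, request):
                results.append(NOT_APPLICABLE)
                continue
            results.append(combine([r.evaluate(request) for r in policy.rules], policy.combining))
        return combine(results, "deny-overrides")  # policy-set level combining


class PEP:
    """Deny-biased enforcement: anything other than an explicit Permit blocks the action."""
    def __init__(self, pdp: PDP):
        self.pdp = pdp

    def enforce(self, request: Request, action: Callable[[], object]):
        decision = self.pdp.evaluate(request)
        if decision != PERMIT:
            raise PermissionError(decision)
        return action()


def is_owner(r: Request) -> bool:
    # Explicit None check: with plain equality an anonymous subject would "own" an ownerless record.
    subject_id = r["subject"].get("id")
    return subject_id is not None and subject_id == r["resource"].get("owner")


def build_demo_pep() -> PEP:
    """Constructed policy: owners may read their record, analysts only anonymized ones, nobody exports."""
    pap = PAP()
    pap.add(Policy(
        target={"resource": {"type": "personal-record"}},
        rules=[
            Rule(PERMIT, target={"action": {"id": "read"}}, condition=is_owner),
            Rule(PERMIT, target={"subject": {"role": "analyst"}, "action": {"id": "read"}},
                 condition=lambda r: r["resource"].get("anonymized") is True),
            Rule(DENY, target={"action": {"id": "export"}}),
        ]))
    return PEP(PDP(pap))


def request(subject: dict, resource: dict, action: str) -> Request:
    return {"subject": subject, "resource": resource, "action": {"id": action}}


def attempt(pep: PEP, req: Request, action=lambda: "record-contents"):
    """Run the action through the PEP; return its result, or the blocking decision."""
    try:
        return pep.enforce(req, action)
    except PermissionError as blocked:
        return str(blocked)
```

The point worth noticing is the PEP: it treats `NotApplicable` exactly like `Deny`, so a request no policy covers is blocked rather than silently allowed, which is the behaviour a deployment would want from the enforcing side.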