TY - GEN
T1 - On the performance of access control policy evaluation
AU - Griffin, Leigh
AU - Butler, Bernard
AU - De Leastar, Eamonn
AU - Jennings, Brendan
AU - Botvich, Dmitri
PY - 2012
Y1 - 2012
N2 - There is growing awareness of the need to protect digital resources and services in both corporate and home ICT scenarios. Meanwhile, communication tools tailored for corporations are blurring the line between communication mechanisms and (near) real-time resource sharing. The resulting requirement for near real-time policy-based access control is technically challenging. In a corporate domain, such access control mechanisms must be unobtrusive and comply with strict security objectives. Thus policy evaluation performance needs to be considered while addressing traditional security concerns. This paper discusses policy system design principles that motivate a novel Policy Decision Point (PDP) implementation and associated policy language. These principles are consistent with recent web development techniques designed to improve performance and scalability. Given a modern web development stack comprising a language (Javascript), a framework (Node.js) and a database management system (Redis), the proposition is that significant performance gains can be made. Our performance experiments suggest this is the case when, through various design iterations, our prototype PDP implementation is compared with an established, Java/XACML-based access control PDP implementation. The experiments presented in this paper suggest that newer technologies offer better performance. The analysis suggests that this is because they offer a more efficient data representation and make better use of computing resources.
KW - JSON
KW - XACML
KW - access control
KW - evaluation performance
KW - language conversion
KW - policy
KW - service time measurement
UR - http://www.scopus.com/inward/record.url?scp=84866761389&partnerID=8YFLogxK
U2 - 10.1109/POLICY.2012.15
DO - 10.1109/POLICY.2012.15
M3 - Conference contribution
AN - SCOPUS:84866761389
SN - 9780769547350
T3 - Proceedings - 2012 IEEE International Symposium on Policies for Distributed Systems and Networks, POLICY 2012
SP - 25
EP - 32
BT - Proceedings - 2012 IEEE International Symposium on Policies for Distributed Systems and Networks, POLICY 2012
T2 - 2012 IEEE 13th International Symposium on Policies for Distributed Systems and Networks, POLICY 2012
Y2 - 16 July 2012 through 18 July 2012
ER -