On the Performance of Access Control Policy Evaluation

There is growing awareness of the need to protect digital resources and services in both corporate and home ICT scenarios. Meanwhile, communication tools tailored for corporations are blurring the line between communication mechanisms and (near) real-time resource sharing. The resulting requirement for near real-time, policy-based access control is technically challenging. In a corporate domain, such access control mechanisms must be unobtrusive and comply with strict security objectives, so policy evaluation performance needs to be considered alongside traditional security concerns. This paper discusses policy system design principles that motivate a novel Policy Decision Point (PDP) implementation and associated policy language. These principles are consistent with recent web development techniques designed to improve performance and scalability. Given a modern web development stack comprising a language (JavaScript), a framework (Node.js) and a database management system (Redis), the proposition is that significant performance gains can be made. Our performance experiments support this proposition: across several design iterations, our prototype PDP implementation is compared with an established, Java/XACML-based access control PDP implementation. The experiments presented in this paper suggest that the newer technologies offer better performance. The analysis suggests that this is because they offer a more efficient data representation and make better use of computing resources.
