Measurement and Prediction of Access Control Policy Evaluation Performance
- 5 October 2015
- journal article
- Published by Institute of Electrical and Electronics Engineers (IEEE) in IEEE Transactions on Network and Service Management
- Vol. 12 (4), 526-539
- https://doi.org/10.1109/tnsm.2015.2486519
Abstract
As the need for more pervasive and more complex access controls grows, the challenge of ensuring the performance of access control systems is becoming apparent. Researchers have proposed several solutions to mitigate performance problems, including: adjusting the policy set; re-engineering the policy decision point (PDP); and decomposing the policies and distributing their evaluation. However, since the benefits and tradeoffs depend heavily upon the actual scenario, security administrators typically do not have objective justification for adopting particular mitigation actions. In response, we present the ATLAS framework, comprising: 1) DomainManager, which facilitates modelling the domain as closely as possible and automatically generates large numbers of representative policies and associated requests; 2) STACS, which enables controlled experiments to be performed using the generated policies/requests, to collect comprehensive measurements of PDP performance; and 3) PARPACS, which aids in understanding the measurement data and assessing its worth and, by using rigorous validation techniques, reduces the risk of spurious insights or incorrect recommendations. We present a discussion of ATLAS as applied to an enterprise communication scenario, where access control is realised via XACML PDPs. Notable insights include that the SunXacml 2.0 PDP performs relatively poorly in terms of policy evaluation performance, and that adding additional memory and/or processor cores to a XACML PDP server is not guaranteed to improve performance significantly.
Funding Information
- Science Foundation Ireland via the FAME research cluster (08/SRC/I1403)
- ATLAS project (13/TIDA/I2748)
- CONNECT centre (13/RC/2077)