Access control evaluation performance is a challenge in modern enterprises. Such enterprises are characterized by workflows involving extensive communication events, as information is shared within and between groups in that enterprise. Security administrators are tasked with enabling communication events that help the business achieve its objectives, and with preventing the rest. They develop policies and deploy them in ever more complex access control infrastructures, and it is not always clear how to ensure the deployments have adequate performance. In response, we propose a performance testbed (STACS), a means of generating policies and requests in bulk for that testbed (DomainManager), and a system for analyzing the performance measurements obtained from the testbed (PARPACS). STACS provides a means of performing reproducible, controlled experiments, so researchers can compare different performance improvement proposals on standard test infrastructure. DomainManager is built upon a flexible domain model that can be used as a foundation for a) generating large numbers of consistent, scenario-specific policies and requests and b) generating variants of those artifacts for performance comparison in STACS. PARPACS enables robust statistical models of performance to be built, so that researchers can predict performance and not just perform limited comparisons. Indeed, the three components are part of a larger ATLAS framework for diagnosing performance problems in an existing deployment and/or dimensioning a new deployment. Using these research contributions, we conducted extensive experiments to evaluate ATLAS and generated more research contributions in the form of findings. These findings relate to the effects on performance of factors such as domain size, policy authoring patterns, policy optimisations, request complexity, and system resource (e.g., memory) availability.
While many of the main effects might be expected, there are significant (and often surprising) interaction effects that need to be considered in any access control deployment. Although the motivating application concerned access control, ATLAS was designed so that it could be extended to other client-server performance studies, such as those concerning database query performance.
Publication status: Unpublished - 2016
- Access control systems