Measurement and Prediction of Access Control Policy Evaluation Performance

Bernard Butler, Brendan Jennings

Research output: Contribution to journalArticlepeer-review

4 Citations (Scopus)

Abstract

As the need for more pervasive and more complex access controls grows, the challenge of ensuring the performance of access control systems is becoming apparent. Researchers have proposed several solutions to mitigate performance problems, including: adjusting the policy set; re-engineering the policy decision point (PDP); and decomposing the policies and distributing their evaluation. However, since the benefits and tradeoffs depend heavily upon the actual scenario, security administrators typically do not have objective justification for adopting particular mitigation actions. In response, we present the ATLAS framework, comprising: 1) DomainManager, which facilitates modelling the domain as closely as possible and automatically generates large numbers of representative policies and associated requests; 2) STACS, which enables controlled experiments to be performed using the generated policies/requests, to collect comprehensive measurements of PDP performance; and 3) PARPACS, which aids the understanding and worth of the measurement data and, by using rigorous validation techniques, reduces the risk of spurious insights or incorrect recommendations. We present a discussion of ATLAS as applied to an enterprise communication scenario, where access control is realised via XACML PDPs. Notable insights include that the SunXacml 2.0 PDP performs relatively poorly in terms of policy evaluation performance and that adding additional memory and/or processor cores to a XACML PDP server is not guaranteed to improve performance significantly.

Original languageEnglish
Article number7289468
Pages (from-to)526-539
Number of pages14
JournalIEEE Transactions on Network and Service Management
Volume12
Issue number4
DOIs
Publication statusPublished - Dec 2015

Keywords

  • Access Control
  • Domain Modelling
  • Performance Management
  • Policy-based Management
  • Security Management
  • Service Management
  • XACML

Fingerprint

Dive into the research topics of 'Measurement and Prediction of Access Control Policy Evaluation Performance'. Together they form a unique fingerprint.

Cite this