Abstract
In conventional centralized authorization models, the evaluation performance of the policy decision point (PDP) decreases markedly as the number of rules embodied in a policy grows. Aiming to improve the evaluation performance of PDPs, a distributed policy evaluation engine called XDPEE is presented. In this engine, the single PDP of the centralized authorization model is replaced by multiple PDPs. A policy is decomposed into multiple subpolicies, each with fewer rules, by a decomposition method that balances the cost of the subpolicies deployed to each PDP. Policy decomposition is the key problem in improving the evaluation performance of PDPs. A greedy algorithm with O(n lg n) time complexity for policy decomposition is constructed. In experiments, the policies of the LMS, VMS, and ASMS in real applications are each decomposed into multiple subpolicies using the greedy algorithm. Policy decomposition guarantees that the cost of the subpolicies deployed to each PDP is equal or approximately equal. Experimental results show that (1) the policy decomposition method improves the evaluation performance of PDPs effectively and that (2) the evaluation time of PDPs decreases as the number of PDPs grows.
Highlights
In the service-oriented architecture (SOA) [1,2,3,4,5] environment, access control [6,7,8,9] is one significant part of the security requirement [10,11,12,13,14,15].
Experimental results show that (1) the method of policy decomposition improves the evaluation performance of the policy decision point (PDP) effectively and that (2) the evaluation time of PDPs decreases as the number of PDPs grows.
Experimental results show that the method of policy decomposition improves the evaluation performance of PDPs substantially.
Summary
In the service-oriented architecture (SOA) [1,2,3,4,5] environment, access control [6,7,8,9] is one significant part of the security requirement [10,11,12,13,14,15]. When users try to access resources concurrently, the policy enforcement point (PEP) calls the PDP to retrieve an authorization decision. If a policy is simply split across several PDPs, the cost of the subpolicies deployed to each PDP cannot be guaranteed to be equal or approximately equal. This may lead to an appreciable difference in evaluation time among PDPs: for example, some subpolicies might be relatively large and some relatively small, which limits the evaluation performance improvement gained from adding PDPs. We present a novel distributed policy evaluation engine and propose a decomposition method. In this method, a policy is decomposed into multiple subpolicies, each with fewer rules, so that the cost of the subpolicies deployed to each PDP is equal or approximately equal.
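The page states that the decomposition is done by a greedy algorithm with O(n lg n) time complexity that balances subpolicy cost across PDPs, but it does not give the algorithm itself. The example below is an added illustration, not the paper's or XDPEE's code: it implements the standard greedy partition heuristic (sort rules by descending cost, then repeatedly hand the next rule to the currently least-loaded PDP via a min-heap), which has exactly that complexity and the balancing property the page describes. The `Rule` type, its per-rule `cost` field (here a constructed integer standing in for evaluation effort), and the sample rule set are assumptions made for the example. It also includes a completeness check, because a decomposition that silently drops or duplicates a rule changes the authorization decisions the PDPs will return.

```python
import heapq
from dataclasses import dataclass
from typing import List

# Hypothetical rule representation: the page does not define one.
@dataclass(frozen=True)
class Rule:
    rule_id: str
    cost: int  # assumed per-rule evaluation cost (e.g. number of predicates)

def decompose_policy(rules: List[Rule], num_pdps: int) -> List[List[Rule]]:
    """Greedy, cost-balanced decomposition of one policy into num_pdps subpolicies.

    Sorting is O(n lg n); each of the n heap operations is O(lg k) for k PDPs,
    so the whole routine is O(n lg n) for k <= n, matching the page's bound.
    """
    if num_pdps < 1:
        raise ValueError("need at least one PDP")
    # Largest rules first, so small rules can fill the gaps at the end.
    ordered = sorted(rules, key=lambda r: r.cost, reverse=True)
    # Min-heap of (current load, pdp index); ties go to the lower index.
    heap = [(0, i) for i in range(num_pdps)]
    heapq.heapify(heap)
    subpolicies: List[List[Rule]] = [[] for _ in range(num_pdps)]
    for rule in ordered:
        load, idx = heapq.heappop(heap)
        subpolicies[idx].append(rule)
        heapq.heappush(heap, (load + rule.cost, idx))
    return subpolicies

def subpolicy_costs(subpolicies: List[List[Rule]]) -> List[int]:
    """Total assumed evaluation cost deployed to each PDP."""
    return [sum(r.cost for r in sp) for sp in subpolicies]

def imbalance(subpolicies: List[List[Rule]]) -> int:
    """Difference between the heaviest and lightest PDP; 0 means perfectly equal."""
    costs = subpolicy_costs(subpolicies)
    return max(costs) - min(costs)

def check_complete(rules: List[Rule], subpolicies: List[List[Rule]]) -> bool:
    """Every original rule must appear in exactly one subpolicy.

    A lost rule (e.g. a deny rule) or a duplicated one would change the
    combined decision, so a deployment should refuse any decomposition
    that fails this check.
    """
    original = sorted(r.rule_id for r in rules)
    deployed = sorted(r.rule_id for sp in subpolicies for r in sp)
    return original == deployed

# Constructed sample policy: nine rules with assumed costs.
SAMPLE_RULES = [Rule(f"r{i}", c) for i, c in enumerate([9, 7, 7, 5, 4, 3, 2, 2, 1], 1)]

if __name__ == "__main__":
    parts = decompose_policy(SAMPLE_RULES, 3)
    for i, sp in enumerate(parts):
        print(f"PDP {i}: {[r.rule_id for r in sp]} cost={sum(r.cost for r in sp)}")
    print("imbalance:", imbalance(parts), "complete:", check_complete(SAMPLE_RULES, parts))
```

With three PDPs the sample decomposes to costs of 14, 13 and 13 out of a total of 40, i.e. an imbalance of one cost unit. How each PDP's partial decision is then combined into the final authorization decision is not described on this page, so the example stops at the decomposition step.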