Conference: International Conference on Signal Image Technology Internet Based Systems

A Performance Analysis of the XACML Decision Process and the Impact of Caching


Abstract

Whenever multiple service providers and highly demanding service customers communicate with each other, the need for compliance with legal regulations and enterprise guidelines increases the expectations on technologies and systems used to ensure security and data privacy. Regarding the challenge of managing access rules and enforcing authorization to data and resources, OASIS' XACML standard provides a flexible and distributed approach. We provide an XACML-based authorization in the TRESOR Cloud Ecosystem "as a service" for SaaS providers and consumers. In this ecosystem the complexity and number of access policies and rules raise scalability concerns. This paper explores the possibilities for caching and performance optimization in XACML, primarily focusing on XACML version 3 (XACMLv3) and its Policy Decision Point (PDP). We provide an overview of existing approaches to caching and performance optimization and conclude that most current approaches are concerned with the policy evaluation itself but not with finding applicable policies or loading and storing policies, rather attempting to increase performance through policy reconfiguration, translation, normalization or clustering. Furthermore, we explore the use of caching at specific points during the evaluation process, namely loading policies, finding policies and evaluation, for better performance along with other more general improvements.
