This Q+A originally appeared on Information Security Stack Exchange. 

Question: We are looking to implement Attribute-Based Access Control. While we are sold on the philosophy, there are two topics that seem to crop up:

  • Will it lead to significant performance issues? Especially if we seek fine-grained access. I guess I am looking for some structured guidance to strike the right balance.
  • Are available PEPs capable of implementing XACML? My colleagues who checked IBM and Oracle aren’t very comfortable that it is ready for enterprise yet.

Answer, from Axiomatics’ David Brossard:

I am glad to hear you are sold on the philosophy of ABAC. If you haven’t already done so, do check out the following resources (I’ll spare you commercial links):

Now, with respect to your questions directly:

  • Will it lead to significant performance issues- esp if we seek fine-grained access? When you plan for and architect an ABAC solution, the two main points you want to consider and that may impact performance the most are the PEP to PDP communication link (where PEP is the enforcement point that protects your applications and PDP is the decision point that processes authorization requests and evaluates authorization policies) and the PDP to PIP links (where the PIP or policy information point is the bridge to attribute sources e.g. LDAP, databases, web services). Policy evaluation in itself is not expensive at all. Whether access is fine-grained or not will not necessarily impact performance. What will, though, is how you exposed the authorization service (the PDP). If you expose as a SOAP service then you introduce the latency of a SOAP service. If you expose it via a binary protocol e.g. Apache Thrift then the performance is much better. Similarly, if you need to retrieve 10 attributes from 10 different sources and if each source has a long latency then the performance will be poor. But you can always choose to bundle attribute lookups, to consolidate your attribute sources and to cache attribute values. The bottom line is yes ABAC can perform correctly if architected correctly. To give you an example, PayPal uses Attribute-based access control and their performance is fine. Some of the bigger Fortune 50 companies all use ABAC while at the same time having strict performance requirements.

The diagram below illustrates all 6 points where you can enhance performance.

    • how policies are loaded into memory (1)
    • how policies are evaluated (2): if you build a good policy structure, you can quickly eliminate up to 90% of an authorization policy before you fully evaluate it.
    • how attribute values are fetched from PIPs (3). This is the main point to consider as previously stated. There are several techniques to reduce the performance impact of this integration
    • how authorization decisions can be cached on the PEP side (4).
    • how authorization requests can be bundled together into a multiple decision request: this saves roundtrips between the PEP and the PDP (5)
    • lastly, and perhaps most importantly, how the PEP and PDP communicate – as previously mentioned. Just choose the protocol that works best for you (embedded, binary, SOAP…)(6) XACML Architecture - Performance Points - © Axiomatics
  • Are available PEPs capable of implementing XACML? Yes of course there are. Several vendors such as Axiomatics (likely not the big ones like Oracle or IBM) and open source implementations provide PEPs. See as an example this list. There are integrations with off-the-shelf components as well. For instance Fedora provides ones for its OS. There is one for SAP. Axiomatics provides one for SQL databases (Oracle, SQL Server…). One can also protect CMS such as SharePoint and Liferay. Also check out the OpenAZ project.

Have your colleagues only looked into IBM and Oracle? The main players are definitely not those two but rather the smaller vendors and the open-source community.

As Gartner recently stated, ABAC is the way to go. They predict 70% of organizations will adopt ABAC by 2020. Now’s a good time to start.

 



Leave a Reply

Your email address will not be published. Required fields are marked *