Efficient access enforcement in distributed role-based access control (RBAC) deployments

Tripunitara, Mahesh; Cărbunar, Bogdan

doi:10.1145/1542207.1542232

Cited by 16 publications

(21 citation statements)

References 24 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The third factor is the frequency of policy changes and the scope of these changes, that is, how many elements in the PA they affect. The fourth factor is the relative benefits brought by one-time replication of the PA (or some subset of it)-as proposed by Tripunitara and Carbunar [2009], for example-to the SDPs, as opposed to item-by-item caching of the responses.…”

Section: Discussionmentioning

confidence: 99%

Authorization recycling in hierarchical RBAC systems

Wei¹,

Crampton

Beznosov

et al. 2011

ACM Trans. Inf. Syst. Secur.

View full text Add to dashboard Cite

As distributed applications increase in size and complexity, traditional authorization architectures based on a dedicated authorization server become increasingly fragile because this decision point represents a single point of failure and a performance bottleneck. Authorization caching, which enables the reuse of previous authorization decisions, is one technique that has been used to address these challenges.This article introduces and evaluates the mechanisms for authorization "recycling" in RBAC enterprise systems. The algorithms that support these mechanisms allow making precise and approximate authorization decisions, thereby masking possible failures of the authorization server and reducing its load. We evaluate these algorithms analytically as well as using simulation and a prototype implementation. Our evaluation results demonstrate that authorization recycling can improve the performance of distributed-access control mechanisms.

show abstract

Section: Discussionmentioning

confidence: 99%

Authorization recycling in hierarchical RBAC systems

Wei¹,

Crampton

Beznosov

et al. 2011

ACM Trans. Inf. Syst. Secur.

View full text Add to dashboard Cite

show abstract

“…Good performance for authorization recycling depends heavily on cache warmness, which can be a problem especially for short duration sessions or access requests with low temporal locality. To circumvent the problem of a cold cache, Tripunitara and Carbunar [27] proposed implementing an SDP using a push model that prefetches authorizations into the SDP. The authors proposed the novel cascade Bloom filter as a data structure for caching authorizations.…”

Section: Related Workmentioning

confidence: 99%

Hardware-enhanced distributed access enforcement for role-based access control

Bloom

Simha

2014

Proceedings of the 19th ACM Symposium on Access Control Models and Technologies

View full text Add to dashboard Cite

The protection of information in enterprise and cloud platforms is growing more important and complex with increasing numbers of users who need to access resources with distinct permissions. Role-based access control (RBAC) eases administrative complexity for large-scale access control, while a client-server model can ease performance bottlenecks by distributing access enforcement across multiple servers that consult the centralized access decision policy server as needed. In this paper, we propose a new approach to access enforcement using an existing associative array hardware data structure (HWDS) to cache authorizations in a distributed system using RBAC. This HWDS approach uses hardware that has previous been demonstrated as useful for several application domains including access control, network packet routing, and generic comparison-based integer search algorithms. We reproduce experiments from prior work on distributed access enforcement for RBAC systems, and we design and conduct new experiments to evaluate HWDS-based access enforcement. Experimental data show the HWDS cuts session initiation time by about a third compared to existing solutions, while achieving similar performance to authorize access requests. These results suggest that distributed systems using RBAC could use HWDS-based access enforcement to increase session throughput or to decrease the number of access enforcement servers without losing performance.

show abstract

“…Because the orchestration engine acts as a central controller, it is able to keep a central process execution history. On the other hand, the orchestration engine is also a single point of failure which (in case of a system crash) will stop the entire system from working (see, e.g., [3,23]). …”

Section: Motivationmentioning

confidence: 99%

On the Impact of Concurrency for the Enforcement of Entailment Constraints in Process-driven SOAs

Quirchmayr

Strembeck

2013

Proceedings of the 10th International Workshop on Security in Information Systems

View full text Add to dashboard Cite

Abstract. A distributed business process is executed in a distributed computing environment. In this context, the service-oriented architecture (SOA) paradigm provides a mature and well understood framework for the integration of software services. Entailment constraints, such as mutual exclusion or binding constraints, are an important means to specify and enforce business processes in a SOA. However, the inherent concurrency of a distributed system may lead to omission and ordering failures. Such failures impact the enforcement of entailment constraints in a process-driven SOA. In particular, the impact of these failures as well as the corresponding countermeasures depend on the architecture of the respective process engine. In this paper, we discuss the impact of omission and ordering failures on the enforcement of entailment constraints in process-driven SOAs. In this context, we especially consider if the respective process engine acts as an orchestration engine or as a choreography engine.

show abstract

Efficient access enforcement in distributed role-based access control (RBAC) deployments

Cited by 16 publications

References 24 publications

Authorization recycling in hierarchical RBAC systems

Authorization recycling in hierarchical RBAC systems

Hardware-enhanced distributed access enforcement for role-based access control

On the Impact of Concurrency for the Enforcement of Entailment Constraints in Process-driven SOAs

Contact Info

Product

Resources

About