Toward Improving Availability and Performance of Enterprise Authorization Services

Konstantin Beznosov

27 April 2009

Abstract: In currently deployed large enterprise systems, policy decision points (PDPs) are commonly implemented as logically centralized authorization servers. This centralization provides important benefits: consistent policy enforcement across multiple policy enforcement points (PEPs) and reduced administration cost for authorization policies. Like all centralized architectures, however, this approach has two critical drawbacks: the PDP is a single point of failure and a potential performance bottleneck. The former may lead to reduced availability. A conventional approach to improving the availability of a distributed infrastructure is failure masking through redundancy. However, redundancy and other general-purpose fault-tolerance techniques for distributed systems scale poorly, and become technically and economically infeasible when the number of entities in the system reaches the thousands. Large-scale commodity computing is, however, becoming a reality, with eBay having 12,000 servers and 15,000 application server instances, and Google estimated to have "more than 450,000 servers spread in at least 25 locations around the world". Performance is also of concern. In a large-scale enterprise system with non-trivial authorization policies, making authorization decisions is often computationally expensive due to the complexity of the policies involved and the large size of the resource and user populations. In addition, authorization policy evaluation may require obtaining just-in-time data from human resources, medical records, and other repositories of business data, which commonly further increases the access control decision time. Thus, the centralized PDP often becomes a performance bottleneck. Also, the communication delay between the PEP and the PDP can make the authorization overhead prohibitively high. To address these drawbacks, we are developing an approach to authorization architectures consisting of three key elements.
First, we suggest decoupling the enforcement and decision components of access control solutions with a publish-subscribe architecture. The administrative and operating overheads associated with reconfiguring access control systems to accommodate component and infrastructure failures should thereby be reduced. Second, since multiple PEPs can subscribe to and share the same authorizations, we put forward a way of "actively recycling" authorizations by searching through the authorization streams and caches and finding the "best approximate" (as opposed to "precise") authorization(s) for the request to be authorized. Finally, we consider taking advantage of virtually free CPU resources and network bandwidth by speculatively predicting near-future authorization requests, computing the corresponding access control decisions, and proactively pushing them to the PEPs through the publish-subscribe channels. The anticipated results of this approach are (1) improved resilience of authorization infrastructures in light of the high failure rates observed in large enterprises; (2) reduced delay (latency) in requesting and obtaining authorizations; and (3) reduced human resources required to operate and maintain authorization infrastructures. This talk will present the approach and discuss results so far.
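The following is an added illustration of the three elements named in the abstract, not code from the talk or from the SAAM/JAMES projects: a PDP that publishes every decision on a shared channel, two PEPs that subscribe to it, a PEP-side cache that first looks for a precise (identical-request) hit and then for an approximate one inferred from other subjects' and resources' responses, and speculative pre-computation pushed by the PDP. The policy model is an assumption made for the example (a multilevel read-down rule: read is permitted iff clearance is at least the resource's sensitivity, with the PDP attaching the resource label to each response); the inference at the PEP is sound only because that policy is monotone in the labels, which is the caveat any recycling scheme has to establish for its own policy language. Names, levels and the sample population are constructed.

```python
"""Added example (not the talk's own code): publish-subscribe decoupling of PEP and PDP,
approximate authorization recycling at the PEP, and speculative push from the PDP.
ASSUMED policy: read permitted iff clearance >= sensitivity (monotone in the labels)."""
from collections import defaultdict
from dataclasses import dataclass

PERMIT, DENY = "permit", "deny"


@dataclass(frozen=True)
class Request:
    subject: str
    resource: str
    action: str


@dataclass(frozen=True)
class Response:
    request: Request
    decision: str
    resource_level: int  # assumption: the PDP attaches the resource's sensitivity label


class Channel:
    """Minimal in-process publish-subscribe bus standing in for a real message broker."""

    def __init__(self):
        self.subscribers = []

    def subscribe(self, callback):
        self.subscribers.append(callback)

    def publish(self, response):
        for callback in self.subscribers:
            callback(response)


class PDP:
    """Logically centralized decision point; decisions are published to all PEPs, not returned privately."""

    def __init__(self, clearance, sensitivity, channel):
        self.clearance, self.sensitivity, self.channel = clearance, sensitivity, channel

    def decide(self, req):
        ok = req.action == "read" and self.clearance[req.subject] >= self.sensitivity[req.resource]
        resp = Response(req, PERMIT if ok else DENY, self.sensitivity[req.resource])
        self.channel.publish(resp)
        return resp

    def speculate(self, subject, resources):
        """Pre-compute decisions for predicted near-future requests and push them over the channel."""
        for resource in resources:
            self.decide(Request(subject, resource, "read"))


class PEP:
    """Enforcement point with a cache of every response seen on the channel, from any PEP's requests."""

    def __init__(self, channel):
        self.precise = {}                    # Request -> Response
        self.by_subject = defaultdict(list)  # subject -> [Response]
        self.resource_level = {}             # labels learned from responses to any subject
        channel.subscribe(self.on_response)

    def on_response(self, resp):
        self.precise[resp.request] = resp
        self.by_subject[resp.request.subject].append(resp)
        self.resource_level[resp.request.resource] = resp.resource_level

    def recycle(self, req):
        """Return (decision, kind) reusable from the cache, or None if nothing applies soundly."""
        if req in self.precise:
            return self.precise[req].decision, "precise"
        if req.action != "read" or req.resource not in self.resource_level:
            return None  # never seen this resource's label: no sound inference possible
        level = self.resource_level[req.resource]
        for past in self.by_subject[req.subject]:
            if past.request.action != "read":
                continue
            # Read-down monotonicity: permit at a higher-or-equal label implies permit here;
            # deny at a lower-or-equal label implies deny here.
            if past.decision == PERMIT and past.resource_level >= level:
                return PERMIT, "approximate"
            if past.decision == DENY and past.resource_level <= level:
                return DENY, "approximate"
        return None

    def authorize(self, req, pdp):
        """Cache first, then the PDP; fail closed when the PDP is unreachable and nothing is recyclable."""
        hit = self.recycle(req)
        if hit:
            return hit
        if pdp is None:
            raise RuntimeError("PDP unreachable and no recyclable authorization")
        return pdp.decide(req).decision, "pdp"


def demo():
    # Constructed sample population; every value here is made up for the example.
    clearance = {"alice": 3, "bob": 1}
    sensitivity = {"public": 1, "internal": 2, "secret": 3}
    bus = Channel()
    pdp = PDP(clearance, sensitivity, bus)
    pep1, pep2 = PEP(bus), PEP(bus)
    trace = {}
    trace["alice_secret"] = pep1.authorize(Request("alice", "secret", "read"), pdp)
    trace["bob_internal"] = pep1.authorize(Request("bob", "internal", "read"), pdp)
    # pep2 never contacted the PDP itself but shares the channel, so it can recycle:
    trace["alice_internal"] = pep2.authorize(Request("alice", "internal", "read"), None)
    trace["bob_secret"] = pep2.authorize(Request("bob", "secret", "read"), None)
    try:  # label of "public" is still unknown, and the PDP is simulated as down
        pep2.authorize(Request("alice", "public", "read"), None)
        trace["alice_public_offline"] = "recycled"
    except RuntimeError:
        trace["alice_public_offline"] = "failed closed"
    pdp.speculate("alice", ["public"])  # PDP back up: speculative push of a predicted request
    trace["alice_public_after_push"] = pep2.authorize(Request("alice", "public", "read"), None)
    return trace
```

In the trace, pep2's decisions for "alice_internal" and "bob_secret" come from approximate recycling of responses that pep1 requested, the offline request for a never-seen resource fails closed rather than guessing, and after the speculative push the same request is a precise cache hit. For a different policy language the two inference rules in `recycle` would have to be re-derived and proven sound; the monotone read-down rule is what makes them safe here.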

Keywords: SAAM; JAMES

Published in: Talk given at the Faculty of Computer Science, Technical University of Dortmund.

 Record created 2009-05-30, last modified 2013-05-22
