Towards Efficient Evaluation of XACML Policies

Policy-based computing is taking an increasing role in providing real-time decisions and governing the systematic interaction among distributed cloud and Web services. XACML has been known as the de facto standard widely used by many vendors for specifying access control and context-aware policies. Accordingly, the size and complexity of XACML policies are significantly growing to cope with the evolution of web-based applications. This growth raised many concerns related to the efficiency of real-time decision process (i.e. policy evaluation). This paper is addressing this concern through the elaboration of SBA-XACML, a novel set-based algebra scheme that provides efficient evaluation of XACML policies. Our approach constitutes of elaborating (1) set-based language that covers all the XACML components and establish an intermediate layer to which policies are automatically converted, and (2) policy evaluation module that provides better performance compared to the industrial standard Sun Policy Decision Point (PDP) and its corresponding ameliorations. Experiments have been conducted on real-life and synthetic XACML policies in order to demonstrate the efficiency, relevance and scalability of our proposition. The experimental results explore that SBA-XACML evaluation of large and small sizes policies offers better performance than the current approaches, by a factor ranging between 2.4 and 15 times faster depending on policy size.