Towards Improving the Performance of Enterprise Authorization Systems using Speculative Authorization

With the emergence of tighter corporate policies and government regulations, access control has become an integral part of business requirements in enterprises. The authorization process in enterprise systems follow the request-response model, where a policy enforcement point intercepts application requests, obtains authorization decisions from a remote policy decision point, and enforces those decisions. The two advantages of this model are (1) the separation between the application and authorization logic (2) reduction of authorization policy administration. However, the authorization process adds to the already existing latency for accessing resources, affecting enterprises negatively in terms of responsiveness of their systems. This dissertation presents an approach to reduce latency introduced by the authorization process. We present Speculative Authorization (SPAN), a prediction technique to address the problem of latency in enterprise authorization systems. SPAN predicts the possible future requests that could be made by a client, based on the present and past behavior of the client. Authorization decisions to the predicted requests are fetched even before the requests are made by the client, thus reducing the latency. SPAN is designed using a clustering technique that combines information about requests made by different clients in order to make predictions for a particular client. We present our results in terms of hit rate and precision, and demonstrate that SPAN improves the performance of authorization infrastructures. We also calculate the additional load incurred by the system to compute responses to the predicted requests, and provide measures to reduce the unnecessary load. Caching is a simple and inexpensive technique, popularly used to improve the latency of enterprise authorization systems. On the other hand, we have not seen any implementation of techniques like SPAN to reduce latency. To demonstrate the effectiveness of such techniques, we implement caching and SPAN in the same system, and show that combining the two techniques can further improve the performance of access control systems.