Performance Evaluation of Identity and Access Management Systems in Federated Environments

  • Frank Schell
  • Jochen Dinger
  • Hannes Hartenstein
Part of the Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering book series (LNICST, volume 18)

Abstract

Identity and access management (IAM) systems are used to assure authorized access to services in distributed environments. The architecture of an IAM system, in particular the arrangement of the involved components, has a significant impact on the performance and scalability of the overall system. Furthermore, factors like robustness and even privacy that are not related to performance have to be considered. Hence, systematic engineering of IAM systems calls for criteria and metrics to differentiate architectural approaches. The rise of service-oriented architectures and cross-organizational integration efforts in federations will additionally increase the importance of appropriate IAM systems in the future. While previous work focused on qualitative evaluation criteria, we extend these criteria with metrics to gain quantitative measures. The contribution of this paper is twofold: i) We propose a system model and corresponding metrics to evaluate different IAM system architectures on a quantitative basis. ii) We present a simulation-based performance evaluation study that shows the suitability of this system model.

Keywords

identity and access management, federated identity management, access control, scalability

Copyright information

© ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering 2009

Authors and Affiliations

  • Frank Schell (1)
  • Jochen Dinger (1)
  • Hannes Hartenstein (1)

  1. Steinbuch Centre for Computing & Institute of Telematics, Karlsruhe Institute of Technology, Universität Karlsruhe (TH), Karlsruhe, Germany