Running Axiomatics Policy Server in the Cloud, Part 2: Amazon Web Services

Mark Berg   ·   Wednesday, April 19th, 2017

Part 1 of this blog series can be found here: Axiomatics Policy Server in the Cloud: How to Containerize 

Axiomatics recently announced a public Amazon Machine Image (AMI) available through the AWS Marketplace. This AMI contains a one-click configuration of the Axiomatics Policy Server (APS), including a single Policy Decision Point (PDP). Amazon Web Services (AWS) is a great platform for evaluating APS if you are considering a purchase, as well as for existing customers in lower environments (Development, Test, Patch, etc.) who are building out production policies and incorporating attribute-based access control (ABAC) into their applications and data protection.  Having this rapid on-boarding to Axiomatics in AWS opens up some interesting options for production deployment.

One of the key benefits to moving applications to a public cloud like AWS is the prospect of auto-scaling based on demand.  I think about auto-scaling and elasticity in these three buckets:

-Automated provisioning and deprovisioning of nodes
-Load balancing
-Monitoring

When the demand for your service exceeds your current capacity or your SLA, adding additional nodes and adding them to the load balancer will get you back within your happy zone.  When the spike subsides, the nodes can be removed and costs can be saved.   With Axiomatics Policy Server, you only have to worry about scaling the PDP to your runtime demand.   The diagram below illustrates how one can leverage this tripod of monitoring, load balancing and provisioning to scale your policy decision capability with your applications.  Above the line shows the baseline capacity of two PDPs insufficient for the response times during a high load period (0.03 seconds), when the SLA is 0.02.

Below the line shows that additional PDPs have been provisioned automatically and added to the round-robin load balancing and response time is brought back within acceptable parameters.

Characteristics of the Policy Decision Point (PDP) make it easy to scale in this manner. When going into production, the PDP can be put into a disconnected state. This is beneficial to avoid accidental changes to policy or configuration, but it also eliminates the need to synch with the Policy Administration Point (PAP). One must ensure that the Policy Information Points (PIPs) must be able to scale to support potential increased attribute queries during this increased demand.

Having the Axiomatics Policy Server AMI also makes the conversation with the infrastructure team easier.

There is no need to procure the relational database, Java EE application server, and hardware normally required for standing up the Axiomatics Services Manager. The ASM is packaged within the API with a local Postgresql database and Tomcat Server. The way the PDP is separated on separate volumes from the ASM enable deployment of the Instance Type to be more appropriate for just a PDP. The ASM volume can be removed entirely and this single-purpose instance can be sized accordingly. The PDP supports REST/JSON profile of XACML, so it is very easy to start using the cloud deployment of Axiomatics without any Axiomatics software required on the application. It’s as simple as one click.

Questions on running Axiomatics Policy Server in the Cloud? Send us a note.