Policy Enforcement Point (PEP)
A Policy Enforcement Point (PEP) is a critical component within cybersecurity architecture, particularly in Identity and Access Management (IAM) and externalized authorization systems. Its primary function is to intercept access requests, query a Policy Decision Point (PDP) for an authorization decision, and then actively enforce that decision by either permitting or denying access to a specific resource or operation.
Think of a PEP as a security gatekeeper—it doesn't make the rules, but it ensures they are followed. The PEP sits at the boundary between users and the resources they're trying to access, making it an essential element in implementing zero trust security models and attribute-based access control (ABAC) systems.
Policy Enforcement Points play a vital role in modern security architectures for several reasons:
- Centralized Policy Management: By separating enforcement from decision-making, organizations can manage access policies centrally while enforcing them at multiple points across their infrastructure.
- Consistent Security: PEPs ensure that security policies are applied uniformly across all access points, reducing the risk of policy gaps or inconsistencies.
- Inline Protection: PEPs sit in the request path and obtain a decision for every access request before it reaches the protected resource. This only holds if the PEP cannot be bypassed: the resource must be reachable exclusively through the PEP (for example, a backend service that accepts connections only from the gateway).
- Scalability: Multiple PEPs can be deployed across an organization while relying on a centralized PDP, making the architecture highly scalable.
- Compliance: PEPs help organizations meet regulatory requirements by providing auditable enforcement of access control policies.
The operation of a PEP follows a straightforward but effective pattern:
- Interception: When a user or system attempts to access a protected resource, the PEP intercepts the request before it reaches its destination.
- Request Formation: The PEP gathers the attributes the decision needs: the subject (taken from the authenticated session or validated token, never from a client-supplied header), the resource being accessed, the action requested, and environmental context such as time or source network.
- Policy Query: The PEP sends this information to the Policy Decision Point (PDP), asking whether the access should be permitted.
- Decision Enforcement: The PDP answers Permit, Deny, NotApplicable (no policy matched the request) or Indeterminate (evaluation failed, for example because an attribute was unavailable). The PEP lets the request proceed only on an explicit Permit and treats every other outcome, including a PDP that cannot be reached, as a denial, so that a failure in the authorization path fails closed. Where the PDP attaches obligations to a decision, the PEP must carry them out (or deny if it cannot) before honouring the decision.
- Logging: The PEP typically logs the access attempt and decision for audit purposes.
PEPs are invoked whenever there is an attempt to access a protected resource. Common scenarios include:
- API Calls: When applications or users make requests to protected APIs
- User Login: When an unauthenticated request reaches a protected system, the PEP triggers authentication (for example by redirecting to an identity provider) so that it has a verified subject identity to place in the authorization request.
- Resource Access: When users try to read, write, or modify protected data
- Service-to-Service Communication: In microservices architectures where services need to communicate with each other
- Network Access: When devices attempt to connect to protected network segments
PEPs operate within a broader access control ecosystem defined by standards like OASIS XACML:
- Policy Decision Point (PDP): The brain of the system that evaluates policies and makes authorization decisions
- Policy Administration Point (PAP): Where security administrators create and manage access policies
- Policy Information Point (PIP): Provides additional attributes needed for policy evaluation (user roles, resource classifications, etc.)
- Policy Retrieval Point (PRP): Stores the policy definitions the PDP loads for evaluation. The term appears in many product architectures; the XACML data-flow model itself has the PDP obtain policies from the PAP rather than naming a separate component.
API Gateway Protection
Consider an e-commerce platform built on microservices. An API Gateway serves as the PEP, intercepting every incoming API request. When a user requests their order history, the gateway forms an authorization request from the authenticated user's identity (not their credentials, which never need to reach the PDP), the resource (the orders, together with their owner) and the action (view). The PDP evaluates the policy that a user may view only their own orders and returns Permit, and the gateway forwards the request to the order microservice. For any other outcome the gateway returns an error and never contacts the backend.
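The five-step pattern above (intercept, form the request, query, enforce, log) and the API gateway scenario, as one added example that is not code from the original page or from any particular product. The PDP and PIP are in-process stand-ins written for this illustration, not a real XACML engine; the order data, the `/orders/<id>` path layout and the `order_service` backend are constructed sample inputs. The points a practitioner should take from it are that only an explicit Permit opens the gate, that an unreachable PDP or a missing attribute is treated as a denial, and that every attempt is recorded whether or not it was allowed.

```python
from dataclasses import dataclass, field

# Constructed sample data: order ownership (what a PIP would look up) and the
# store the protected order service serves from. Not real data.
ORDER_OWNERS = {"order-1001": "alice", "order-1002": "bob"}
ORDERS = {"order-1001": ["book", "lamp"], "order-1002": ["chair"]}
RESOURCE_TYPES = {"orders": "order"}  # gateway path segment -> policy resource type
ACTIONS = {"GET": "view", "PUT": "modify", "DELETE": "delete"}  # HTTP method -> action id


@dataclass
class Decision:
    result: str  # Permit | Deny | NotApplicable | Indeterminate
    reason: str = ""


@dataclass
class AuthzRequest:
    subject: dict
    resource: dict
    action: dict
    environment: dict = field(default_factory=dict)


class PolicyInformationPoint:
    # Supplies attributes the request does not carry (here: who owns an order).
    def resource_owner(self, resource_id):
        return ORDER_OWNERS.get(resource_id)


class PolicyDecisionPoint:
    # Evaluates one policy: a subject may view orders it owns.
    def __init__(self, pip):
        self.pip = pip

    def evaluate(self, req):
        if req.resource.get("type") != "order":
            return Decision("NotApplicable", "no policy targets this resource type")
        owner = self.pip.resource_owner(req.resource.get("id"))
        if owner is None:
            return Decision("Indeterminate", "owner attribute unavailable")
        if req.action.get("id") == "view" and owner == req.subject.get("id"):
            return Decision("Permit", "subject owns the order")
        return Decision("Deny", "subject is not the owner or action not permitted")


class PolicyEnforcementPoint:
    # Gateway-side PEP: intercept, form the request, query the PDP, enforce, log.
    def __init__(self, pdp):
        self.pdp = pdp
        self.audit = []  # in-memory audit trail; a real PEP ships this to a log pipeline

    def handle(self, subject_id, method, path, handler):
        # 1. Interception: the backend `handler` is reachable only through this method.
        # 2. Request formation. subject_id must come from the verified session or
        #    token the gateway validated, never from a client-controlled header.
        segments = path.strip("/").split("/")
        resource = {"type": RESOURCE_TYPES.get(segments[0], segments[0]),
                    "id": segments[1] if len(segments) > 1 else ""}
        action = {"id": ACTIONS.get(method, method.lower())}
        req = AuthzRequest(subject={"id": subject_id}, resource=resource, action=action)
        # 3. Policy query. A transport or PDP failure is Indeterminate, never a Permit.
        try:
            decision = self.pdp.evaluate(req)
        except Exception as exc:
            decision = Decision("Indeterminate", f"PDP unavailable: {exc}")
        # 4. Enforcement: only an explicit Permit lets the request through (fail closed).
        allowed = decision.result == "Permit"
        # 5. Logging: record every attempt and its outcome, allowed or not.
        self.audit.append({"subject": subject_id, "action": action["id"],
                           "resource": resource["id"], "decision": decision.result,
                           "reason": decision.reason})
        if not allowed:
            return 403, {"error": "forbidden"}
        return 200, handler(resource["id"])


class UnreachablePDP:
    # Stand-in for a PDP that is down, used to exercise the fail-closed path.
    def evaluate(self, req):
        raise ConnectionError("connection refused")


def order_service(order_id):
    # The protected microservice behind the gateway (constructed stand-in).
    return {"order": order_id, "items": ORDERS.get(order_id, [])}


def build_gateway(pdp=None):
    return PolicyEnforcementPoint(pdp or PolicyDecisionPoint(PolicyInformationPoint()))


if __name__ == "__main__":
    gw = build_gateway()
    print(gw.handle("alice", "GET", "/orders/order-1001", order_service))  # alice's own order
    print(gw.handle("alice", "GET", "/orders/order-1002", order_service))  # bob's order
    print(build_gateway(UnreachablePDP()).handle("alice", "GET", "/orders/order-1001", order_service))
```

Two design choices are deliberate. The PEP maps the HTTP request onto abstract subject/resource/action attributes rather than passing raw headers to the PDP, which keeps the policy independent of the gateway's URL scheme. And the decision is reduced to a single boolean at exactly one place, `decision.result == "Permit"`, so there is no code path by which NotApplicable, Indeterminate or an exception can be mistaken for approval.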
Web Access Management
A healthcare organization uses a Web Access Management (WAM) system in front of its patient portal applications. The WAM acts as a PEP: it authenticates the healthcare provider, then asks the PDP whether that provider may access the requested patient record. When a nurse tries to view a patient's medical history, the PEP sends the nurse's identity and the patient identifier to the PDP, which uses a PIP (for example, the staff assignment system) to confirm the care relationship before returning Permit. The PEP grants access only on that Permit, so a nurse with no care relationship to the patient is refused even though they are a valid, authenticated user.
For more detailed information on Policy Enforcement Points and access control architectures, refer to: