There is growing awareness of the need to protect
digital resources and services in both corporate and home
ICT scenarios. Meanwhile, communication tools tailored for
corporations are blurring the line between communication
mechanisms and (near) real-time resource sharing. The resulting
requirement for near real-time policy-based access control is
technically challenging. In a corporate domain, such access
control mechanisms must be unobtrusive and comply with strict
security objectives. Thus, policy evaluation performance needs to
be considered while addressing traditional security concerns. This
paper discusses policy system design principles that motivate a
novel Policy Decision Point (PDP) implementation and associated
policy language. These principles are consistent with recent web
development techniques designed to improve performance and
scalability. Given a modern web development stack comprising
a language (JavaScript), a framework (Node.js) and a database
management system (Redis), the proposition is that significant
performance gains can be made. Our performance experiments
suggest this is the case when, through various design iterations,
our prototype PDP implementation is compared with an
established, Java/XACML-based access control PDP implementation.
The experiments presented in this paper suggest that newer
technologies offer better performance. The analysis suggests that
this is because they offer a more efficient data representation
and make better use of computing resources.