A security architect is designing an access control system with a key requirement to decouple authorization logic from the access control mechanism itself. This will allow policies to be updated centrally without redeploying the services they protect. Which design pattern best fulfills this requirement?
A single security gateway that evaluates and enforces all access policies for inbound traffic
An identity-aware proxy that relies on periodically synchronized group memberships
A shared library for authorization that is compiled into every microservice
A centralized policy engine that makes decisions and distributed agents that enforce them
This scenario describes the separation of the Policy Decision Point (PDP) and the Policy Enforcement Point (PEP). A centralized policy engine (the PDP) evaluates access rules, while distributed agents (PEPs) at the service or application level enforce the resulting decisions. This decoupling allows for dynamic, centralized policy management. A single security gateway combines decision and enforcement, creating a potential bottleneck and monolithic update cycle. Using a shared library would require recompiling and redeploying services to update authorization logic, which violates a key requirement. An identity-aware proxy with periodic syncs may not be real-time enough and still often combines the roles of decision and enforcement.