The API must have a mechanism for cache invalidation when using cache policy data.

STIG ID: SRG-APP-000400-API-000845  |  SRG: SRG-APP-000400 |  Severity: medium |  CCI: CCI-002007 |  Vulnerability Id: V-274677

Vulnerability Discussion

Temporarily storing (caching) information such as access control rules or system configuration policies in memory or a local store lets the system avoid repeatedly querying a centralized policy engine or database, which improves performance, reduces latency, and keeps the system usable during an outage of that engine. The trade-off is consistency: a cached rule can keep granting access that has since been revoked at the policy engine. The API must therefore manage the freshness of cached policy data, expire it after a defined duration, and provide a mechanism to invalidate the cache when policies change.

Check

Verify the API has a mechanism for cache invalidation when it caches policy data.

It may be appropriate to allow microservices to cache policy data; however, this cache must only be relied upon when the access server is unavailable, never as the primary source of decisions while the access server is reachable. The cached data must expire after a duration defined by the organization and appropriate for the specific environment/infrastructure.

If the API is not configured to expire cached policy data, this is a finding.

Fix

Build or configure the API to expire cached policy data after the organization-defined duration and to invalidate it when the policy set changes.
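The following is an added example, not part of the STIG and not any product's code, showing one way to implement what the Check and Fix describe: a policy-decision cache that expires entries after an organization-defined TTL, is consulted only when the access server is unavailable (and fails closed when nothing unexpired is cached), and is invalidated when the policy set changes. The `Authorizer`, `PolicyCache`, `FakeAccessServer` and `run_scenario` names, the policy-version scheme and the 60-second TTL are all hypothetical; the access server is a constructed stand-in.

```python
"""Hypothetical policy cache: TTL expiry, fallback only during an outage,
and invalidation on policy change. Not from the STIG or any product."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Key = Tuple[str, str, str]  # (subject, resource, action)


class AccessServerUnavailable(Exception):
    """Raised when the central policy engine cannot be reached."""


@dataclass
class Decision:
    allow: bool
    policy_version: int  # version of the policy set that produced the decision


@dataclass
class CacheEntry:
    decision: Decision
    stored_at: float  # clock reading when the entry was stored


class PolicyCache:
    """Decision cache with TTL expiry and policy-version invalidation."""

    def __init__(self, ttl_seconds: float, clock: Callable[[], float] = time.monotonic):
        self.ttl = ttl_seconds  # organization-defined duration (assumed 60 s below)
        self.clock = clock
        self._entries: Dict[Key, CacheEntry] = {}
        self._version = 0  # newest policy version seen so far

    def put(self, key: Key, decision: Decision) -> None:
        if decision.policy_version < self._version:
            return  # stale reply from an older policy set: never cache it
        if decision.policy_version > self._version:
            self.invalidate_older_than(decision.policy_version)
        self._entries[key] = CacheEntry(decision, self.clock())

    def get(self, key: Key) -> Optional[Decision]:
        entry = self._entries.get(key)
        if entry is None:
            return None
        if self.clock() - entry.stored_at >= self.ttl:
            del self._entries[key]  # TTL elapsed: entry expires
            return None
        return entry.decision

    def invalidate_older_than(self, version: int) -> None:
        """Drop every entry produced by a policy set older than `version`."""
        self._version = max(self._version, version)
        self._entries = {k: e for k, e in self._entries.items()
                         if e.decision.policy_version >= version}


class Authorizer:
    """Asks the access server first; uses the cache only when it is down."""

    def __init__(self, access_server: Callable[[str, str, str], Decision], cache: PolicyCache):
        self.access_server = access_server
        self.cache = cache

    def authorize(self, subject: str, resource: str, action: str) -> Tuple[bool, str]:
        key = (subject, resource, action)
        try:
            decision = self.access_server(subject, resource, action)
        except AccessServerUnavailable:
            cached = self.cache.get(key)
            if cached is None:  # fail closed: no unexpired fallback decision
                return False, "deny: access server unavailable, no unexpired cached decision"
            return cached.allow, "cached"
        self.cache.put(key, decision)  # refresh the fallback copy
        return decision.allow, "live"

    def on_policy_change(self, new_version: int) -> None:
        """Hook for a change notification (webhook, pub/sub) from the policy server."""
        self.cache.invalidate_older_than(new_version)


class FakeAccessServer:
    """Constructed stand-in for a central policy engine (demo only)."""

    def __init__(self) -> None:
        self.available, self.version = True, 1
        self.rules: Dict[Key, bool] = {("alice", "doc1", "read"): True}

    def __call__(self, subject: str, resource: str, action: str) -> Decision:
        if not self.available:
            raise AccessServerUnavailable()
        return Decision(self.rules.get((subject, resource, action), False), self.version)


def run_scenario() -> List[Tuple[bool, str]]:
    """Outage, policy change and TTL expiry in sequence; returns each decision."""
    server, now = FakeAccessServer(), [0.0]  # constructed clock, advanced by hand
    authz = Authorizer(server, PolicyCache(ttl_seconds=60, clock=lambda: now[0]))
    out = [authz.authorize("alice", "doc1", "read")]  # live allow, cached under v1
    server.available = False
    out.append(authz.authorize("alice", "doc1", "read"))  # outage: cached allow
    out.append(authz.authorize("bob", "doc1", "read"))    # outage, nothing cached: deny
    authz.on_policy_change(2)                             # policy changed during outage
    out.append(authz.authorize("alice", "doc1", "read"))  # v1 entry invalidated: deny
    server.available, server.version, server.rules = True, 2, {}  # alice revoked
    out.append(authz.authorize("alice", "doc1", "read"))  # live deny, cached under v2
    server.available = False
    now[0] = 30.0
    out.append(authz.authorize("alice", "doc1", "read"))  # within TTL: cached deny
    now[0] = 61.0
    out.append(authz.authorize("alice", "doc1", "read"))  # TTL elapsed: fail closed
    return out
```

The two properties an assessor would look for are visible in `run_scenario`: a decision is served from the cache only after `AccessServerUnavailable` is raised, and a cached entry stops being honoured both when the TTL elapses and when `on_policy_change` announces a newer policy version, even while the server is still down.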