XACML for Building Access Control Policies in Internet of Things
Related papers
Journal of Communications
The Internet of Things (IoT) extends internet connectivity to a wide range of smart devices. However, battery autonomy, computational capability and storage capacity are major technology challenges that hinder increased implementation and adoption. Although the integration of the Internet of Things (IoT) with Cloud Computing is considered a highly promising solution for overcoming these bottlenecks, it raises security concerns, especially around access control. Recently, a variety of access control models have been developed to help protect confidential information and restrict access to sensitive data. Because of its flexibility and scalability, the consensus is that Attribute Based Access Control (ABAC) is the most appropriate model in a dynamic environment. In the context of IoT, the ABAC model has the ability to enforce data privacy and ensure a secure connection between IoT devices and cloud providers. One of the core components of the ABAC model is its access policies, which are used to deny or allow users' requests. To achieve that, an access policy language is required to implement policy rules in the ABAC model. In this study, we propose a method based on the eXtensible Access Control Markup Language (XACML) to prevent all unauthorized access to remote resources. This policy language is a particularly efficient and appropriate technique in the context of IoT due to its compatibility with heterogeneous platforms. Index Terms: cloud computing, internet of things, cloud, ABAC model, XACML language, security policy tool
Annals of Telecommunications, 2019
The Internet of Things operates in a personal-data-rich sector, which makes security and privacy an increasing concern for consumers. Access control is thus a vital issue to ensure trust in the IoT. Several access-control models are available today, each with various features that make it more or less suitable for the IoT. This article provides a comprehensive survey of these different models, focused both on access control models (e.g., DAC, MAC, RBAC, ABAC) and on access control architectures and protocols (e.g., SAML and XACML, OAuth 2.0, ACE, UMA, LwM2M, AllJoyn). The suitability of each model or framework for IoT is discussed. In conclusion, we provide future directions for research on access control for the IoT: scalability, heterogeneity, openness and flexibility, identity of objects, personal data handling, dynamic access control policies and usable security. Index Terms: Access Control (AC), Internet of Things (IoT),
Context-aware Automatic Access Policy Specification for IoT Environments
2018
Data privacy has become a primary impediment to the realization of the IoT vision. One approach to the IoT security and privacy problem is to restrict access to sensitive data via access control and authorization models. Yet access context in IoT changes frequently, raising the need for flexible and dynamic access control policies. Towards developing dynamic access control policies, context-based access control techniques are being investigated due to their robustness in assigning dynamic access permissions according to changes in context. In this paper, we propose to automate the generation of access control policies to overcome the inflexibility in traditional access policy specification techniques, and improve its adaptability to dynamic IoT environments. In our framework, we use context, attributes, and predication to describe the core access control elements. In response to access requests, our algorithm automatically produces conflict-free access control policies and makes the fin...
Access Control for the Internet of Things
2016
As we are moving from networked "Things" towards the Internet of Things (IoT), new security requirements arise. Access control in this new environment is a burgeoning and challenging problem. On the one hand, an access control system should be generic enough to cover the requirements of all the new exciting applications that become pervasive with the IoT. On the other hand, an access control system should be lightweight and easily implementable, considering at the same time the restrictions that Things impose. In this paper, we develop an access control system which enables offloading of complex access control decisions to third, trusted parties. Our system provides Thing authentication without public keys and establishes a shared symmetric encryption key that can be used to secure the communication between authorized users and Things. Our design imposes minimal overhead and it is based on a simple communication protocol. The resulting system is secure, enhances end-user privacy and the architecture facilitates the creation of new applications.
Access control in internet-of-things: A survey
Journal of Network and Computer Applications
The Internet of Things (IoT) is an emerging technology that is revolutionizing the global economy and society. IoT enables a collaborative environment where different entities (devices, people and applications) exchange information for service provision. Despite the benefits that IoT technology brings to individuals, society and industry, its wide adoption opens new security and privacy challenges. Among them, a vital challenge is the protection of devices and resources produced within IoT ecosystems. This need has attracted growing attention from the research community and industry, and several authorization frameworks have been designed specifically for IoT. In this survey, we investigate the main trends in access control in IoT and perform an extensive analysis of existing authorization frameworks tailored to IoT systems. Driven by the needs of representative IoT applications and key requirements for IoT, we elicit the main requirements that authorization frameworks for IoT should satisfy along with criteria for their assessment. These criteria and requirements form a baseline for our literature study. Based on this study, we identify the main open issues in the field of access control for IoT and draw directions for future research.
Developing an adaptive Risk-based access control model for the Internet of Things
The Internet of Things (IoT) is creating a revolution in the number of connected devices. Cisco reported that there were 25 billion IoT devices in 2015, with a modest estimate that this number will almost double by 2020. Society has become dependent on these billions of devices, which are connected and communicating with each other all the time, with information constantly shared between users, services, and internet providers. Emergent IoT devices are creating a huge security rift between users and usability; sacrificing usability for security has created a number of major issues. First, IoT devices are classified under Bring Your Own Device (BYOD), which breaks any organization's security boundary and makes them a target for espionage or tracking. Second, the size of the data generated from IoT makes big data problems pale in comparison, not to mention that IoT devices need a real-time response. Third, incorporating secure access and control for IoT devices, ranging from edge-node devices to the application level (business intelligence reporting tools), is a challenge because it has to account for several hardware and application levels. Establishing a secure access control model between different IoT devices and services is a major milestone for the IoT. This is important because data leakage and unauthorized access to data have a high impact on our IoT devices. However, traditional access control models with static and rigid infrastructure cannot provide the required security for the IoT infrastructure. Therefore, this paper proposes a risk-based access control model for IoT technology that takes into account real-time data information requests for IoT devices and gives dynamic feedback.
The proposed model uses IoT environment features to estimate the security risk associated with each access request, using user context, resource sensitivity, action severity and risk history as inputs for a security risk estimation algorithm that is responsible for the access decision. The proposed model then uses smart contracts to provide adaptive features in which user behaviour is monitored to detect any abnormal actions from authorized users.
Dynamic Access Control Framework for Internet of Things
2019
In the near future, IoT ecosystems will enable billions of smart things to interconnect and communicate information about themselves and their physical environments. The high density of smart things in these environments allows for fine-grained data acquisition, enabling the development of advanced services and new kinds of applications ranging from wearable devices to air conditioners to fully automated cars. However, the dense and pervasive collection, processing and dissemination of data can unleash sensitive information about individuals, raising non-trivial security and privacy concerns. One solution for IoT security and privacy is to restrict access to sensitive data using access control and authorization techniques. Although many basic principles of standard access control models continue to apply, the highly dynamic nature of IoT environments, the resource limitations of IoT devices and their vulnerability to physical and virtual attacks present unique challenges that render existing ac...
Sensors (Basel, Switzerland), 2018
Internet growth has generated new types of services where the use of sensors and actuators is especially remarkable. These services compose what is known as the Internet of Things (IoT). One of the biggest current challenges is obtaining a safe and easy access control scheme for the data managed in these services. We propose integrating IoT devices in an access control system designed for Web-based services by modelling certain IoT communication elements as resources. This would allow us to obtain a unified access control scheme between heterogeneous devices (IoT devices, Internet-based services, etc.). To achieve this, we have analysed the most relevant communication protocols for these kinds of environments and then we have proposed a methodology which allows the modelling of communication actions as resources. Then, we can protect these resources using access control mechanisms. The validation of our proposal has been carried out by selecting a communication protocol based on mes...
Policy-based Access Control for the IoT and Smart Cities
2019
The Internet of Things (IoT) can revolutionize the interaction between users and technology. This interaction generates a large amount of sensitive and personal data. Therefore, access to the information it provides should be restricted to authorized users only. However, the limited storage and memory in IoT devices make it impractical to deploy traditional mechanisms to control access. In this paper, we propose a new access control mechanism based on trust policies adapted from LIGHTest. The proposed protocol also handles delegations in the IoT context elegantly. We provide the protocol overview and discuss its practical applications in the IoT environment.