IAACaaS: IoT Application-Scoped Access Control as a Service

Access control is a key element in guaranteeing the security of online services. However, the devices that make up the Internet of Things have special requirements that call for new approaches to access control mechanisms. Their low computing capabilities impose limitations that make traditional paradigms not directly applicable to sensors and actuators. In this paper, we propose a dynamic, scalable, IoT-ready model that is based on the OAuth 2.0 protocol and that allows the complete delegation of authorization, so that an access-control-as-a-service mechanism is provided. Multiple tenants are also supported by means of application-scoped authorization policies, whose roles and permissions are fine-grained enough to provide the desired flexibility of configuration. In addition, OAuth 2.0 ensures interoperability with the rest of the Internet while respecting the computing constraints of IoT devices, because its tokens carry all the information needed to perform authorization. The proposed model has been fully implemented in an open-source solution and extensively validated in the scope of FIWARE, a European project with thousands of users whose goal is to provide a framework for developing smart applications and services for the future Internet. We provide the details of the deployed infrastructure and offer the analysis of a sample smart city setup that takes advantage of the model. We conclude that the proposed solution enables a new access control as a service paradigm that satisfies the special requirements of IoT devices in terms of performance, scalability and interoperability.
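
The following is an added example, not code from the paper or from the FIWARE project, that illustrates the application-scoped policy model the abstract describes: a validated bearer token resolves to a set of roles that are scoped per application (tenant), each application owns its own role-to-permission mapping, and a permission is an HTTP method plus a resource path pattern. The token values, application identifiers, roles, paths and the in-memory token store are all constructed for illustration; in a real deployment the token-to-roles lookup would be answered by the OAuth 2.0 authorization server, and the enforcement point only needs the token's contents, never the policy engine's internals.

```python
"""Application-scoped access control decision (added example, constructed data).

Model sketched here:
  token  -> {application_id: {role, ...}}          (what the authorization server returns)
  application_id -> {role: {Permission, ...}}      (policy owned by each tenant application)
  Permission = (HTTP method, regex over the request path)
A request is allowed only if the token holds a role *in that application*
whose permissions cover the method and path. Everything else is denied.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Permission:
    method: str    # HTTP verb, e.g. "GET"
    resource: str  # regular expression matched against the whole request path


@dataclass
class ApplicationPolicy:
    app_id: str
    role_permissions: dict[str, frozenset[Permission]] = field(default_factory=dict)

    def is_allowed(self, roles: set[str], method: str, path: str) -> bool:
        """True if any of the given roles carries a permission covering the request."""
        for role in roles:
            for perm in self.role_permissions.get(role, ()):
                if perm.method == method and re.fullmatch(perm.resource, path):
                    return True
        return False


# Constructed stand-in for the authorization server's answer to "which roles does
# this token hold, per application?". Note that the same role name ("operator")
# in a different application grants nothing in "smartcity-app".
TOKEN_STORE: dict[str, dict[str, set[str]]] = {
    "tok-ops-team":  {"smartcity-app": {"operator"}},
    "tok-public":    {"smartcity-app": {"viewer"}},
    "tok-other-app": {"parking-app":   {"operator"}},
}

# Constructed per-application policies (one tenant's roles never leak into another's).
POLICIES: dict[str, ApplicationPolicy] = {
    "smartcity-app": ApplicationPolicy("smartcity-app", {
        "viewer": frozenset({
            Permission("GET", r"/sensors/[^/]+(/readings)?"),
        }),
        "operator": frozenset({
            Permission("GET", r"/sensors/[^/]+(/readings)?"),
            Permission("POST", r"/actuators/[^/]+/commands"),
        }),
    }),
    "parking-app": ApplicationPolicy("parking-app", {
        "operator": frozenset({Permission("GET", r"/sensors/[^/]+")}),
    }),
}


def authorize(token: str, app_id: str, method: str, path: str) -> bool:
    """Decide whether `token` may perform `method path` inside application `app_id`.

    Fails closed: an unknown token, a token with no roles in this application,
    or an application with no policy all yield a denial.
    """
    per_app_roles = TOKEN_STORE.get(token)
    if per_app_roles is None:
        return False
    roles = per_app_roles.get(app_id, set())
    policy = POLICIES.get(app_id)
    if not roles or policy is None:
        return False
    return policy.is_allowed(roles, method, path)


if __name__ == "__main__":
    checks = [
        ("tok-ops-team", "smartcity-app", "POST", "/actuators/lamp-12/commands"),
        ("tok-public", "smartcity-app", "POST", "/actuators/lamp-12/commands"),
        ("tok-other-app", "smartcity-app", "GET", "/sensors/temp-3"),
    ]
    for token, app, method, path in checks:
        print(f"{token:14} {app:14} {method:5} {path:30} -> {authorize(token, app, method, path)}")
```

The decision function deliberately separates "which roles does this token hold in this application" from "what do those roles permit here", which is what makes the policies tenant-scoped: the operator of `parking-app` is denied in `smartcity-app` even though a role of the same name exists there.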
