Access control in the Internet of Things: Big challenges and new opportunities

In this paper, an extensive state-of-the-art review of access control solutions for the IoT is provided, organised according to the Objectives, Models, Architecture and Mechanisms (OM-AM) framework. An analysis of the security and privacy requirements of the most dominant IoT application domains, namely Personal and home, Government and utilities, and Enterprise and industry, is conducted. The pros and cons of traditional as well as recent access control models and protocols are highlighted from an IoT perspective. Furthermore, a qualitative and a quantitative evaluation is carried out of the most relevant IoT-related projects, which represent the majority of the research and commercial access control solutions proposed in recent years (2011-2016). Finally, open challenges and future research directions are identified.
