XACML for Building Access Control Policies in Internet of Things

Although the Internet of Things (IoT) has brought unlimited benefits, it has also brought many security issues. Access control is one of the main elements for addressing these issues. It grants access to system resources only to authorized users and ensures that they behave in an authorized manner during their access sessions. One of the significant components of any access control model is its access policies, which define the criteria used to permit or deny an access request. Building an efficient access control model for the IoT requires selecting an appropriate access policy language in which to implement the access policies. Therefore, this paper presents an overview of the most common access policy languages. It starts by discussing different access control models and the features of access policies. After reviewing different access policy languages, we proposed XACML as the most efficient and appropriate policy language for the IoT, as it is compatible with different platforms and provides a distributed and flexible approach that works with the different access control scenarios of an IoT system. In addition, we proposed an XACML model for Adaptive Risk-Based Access Control (AdRBAC) for the IoT and showed how the access decision is made using XACML.
