Access Control for IoT: A Survey of Existing Research, Dynamic Policies and Future Directions
Abstract
:1. Introduction
- The latest development of the access control in the IoT is provided to understand the recent progress on the access control.
- Access control requirements are discussed to help design and implement access control solutions for effective identity and access management in the IoT.
- Three major access control authorization architectures, namely, policy-based, token-based open authorization, and hybrid user-managed access architectures are discussed, and their essential components are briefly summarized.
- We compare different IoT access control models, including discretionary access control, role-based access control, attribute-based access control, organization-based access control, usage-based access control, capability-based access control, blockchain-based access control, and relationship-based access control to facilitate the adoption of access control solutions.
- Access control policies such as dynamic policies’ specification are thoroughly discussed. The challenges faced by the current solutions are highlighted.
- To guide future research in access control, we summarize the research challenges in access control and also point out future research directions in the IoT.
2. Access Control in the IoT
2.1. Access Control
2.2. Access Control Requirements
- 1.
- Granularity: Granularity is the expressiveness of the policies used to formulate access control rules [17]. The fine-grained nature is the most important characteristic of any solution that is designed to manage access rights. Due to the heterogeneity property of the IoT networks and their dynamic nature, granularity is a major concern while designing access control models [9,18].
- 2.
- Policies’ Specification: Policies developed for access control models should be able to handle dynamicity and allow and monitor delegation. An IoT network may contain a large number of devices presented in various forms and locations. Therefore, access control should consider the granularity and the policies’ specification to govern the network effectively [9].
- 3.
- Handling Complexity: IoT networks are heterogeneous networks that are characterized by resource-constrained devices, multiple hop links, unreliable communications, and limited physical security. Access control models shall be designed to handle the complex nature of the IoT networks [10].
- 4.
- Interoperability: Many device manufacturers provide a variety of IoT devices to customers. There is a high possibility that an IoT network may contain devices from different manufacturers and must function together. Therefore, access control must support this interoperable nature in the IoT [19].
- 5.
- Facilitation of Users: IoT devices may be shared and accessed by multiple users. For example, virtual assistants and smart home products can be used by family members and guests at home. Access control must be able to allow users to delegate access to other users instead of handling them all at a single administrative point [20,21].
- 6.
- 7.
- 8.
- Coherence: In the case of multiple administrative points adopted in access control, all the administrative nodes should be coherent when managing and provisioning access control. The variant types of IoT networks create a challenge when ensuring coherence across multiple administrative domains in the IoT [9].
- 9.
- Resolving Identities: Access control grants or denies requests from a user, a device, an application, or a service. It assumes that each user, device, application, or service is uniquely identified. IoT devices can be characterized by attributes such as model numbers, serial numbers, IP addresses, physical addresses, locations, etc. In turn, these devices are accessed by other devices and human users when connected to a network. Leveraging a combination of the device attributes to uniquely identify a device in a network poses a challenge during the access control specification and implementation [18].
- 10.
- Downtime: Downtime is the amount of time when access control is not available. The dynamic nature of the IoT environments tests the limits of any access control solution. Since access decisions are made frequently, there should be no downtime [8,9,22]. The design of a centralized model or a distributive model decides the downtime. In a centralized model, if the administrative node fails, it causes a single point of failure.
- 11.
- Scalability: Scalability is the ability for any access control process to continue to function properly when the number of users and devices changes [24]. Due to the vast number of devices available, access control in the IoT must be extensible to support the number of users and devices, the variety of devices, and the heterogeneous structures in the IoT [8].
- 12.
- Security: Access control is an essential process in any information system. The security of the access control process itself is thus important. Software defects such as design flaws and implementation bugs could be exploited by malicious actors [25]. Thorough security analysis should be conducted to ensure access control solutions are resistant to any cyber attack [10,14,23].
2.3. Discussion
3. Access Control Authorization Architecture
3.1. Policy-Based Architecture
- 1.
- Policy Administration Point: The PAP, also known as a policy repository, is where all the policies required to grant or deny permissions are stored. Typically, the policies are stored in a specific format, for example, Extensible Access Control Markup Language (XACML). In addition, the PAP makes the complete access control policies available for the policy decision point to grant or deny permissions [32,33]. In an IoT environment, PAP should be designed so that policies can be added, removed or modified at runtime.
- 2.
- Policy Enforcement Point: The PEP acts as an intercept between the PDP and the requesting subjects. It forwards every request made by a subject along with the attribute values related to the subjects, the resources, the actions to be performed, and the environment to the PDP. Once the evaluation is performed at the PDP, the PEP retrieves the decision and forwards it to the subject that made the request. Moreover, based on the decision, the PEP is responsible for enforcing the actions that the subject can perform on a resource (e.g., read, write or both) [32,34,35].
- 3.
- Policy Decision Point: The PDP evaluates the requests it receives based on the subject that makes the request, the resource that the subject is requesting to access, and the contextual (attributes) information. The PDP triggers the PIP to provide all the required contextual information, such as attribute values of the requester, the resources, the action that is being requested, and the environmental variables. Based on the information that is received, the PDP evaluates the decision by verifying them against the policies [32,34,35].
- 4.
- Policy Information Point: The PIP is responsible for collecting and storing all the contextual information related to the system. In an IoT network, granting or denying permissions based on context is one of the important requirements of access control. Hence, whenever the PDP requires the contextual information and the attribute information, the PIP sends them through the PEP to make an access decision [32,34,35].
- 5.
- Policy Refinement Point: The PRP is a component that is responsible for refining policies at runtime and updating the policy repository. The refining process can be triggered for several reasons such as any change in the context of the environment or detection of an abnormal or unauthorized access behavior [33,36]. Various techniques have been adopted in the literature for the policy refinement process [32,33,34,37]. Most of these techniques are based on artificial intelligence. The PRP contributes to automating policies’ specification for access control which is essential in a dynamic environment such as IoT.
3.2. Token-Based OAuth Architecture
- Constrained Application Protocol: CoAP is a protocol specially designed for interaction between endpoints and networks that are resource-constrained [41]. Specifically, this protocol is designed for machine-to-machine applications. The structure of CoAP is logically divided into two layers [42]. The first layer is used for requests and responses. CoAP uses a Representational State Transfer Constraints approach, allowing the clients to use HTTP methods to send requests [42]. The second layer, called the message layer, is used for retransmitting lost packets [42]. CoAP uses the Datagram Transport Layer Security (DTLS) protocol for security.
- Message Queuing Telemetry Transport: MQTT is a messaging protocol for the IoT standardized by the OASIS consortium. MQTT offers bidirectional communications and supports scalability and reliability. MQTT is considered a great communication protocol for the IoT due to its simple, lightweight, and easy deployment properties [43]. Moreover, the use of MQTT has advantages in the ability to work with low-end devices [44], implementing machine learning algorithms in the cloud by interfacing the device with the Internet [45], and easy integration of new devices [45]. MQTT also comes with limitations. The default plain-text data exchange mechanism is a significant threat to data security [43]. Several security attacks on IoT communication protocols were analyzed in [42].
3.3. Hybrid User-Managed Access Architecture
3.4. Discussion
4. Access Control Models in IoT
4.1. Access Control Models
- 1.
- Discretionary Access Control (DAC): DAC is one of the primary access control techniques introduced in computing. It grants access by managing an access control matrix or an Access-Control List (ACL) [53]. Once access is granted in DAC, it remains forever until the administrator revokes access. In IoT, the access should be continually monitored and evaluated for timely revocation. As new devices are being added or when existing devices are removed, access control must be updated automatically. Access decisions should be made based on various criteria in different situations. DAC is a static model, and the ACL must be manually updated by an administrator. For a dynamic environment such as IoT, DAC is not suitable.
- 2.
- Role-Based Access Control (RBAC): In RBAC, a user is granted access based on roles which are in turn assigned with appropriate permissions to access resources [54]. Although it is easy to assign permissions to roles, many users may fall under a single role. As IoT devices come with a variety of functionalities and offer a wide range of services, the administrator must create a new role whenever a device with new functionality is added to a network. In a large enterprise network, this may lead to role explosion. In addition, RBAC may have challenges in supporting dynamicity.
- 3.
- Attribute-Based Access Control (ABAC): ABAC is considered by many as one of the suitable models for IoT to provision access rights because of its ability to support additional attributes with user roles. Using ABAC, different attributes of IoT such as device ID and location can be included for evaluation while providing access. Even though this model is being used in large-scale projects such as smart grids, ABAC faces the issue of complexity due to its centralized architecture [17,55].
- 4.
- Organization-Based Access Control (OrBAC): OrBAC is an extension of the role-based access control by including a new dimension called “organization” [56]. This additional attribute helps in granting access when multiple organizations play a role or when an organization has many subdivisions. However, other than the above-mentioned concept, this model is no different from its parent model RBAC and is considered unsuitable for heterogeneous and dynamic IoT environments.
- 5.
- Usage-Based Access Control (UCON): UCON was introduced as a framework to protect digital resources that come under the digital rights management (DRM). This model comes with three main concepts: authorization, obligation, and condition [11]. The authorization represents evaluation as to whether a subject is eligible to be provided access. The obligation is a criterion that a subject must perform to be provided with or sustain access. The condition represents the criteria that a subject must satisfy. Due to the three evaluation categories, UCON provides high dynamicity where the access is continually monitored, thereby revoking access whenever required by policies. However, this model does not explain the delegation property and follows a centralized architecture.
- 6.
- Capability-Based Access Control (CapBAC): The concept of CapBAC was started as part of the IoT@Work project [57]. It is an initiative by the European Union to leverage IoT to automate various services in public sector entities [57]. CapBAC follows a distributed approach. It is implemented through various nodes by using PDP and PEP [58]. In CapBAC, a resource requester must show a particular capability to request an access token. The PDP decides whether to issue the token to the requester. Once issued, the token is evaluated at the PEP for the requester to access the resource. Another advantage of CapBAC is the property of delegation, where nodes can be given the authority to provide access to other nodes. The level of delegation is determined while designing the model. Nevertheless, the model must depend on a central server for either identity verification or certificate to decide whether to trust the requester or not. The access is issued based on the requester’s capability. CapBAC does not consider context while provisioning access [8].
- 7.
- Blockchain-Based Access Control (BBAC): Blockchain technology has had explosive growth in security and privacy applications in recent years. The important characteristic of this technology is its distributed nature. The methods through which the blockchain-based access control is described in the literature can be further divided into transaction-based and smart contract-based access control [59,60,61]. Transactions can be used to grant, delegate, or revoke access rights. Smart contracts can evaluate access requests and make decisions based on the access policies defined by the resource owner. In either case, an access token is generated and passed on to the requester, which signifies the right to access. The main disadvantage of the transaction-based approach is that access decisions must be made by a centralized node. In contrast, the smart contract-based approach may invoke large overhead due to the creation of contracts between nodes.
- 8.
- Relationship-Based Access Control (ReBAC): Relationships such as user-to-user, user-to-device, and device-to-device relationships can be utilized for identity access management. It is expected by many consumers that the IoT device manufacturers include the concept of relationships for access provisioning. Thus, Identity Relationship Management (IRM) is gaining attention and has been identified as a promising identity and access management (IAM) system for the IoT [62]. In ReBAC, permission is granted based on the relationship between a subject and a device. For example, if a subject is the owner of a device, the device can access a resource. The relationship as an ‘owner’ of the device grants the permission [63]. ReBAC is one of the recent models and it is gaining more attention due to its dynamic nature [64].
4.2. Discussion
5. Access Control Policies
5.1. Dynamic Policies’ Specification
5.2. Discussion
6. Access Control Research Challenges and Future Directions
6.1. Research Challenges
6.2. Future Directions
7. Conclusions
Author Contributions
Funding
Institutional Review Board Statement
Informed Consent Statement
Data Availability Statement
Conflicts of Interest
Abbreviations
ABAC | Attribute-Based Access Control |
ACL | Access-Control List |
ASG | Answer Set Grammar |
BBAC | Blockchain-Based Access Control |
CapBAC | Capability-Based Access Control |
CoAP | Constrained Application Protocol |
DAC | Discretionary Access Control |
DoS | Denial of Service |
DRM | Digital Rights Management |
DTLS | Datagram Transport Layer Security |
GAN | Generative Adversarial Network |
GDPR | General Data Protection Regulation |
GPM | Generative Policy Model |
HBAC | History-Based Access Control |
HIPAA | Health Insurance Portability and Accountability Act |
HBAC | History-Based Access Control |
IAB | Internet Architecture Board |
IDoT | Identities of Things |
IETF | Internet Engineering Task Force |
IAM | Identity and Access Management |
IoT | Internet of Things |
IoV | Internet of Vehicles |
IRM | Identity Relationship Management |
LSTM | Long Short-Term Memory |
MFA | Multi-Factor Authentication |
MQTT | Message Queuing Telemetry Transport |
OAuth | Open Authorization |
OrBAC | Organization-Based Access Control |
PAP | Policy Administration Point |
PDP | Policy Decision Point |
PEP | Policy Enforcement Point |
PIP | Policy Information Point |
PRP | Policy Refinement Point |
RBAC | Role-Based Access Control |
ReBAC | Relationship-Based Access Control |
RPT | Requesting Party Token |
UCON | Usage-Based Access Control |
UMA | User-Managed Access |
URI | Uniform Resource Identifier |
XACML | Extensible Access Control Markup Language |
XML | Extensible Markup Language |
References
- Statista Research Department. Internet of Things (IoT) Connected Devices Installed Base Worldwide from 2015 to 2025; Statista Research Department: New York, NY, USA, 2016. [Google Scholar]
- Shane, G. The Aftermath of the Dyn DDOS Attack. Micro 2019, 39, 66–68. [Google Scholar] [CrossRef]
- Check Point Research. IoTroop Botnet: The Full Investigation; Check Point Research: San Carlos, CA, USA, 2017. [Google Scholar]
- Kolias, C.; Kambourakis, G.; Stavrou, A.; Voas, J. DDoS in the IoT: Mirai and Other Botnets. Computer 2017, 50, 80–84. [Google Scholar] [CrossRef]
- Macaulay, T. Chapter 9—Identity and Access Control Requirements in the IoT; Morgan Kaufmann: Boston, MA, USA, 2017; pp. 157–176. [Google Scholar] [CrossRef]
- Sharma, A.; Sharma, S.; Dave, M. Identity and Access management—A Comprehensive Study. In Proceedings of the 2015 International Conference on Green Computing and Internet of Things (ICGCIoT), Greater Noida, India, 8–10 October 2015; pp. 1481–1485. [Google Scholar] [CrossRef]
- Wang, Y.; Attebury, G.; Ramamurthy, B. A Survey of Security Issues in Wireless Sensor Networks. IEEE Commun. Surv. Tutor. 2006, 8, 2–23. [Google Scholar] [CrossRef]
- Ouaddah, A.; Mousannif, H.; Elkalam, A.A.; Ouahman, A.A. Access control in the Internet of Things: Big challenges and new opportunities. Comput. Netw. 2017, 112, 237–262. [Google Scholar] [CrossRef]
- Ravidas, S.; Lekidis, A.; Paci, F.; Zannone, N. Access Control in Internet-of-Things: A Survey. J. Netw. Comput. Appl. 2019, 144, 79–101. [Google Scholar] [CrossRef]
- Bertin, E.; Hussein, D.; Sengul, C.; Frey, V. Access Control in the Internet of Things: A Survey of Existing Approaches and Open Research Questions. Ann. Telecommun. 2019, 74, 375–388. [Google Scholar] [CrossRef]
- Qiu, J.; Tian, Z.; Du, C.; Zuo, Q.; Su, S.; Fang, B. A Survey on Access Control in the Age of Internet of Things. IEEE Internet Things J. 2020, 7, 4682–4696. [Google Scholar] [CrossRef]
- Dramé-Maigné, S.; Laurent, M.; Castillo, L.; Ganem, H. Centralized, Distributed, and Everything in between: Reviewing Access Control Solutions for the IoT. ACM Comput. Surv. 2021, 54, 138. [Google Scholar] [CrossRef]
- Alnefaie, S.; Alshehri, S.; Cherif, A. A survey on access control in IoT: Models, architectures and research opportunities. Int. J. Secur. Netw. 2021, 16, 60–76. [Google Scholar] [CrossRef]
- Bhattarai, S.; Wang, Y. End-to-End Trust and Security for Internet of Things Applications. Computer 2018, 51, 20–27. [Google Scholar] [CrossRef]
- Nieles, M.; Dempsey, K.; Pillitteri, V.Y. An introduction to information security. NIST Spec. Publ. 2017, 800, 101. [Google Scholar]
- Muthusamy Ragothaman, K.N.; Wang, Y. A Systematic Mapping Study of Access Control in the Internet of Things. In Proceedings of the 54th Hawaii International Conference on System Sciences, Kauai, HI, USA, 5–8 January 2021; pp. 7090–7099. [Google Scholar] [CrossRef]
- Ouaddah, A.; Mousannif, H.; Abou Elkalam, A.; Ait Ouahman, A. Access control in IoT: Survey & state of the art. In Proceedings of the 2016 5th International Conference on Multimedia Computing and Systems (ICMCS), Marrakech, Morocco, 29 September–1 October 2016; pp. 272–277. [Google Scholar] [CrossRef]
- Pal, S. Limitations and Approaches in Access Control and Identity Management for Constrained IoT Resources. In Proceedings of the 2019 IEEE International Conference on Pervasive Computing and Communications Workshops (PerCom Workshops), Kyoto, Japan, 11–15 March 2019; pp. 431–432. [Google Scholar] [CrossRef]
- Cheung, K.; Huth, M.; Kirk, L.; Lundbæk, L.N.; Marques, R.; Petsche, J. Owner-Centric Sharing of Physical Resources, Data, and Data-Driven Insights in Digital Ecosystems. In Proceedings of the 24th ACM Symposium on Access Control Models and Technologies (SACMAT ’19), Toronto, ON, Canada, 3–6 June 2019; Association for Computing Machinery: New York, NY, USA, 2019; pp. 73–81. [Google Scholar] [CrossRef]
- Al-Halabi, Y.; Raeq, N.; Abu-Dabaseh, F. Study on Access Control Approaches in the Context of Internet of Things: A Survey. In Proceedings of the 2017 International Conference on Engineering and Technology (ICET), Antalya, Turkey, 21–23 August 2017; pp. 1–7. [Google Scholar] [CrossRef]
- Nguyen, M.; Gani, M.O.; Raychoudhury, V. Yours Truly? Survey on Accessibility of Our Personal Data in the Connected World. In Proceedings of the 2019 IEEE International Conference on Pervasive Computing and Communications Workshops (PerCom Workshops), Kyoto, Japan, 11–15 March 2019; pp. 292–297. [Google Scholar] [CrossRef]
- Ray, I.; Abdunabi, R.; Basnet, R. Access Control for Internet of Things Applications. In Proceedings of the 5th on Cyber-Physical System Security Workshop (CPSS ’19), Auckland, New Zealand, 8 July 2019; Association for Computing Machinery: New York, NY, USA, 2019; pp. 35–36. [Google Scholar] [CrossRef]
- Kaur, A.; Isha; Rai, G.; Malik, A. Authentication and Context Awareness Access Control in Internet of Things: A Review. In Proceedings of the 2018 8th International Conference on Cloud Computing, Data Science Engineering (Confluence), Noida, India, 1–12 January 2018; pp. 630–635. [Google Scholar] [CrossRef]
- Al-Fuqaha, A.; Guizani, M.; Mohammadi, M.; Aledhari, M.; Ayyash, M. Internet of things: A survey on enabling technologies, protocols, and applications. IEEE Commun. Surv. Tutor. 2015, 17, 2347–2376. [Google Scholar] [CrossRef]
- McGraw, G. Software security. IEEE Secur. Priv. 2004, 2, 80–83. [Google Scholar] [CrossRef]
- Amazon Devices and Accessories. Available online: https://www.amazon.com/smart-home-devices/b?ie=UTF8&node=9818047011 (accessed on 10 November 2022).
- Smart Home Automation from Google. Available online: https://home.google.com/welcome/ (accessed on 10 November 2022).
- SmartThings. Available online: https://www.smartthings.com/ (accessed on 10 November 2022).
- IFTTT. Available online: https://ifttt.com/ (accessed on 10 November 2022).
- Zapier. Available online: https://zapier.com/ (accessed on 10 November 2022).
- Power Automate. Available online: https://powerautomate.microsoft.com/en-us/ (accessed on 10 November 2022).
- Alkhresheh, A.; Elgazzar, K.; Hassanein, H.S. Adaptive Access Control Policies for IoT Deployments. In Proceedings of the 2020 International Wireless Communications and Mobile Computing (IWCMC), Limassol, Cyprus, 15–19 June 2020; pp. 377–383. [Google Scholar] [CrossRef]
- Cunnington, D.; Manotas, I.; Law, M.; Mel, G.D.; Calo, S.; Bertino, E.; Russo, A. A Generative Policy Model for Connected and Autonomous Vehicles. In Proceedings of the 2019 IEEE Intelligent Transportation Systems Conference (ITSC), Auckland, New Zealand, 27–30 October 2019; pp. 1558–1565. [Google Scholar] [CrossRef]
- Alkhresheh, A.; Elgazzar, K.; Hassanein, H.S. DACIoT: Dynamic Access Control Framework for IoT Deployments. IEEE Internet Things J. 2020, 7, 11401–11419. [Google Scholar] [CrossRef]
- El Kalam, A.A.; Outchakoucht, A.; Es-Samaali, H. Emergence-Based Access Control: New Approach to Secure the Internet of Things. In Proceedings of the 1st International Conference on Digital Tools & Uses Congress (DTUC ’18), Paris, France, 3–5 October 2018; Association for Computing Machinery: New York, NY, USA, 2018. [Google Scholar] [CrossRef]
- Bertino, E.; Russo, A.; Law, M.; Calo, S.; Manotas, I.; Verma, D.; Jabal, A.A.; Cunnington, D.; de Mel, G.; White, G.; et al. Generative Policies for Coalition Systems-A Symbolic Learning Framework. In Proceedings of the 2019 IEEE 39th International Conference on Distributed Computing Systems (ICDCS), Dallas, TX, USA, 7–10 July 2019; pp. 1590–1600. [Google Scholar] [CrossRef]
- Sicari, S.; Rizzardi, A.; Miorandi, D.; Coen-Porisini, A. Security Towards the Edge: Sticky Policy Enforcement for Networked Smart Objects. Inf. Syst. 2017, 71, 78–89. [Google Scholar] [CrossRef]
- IETF. RFC8628: OAuth 2.0 Device Authorization Grant; IETF: Wilmington, DE, USA, 2019. [Google Scholar]
- Niruntasukrat, A.; Issariyapat, C.; Pongpaibool, P.; Meesublak, K.; Aiumsupucgul, P.; Panya, A. Authorization mechanism for MQTT-based Internet of Things. In Proceedings of the 2016 IEEE International Conference on Communications Workshops (ICC), Kuala Lumpur, Malaysia, 23–27 May 2016; pp. 290–295. [Google Scholar] [CrossRef]
- Cirani, S.; Picone, M.; Gonizzi, P.; Veltri, L.; Ferrari, G. IoT-OAS: An OAuth-Based Authorization Service Architecture for Secure Services in IoT Scenarios. IEEE Sens. J. 2015, 15, 1224–1234. [Google Scholar] [CrossRef]
- IETF. RFC7252: The Constrained Application Protocol (CoAP); IETF: Wilmington, DE, USA, 2014. [Google Scholar]
- Dizdarević, J.; Carpio, F.; Jukan, A.; Masip-Bruin, X. A Survey of Communication Protocols for Internet of Things and Related Challenges of Fog and Cloud Computing Integration. ACM Comput. Surv. 2019, 51, 116. [Google Scholar] [CrossRef]
- Mishra, B.; Kertesz, A. The Use of MQTT in M2M and IoT Systems: A Survey. IEEE Access 2020, 8, 201071–201086. [Google Scholar] [CrossRef]
- Prada, M.A.; Reguera, P.; Alonso, S.; Morán, A.; Fuertes, J.J.; Domínguez, M. Communication with Resource-Constrained Devices through MQTT for Control Education. IFAC-PapersOnLine 2016, 49, 150–155. [Google Scholar] [CrossRef]
- Wagle, S. Semantic Data Extraction over MQTT for IoTcentric Wireless Sensor Networks. In Proceedings of the 2016 International Conference on Internet of Things and Applications (IOTA), Pune, India, 22–24 January 2016; pp. 227–232. [Google Scholar] [CrossRef]
- Machulak, M.; Richer, J. User-Managed Access (UMA) 2.0 Grant for OAuth 2.0 Authorization; Kantara Initiative: Richmond, VA, USA, 2018.
- Su, X.; Hyysalo, J.; Rautiainen, M.; Riekki, J.; Sauvola, J.; Maarala, A.I.; Hirvonsalo, H.; Li, P.; Honko, H. Privacy as a Service: Protecting the Individual in Healthcare Data Processing. Computer 2016, 49, 49–59. [Google Scholar] [CrossRef]
- Lin, C.A.; Liao, C.F. User-Managed Access Delegation for Blockchain-driven IoT Services. In Proceedings of the 2020 International Computer Symposium (ICS), Tainan, Taiwan, 17–19 December 2020; pp. 462–467. [Google Scholar] [CrossRef]
- Siris, V.A.; Dimopoulos, D.; Fotiou, N.; Voulgaris, S.; Polyzos, G.C. OAuth 2.0 Meets Blockchain for Authorization in Constrained IoT Environments. In Proceedings of the 2019 IEEE 5th World Forum on Internet of Things (WF-IoT), Limerick, Ireland, 15–18 April 2019; pp. 364–367. [Google Scholar] [CrossRef]
- Atlam, H.F.; Alassafi, M.O.; Alenezi, A.; Walters, R.J.; Wills, G.B. XACML for Building Access Control Policies in Internet of Things. In Proceedings of the IoTBDS, Madeira, Portugal, 19–21 March 2018; pp. 253–260. [Google Scholar]
- Rose, S.; Borchert, O.; Mitchell, S.; Connelly, S. Zero Trust Architecture; Technical Report; National Institute of Standards and Technology: Gaithersburg, MD, USA, 2020. [Google Scholar]
- Sheikh, N.; Pawar, M.; Lawrence, V. Zero trust using Network Micro Segmentation. In Proceedings of the IEEE INFOCOM 2021—IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS), Vancouver, BC, Canada, 10–13 May 2021; pp. 1–6. [Google Scholar]
- Albulayhi, K.; Abuhussein, A.; Alsubaei, F.; Sheldon, F.T. Fine-Grained Access Control in the Era of Cloud Computing: An Analytical Review. In Proceedings of the 2020 10th Annual Computing and Communication Workshop and Conference (CCWC), Las Vegas, NV, USA, 6–8 January 2020; pp. 0748–0755. [Google Scholar] [CrossRef]
- Shan, T.L.; Ismail, S.A.; Azizan, A. Access Control Models for Cloud Computing: A Review. In Proceedings of the 2018 2nd International Conference on Telematics and Future Generation Networks (TAFGEN), Kuching, Malaysia, 24–26 July 2018; pp. 155–158. [Google Scholar] [CrossRef]
- Servos, D.; Osborn, S.L. Current Research and Open Problems in Attribute-Based Access Control. ACM Comput. Surv. 2017, 49, 65. [Google Scholar] [CrossRef]
- Kalam, A.A.E.; Baida, R.E.; Balbiani, P.; Benferhat, S.; Cuppens, F.; Deswarte, Y.; Miege, A.; Saurel, C.; Trouessin, G. Organization Based Access Control. In Proceedings of the POLICY 2003—IEEE 4th International Workshop on Policies for Distributed Systems and Networks, Lake Como, Italy, 4–6 June 2003; pp. 120–131. [Google Scholar] [CrossRef]
- Gusmeroli, S.; Piccione, S.; Rotondi, D. A Capability-Based Security Approach to Manage Access Control in the Internet of Things. Math. Comput. Model. 2013, 58, 1189–1205. [Google Scholar] [CrossRef]
- Andaloussi, Y.; Ouadghiri, M.D.E.; Maurel, Y.; Bonnin, J.M.; Chaoui, H. Access Control in IoT Environments: Feasible Scenarios. Procedia Comput. Sci. 2018, 130, 1031–1036. [Google Scholar] [CrossRef]
- Riabi, I.; Ayed, H.K.B.; Saidane, L.A. A Survey on Blockchain Based Access Control for Internet of Things. In Proceedings of the 2019 15th International Wireless Communications Mobile Computing Conference (IWCMC), Tangier, Morocco, 24–28 June 2019; pp. 502–507. [Google Scholar] [CrossRef]
- Zhu, X.; Badr, Y. A Survey on Blockchain-Based Identity Management Systems for the Internet of Things. In Proceedings of the 2018 IEEE International Conference on Internet of Things (iThings) and IEEE Green Computing and Communications (GreenCom) and IEEE Cyber, Physical and Social Computing (CPSCom) and IEEE Smart Data (SmartData), Halifax, NS, Canada, 30 July–3 August 2018; pp. 1568–1573. [Google Scholar] [CrossRef]
- Sedgewick, P.E.; de Lemos, R. Self-Adaptation Made Easy with Blockchains. In Proceedings of the 2018 IEEE/ACM 13th International Symposium on Software Engineering for Adaptive and Self-Managing Systems (SEAMS), Gothenburg, Sweden, 28–29 May 2018; pp. 192–193. [Google Scholar]
- Hardy, N.W. The Internet of Things Ecosystem: Survey of the Current Landscape, Identity Relationship Management, Multifactor Authentication Mechanisms, and Underlying Protocols. Int. J. Comput. Inf. Eng. 2016, 10, 1202–1206. [Google Scholar] [CrossRef]
- Nur, M.; Wang, Y. An Overview of Identity Relationship Management in the Internet of Things. In Proceedings of the 2021 IEEE International Conference on Consumer Electronics (ICCE), Las Vegas, NV, USA, 10–12 January 2021; pp. 1–5. [Google Scholar] [CrossRef]
- Nur, M.; Wang, Y. Identity Relationship Management for Internet of Things: A Case Study. In Proceedings of the 2022 IEEE International Conference on Consumer Electronics (ICCE), Las Vegas, NV, USA, 7–9 January 2022. [Google Scholar]
- Tandon, L.; Fong, P.W.L.; Safavi-Naini, R. HCAP: A History-Based Capability System for IoT Devices. In Proceedings of the23nd ACM on Symposium on Access Control Models and Technologies (SACMAT ’18), Indianapolis, IN, USA, 13–15 June 2018; Association for Computing Machinery: New York, NY, USA, 2018; pp. 247–258. [Google Scholar] [CrossRef]
- Wu, L.; Du, X.; Guizani, M.; Mohamed, A. Access Control Schemes for Implantable Medical Devices: A Survey. IEEE Internet Things J. 2017, 4, 1272–1283. [Google Scholar] [CrossRef]
- Thirukkumaran, R.; Muthu Kannan, P. Survey: Security and Trust Management in Internet of Things. In Proceedings of the 2018 IEEE Global Conference on Wireless Computing and Networking (GCWCN), Lonavala, India, 23–24 November 2018; pp. 131–134. [Google Scholar] [CrossRef]
- Aftab, M.U.; Oluwasanmi, A.; Alharbi, A.; Sohaib, O.; Nie, X.; Qin, Z.; Ngo, S.T. Secure and dynamic access control for the Internet of Things (IoT) based traffic system. PeerJ Comput. Sci. 2021, 7, e471. [Google Scholar] [CrossRef]
- Shakarami, M.; Sandhu, R. Role-Based Administration of Role-Based Smart Home IoT. In Proceedings of the 2021 ACM Workshop on Secure and Trustworthy Cyber-Physical Systems (SAT-CPS ’21), Virtual Event, 28 April 2021; Association for Computing Machinery: New York, NY, USA, 2021; pp. 49–58. [Google Scholar] [CrossRef]
- Ning, H.; Shi, F.; Cui, S.; Daneshmand, M. From IoT to Future Cyber-Enabled Internet of X and Its Fundamental Issues. IEEE Internet Things J. 2021, 8, 6077–6088. [Google Scholar] [CrossRef]
- Rouhani, S.; Deters, R. Blockchain Based Access Control Systems: State of the Art and Challenges. In Proceedings of the IEEE/WIC/ACM International Conference on Web Intelligence (WI ’19), Thessaloniki, Greece, 14–17 October 2019; Association for Computing Machinery: New York, NY, USA, 2019; pp. 423–428. [Google Scholar] [CrossRef]
- Kafle, K.; Moran, K.; Manandhar, S.; Nadkarni, A.; Poshyvanyk, D. A Study of Data Store-Based Home Automation. In Proceedings of the Ninth ACM Conference on Data and Application Security and Privacy (CODASPY ’19), Richardson, TX, USA, 25–27 March 2019; Association for Computing Machinery: New York, NY, USA, 2019; pp. 73–84. [Google Scholar] [CrossRef]
- Tabassum, M.; Kropczynski, J.; Wisniewski, P.; Lipford, H.R. Smart Home Beyond the Home: A Case for Community-Based Access Control. In Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems (CHI ’20), Honolulu, HI, USA, 25–30 April 2020; Association for Computing Machinery: New York, NY, USA, 2020; pp. 1–12. [Google Scholar] [CrossRef]
- Jang, W.; Chhabra, A.; Prasad, A. Enabling Multi-User Controls in Smart Home Devices. In Proceedings of the 2017 Workshop on Internet of Things Security and Privacy (IoTS&P ’17), Dallas, TX, USA, 3 November 2017; Association for Computing Machinery: New York, NY, USA, 2017; pp. 49–54. [Google Scholar] [CrossRef]
- Koh, J.; Hong, D.; Nagare, S.; Boovaraghavan, S.; Agarwal, Y.; Gupta, R. Who Can Access What, and When? Understanding Minimal Access Requirements of Building Applications. In Proceedings of the 6th ACM International Conference on Systems for Energy-Efficient Buildings, Cities, and Transportation (BuildSys ’19), New York, NY, USA, 13–14 November 2019; Association for Computing Machinery: New York, NY, USA, 2019; pp. 121–124. [Google Scholar] [CrossRef]
- Calo, S.; Verma, D.; Chakraborty, S.; Bertino, E.; Lupu, E.; Cirincione, G. Self-Generation of Access Control Policies. In Proceedings of the 23nd ACM on Symposium on Access Control Models and Technologies (SACMAT ’18), Indianapolis, IN, USA, 13–15 June 2018; Association for Computing Machinery: New York, NY, USA, 2018; pp. 39–47. [Google Scholar] [CrossRef]
- Liu, Q.; Zhang, H.; Wan, J.; Chen, X. An Access Control Model for Resource Sharing Based on the Role-Based Access Control Intended for Multi-Domain Manufacturing Internet of Things. IEEE Access 2017, 5, 7001–7011. [Google Scholar] [CrossRef]
- Gabillon, A.; Gallier, R.; Bruno, E. Access Controls for IoT Networks. SN Comput. Sci. 2020, 1, 24. [Google Scholar] [CrossRef]
- Riad, K.; Cheng, J. Adaptive XACML Access Policies for Heterogeneous Distributed IoT Environments. Inf. Sci. 2021, 548, 135–152. [Google Scholar] [CrossRef]
- Sicari, S.; Rizzardi, A.; Grieco, L.; Piro, G.; Coen-Porisini, A. A Policy Enforcement Framework for Internet of Things Applications in the Smart Health. Smart Health 2017, 3–4, 39–74. [Google Scholar] [CrossRef]
- Zhang, Q.; Zhong, H.; Cui, J.; Ren, L.; Shi, W. AC4AV: A Flexible and Dynamic Access Control Framework for Connected and Autonomous Vehicles. IEEE Internet Things J. 2021, 8, 1946–1958. [Google Scholar] [CrossRef]
- Liu, Y.; Xiao, M.; Zhou, Y.; Zhang, D.; Zhang, J.; Gacanin, H.; Pan, J. An Access Control Mechanism Based on Risk Prediction for the IoV. In Proceedings of the 2020 IEEE 91st Vehicular Technology Conference (VTC2020-Spring), Antwerp, Belgium, 25–28 May 2020; pp. 1–5. [Google Scholar] [CrossRef]
- Yu, T.; Li, T.; Sun, Y.; Nanda, S.; Smith, V.; Sekar, V.; Seshan, S. Learning Context-Aware Policies from Multiple Smart Homes via Federated Multi-Task Learning. In Proceedings of the 2020 IEEE/ACM Fifth International Conference on Internet-of-Things Design and Implementation (IoTDI), Sydney, NSW, Australia, 21–24 April 2020; pp. 104–115. [Google Scholar] [CrossRef]
- Chu, M.; Li, H.; Liao, X.; Cui, S. Reinforcement Learning-Based Multiaccess Control and Battery Prediction with Energy Harvesting in IoT Systems. IEEE Internet Things J. 2019, 6, 2009–2020. [Google Scholar] [CrossRef]
- Di Francesco Maesa, D.; Mori, P.; Ricci, L. A Blockchain Based Approach for the Definition of Auditable Access Control Systems. Comput. Secur. 2019, 84, 93–119. [Google Scholar] [CrossRef]
- Liu, Y.; Zhang, J.; Zhan, J. Privacy Protection for Fog Computing and the Internet of Things Data Based on Blockchain. Clust. Comput. 2021, 24, 1331–1345. [Google Scholar] [CrossRef]
- Alcaraz, C.; Rubio, J.E.; Lopez, J. Blockchain-assisted Access for Federated Smart Grid Domains: Coupling and Features. J. Parallel Distrib. Comput. 2020, 144, 124–135. [Google Scholar] [CrossRef]
- Zhang, Y.; Yutaka, M.; Sasabe, M.; Kasahara, S. Attribute-Based Access Control for Smart Cities: A Smart-Contract-Driven Framework. IEEE Internet Things J. 2021, 8, 6372–6384. [Google Scholar] [CrossRef]
- Mont, M.; Pearson, S.; Bramhall, P. Towards Accountable Management of Identity and Privacy: Sticky Policies and Enforceable Tracing Services. In Proceedings of the 14th International Workshop on Database and Expert Systems Applications, Prague, Czech Republic, 1–5 September 2003; pp. 377–382. [Google Scholar] [CrossRef]
- Padget, J.A.; Vasconcelos, W.W. Fine-Grained Access Control via Policy-Carrying Data. ACM Trans. Internet Technol. 2018, 18, 31. [Google Scholar] [CrossRef]
- Sicari, S.; Rizzardi, A.; Miorandi, D.; Coen-Porisini, A. Dynamic Policies in Internet of Things: Enforcement and Synchronization. IEEE Internet Things J. 2017, 4, 2228–2238. [Google Scholar] [CrossRef]
- Sagirlar, G.; Carminati, B.; Ferrari, E. Decentralizing Privacy Enforcement for Internet of Things Smart Objects. Comput. Netw. 2018, 143, 112–125. [Google Scholar] [CrossRef]
- Miorandi, D.; Rizzardi, A.; Sicari, S.; Coen-Porisini, A. Sticky Policies: A Survey. IEEE Trans. Knowl. Data Eng. 2020, 32, 2481–2499. [Google Scholar] [CrossRef]
- Rimal, B.P.; Maier, M.; Satyanarayanan, M. Experimental Testbed for Edge Computing in Fiber-Wireless Broadband Access Networks. IEEE Commun. Mag. 2018, 56, 160–167. [Google Scholar] [CrossRef]
- Akhuseyinoglu, N.B.; Joshi, J. Access Control Approaches for Smart Cities. In IoT Technologies in Smart Cities: From Sensors to Big Data, Security and Trust; IET: London, UK, 2020; pp. 1–40. [Google Scholar] [CrossRef]
- Outchakoucht, A.; Hamza, E.S.; Leroy, J.P. Dynamic Access Control Policy Based on Blockchain and Machine Learning for the internet of Things. Int. J. Adv. Comput. Sci. Appl. 2017, 8, 417–424. [Google Scholar] [CrossRef]
- Outchakoucht, A.; Abou El Kalam, A.; Es-Samaali, H.; Benhadou, S. Machine Learning based Access Control Framework for the Internet of Things. Int. J. Adv. Comput. Sci. Appl. 2020, 11, 331–340. [Google Scholar] [CrossRef] [Green Version]
- Pal, S.; Hitchens, M.; Varadharajan, V. Modeling Identity for the Internet of Things: Survey, Classification and Trends. In Proceedings of the 2018 12th International Conference on Sensing Technology (ICST), Limerick, Ireland, 4–6 December 2018; pp. 45–51. [Google Scholar] [CrossRef]
- Koo, J.; Kim, Y.G. Interoperability of device identification in heterogeneous IoT platforms. In Proceedings of the 2017 13th International Computer Engineering Conference (ICENCO), Cairo, Egypt, 27–28 December 2017; pp. 26–29. [Google Scholar] [CrossRef]
- Ning, H.; Zhen, Z.; Shi, F.; Daneshmand, M. A Survey of Identity Modeling and Identity Addressing in Internet of Things. IEEE Internet Things J. 2020, 7, 4697–4710. [Google Scholar] [CrossRef]
- Jøsang, A.; Fabre, J.; Hay, B.; Dalziel, J.; Pope, S. Trust requirements in identity management. In Proceedings of the 2005 Australasian Workshop on Grid Computing and e-Research, Newcastle, NSW, Australia, 1 January 2005; Volume 44, pp. 99–108. [Google Scholar]
- Alpár, G.; Batina, L.; Batten, L.; Moonsamy, V.; Krasnova, A.; Guellier, A.; Natgunanathan, I. New directions in IoT privacy using attribute-based authentication. In Proceedings of the ACM International Conference on Computing Frontiers, Como, Italy, 16–19 May 2016; pp. 461–466. [Google Scholar]
- Cameron, K. The laws of identity. Microsoft Corp. 2005, 12, 8–11. [Google Scholar]
- Wang, Y.; Nikolai, J. Key Management in CPSs. In Security and Privacy in Cyber-Physical Systems: Foundations, Principles and Applications; John Wiley and Sons Ltd.: Hoboken, NJ, USA, 2017; pp. 117–136. [Google Scholar] [CrossRef]
- Wachter, S. Normative Challenges of Identification in the Internet of Things: Privacy, Profiling, Discrimination, and the GDPR. Comput. Law Secur. Rev. 2018, 34, 436–449. [Google Scholar] [CrossRef]
- Yu, B.; Wright, J.; Nepal, S.; Zhu, L.; Liu, J.; Ranjan, R. IoTChain: Establishing Trust in the Internet of Things Ecosystem Using Blockchain. IEEE Cloud Comput. 2018, 5, 12–23. [Google Scholar] [CrossRef]
- Abdulrahman, E.; Alshehri, S.; Cherif, A. Blockchain-Based Access Control for the Internet of Things: A Survey. In Proceedings of the 2021 IEEE Asia-Pacific Conference on Computer Science and Data Engineering (CSDE), Brisbane, Australia, 8–10 December 2021; pp. 1–6. [Google Scholar] [CrossRef]
- Rana, B.; Singh, Y.; Singh, P.K. A systematic survey on internet of things: Energy efficiency and interoperability perspective. Trans. Emerg. Telecommun. Technol. 2021, 32, e4166. [Google Scholar] [CrossRef]
- Hazra, A.; Adhikari, M.; Amgoth, T.; Srirama, S.N. A Comprehensive Survey on Interoperability for IIoT: Taxonomy, Standards, and Future Directions. ACM Comput. Surv. 2021, 55, 9. [Google Scholar] [CrossRef]
- Al-Masri, E.; Kalyanam, K.R.; Batts, J.; Kim, J.; Singh, S.; Vo, T.; Yan, C. Investigating Messaging Protocols for the Internet of Things (IoT). IEEE Access 2020, 8, 94880–94911. [Google Scholar] [CrossRef]
Features | DAC | RBAC | ABAC | OrBAC | CapBAC | UCON | ReBAC | BBAC |
---|---|---|---|---|---|---|---|---|
Granularity | Coarse | Coarse | Fine | Coarse | Coarse | Fine | Fine | Fine |
Context-Aware | No | No | Yes | Yes | No | Yes | Yes | Yes |
Dynamicity | No | No | Yes | No | Yes | Yes | Yes | Yes |
Distributed Nature | No | No | No | No | Yes | No | No | Yes |
Interoperability | No | No | Yes | Yes | Yes | No | Yes | Yes |
Delegation | No | No | No | No | Yes | No | Yes | Yes |
Revocation | No | No | No | No | Yes | Yes | Yes | Yes |
Scalability | No | No | Yes | No | Yes | Yes | Yes | Yes |
Contributions | Challenges | |
---|---|---|
[77] | RBAC-based approach for resource sharing | Scalability and resource efficiency |
[34] | Extended XACML and added three | No verification of who is going to use |
functionalities to implement adaptive policies | the access decisions | |
[78] | An ABAC-based framework for the MQTT | The approach is not tested in real time |
protocol | ||
[79] | An adaptive XACML policy-based approach | Utilization of many attributes may |
to specify access control decisions | potentially affect the performance | |
[80] | An attribute-based access control | The solution is a generic framework. It |
framework for smart health applications | is not implemented in real time | |
[36] | ASG-based architecture to generate | Noisy dataset which may result in |
policies at runtime | conflict policies | |
[33] | Proposed an architecture to generate runtime | Centralized architecture |
policies for autonomous vehicles | ||
[82] | Risk-based access control approach | Computation time is high |
based on LSTM and GANs | ||
[83] | Federated learning approach to learn | Real-time implementation |
policies at runtime | ||
[84] | Distributed technique for battery state | Efficiency depends on energy |
prediction for remote sensor devices | availability in sensors | |
[85] | ABAC policies are coded in smart contracts | Huge storage space requirement, |
and executed as distributed smart contracts. | computational overhead | |
Utilizes Ethereum protocol | ||
[86] | Distributed and dynamic access control based | Susceptible to tampering |
on blockchain and fog computing | ||
[87] | A three-layer interconnection architecture | Interoperability |
to enforce policies for smart grid | ||
[88] | Smart contract-based framework and | Throughput |
ABAC model for access decision-making | ||
in smart cities | ||
[90] | A formal model using first-order logic | Complex language, centralized |
to regulate data access, and a computational | architecture | |
model to verify policies | ||
[91] | Dynamic policy enforcement framework | Real-time implementation |
with a distribution and synchronization | ||
system | ||
[92] | Decentralized privacy enforcement | Information flows to be declared |
framework using sticky policies | beforehand | |
[37] | Middleware architecture to distribute | Testing performed in simulation. |
and update policies in an IoT environment | The exact implications need to be | |
tested in real time |
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content. |
© 2023 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Share and Cite
Ragothaman, K.; Wang, Y.; Rimal, B.; Lawrence, M. Access Control for IoT: A Survey of Existing Research, Dynamic Policies and Future Directions. Sensors 2023, 23, 1805. https://doi.org/10.3390/s23041805
Ragothaman K, Wang Y, Rimal B, Lawrence M. Access Control for IoT: A Survey of Existing Research, Dynamic Policies and Future Directions. Sensors. 2023; 23(4):1805. https://doi.org/10.3390/s23041805
Chicago/Turabian StyleRagothaman, Kaushik, Yong Wang, Bhaskar Rimal, and Mark Lawrence. 2023. "Access Control for IoT: A Survey of Existing Research, Dynamic Policies and Future Directions" Sensors 23, no. 4: 1805. https://doi.org/10.3390/s23041805
APA StyleRagothaman, K., Wang, Y., Rimal, B., & Lawrence, M. (2023). Access Control for IoT: A Survey of Existing Research, Dynamic Policies and Future Directions. Sensors, 23(4), 1805. https://doi.org/10.3390/s23041805