User-To-Device Access Control Models for Cloud-Enabled IoT with Smart Home Case Study
The Internet of Things (IoT), sometimes called the Internet of Everything, is a new technology paradigm envisioned as a global network of physical objects (things) that are embedded with sensors, software, and other technologies for the purpose of connecting and exchanging data with other devices and systems over the Internet . The concept of IoT has attracted many application domains including consumer applications (smart homes, elder care), organizational applications (medical and health care, vehicular communication systems), industrial applications (manufacturing, agriculture),infrastructure applications (smart cities, energy management), and military applications(Internet of Battlefield Things). Soon IoT will affect all industries and everyone's daily life. This requires usable authentication and sophisticated access control specification mechanisms that are currently lacking. It is widely recognized that the potential benefits of IoT can be fully realized only in combination with cloud computing. Cloud support enables long-term storage of the massive amounts of data produced by IoT devices and the compute-intensive analysis of this data to improve overall operations, especially in context of limited capacity of IoT devices. Moreover, cloud support enables data and analytical sharing. Hence the concept of cloud-enabled IoT (also sometimes called cloud-assisted IoT).In rapidly evolving IoT domains, security and privacy of data and information is always at considerable risk from unauthorized actors and malicious attackers. One of the critical security services in IoT that mostly all researchers agree upon is access control (AC). Insecure access to web, backend APIs (Application Programming Interfaces), cloud and mobile interfaces are among the top vulnerabilities for IoT applications. However, commercial IoT frameworks fall short in implementing access control to these interfaces. Soon IoT will be part of every home turning our houses into smart houses, in which we have multiple users with complex social relationships between them using the same smart devices. Providing an appropriate access control model for home IoT services is a vital but challenging topic. Authorization issues have been explored extensively for many different domains. However, home IoT is significantly different from traditional domains which necessitate a rethinking of access control and authentication. This dissertation investigates user-to-device access control requirements in home IoT, and then develops and demonstrates four different access control models for user-to-device interaction in smart home IoT. First, it proposes the extended generalized role-based access control (EGRBAC) model for smart home IoT. It provides a formal definition for EGRBAC and illustrates its features with a use case. A proof-of-concept demonstration utilizing AWS-IoT Greengrass is also discussed. Second, it introduces the smart home IoT attribute-based access control model (HABAC). It provides a formal definition for HABAC and illustrates its features with a use case. It provides an analysis of HABAC relative to EGRBAC. It compares the theoretical expressive power of these models by providing algorithms for converting an HABAC specification to EGRBAC and vice versa. Moreover, it discusses the insights for practical deployment of these models resulting from these constructions. This dissertation identifies the need for a combined (role-based and attribute-based) access control model for smart home IoT. Third, this dissertation develops a formal role-centric hybrid access control model (HyBACRC).It further demonstrates the features of HyBACRC through a use case scenario, and a proof of concept implementation. Fourth, it introduces an attribute-centric hybrid access control model (HyBACAC). It formally defines the model, and illustrates its features with a use case scenario and a proof of concept implementation. It analyzes this model relative to HyBACRC, HABAC and EGRBAC models. Moreover, it provides approaches for converting an HyBACRC specification to HyBACAC and vice versa. It argues that a role-centric hybrid access control model combining ABAC and RBAC features may be the most suitable for user-to-device smart home IoT access control.