Attribute-based Access and Communication Control Models for Cloud and Cloud-enabled Internet of Things
The essence of Attribute-Based models lies in their use of attributes of various entities to control different aspects of a system, as defined by customized policies based on the model's objectives and application domain. In Attribute-Based Access Control (ABAC), a subject's (e.g., a user's) access to different objects (e.g., files, databases) or to subjects (e.g., other users in Online Social Networks) is secured based on the attributes of subjects and objects. ABAC controls access to data and information stored in a system by abstracting them in the form of protected objects or resources. Due to its object-focused approach, ABAC is insufficient to control communications occurring in the form of streaming data and information sharing among different system components. There is some literature on controlling communications using ABAC; however, there is a lack of focused treatment of Attribute-Based Communication Control (ABCC).
In today's world, two pervasive application domains are Cloud Computing and the Cloud-Enabled Internet of Things (CE-IoT). In these rapidly evolving domains, the security and privacy of data and information at rest and in motion are at considerable risk at all times from unauthorized actors and malicious attackers. It is crucial to appropriately address security and privacy concerns in these two emerging domains by conducting fundamental research on specialized ABAC and ABCC models for Cloud and CE-IoT, which is currently lacking in the academic literature.
This dissertation investigates, develops, and demonstrates ABAC and ABCC models in four different contexts concerning Cloud Computing and CE-IoT. First, it develops formal ABAC models with user attributes, group attributes, and group and attribute hierarchies, viz. the User-Attribute Enhanced OSAC (UAE-OSAC) model for OpenStack, and the restricted Hierarchical Group and Attribute-Based Access Control (rHGABAC) model. It demonstrates enforcement of these models utilizing a unified attribute-based access control tool, the Policy Machine (PM), developed by the National Institute of Standards and Technology (NIST), augmented with the Authorization Engine (AE) developed in this research.
Second, it investigates a real-world CE-IoT architecture, the AWS IoT, recently introduced by Amazon Web Services (AWS). It then develops an abstract access control model for AWS IoT known as AWS-IoTAC, based on the earlier published AWS Access Control (AWSAC) model. In contrast to AWS's policy-based approach, this dissertation identifies the need for an attribute-based approach for fine-grained authorizations in IoT and proposes ABAC enhancements to the AWS-IoTAC model. A Smart Home use case is implemented in AWS IoT to demonstrate the model and proposed ABAC enhancements.
Third, motivated by a Wearable IoT (WIoT) use case, it enhances the Access Control Oriented (ACO) architecture for IoT; the enhanced architecture is called the EACO architecture. It then develops an Access Control (AC) framework to comprehensively capture different types of accesses and communications within the EACO architecture for CE-IoT.
Fourth, this dissertation introduces a novel concept of Attribute-Based Communication Control (ABCC) and develops a general conceptual ABCC model. It then proposes a formal ABCC model to control data flow and enforce privacy policies between the edge IoT network and the Cloud in the context of CE-IoT. It demonstrates a real-world realization of this model using a WIoT use case and a proof-of-concept implementation employing the AWS IoT and its edge computing service.