Operation and Administration of Access Control in IoT Environments
The Internet of Things (IoT) denotes a network of an evolving and expanding number of technologies embedded in smart things with at least one network interface to interact with the physical and digital world. IoT has gained widespread use in the market, ranging from individual customers implementing IoT in their personal homes to industry and organizational customers utilizing IoT in their business environments. The reasons for this widespread popularity of IoT in different application domains include convenience, automation, energy efficiency, and other functionalities which IoT brings to different environments. However, many IoT customers are not aware of the potential direct or indirect security hazards to which they or their environment might be exposed by utilizing unsecured IoT. The availability and efficiency of security capabilities for IoT environments are often different from those of conventional IT environments because of IoT's unique characteristics, including use in dynamic environments, limited power and computational resources, and reliance on heterogeneous configurable firmware and platforms. Therefore, providing appropriate security mechanisms for IoT application environments has gained momentum in both academic and industry communities. One of the most important security concerns in IoT is access control, which is still open to novel and effective solutions. In order to design an appropriate access control approach for an IoT environment, the distinct specifications and requirements of that environment have to be considered. Although general requirements for designing appropriate access control solutions for IoT applications have been stated in the literature as being scalable, dynamic, interoperable, context-aware, fine-grained, etc., these requirements may be of different priorities for different IoT environments. Therefore, a single access control solution cannot cater to various IoT applications because of their different requirements and characteristics.
In this dissertation, we focus on smart home IoT as a prevailing IoT application domain which has unique characteristics. A home IoT environment may include different IoT devices shared among different users. There are complex social relationships among home IoT users, including parents, kids, babysitters, visitors, etc., which offer different threat models. Moreover, a smart home environment might be extended over time as the homeowner adds new IoT devices to the house. Home IoT devices are probably produced by different vendors and therefore rely on different platforms. Nevertheless, we need different home IoT devices to be interoperable to facilitate home automation. In terms of access control requirements, some are of more importance than others. As an example, it is more essential for an access control solution in the smart home to be fine-grained than to be scalable. These special characteristics and authorization requirements call for tailored access control solutions to be designed for smart home IoT environments. Surprisingly, little attention has been paid to access control specification in smart home IoT. In this dissertation, we investigate three major access control-related topics which affect or directly provide authorization in the home IoT environment. The first topic is concerned with the problem of inconsistency, which is defined as the provision of outdated authorization information to the decision point, which may lead to access violation. Due to the intermittent Internet connection and limited storage space of home IoT devices, required authorization information might not be available in real time. So, there is an increased risk of making access control decisions based on outdated information. This problem may arise in any attribute-based access control environment in which attributes are provided incrementally to the decision point. We investigate this problem in general, interpreted with use cases in a smart home IoT environment.
Another overlooked area in smart home IoT environments is administration of access, even though overall system security is crucially dependent on both administrative and operational authorization models. Since home users are usually not IT experts and are less likely to spend time learning complex management interfaces, administration of access in smart home IoT is particularly problematic. In this dissertation, we propose an administrative access control model for smart home IoT considering its specific dynamics and characteristics, which is backed up by a proof-of-concept implementation. Finally, we take a first step towards addressing one of the most unique and novel requisites toward realization of smart home IoT automation, which has received surprisingly little attention so far. A holistic view of home automation demands specific access control specifications to facilitate inter-device interactions. In this dissertation, we propose a novel authorization framework based on attribute-based access control which includes an access control model specification, an enforcement architecture and a proof-of-concept implementation. The proposed model is designed to regulate device-to-device inter-communications in a smart home IoT environment. We regard our solution to be a first step towards providing more comprehensive access control approaches pertinent to the interoperable IoT requirements. Some future directions and a research agenda are discussed in the conclusions of this dissertation.