Access Control Models for Cloud-Enabled Internet of Things




Alshehri, Asma Hassan

Journal Title

Journal ISSN

Volume Title



The concept and deployment of Internet of Things (IoT) has continued to develop momentum over recent years. The rapid development of IoT in recent years has triggered a wave of potentially unreasonable expectations. Many industries have started big projects with key technologies that incorporate the basic architecture of IoT, which has not been determined yet. Several different layered architectures for IoT have been proposed. In general, the proposed IoT architectures comprise three main components: an object layer, one or more middle layers, and an application layer. The main difference in detail between them is in the middle layers. Some architectures include a cloud services layer for managing IoT things. Some suggest the use of virtual objects as digital counterparts for physical IoT objects. Sometimes both cloud services and virtual objects are included.

In this dissertation, we initially propose an IoT architecture that can be used to develop an authoritative family of access control models for a cloud-enabled Internet of Things. Our proposed access-control oriented (ACO) architecture for IoT comprises four layers: an object layer, a virtual object layer, a cloud services layer, and an application layer. This 4-layer architecture serves as a framework to build access control models for a cloud-enabled IoT. Within this architecture, we present illustrative examples that highlight some IoT access control issues leading to a discussion of needed access control research. We identify the need for communication control within each layer and across adjacent layers (particularly in the lower layers), coupled with the need for data access control (particularly in the cloud services and application layers).

The ACO architecture is proposed for the cloud-enabled IoT, with virtual objects (VOs) and cloud services in the middle layers. A central aspect of ACO is to control communication among VOs. To this end, we develop operational and administrative access control models, assuming topic-based publish-subscribe interaction among VOs. Operational models are developed using (i) access control lists for topics and capabilities for virtual objects, and (ii) attribute-based access control, and it is argued that role-based access control is not suitable for this purpose. Administrative models for these two operational models are developed using (i) access control lists, (ii) role-based access control, and (iii) attribute-based access control. A use case of sensing speeding cars illustrates the details of these access control models for VO communication, and their differences. An assessment of these models with respect to security and privacy preserving objectives of IoT is also provided.

Finally, we study AWS IoT as a major commercial cloud-IoT platform and investigate its suitability for implementing the afore-mentioned academic models of ACO and VO communication control. While AWS IoT has a notion of digital shadows closely analogous to VOs, it lacks explicit capability for VO communication and thereby for VO communication control. Thus, there is a significant mismatch between AWS IoT and these academic models. Our principal contribution in this regard is to reconcile this mismatch by showing how to use the mechanisms of AWS IoT to effectively implement VO communication models. To this end, we develop an access control model for virtual objects (shadows) communication in AWS IoT called AWS-IoT-ACMVO. We develop a proof-of-concept implementation of the speeding cars use case in AWS IoT under guidance of this model, and provide selected performance measurements. We conclude with a discussion of possible alternate implementations of this use case in AWS IoT.


This item is available only to currently enrolled UTSA students, faculty or staff. To download, navigate to Log In in the top right-hand corner of this screen, then select Log in with my UTSA ID.


Access Control, Authorization, Internet of Things (IoT), IoT Architecture, Security and Privacy, Virtual Objects



Computer Science