Policy-Based Contextual Access Control Mechanism for Smart IoT Devices

Abstract

Access control remained an important aspect of computer security, and it has been the focus of extensive research over the past several decades. Access control mechanisms generally composed of two fundamental components: authentication and authorization. Authentication refers to verifying the identity of an entity, and authorization guarantees that only authenticated entity or devices can access the permitted devices or other resources. Various traditional access control schemes, such as Access Control Lists (ACLs), Role-Based Access Control (RBAC), and Attribute-Based Access Control (ABAC) exist, but these have certain limitations that hinder their direct implementation in the Internet of Things (IoT). For instance, ACLs maintain user-specific access privilege lists, which are feasible for environments with limited users and devices, but impractical for large scale systems like IoT. RBAC assigns devices access through roles associated with permissions, however role management in dynamic IoT environments poses significant challenges. ABAC grants access based on user and devices attributes that requires certain attribute criteria for authorization. We advocate that IoT environments are dynamic in nature and consist of very large volumes of smart IoT devices (such as smart sensors, smart phones and gadgets) that which introduce unique access control challenges. One significant challenge is providing dynamic access to smart IoT devices, as opposed to relying on static rules, roles, or attributes. Considering these challenges, this research advocates for a novel access control scheme tailored for accessing smart IoT devices in internet of things environments. The prototype implementation of the proposed approach is carried out along with conducting the usability study to evaluate the performance and suitability of the proposed system for real world internet of things (IoT) scenarios.