Abstract
The Internet of Things operates in a personal-data-rich sector, which makes security and privacy an increasing concern for consumers. Access control is thus a vital issue to ensure trust in the IoT. Several access control models are today available, each of them coming with various features, making them more or less suitable for the IoT. This article provides a comprehensive survey of these different models, focused both on access control models (e.g., DAC, MAC, RBAC, ABAC) and on access control architectures and protocols (e.g., SAML and XACML, OAuth 2.0, ACE, UMA, LMW2M, AllJoyn). The suitability of each model or framework for IoT is discussed. In conclusion, we provide future directions for research on access control for the IoT: scalability, heterogeneity, openness and flexibility, identity of objects, personal data handling, dynamic access control policies, and usable security.
References
Shang C, Zhou MC, Chen C (Mar. 2014) Cellphone data and applications. Int J Intell Control Syst 19(1):35–45
TRUSTe (2015) Majority of consumers want to own the personal data collected from their smart devices, availabile online: https://www.trustarc.com/blog/2015/01/05/majorityconsumers-want-own-personal-data-survey/. Accessed 28 Feb 2019
Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) "An introduction to privacy engineering and risk management in federal systems," National Institute of Standards and Technology Internal Report 8062
Hugo Teufel III CPO (2008) Fair Information Practice Principles: framework for privacy, Privacy Policy Guidance Memorandum
International Organization for Standardization (ISO), ISO/IEC 29100 (2011) Information technology, security techniques, privacy framework, Dec. 2011
Cavoukian A (2012) Privacy by Design and the emerging personal data ecosystem, accessible online: https://www.ipc.on.ca/wp-content/uploads/Resources/pbd-pde.pdf. Accessed 28 Feb 2019
General Data Protection Regulation (GDPR) (2018) General data protection regulation (GDPR) [online]. Available at: https://gdpr-info.eu/. Accessed 28 Feb 2019
Cerf VG (2015) Access control and the Internet of Things. IEEE Internet Comput 19(5):96
Sicari S, Rizzardi A, Grieco LA, Coen-Porisini A (2015) Security privacy and trust in Internet of Things: the road ahead. Comput Netw 76:146–164
Fagin R (1978) On an authorization mechanism. ACM Trans Database Syst 3, 3(September 1978):310–319
Abadi M, Burrows M, Lampson B, Gordon P (1993) A calculus for access control in distributed systems. ACM Trans Program Lang Syst 15, 4(September 1993):706–734
Gusmeroli S, Piccione S, Rotondi D (2013) A capability-based security approach to manage access control in the Internet of Things. Math Comput Model 58(5):1189–1205
Cirani S, Davoli L, Ferrari G, Léone R, Medagliani P, Picone M, Veltri L (2014) A scalable and self-configuring architecture for service discovery in the Internet of Things. IEEE Internet Things J 1(5):508–521
Roman R, Zhou J, Lopez J (2013) On the features and challenges of security and privacy in distributed Internet of Things. Comput Netw 57(10):2266–2279
Tschofenig H, Arkko J, Thaler D, McPherson DR (2015) Architectural considerations in smart object networking. In: RFC 7452, IETF
Ouaddah A, Mousannif H, Abou El Kalam A, Ouahman AAIT (2017) Access control in the Internet of Things: big challenges and new opportunities. Comput Netw 112:237–262
Bui DT, Douville R, Boussard M (2016) "Supporting multicast and broadcast traffic for groups of connected devices," 2016 IEEE NetSoft Conference and Workshops (NetSoft), Seoul, 2016, pp. 48–52
Bell DE, La Padula LJ (1975) Secure computer system: unified exposition and Multics interpretation. In: Technical report, Technical Report MTIS AD-A023588. MITRE Corporation, McLean
Denning DE (1976) A lattice model of secure information flow. Commun ACM 19(2):236–243
Sandhu RS, Samarati P (1994) Access control: principle and practice. IEEE Commun Mag 32(9):40–48
Sandhu RS (1998) Role-based access control. Adv Comput 46:237–286
Samarati P, Di Vimercati SDC (2001) Access control: policies, models, and mechanisms. Found Secur Anal Des 2171:137–196
Kalam A, Baida R, Balbiani P, Benferhat S, Cuppens F, Deswarte Y, Miege A, Saurel C, Trouessin G (2003) Organization based access control. In: Proc. POLICY 2003. IEEE 4th Int. Work. Policies Distrib. Syst. Networks, IEEE Comput. Soc, pp 120–131
Zhang G, Tian J (2010) An extended role based access control model for the Internet of Things, 2010 International Conference on Information, Networking and Automation (ICINA), 1, IEEE, pp. V1–319
Jindou J, Xiaofeng Q, Cheng C (2012) Access control method for Web of Things based on role and SNS, in: 2012 IEEE 12th Int. Conf. Comput. Inf. Technol.,IEEE, pp. 316–321
Barka E, Mathew SS, Atif Y (2015) Securing the Web of Things with role-based access control. Springer International Publishing, New York City, pp 14–26
Liu J, Xiao Y, Chen CP (2012) Authentication and access control in the Internet of Things, in: 2012 32nd Int. Conf. Distrib. Comput. Syst. Work., IEEE, pp. 588–592
I. Bouij - Pasquier, A. Ait Ouahman, A. Abou El Kalam and M. Ouabiba de Montfort, SmartOrBAC security and privacy in the Internet of Things, 2015 IEEE/ACS 12th International Conference of Computer Systems and Applications (AICCSA), Marrakech, 2015, pp. 1–8
E. Yuan, J. Tong, Attributed based access control (ABAC) for Web services, in: IEEE Int. Conf Web Serv, IEEE, 2005
Ye N, Zhu Y, Wang R-C, Malekian R, Qiao-min L (2014) An efficient authentication and access control scheme for perception layer of Internet of Things. Appl Math Inf Sci An Int J 1624(4):1617–1624
Hemdi M, Deters R (2016) Using REST-based protocol to enable ABAC within IoT systems. In: 2016 IEEE 7th Annual Information Technology. Electronics and Mobile Communication Conference (IEMCON), Vancouver, BC, pp 1–7
Sciancalepore S et al (2017) Attribute-based access control scheme in federated IoT platforms. In: Podnar Žarko I, Broering A, Soursos S, Serrano M (eds) Interoperability and open-source solutions for the Internet of Things. InterOSS-IoT 2016. Lecture Notes in Computer Science, vol 10218. Springer, Cham
Ouechtati H, Ben Azzouna N, Ben Said L (2018) "Towards a self-adaptive access control middleware for the Internet of Things," 2018 International Conference on Information Networking (ICOIN), Chiang Mai, Thailand, pp 545–550
Hussein D, Bertin E, Frey V (2017) "Access control in IoT: from requirements to a candidate vision," 2017 20th Conference on Innovations in Clouds. Internet and Networks (ICIN), Paris, pp 328–330
Salama U, Yao L, Wang X, Paik HY, Beheshti A (2017) "Multi-level privacy-preserving access control as a service for personal healthcare monitoring," 2017 IEEE International Conference on Web Services (ICWS), Honolulu, HI, pp 878–881
Sandhu R (1992) The typed access matrix model. In: Proc. 1992 IEEE Comput. Soc. Symp. Res. Secur. Priv., IEEE Comput. Soc. Press, pp 122–136
Lampson B (1974) Protection, ACM SIGOPS. Oper Syst Rev 8:18–24
Oh SW, Kim HS (2014) Decentralized access permission control using resource-oriented architecture for the Web of Things, 16th International Conference on Advanced Communication Technology, Pyeongchang, pp 749–753
Dennis JB, Van Horn EC (1966) Programming semantics for multiprogrammed computations. Commun ACM 9(3):143–155
Anggorojati B, Prasad NR, Prasad R (2012) Capability-based access control delegation model on the federated IoT network, 2012 15th Int’l. Symp. Wireless Personal Multimedia Commun, pp 604–608
Mahalle P (2013) Identity authentication and capability-based access control (IACAC) for the Internet of Things. J Cyber Secur Mobility 1:309–348
Hernández-Ramos JL et al (2013) Distributed capability-based access control for the Internet of Things. J Internet Serv Info Secur 3(3/4):1–16
Hernández-Ramos JL, Jara AJ, Marín L, Gómez AFS (2016) DCapBac: embedding authorization logic into smart things through ECC optimizations. Int J Comput Math 93(2):345–366. https://doi.org/10.1080/00207160.2014.915316
Gusmeroli S, Piccione S, Rotondi D (2012) IoT access control issues: a capability-based approach, 2012 Sixth International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing, Palermo, pp. 787–792
Lynch L (2011) Inside the identity management game. IEEE Internet Comput 15(5):78–82
Beltran V, Bertin E, Crespi N (2014) User identity for WebRTC services: a matter of trust. IEEE Internet Comput 18(6):18–25
Hussein D, Han SN, Lee GM, Crespi N, Bertin E (2017) Towards a dynamic discovery of smart services in the social Internet of Things. Comput Electr Eng 58, C(February 2017):429–443
Armando A, Carbone R, Compagna L, Cuellar J, Tobarra L (2008) Formal analysis of SAML 2.0 web browser single sign-on: breaking the SAML-based single sign-on for Google apps. In: Proceedings of the 6th ACM workshop on Formal methods in security engineering. ACM, New York City, pp 1–10
Hardt D (2012) The OAuth 2.0 authorization framework, IETF RFC 6749, Oct. 2012, IETF. [online] http://tools.ietf.org/html/rfc6749. Accessed 28 Feb 2019
Home - WG – User-Managed Access - Kantara Initiative, [online] Available at https://kantarainitiative.org/confluence/display/uma/Home. Accessed 28 Feb 2019
Zhang G, Liu J (2011) A model of workflow-oriented attributed based access control. Int J Comput Netw Inf Secur 1(February):47–53
Hughes J, Maler E (2005) Security Assertion Markup Language (SAML) v2.0 technical overview. OASIS SSTC Working Group, Clovis
Hughes J, Cantor S, Hodges J, Hirsch F, Mishra P, Philpott R, Maler E (2005) Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0. OASIS Standard, Burlington
Moses T (2005) eXtensible Access Control Markup Language (XACML), version 2.0. OASIS Standard, Burlington
Zhang G, Liu J (2012) The study of access control for service-oriented computing in Internet of Things. Int J Wireless Microwave Technol (IJWMT) 2(3):62–68
Seitz L, Selander G, Gehrmann C (2013) Authorization framework for the Internet of Things, 2013 IEEE 14th International Symposium on “A World of Wireless, Mobile and Multimedia Networks” (WoWMoM), Madrid, pp. 1–6
Hussein D, Bertin E, Frey V (March 2017) A community-driven access control approach in distributed IoT environments. IEEE Commun Mag 55(3):146–153
Jones M, Hildebrand J (2015) JSON Web Encryption (JWE). RFC 7516, IETF, available at http://tools.ietf.org/html/rfc7516. Accessed 28 Feb 2019
Hammer-Lahav E (2010) The OAuth 1.0 protocol. RFC 5849, IETF, available at http://tools.ietf.org/html/rfc5849. Accessed 28 Feb 2019
Leiba B (2012) OAuth web authorization protocol. IEEE Internet Comput 16(1):74–77
Fremantle P, Aziz B, Kopecký J, Scott P (2014) Federated identity and access management for the Internet of Things, 2014 International Workshop on Secure Internet of Things, Wroclaw, pp 10–17
Denniss W, Bradley J, Jones M, Tschofenig H OAuth 2.0 device flow for browserless and input constrained devices, Internet-draft, IETF, draft-ietf-oauth-device-flow-09
Seitz L, Gerdes S, Selander G, Mani M, Kumar S (2016) Use cases for authentication and authorization in constrained environments, RFC 7744, January 2016, IETF
Jones M, Wahlstroem E, Erdtman S, Tschofenig H (2018) CBOR Web Token (CWT), RFC 8392, May 2018. IETF, Fremont
Beltran V, Skarmeta AF (2016) An overview on delegated authorization for CoAP: authentication and authorization for constrained environments (ACE). In: 2016 IEEE 3rd World Forum on Internet of Things (WF-IoT), pp 706–710
Su X et al (2016) Privacy as a service: protecting the individual in healthcare data processing. In: Computer, vol. 49, no. 11, pp 49–59
OMA (2017) Lightweight machine to machine requirements, Candidate Version 1.1 – 08 Dec 2017, Open Mobile Alliance
Costa D, Mingozzi E, Tanganelli G, Vallati C (2016) An AllJoyn to CoAP bridge, 2016 IEEE 3rd World Forum on Internet of Things (WF-IoT), Reston, VA, pp. 395–400
Fernandes E, Rahmati A, Jung J, Prakash A (2017) Security implications of permission models in smart-home application frameworks. IEEE Secur Priv 15(2):24–30
Zorzi M, Gluhak A, Lange S, Bassi A (2010) From today’s INTRAnet of things to a future INTERnet of things: a wireless- and mobility-related view. IEEE Wirel Commun 17(6):44–51
Dillet R (2017) Netatmo is trying really hard to make the smart home happen. January 3, 2017, Techcrunch. Available at: https://techcrunch.com/2017/01/03/netatmo-is-trying-really-hard-to-make-the-smart-home-happen. Accessed 28 Feb 2019
Bertin E, Crespi N (2009) Service business processes for the next generation of services: a required step to achieve service convergence. Ann Telecommun 64(3–4):187–196
Sloan RH, Warner R (2014) Beyond notice and choice: privacy, norms, and consent. Suffolk Univ J High Technol 14(2):370–412
Rastogi V, Welbourne E, Khoussainova N, Kriplean T, Balazinska M, Borriello G, Kohno T, Suciu D (2007) “Expressing privacy policies using authorisation views,” in Proc. of the 5th International Workshop on Privacy in UbiComp (UbiPriv’07)
Kolias C, Kambourakis G, Stavrou A, Voas J (2017) DDoS in the IoT: Mirai and other botnets. IEEE Comput 50(7):80–84
Kovacs E (2016) Hosting provider OVH hit by 1 Tbps DDoS attack. Retrieved from http://www.securityweek.com/hosting-provider-ovh-hit-1-tbps-ddos-attack. Accessed 28 Feb 2019
Tian Y, Zhang N, Lin Y-H, Wang XF, Ur B, Guo XZ, Tague P (2017) SmartAuth: user-centered authorization for the Internet of Things. In: USENIX security conference
Author information
Authors and Affiliations
Corresponding author
Additional information
Publisher’s note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
About this article
Cite this article
Bertin, E., Hussein, D., Sengul, C. et al. Access control in the Internet of Things: a survey of existing approaches and open research questions. Ann. Telecommun. 74, 375–388 (2019). https://doi.org/10.1007/s12243-019-00709-7
Received:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s12243-019-00709-7