DOI: 10.1145/3532105.3535020 (research article, SACMAT conference proceedings)

BlueSky: Towards Convergence of Zero Trust Principles and Score-Based Authorization for IoT Enabled Smart Systems

Published: 08 June 2022 Publication History

Abstract

Zero trust (ZT) is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources. It assumes that no implicit trust is granted to assets or user accounts based solely on their physical or network location. Billions of devices in IoT ecosystems are connected to enable smart environments, and these devices are scattered across different locations, sometimes spanning multiple cities or even countries. Moreover, the deployment of resource-constrained devices motivates the integration of IoT with cloud services. This adoption of a plethora of technologies expands the attack surface and makes the IoT ecosystem a target for many potential security threats. The resulting complexity has outstripped legacy perimeter-based security methods, since there is no single, easily identified perimeter for the different use cases in IoT. Hence, we argue that ZT guiding principles need to be incorporated into the workflows, systems design, and operations used to improve the security posture of IoT applications. This paper motivates the need to implement ZT principles when developing access control models for smart IoT systems. It first provides a structured mapping between the basic ZT tenets and the PEI (policy, enforcement, implementation) framework for designing and implementing a ZT authorization system. It then proposes the ZT authorization requirements framework (ZT-ARF), which provides a structured approach to authorization policy models in ZT systems. Finally, it analyzes the requirements of access control models in IoT within the proposed ZT-ARF and presents the vision of, and need for, a ZT score-based authorization framework (ZT-SAF) that is capable of maintaining the access control requirements of ZT IoT-connected systems.
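The abstract describes score-based authorization only at the level of a vision, so the following is an added illustration, not code from the paper or its authors, of what a minimal zero-trust, score-based policy decision point looks like in practice: every request is evaluated on its own, network location alone grants no trust, a dynamic score built from identity, posture and continuous behavioural signals is compared against a per-resource threshold, and anything without a policy is denied. The signal names, weights, thresholds and sample requests are assumptions chosen for the example; they are not the paper's ZT-SAF scoring.

```python
"""Added example: a minimal zero-trust, score-based policy decision point.

Not the paper's ZT-SAF. Signal names, weights, thresholds and the sample
requests below are illustrative assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Request:
    subject: str                # user or service identity
    device_id: str              # IoT device making the call
    resource: str               # e.g. "door_lock"
    action: str                 # e.g. "unlock"
    signals: Dict[str, object]  # attributes observed for THIS request


@dataclass(frozen=True)
class Decision:
    allowed: bool
    score: int
    threshold: Optional[int]
    reason: str


# Minimum trust score per resource/action (assumed values). Anything not
# listed is denied: zero trust means default deny, not default allow.
RESOURCE_THRESHOLD: Dict[str, int] = {
    "thermostat:read": 30,
    "camera:stream": 60,
    "door_lock:unlock": 80,
}


def trust_score(signals: Dict[str, object]) -> int:
    """Combine per-request signals into a 0..100 score (weights assumed).

    Note what is absent: an "on_internal_lan" signal contributes nothing.
    Location is never a trust signal on its own (ZT tenet).
    """
    score = 0
    # Identity signals: device identity proven by attestation, user identity
    # strengthened by MFA.
    if signals.get("device_attested"):
        score += 40
    if signals.get("user_mfa"):
        score += 25
    # Posture signal: firmware is current.
    if signals.get("firmware_current"):
        score += 15
    # Continuous signals: a behavioural anomaly score in [0.0, 1.0] and the
    # staleness of the last posture check erode trust, so a session that was
    # allowed earlier can lose access on re-evaluation.
    anomaly = float(signals.get("anomaly", 0.0))
    score -= int(round(40 * anomaly))
    score -= 5 * int(signals.get("hours_since_posture_check", 0))
    return max(0, min(100, score))


def authorize(req: Request) -> Decision:
    """Per-request decision: no cached verdicts, no trust from location."""
    key = f"{req.resource}:{req.action}"
    score = trust_score(req.signals)
    threshold = RESOURCE_THRESHOLD.get(key)
    if threshold is None:
        return Decision(False, score, None, f"no policy for {key}: default deny")
    if score >= threshold:
        return Decision(True, score, threshold, f"score {score} >= {threshold}")
    return Decision(False, score, threshold, f"score {score} < {threshold}")


def demo() -> List[Decision]:
    """Constructed sample requests (assumed data) exercising the policy."""
    strong = {"device_attested": True, "user_mfa": True, "firmware_current": True}
    lan_only = {"on_internal_lan": True}  # the legacy "inside the perimeter" case
    drifted = dict(strong, anomaly=0.5, hours_since_posture_check=2)
    requests = [
        Request("alice", "hub-01", "door_lock", "unlock", strong),     # 80 >= 80
        Request("alice", "hub-01", "thermostat", "read", lan_only),    # 0 < 30
        Request("alice", "hub-01", "camera", "stream", drifted),       # 50 < 60
        Request("alice", "hub-01", "thermostat", "read", drifted),     # 50 >= 30
        Request("alice", "hub-01", "garage", "open", strong),          # no policy
    ]
    return [authorize(r) for r in requests]


if __name__ == "__main__":
    for d in demo():
        print("ALLOW" if d.allowed else "DENY ", d.score, d.reason)
```

The second sample request is the one that separates this from a perimeter model: a device that is merely on the internal network, with no attested identity and no MFA, scores zero and is refused even the lowest-sensitivity read. The third and fourth show the same drifting session being refused a sensitive resource while still allowed a low-sensitivity one, which is the behaviour a per-resource threshold buys over a single global allow/deny.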

Cited By

  • (2024) A Review and Comparative Analysis of Relevant Approaches of Zero Trust Network Model. Sensors 24(4):1328. DOI: 10.3390/s24041328. Published 19 Feb 2024.
  • (2024) Dissecting zero trust: research landscape and its implementation in IoT. Cybersecurity 7(1). DOI: 10.1186/s42400-024-00212-0. Published 3 May 2024.
  • (2024) ZTA-IoT: A Novel Architecture for Zero-Trust in IoT Systems and an Ensuing Usage Control Model. ACM Transactions on Privacy and Security 27(3):1-36. DOI: 10.1145/3671147. Published 17 Jun 2024.
  • (2024) A Blockchain-Based Approach for Parametric Insurance Under Multiple Sources of Truth. IEEE Transactions on Services Computing 17(3):718-732. DOI: 10.1109/TSC.2023.3296808. Published May 2024.
  • (2024) Federated Zero Trust Architecture using Artificial Intelligence. IEEE Wireless Communications 31(2):30-35. DOI: 10.1109/MWC.001.2300405. Published 11 Apr 2024.
  • (2024) Using private set intersection to achieve privacy-preserving authorization for IoT systems. Journal of Information Security and Applications 83:103759. DOI: 10.1016/j.jisa.2024.103759. Published Jun 2024.
  • (2023) A Review of Anomaly Detection Strategies to Detect Threats to Cyber-Physical Systems. Electronics 12(15):3283. DOI: 10.3390/electronics12153283. Published 30 Jul 2023.
  • (2023) Hybrid Approaches (ABAC and RBAC) Toward Secure Access Control in Smart Home IoT. IEEE Transactions on Dependable and Secure Computing 20(5):4032-4051. DOI: 10.1109/TDSC.2022.3216297. Published 1 Sep 2023.
  • (2023) Service Recommendation for a Group of Users on the Internet of Things Using the Most Popular Service. 2023 12th International Conference on Modern Circuits and Systems Technologies (MOCAST), pp. 1-4. DOI: 10.1109/MOCAST57943.2023.10176696. Published 28 Jun 2023.
  • (2023) A Hash-based Multidimensional Graph Neural Network Approach for Zero Trust Oriented Access Control Security. 2023 IEEE 29th International Conference on Parallel and Distributed Systems (ICPADS), pp. 2387-2394. DOI: 10.1109/ICPADS60453.2023.00319. Published 17 Dec 2023.

    Published In

    SACMAT '22: Proceedings of the 27th ACM on Symposium on Access Control Models and Technologies, June 2022, 282 pages.
    ISBN: 9781450393577
    DOI: 10.1145/3532105
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

    Publisher

    Association for Computing Machinery, New York, NY, United States

    Author Tags

    1. access control
    2. authorization
    3. cyber physical systems
    4. iot
    5. score based
    6. zero trust

    Qualifiers

    • Research-article

    Funding Sources

    • NSF CREST Grant
    • NSF CREST-PRF Award

    Conference

    SACMAT '22
    Acceptance Rates

    Overall Acceptance Rate 177 of 597 submissions, 30%

    Article Metrics

    • Downloads (last 12 months): 211
    • Downloads (last 6 weeks): 8
    Reflects downloads up to 22 Sep 2024

