Zero trust (ZT) is the term for an evolving set of cybersecurity
paradigms that move defenses from static, network-based perimeters
to focus on users, assets, and resources. It assumes no implicit
trust is granted to assets or user accounts based solely on their
physical or network location. We have billions of devices in IoT
ecosystems connected to enable smart environments, and these
devices are scattered around different locations, sometimes multiple
cities or even multiple countries. Moreover, the deployment of
resource-constrained devices motivates the integration of IoT and
cloud services. This adoption of a plethora of technologies expands
the attack surface and positions the IoT ecosystem as a target for
many potential security threats. This complexity has outstripped
legacy perimeter-based security methods as there is no single, easily
identified perimeter for different use cases in IoT. Hence, we believe
that the need arises to incorporate ZT guiding principles in workflows,
systems design, and operations that can be used to improve
the security posture of IoT applications. This paper motivates the
need to implement ZT principles when developing access control
models for smart IoT systems. It first provides a structured mapping
between the ZT basic tenets and the PEI framework when designing
and implementing a ZT authorization system. It proposes the ZT
authorization requirements framework (ZT-ARF), which provides a
structured approach to authorization policy models in ZT systems.
Moreover, it analyzes the requirements of access control models
in IoT within the proposed ZT-ARF and presents the vision and
need for a ZT score-based authorization framework (ZT-SAF) that
is capable of maintaining the access control requirements for ZT
IoT connected systems.
more »
« less
Utilizing The DLBAC Approach Toward a ZT Score-based Authorization for IoT Systems
The internet of Things (IoT) refers to a network of physical objects that are equipped with sensors, software, and other technologies in order to communicate with other devices and systems over the internet. IoT has emerged as one of the most important technologies of this century over the past few years. To ensure IoT systems' sustainability and security over the long term, several researchers lately motivated the need to incorporate the recently proposed zero trust (ZT) cybersecurity paradigm when designing and implementing access control models for IoT systems. This poster proposes a hybrid access control approach incorporating traditional and deep learning-based authorization techniques toward score-based ZT authorization for IoT systems.
more »
« less
- Award ID(s):
- 2112590
- PAR ID:
- 10483149
- Publisher / Repository:
- Association for Computing Machinery New York NY United States
- Date Published:
- Journal Name:
- CODASPY '23: Proceedings of the Thirteenth ACM Conference on Data and Application Security and Privacy
- ISBN:
- 979-8-4007-0067-5
- Format(s):
- Medium: X
- Sponsoring Org:
- National Science Foundation
More Like this
-
-
We propose and implement Directory-Based Access Control (DBAC), a flexible and systematic access control approach for geographically distributed multi-administration IoT systems. DBAC designs and relies on a particular module, IoT directory, to store device metadata, manage federated identities, and assist with cross-domain authorization. The directory service decouples IoT access into two phases: discover device information from directories and operate devices through discovered interfaces. DBAC extends attribute-based authorization and retrieves diverse attributes of users, devices, and environments from multi-faceted sources via standard methods, while user privacy is protected. To support resource-constrained devices, DBAC assigns a capability token to each authorized user, and devices only validate tokens to process a request.more » « less
-
Internet of Things has become a predominant phenomenon in every sphere of smart life. Connected Cars and Vehicular Internet of Things, which involves communication and data exchange between vehicles, traffic infrastructure or other entities are pivotal to realize the vision of smart city and intelligent transportation. Vehicular Cloud offers a promising architecture wherein storage and processing capabilities of smart objects are utilized to provide on-the-fly fog platform. Researchers have demonstrated vulnerabilities in this emerging vehicular IoT ecosystem, where data has been stolen from critical sensors and smart vehicles controlled remotely. Security and privacy is important in Internet of Vehicles (IoV) where access to electronic control units, applications and data in connected cars should only be authorized to legitimate users, sensors or vehicles. In this paper, we propose an authorization framework to secure this dynamic system where interactions among entities is not pre-defined. We provide an extended access control oriented (E-ACO) architecture relevant to IoV and discuss the need of vehicular clouds in this time and location sensitive environment. We outline approaches to different access control models which can be enforced at various layers of E-ACO architecture and in the authorization framework. Finally, we discuss use cases to illustrate access control requirements in our vision of cloud assisted connected cars and vehicular IoT, and discuss possible research directions.more » « less
-
We present CAPLets, an authorization mechanism that extends capability based security to support fine grained access control for multi-scale (sensors, edge, cloud) IoT deployments. To enable this, CAPLets uses a strong cryptographic construction to provide integrity while preserving computational efficiency for resource constrained systems. Moreover, CAPLets augments capabilities with dynamic, user defined constraints to describe arbitrary access control policies. We introduce an application specific, turing complete virtual machine, CapVM, alongside with eBPF and Wasm, to describe constraints. We show that CAPLets is able to express permissions and requirements at a fine grain, facilitating construction of non-trivial access control policies. We empirically evaluate the efficiency and flexibility of CAPLets abstractions using resource constrained devices and end-to-end IoT deployments, and compare it against related mechanisms in wide use today. Our empirical results show that CAPLets is an order of magnitude faster and more energy efficient than current IoT authorization systems.more » « less
-
The pervasive nature of smart connected devices has intruded on our daily lives and has become an intrinsic part of our world. However, the wide use of the Internet of Things (IoT) in critical application domains has raised concerns for user privacy and security against growing cyber threats. In particular, the implications of cyber exploitation for IoT devices are beyond financial losses and could constitute risks to human life. Most deployed access control solutions for smart IoT systems do not offer policy individualization, the ability to specify or change the policy according to the individual user’s preference. As a result, currently deployed systems are not well suited to specify access control policies in a multi-user environment, where users access the same devices to perform different operations. The system’s security gets tricky when the smart ecosystem involves complicated social relationships, much like in a smart home. Relationship-based access control (ReBAC), widely used in online social networks, offers the ability to consider user relationships in defining access control decisions and supports policy individualization. However, to the best of our knowledge, no such attempt has been made to develop a formal ReBAC model for smart IoT systems. This paper proposes a ReBAC IoT dynamic and fine-grained access control model which considers the social relationships among users along with the attributes to support an attributes-aware relationship-based access control model for smart IoT systems. ReBAC IoT is formally defined, illustrated through different use cases, implemented, and tested.more » « less