The Internet of Things (IoT) describes all the physical objects that are connected to the internet and provide automated services, most commonly collecting and sharing data. IoT devices require network access in order to send data to other devices or services on the internet. Due to the emergence of affordable computer chips as well as fast communication networks (5G), the use of IoT devices is growing faster than ever. Specifically, GSMA estimates that there will be more than 25 billion IoT connections by 2025. The connected IoT devices will gather and exchange large volumes of data, including private and sensitive information. Therefore, security and privacy are critical components for the creation of a successful IoT environment.
In an IoT system, much of the gathered data may be personal or sensitive, which mandates protecting the data and controlling access to it. Appropriate mechanisms and methods should ensure that sensitive data, services, and assets are protected from attackers. Therefore, the ability to manage the identity of different IoT devices, as well as to control their access, is crucial. In particular, access control is a comprehensive approach that protects the system from intrusion and malicious exploitation of the data, and it can be considered the first line of defense against adversarial activities.
Access control is a set of permissions and restrictions specifying which users have access, which operations they are permitted to perform, and on which resources. The action of granting access is called authorization. Moreover, access control guarantees confidentiality, since it ensures that information is accessible only to authorized users. In an IoT environment, the users involved are the IoT devices.
Different access control methods have been proposed to tackle security issues in IoT environments. An access control mechanism can be either centralized or distributed. In centralized approaches, a central entity is responsible for managing authorization by granting or denying access to external entities. However, this centralization raises concerns regarding scalability, flexibility and resilience, mainly due to Single Point of Failure (SPOF) issues. On the other hand, in distributed access control methods, IoT devices may apply authorization actions without the need for a central entity, providing privacy at low cost. Nevertheless, such distributed access control mechanisms are difficult to manage.
The development of an appropriate access control mechanism for billions of IoT devices is a challenging task. Some of the most well-known access control mechanisms are Access Control List (ACL), Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC). An ACL consists of rules that deny or grant access to specific devices. RBAC is one of the main methods for advanced access control, restricting network access based on the user's role in the IoT network. Specifically, roles are defined among IoT devices, entities are assigned to those roles, and the resources that each role can access are defined. The ABAC method evaluates attributes or characteristics, instead of roles, to decide whether an IoT device is granted access.
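The three models described above, evaluated against the same request, as an added example (not code from the IoT-NGIN project). Device names, roles, attributes and the ABAC rule (sensor type, patched firmware, matching zone) are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Device:
    device_id: str
    role: str
    attrs: dict = field(default_factory=dict)

# ACL: explicit (device, resource, action) grants; anything not listed is denied.
ACL = {("temp-01", "telemetry", "write"), ("gw-01", "telemetry", "read")}

# RBAC: permissions are attached to roles, and devices are assigned to roles.
ROLE_PERMS = {
    "sensor": {("telemetry", "write")},
    "gateway": {("telemetry", "read"), ("actuator", "write")},
}

# ABAC: each rule is a predicate over device attributes, resource and action.
ABAC_RULES = [
    lambda d, res, act: (res["name"], act) == ("telemetry", "write")
        and d.attrs.get("type") == "sensor"
        and d.attrs.get("firmware_patched") is True
        and d.attrs.get("zone") == res["zone"],
]

def acl_allows(d, res, act):
    return (d.device_id, res["name"], act) in ACL

def rbac_allows(d, res, act):
    # Unknown roles map to an empty permission set (default deny).
    return (res["name"], act) in ROLE_PERMS.get(d.role, set())

def abac_allows(d, res, act):
    return any(rule(d, res, act) for rule in ABAC_RULES)

def decide(d, res, act):
    """Return each model's decision for the same request."""
    return {"acl": acl_allows(d, res, act),
            "rbac": rbac_allows(d, res, act),
            "abac": abac_allows(d, res, act)}

# Constructed sample data: two sensors in the same zone, one with outdated firmware.
TELEMETRY_A = {"name": "telemetry", "zone": "plant-a"}
temp01 = Device("temp-01", "sensor", {"type": "sensor", "firmware_patched": True, "zone": "plant-a"})
temp02 = Device("temp-02", "sensor", {"type": "sensor", "firmware_patched": False, "zone": "plant-a"})

if __name__ == "__main__":
    for dev in (temp01, temp02):
        print(dev.device_id, decide(dev, TELEMETRY_A, "write"))
```

For `temp-02` the models disagree: the ACL denies it because it was never listed, RBAC allows it on role alone, and ABAC denies it because its firmware attribute fails the rule.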
In the IoT-NGIN project, a successful access control mechanism will be developed based on dynamic personalized access rights and intelligence, enabling pervasive security. As a result, the access control method will ensure security, privacy, and trust management of different IoT devices.