A Community-Driven Access Control Approach in Distributed IoT Environments
The distributed Internet of Things is emerging in the literature as a new paradigm for IoT where remotely controlled smart objects can act on their own to sense/actuate, store, and interpret information either created by them or within the surrounding environment. This paradigm calls for novel security and access control mechanisms to enable smart objects with various resource limitations to evaluate a claimed access right from external entities without relying on central authorization systems. This article proposes utilizing a community-based structure to define the notion of access rights in a distributed IoT environment. With this structure, within a given community of smart objects sharing a common mission, access rights are to be evaluated based on the community norms by smart objects with sufficient resources on behalf of those with resource limitations. A novel, community-driven, access control framework is proposed in addition to a prototype to demonstrate access control granting in a user-friendly manner.
This conceptualization of communities, as we argue in this article, is helpful to clarify the notion of rights in distributed IoT. That is, the vision of edge intelligence as proposed in the literature [1, 2] is hardly possible to achieve by smart objects (SOs) with limited capabilities. Thus, relying on a community-based structure would enable SOs that share common missions and have sufficient resources to make authorization decisions on behalf of those with less capability. Additionally, this community structure would enable a finely tuned set of AC policies to be stored and managed locally to fit the goals of the community. From a computational perspective, the overhead required to process and enforce AC policies at the individual device level will be scaled down when policies are designed to secure access to a community of devices sharing common missions and therefore access requirements. Finally, external entities that, temporarily or permanently, share a common mission and are capable of providing sufficient assertions to prove compliance to the community rules can be entitled to get a key to enable access to the community.
article proposes a community structure for distributed IoT environments in order to manage AC rights. We define an IoT community as composed of the following elements: • An evolving set of SOs, each one having a specific position within the community according to its resource capability (sensor, actuator, controller, etc.) • A set of shared goals that defines the mission statement of the community • A set of policies defining the rights and obligations toward the community Community capability-based access control (COCapBAC) is proposed in this article where AC is managed at the level of IoT communities sharing the same mission (e.g., entertaining guests in a smart home, managing kitchen and cooking appliances). At the bootstrapping stage, a community is created with one or more resource-capable IoT objects, named gatekeepers, that have the role of making AC decisions on behalf of other resource-constrained objects in the community. Additionally, owning a community key token, named capability, enables access to devices and resources within the community without the need to issue and validate tokens prior to each access attempt
This article proposes a novel framework for AC in distributed IoT: community-driven AC. From an IoT perspective, the concept of community seems well suited. This assumption is driven by the fact that IoT objects are indeed rarely fully isolated; instead, they operate in conjunction with other objects and services to fulfill a common mission. In this article we build on the concept of community to define the notion of rights. That is, an IoT entity “having an access right” means it has to play the role of the entitled party toward an obliged party in a relationship defined by the system of norms of a given community. In fact, the importance of AC in IoT will be emphasized in the years to come, as the number of connected objects increases and IoT business models become more sophisticated. In this article we provide a set of requirements for realizing AC in IoT, independent from any particular AC mechanism. In the future, it is an important task to tailor standard AC mechanisms for applying these requirements to daily-life scenarios. In the future, we plan to study the phases of community creation and development with AC rights associated with each phase. Additionally, we plan to extend our prototype to demonstrate access policy specification by a community manager at a bootstrapping phase. We also plan to extend our prototype to large-scale IoT systems, particularly in an enterprise.
 V. G. Cerf, “Access Control and the Internet of Things,” IEEE Internet Computing, 2015, vol. 19, no. 5, p. 96.
 R. Roman, J. Zhou, and J. Lopez, “On the Features and Challenges of Security and Privacy in Distributed Internet of Things,” Computer Networks, 2013, vol. 57, no. 10, pp. 2266–79.
 M. Archer et al., Critical Realism: Essential Readings, Routledge, 2013.
 L. Atzori, A. Iera, and G. Morabito, 2014, “From ‘Smart Objects’ to ‘Social Objects’: The Next Evolutionary Step of the Internet of Things,” IEEE Commun. Mag., vol. 52, no. 1, Jan. 2014, pp. 97–105.
 S. Sicari et al., “Security, Privacy and Trust in Internet of Things: The Road Ahead,” Computer Networks, 2015, vol. 76, pp. 146–64.
 E. Vasilomanolakis et al., “On the Security and Privacy of Internet of Things Architectures and Systems,” Int’l. Wksp. Secure Internet of Things, 2015, pp. 49–57.
 J. Qian, S. Hinrichs, and K. Nahrstedt, “ACLA: A Framework for Access Control List (ACL) Analysis and Optimization,” Communications and Multimedia Security Issues of the New Century, Springer, 2001, pp. 197–211.
 D. Ferraiolo, D. R. Kuhn, and R. Chandramouli, Role-Based Access Control, Artech House, 2003.
 C. A. Ardagna et al., “Enabling Privacy-Preserving Credential- Based Access Control with XACML and SAML,” 2010 IEEE 10th Int’l. Conf. Computer and Info. Tech., pp. 1090–95.
 L. Gong, “A Secure Identity-Based Capability System,” IEEE Symp. Proc. Security and Privacy, 1989, pp. 56–63.
 R. S. Sandhu and P. Samarati, “Access Control: Principle and Practice,” IEEE Commun. Mag., vol. 32, no. 9, Sept. 1994, pp. 40–48.