From Conventional to State-of-the-Art IoT Access Control Models
Abstract
1. Introduction
Comparison with Other Surveys
2. Access Control Requirements and Challenges
2.1. Requirements of Access Control Models
- For collaboration, access control needs to scale with the number of operations, because it serves better in a collaborative environment than in a single-user system.
- Access control models are required to enable transparent access for legitimate users and strict segregation of unauthorized users.
- Access control models must allow high-level rules and conditions on access rights, for better management of increased complexity [11].
- Access control models should be dynamic; they should be able to modify policies at runtime according to the requirements [14].
- Cost and performance of the resources should be within acceptable bounds.
- Access control models must be designed so that each corporation has the freedom to design and enforce its own security policies [15].
- Management of access control policies should be easy, to maintain trust and usability in the system.
- Access control models should ensure the availability of systems and allow overruling “need-to-know” requirements of data access in an emergency [15].
- The application and enforcement of access control should also include distributed level security.
- Access control must be available at a fine-grained level, with protection of sensitive assets [16].
- Access control should be interoperable between different resources. Ideally, relationship groups and access policies given by the user must ‘follow the user’ instead of being redeveloped for each resource.
- Policies in an access control should follow the data of the object to which they are applied [16].
2.2. Security Issues and Challenges in Access Control
- Preventive: It keeps unwanted events from happening.
- Detective: Recognizes unauthorized events.
- Corrective: Corrects the undesirable events that have happened.
- Deterrent: Prevents security violations from happening.
- Recovery: Restores capabilities and resources after a security violation.
- Compensation: Provides control alternatives.
- Providing fine-grained access is one of the key issues in the access control models while accessing data.
- The access control mechanism should be efficient enough to differentiate between sensitive and common data, to prevent common data from public access.
- There is a high possibility of data leakage by a malevolent user.
- Scalability is one of the key features in access control models. The mechanism must maintain performance as the number of users, roles, attributes, or resources increases.
- Fairness in resource offers and consumption.
- Resource management capabilities should be provided, such as delegation, management, addition, and deletion of roles, resources, and operations [26].
- Semantic grouping of information is a basic need in access control [26].
3. Conventional Access Control Models
3.1. Access Control Lists (ACL)
3.2. Access Control Matrix
3.3. Mandatory Access Control (MAC)
- Multilevel Security
- Multilateral Security
Multilevel Security
3.4. Discretionary Access Control (DAC)
3.5. Role-Based Access Control (RBAC)
3.6. Context-Based Access Control
3.7. Attribute-Based Access Control (ABAC)
3.7.1. Lattice-Based Access Control (LBAC)
- Denning’s axioms are as follows:
- The set of security classes (SC) is finite.
- The can-flow relation → is a partial order on SC.
- SC contains a lower bound with respect to →.
- The join operator ⋈ is the least bound operator.
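Added example (not from the paper): a Python check of the lattice properties listed above, run on a constructed set of IoT data labels. It reads the join as the least upper bound of two classes, as in Denning's lattice model; the labels, levels and function names are assumptions made for illustration.

```python
from itertools import combinations, product


def powerset(items):
    """All subsets of items, as frozensets."""
    items = sorted(items)
    return [frozenset(c) for r in range(len(items) + 1)
            for c in combinations(items, r)]


# Constructed security classes: (sensitivity level, category set).
# Levels: 0 = PUBLIC, 1 = PRIVATE. Categories are hypothetical IoT data kinds.
# An enumerated Python list is finite by construction (first axiom).
SC = list(product(range(2), powerset({"health", "telemetry"})))
TOP = (1, frozenset({"health", "telemetry"}))
# The same classes without the top element: still ordered, no longer a lattice.
BROKEN = [c for c in SC if c != TOP]


def can_flow(a, b):
    """a -> b: data labelled a may flow into a container labelled b."""
    return a[0] <= b[0] and a[1] <= b[1]  # level order and subset order


def is_partial_order(sc, rel):
    """Reflexive, antisymmetric and transitive over every element of sc."""
    reflexive = all(rel(a, a) for a in sc)
    antisymmetric = all(a == b or not (rel(a, b) and rel(b, a))
                        for a in sc for b in sc)
    transitive = all(rel(a, c) or not (rel(a, b) and rel(b, c))
                     for a in sc for b in sc for c in sc)
    return reflexive and antisymmetric and transitive


def lower_bound(sc, rel):
    """The class that can flow to every other class, or None."""
    for low in sc:
        if all(rel(low, x) for x in sc):
            return low
    return None


def join(sc, rel, a, b):
    """Least upper bound of a and b inside sc, or None if it does not exist."""
    uppers = [u for u in sc if rel(a, u) and rel(b, u)]
    least = [u for u in uppers if all(rel(u, v) for v in uppers)]
    return least[0] if len(least) == 1 else None


def check_axioms(sc, rel=can_flow):
    """Evaluate the order, lower-bound and join properties on sc."""
    return {
        "partial_order": is_partial_order(sc, rel),
        "lower_bound": lower_bound(sc, rel) is not None,
        "join_total": all(join(sc, rel, a, b) is not None
                          for a in sc for b in sc),
    }


if __name__ == "__main__":
    print("full set:  ", check_axioms(SC))
    print("without top:", check_axioms(BROKEN))
    # Label for a record that merges public telemetry with private health data.
    merged = join(SC, can_flow,
                  (0, frozenset({"telemetry"})), (1, frozenset({"health"})))
    print("merged label:", merged)
```

Removing the top class leaves the ordering intact but makes the join undefined for some pairs, so merged data from those classes would have no valid label.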
3.7.2. Bell–LaPadula Lattice Model
3.7.3. Biba Model and Duality
3.7.4. Chinese Wall Lattice Model
3.8. Identity-Based Access Control (IBAC)
- Type 1: Something that you know, e.g., PIN, password, etc.
- Type 2: Something that you have, e.g., tokens, smart cards, keys, etc.
- Type 3: Something that you are, e.g., biometrics (fingerprints, iris, face/voice recognition), etc.
4. Access Control Models for Online Social Network (OSN)
Relationship-Based Access Control (ReBAC)
5. Access Control for IoT
5.1. Access Control Models for IoT Using RBAC
5.2. Access Control Models for IoT Using ABAC
5.3. Access Control Models for IoT Using UCON
5.4. Access Control Models for IoT Using CapBAC
5.5. Access Control Models for IoT Using OrBAC
6. Analysis and Discussion
6.1. Evaluation Criteria for Conventional Access Control Models
- Complexity: It defines the access control model’s nature. More complex models do not have implementations and lead to unexpected problems. There is a tradeoff between the complexity and the functionality of the models.
- Understandability: It defines the underlying principles of the models and their transparency. The significance of the change in access privileges and manipulation should be clear for the proper usage of the system.
- Ease of use: It indicates the usage of the access model from the standpoint of end users, that is, how simple the models are for them. If the models are difficult to use, then they will not be appreciated by the users; nonetheless, security brings complexity. The simpler the model is, the more popular it would be.
- Applicability: It defines the signs of the access control model’s practicality. Theoretical models may have some benefits. There should be an infrastructure for the deployment of the model.
- User’s group: Access control environment suggests a common task commenced by the user’s group. Changes, specifications, and manipulations made for the user’s group should be represented by the access control models.
- Policy Enforcement: It should be ensured that the access control model enforces the policies and constraints correctly.
- Flexibility: It is defined as the flexible formation of access control policies, giving supple control over access control operations. In this way, it will provide better interoperability through administrative boundaries.
- Policy specifications: The basis of access control models is the representation and specification of the policies. The model must support an appropriate syntax for specifying policies and a language for modifying and extending them transparently and simply. It helps in the scalability of the access control system.
- Fine-Grained Control: An access control model should provide fine-grained control over a situation where a user needs some set of permissions on the occurrence of an object at a specific point without the complexities or compromises into the system.
- Resistance: It is defined as the security of the system, that is, how the access control model is secured. It is designed to tackle deliberate attacks or fend off situations which restrict the users from a large consumption of resources.
6.2. Evaluation of Access Control Models for IoT
7. Conclusions
Author Contributions
Funding
Acknowledgments
Conflicts of Interest
References
- Bokefode, J.D.; Ubale, S.A.; Apte, S.S.; Modani, D.G. Analysis of DAC MAC RBAC Access Control based Models for Security. Int. J. Comput. Appl. 2014, 104, 6–13.
- Aho, A.; Hopcroft, J.; Ullman, J. The Design and Analysis of Computer Algorithms; Addison-Wesley: Boston, MA, USA, 1974.
- Damianou, N.; Bandara, A.; Sloman, M.; Lupu, E. A Survey of Policy Specification Approaches; Department of Computing, Imperial College of Science Technology and Medicine: London, UK, 2002; Volume 3, pp. 142–156.
- Emmanuel, N.; Anjum, A.; Shafiq, S.; Adam, M. Current State of Art in Security of Data Aggregator in Smart Grids. Preprints 2016, 2016070077.
- Sicari, S.; Rizzardi, A.; Grieco, L.A.; Coen-Porisini, A. Security, privacy and trust in Internet of Things: The road ahead. Comput. Netw. 2015, 76, 146–164.
- Khattak, H.A.; Shah, M.A.; Khan, S.; Ali, I.; Imran, M. Perception layer security in Internet of Things. Futur. Gener. Comput. Syst. 2019, 100, 144–164.
- Ouaddah, A.; Mousannif, H.; Elkalam, A.A.; Ouahman, A.A. Access control in The Internet of Things: Big challenges and new opportunities. Comput. Netw. 2017, 112, 237–262.
- Bertin, E.; Hussein, D.; Sengul, C.; Frey, V. Access control in the Internet of Things: A survey of existing approaches and open research questions. Ann. Telecommun. 2019, 74, 375–388.
- Zhang, Y.; Wu, X. Access control in internet of things: A survey. arXiv 2016, arXiv:1610.01065.
- Ravidas, S.; Lekidis, A.; Paci, F.; Zannone, N. Access control in Internet-of-Things: A survey. J. Netw. Comput. Appl. 2019, 144, 79–101.
- Tolone, W.; Ahn, G.-J.; Pai, T.; Hong, S.-P. Access control in collaborative systems. ACM Comput. Surv. 2005, 37, 29–41.
- Kirrane, S.; Mileo, A.; Decker, S. Access control and the resource description framework: A survey. Semantic Web 2017, 8, 311–352.
- Peón, P.G.; Uhlemann, E.; Steiner, W.; Björkman, M. Medium access control for wireless networks with diverse time and safety real-time requirements. In Proceedings of the IECON 2016—42nd Annual Conference of the IEEE Industrial Electronics Society, Florence, Italy, 23–26 October 2016.
- Ventura, D.; Gómez-Goiri, A.; Catania, V.; López-De-Ipiña, D.; Naranjo, J.; Casado, L.G. Security analysis and resource requirements of group-oriented user access control for hardware-constrained wireless network services. Log. J. IGPL 2015, 24, 80–91.
- Alhaqbani, B.; Fidge, C. Access control requirements for processing electronic health records. In International Conference on Business Process Management; Springer: Berlin/Heidelberg, Germany, 2007.
- Gates, C. Access Control Requirements for Web 2.0 Security and Privacy; IEEE Web 2.0; CA Labs: Islandia, NY, USA, 2007.
- Subashini, S.; Kavitha, V. A survey on security issues in service delivery models of cloud computing. J. Netw. Comput. Appl. 2011, 34, 1–11.
- Gusmeroli, S.; Piccione, S.; Rotondi, D. A capability-based security approach to manage access control in the internet of things. Math. Comput. Model. 2013, 58, 1189–1205.
- Choi, C.; Choi, J.; Kim, P. Ontology-based access control model for security policy reasoning in cloud computing. J. Supercomput. 2014, 67, 711–722.
- Singhal, M.; Chandrasekhar, S.; Ge, T.; Sandhu, R.; Krishnan, R.; Ahn, G.J.; Bertino, E. Collaboration in multi-cloud computing environments: Framework and security issues. Computer 2013, 46, 76–84.
- Malik, A.K. (Ed.) Innovative Solutions for Access Control Management; IGI Global: Hershey, PA, USA, 2016.
- Small, A.; Wainwright, D. Privacy and Security of Electronic Patient Records–Tailoring Multimethodology to Explore the Socio-Political Problems Associated with Role Based Access Control Systems. Eur. J. Oper Res. 2017, 265, 344–360.
- Rexer, P.; Patil, A. Security Enhancement through Application Access Control. U.S. Patent No. 9,691,051, 27 June 2017.
- Majumder, A.; Namasudra, S.; Nath, S. Taxonomy and classification of access control models for cloud environments. In Continued Rise of the Cloud; Springer: London, UK, 2014; pp. 23–53.
- Singh, A.; Chatterjee, K. Cloud security issues and challenges: A survey. J. Netw. Comput. Appl. 2017, 79, 88–115.
- Androutsellis-Theotokis, S.; Spinellis, D. A survey of peer-to-peer content distribution technologies. ACM Comput. Surv. 2004, 36, 335–371.
- Ryan, A. Methods for access control: Advances and limitations; Harvey Mudd College: Claremont, CA, USA, 2013; Volume 301, p. 20. Available online: https://www.cs.hmc.edu/~mike/public_html/courses/security/s06/projects/ryan.pdf (accessed on 12 October 2020).
- Sandhu, R.S.; Samarati, P. Access control: Principle and practice. IEEE Commun. Mag. 1994, 32, 40–48.
- Barkley, J. Comparing simple role-based access control models and access control lists. In Proceedings of the Second ACM Workshop on Role-Based Access Control, Fairfax, VA, USA, 6–7 November 1997.
- Tang, P.; Diep, T.; Hlasnik, W. Access Control Management System Utilizing Network and Application Layer Access Control Lists. U.S. Patent No. 7,054,944, 30 May 2006.
- Maw, H.A.; Xiao, H.; Christianson, B.; Malcolm, J. A survey of access control models in wireless sensor networks. J. Sens. Actuator Netw. 2014, 3, 150–180.
- Adams, R.; Puthenkulam, J.P. Control of Access Control Lists Based on Social Networks. U.S. Patent No. 7,467,212, 16 December 2008.
- Shalabi, S.M.; Doll, C.L.; Reilly, J.D.; Shore, M.B. Access Control List. U.S. Patent Application No. 13/311,278, 6 June 2013.
- Nelson, K.C.; Noronha, M.A. Facilitating Ownership of Access Control Lists by Users or Groups. U.S. Patent No. 9,697,373, 4 July 2017.
- Daly, J.; Liu, A.X.; Torng, E. A difference resolution approach to compressing access control lists. IEEE/ACM Trans. Netw. 2016, 24, 610–623.
- Cankaya, H.C. Access control lists. In Encyclopedia of Cryptography and Security; Springer: New York, NY, USA, 2011; pp. 9–12.
- Abadi, M.; Goldstein, A.C.; Lampson, B.W. Compound Principals in Access Control Lists. U.S. Patent No. 5,315,657, 24 May 1994.
- Gai, S.; McCloghrie, K.; Kanekar, B.M. Method and Apparatus for Organizing, Storing and Evaluating Access Control Lists. U.S. Patent No. 6,651,096, 18 November 2003.
- Bacis, E.; Mutti, S.; Rosa, M.; Paraboschi, S. Improving Android security by widening the role of Mandatory Access Control. TinyToCS 2016, 4, 1.
- Na, J.s.; Kim, D.-Y.; Pak, W.; Choi, Y.-J. Mandatory Access Control for Android Application Security. J. KIISE 2016, 43, 275–288.
- Mell, P.; Shook, J.; Harang, R.; Gavrila, S. Linear Time Algorithms to Restrict Insider Access using Multi-Policy Access Control Systems. J. Wirel. Mob. Netw. Ubiquitous Comput. Dependable Appl. 2017, 8, 4–25.
- Shu, Z.; Ji, X.; Lin, Y. A hybrid security model for virtual machines in cloud environment. Int. J. Auton. Adapt. Commun. Syst. 2017, 10, 236–246.
- Brocardo, M.L.; Rolt, C.R.D.; Dias, J.D.S.; Custodio, R.F.; Traore, I. Privacy information in a positive credit system. Int. J. Grid Utility Comput. 2017, 8, 61–69.
- Liu, G.; Song, H.; Wang, C.; Zhang, R.; Wang, Q.; Ji, S. BTG-BIBA: A Flexibility-Enhanced Biba Model Using BTG Strategies for Operating System. World Acad. Sci. Eng. Technol. Int. J. Comput. Electr. Autom. Control Inf. Eng. 2017, 11, 706–712.
- Brewer, D.F.C.; Nash, M.J. The Chinese wall security policy. In Proceedings of the 1989 IEEE Symposium on Security and Privacy, Oakland, CA, USA, 1–3 May 1989.
- Basu, S.; Sengupta, A.; Mazumdar, C. Modelling operations and security of cloud systems using Z-notation and Chinese Wall security policy. Enterp. Inf. Syst. 2016, 10, 1024–1046.
- Sandhu, R.S. A lattice interpretation of the Chinese Wall policy. In Proceedings of the 15th NIST-NCSC National Computer Security Conference, Baltimore, MA, USA, 13–16 October 1992.
- Fehis, S.; Nouali, O.; Kechadi, M.-T. A New Distributed Chinese Wall Security Policy Model. J. Digit. Forensics Secur. Law 2016, 11, 11.
- Moffett, J.D. Specification of management policies and discretionary access control. Net. Distrib. Syst. Manag. 1994, 455–480.
- Savage, C.; Petro, C.; Goldsmith, S. System for Providing Session-Based Network Privacy, Private, Persistent Storage, and Discretionary Access Control for Sharing Private Data. U.S. Patent No. 9,619,632, 11 April 2017.
- Tirosh, O.; Werner, E. Method and System for Implementing Mandatory File Access Control in Native Discretionary Access Control Environments. U.S. Patent No. 9,350,760, 24 May 2016.
- Han, D.-J.; Gong, L.; Qin, F. A Dynamic Access Control Policy Based on Hierarchical Description. In Proceedings of the 2016 International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery (CyberC), Chengdu, China, 13–15 October 2016.
- Thion, R. Access Control Models. Cyber Warfare and Cyber Terrorism; IGI Global: Hershey, PA, USA, 2008; pp. 318–326.
- Ferraiolo, D.F.; Sandhu, R.; Gavrila, S.; Kuhn, D.R.; Chandramouli, R. Proposed NIST standard for role-based access control. ACM Trans. Inf. Syst. Secur. 2001, 4, 224–274.
- Sandhu, R.S.; Coyne, E.J.; Feinstein, H.L.; Youman, C.E. Role-based access control models. IEEE Comput. 1996, 29, 38–47.
- Nakamura, S.; Duolikun, D.; Enokido, T.; Takizawa, M. A read-write abortion protocol to prevent illegal information flow in role-based access control systems. Int. J. Space-Based Situated Comput. 2016, 6, 43–53.
- Ferraiolo, D.; Cugini, J.; Kuhn, D.R. Role-based access control (RBAC): Features and motivations. In Proceedings of the 11th Annual Computer Security Application Conference, New Orleans, LA, USA, 13–15 December 1995.
- Mishra, A.; Ghodke, A.; Mohanty, S.; Bagul, Y. Access Control and Recovery Model in Cloud. Imperial J. Interdiscip. Res. 2017, 3, 678–681.
- Liu, Q.; Zhang, H.; Wan, J.; Chen, X. An Access Control Model for Resource Sharing based on the Role-Based Access Control Intended for Multi-domain Manufacturing Internet of Things. IEEE Access 2017, 5, 7001–7011.
- PV, R.; Sandhu, R. POSTER: Security Enhanced Administrative Role Based Access Control Models. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, Vienna, Austria, 24–28 October 2016.
- Ferraiolo, D.; Kuhn, D.R.; Chandramouli, R. Role-Based Access Control; Artech House: Norwood, MA, USA, 2003.
- Ghazal, R.; Malik, A.K.; Qadeer, N.; Raza, B.; Shahid, A.R.; Alquhayz, H. Intelligent Role-Based Access Control Model and Framework Using Semantic Business Roles in Multi-Domain Environments. IEEE Access 2020, 8, 12253–12267.
- Kulkarni, D.; Tripathi, A. Context-aware role-based access control in pervasive computing systems. In Proceedings of the 13th ACM Symposium on Access Control Models and Technologies, Estes Park, CO, USA, 11–13 June 2008.
- Corrad, A.; Montanari, R.; Tibaldi, D. Context-based access control management in ubiquitous environments. In Proceedings of the Third IEEE International Symposium on Network Computing and Applications (NCA 2004), Cambridge, MA, USA, 1 September 2004.
- Feng, F.; Lin, C.; Peng, D.; Li, J. A trust and context-based access control model for distributed systems. In Proceedings of the 2008 10th IEEE International Conference on High Performance Computing and Communications, Dalian, China, 25–27 September 2008.
- Jih, W.-R.; Cheng, S.-Y.; Hsu, J.Y.-J.; Tsai, T.-M. Context-Aware Access Control in Pervasive Healthcare. 2005. Available online: https://scholars.lib.ntu.edu.tw/bitstream/123456789/115216/1/mam05.pdf (accessed on 12 October 2020).
- Hulsebosch, R.J.; Salden, A.H.; Bargh, M.S.; Ebben, P.W.; Reitsma, J. Context sensitive access control. In Proceedings of the Tenth ACM Symposium on Access Control Models and Technologies ACM, Stockholm, Sweden, 1–3 June 2005.
- Garcia-Morchon, O.; Wehrle, K. Modular context-aware access control for medical sensor networks. In Proceedings of the 15th ACM Symposium on Access Control Models and Technologies (SACMAT ’10), Pittsburgh, PA, USA, 9–11 June 2010; pp. 129–138.
- Morchon, O.G.; Wehrle, K. Efficient and context-aware access control for pervasive medical sensor networks. In Proceedings of the 2010 8th IEEE International Conference on Pervasive Computing and Communications Workshops (PERCOM Workshops), Mannheim, Germany, 29 March–2 April 2010.
- Yuan, E.; Tong, J. Attributed based access control (ABAC) for web services. In Proceedings of the IEEE International Conference on Web Services (ICWS’05), Orlando, FL, USA, 11–15 July 2005.
- Hu, V.C.; Kuhn, D.R.; Ferraiolo, D.F. Attribute-Based Access Control. IEEE Comput. 2015, 48, 85–88.
- Servos, D.; Osborn, S.L. Current Research and Open Problems in Attribute-Based Access Control. ACM Comput. Surv. 2017, 49, 65.
- Sandhu, R. Attribute-Based Access Control Models and Beyond. In Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security - ASIA CCS Association for Computing Machinery (ACM), Singapore, 10 April 2015.
- Crampton, J.; Williams, C. Attribute Expressions, Policy Tables and Attribute-Based Access Control. In Proceedings of the 22nd ACM on Symposium on Access Control Models and Technologies, Indianapolis, IN, USA, 21–23 June 2017.
- Abo-Alian, A.; Badr, N.L.; Tolba, M.F. Hierarchical attribute-role based access control for cloud computing. In Proceedings of the 1st International Conference on Advanced Intelligent System and Informatics (AISI2015), Beni Suef, Egypt, 28–30 November 2015.
- Liu, J.K.; Au, M.H.; Huang, X.; Lu, R.; Li, J. Fine-grained two-factor access control for web-based cloud computing services. IEEE Trans. Inf. Forensics Secur. 2015, 11, 484–497.
- Tu, S.-S.; Niu, S.-Z.; Li, H. A fine-grained access control and revocation scheme on clouds. Concurr. Comput. Pract. Exp. 2016, 28, 1697–1714.
- Lim, L.; Marie, P.; Conan, D.; Chabridon, S.; Desprats, T.; Manzoor, A. Enhancing context data distribution for the internet of things using qoc-awareness and attribute-based access control. Ann. Telecommun. 2015, 71, 121–132.
- Jin, X.; Krishnan, R.; Sandhu, R. A unified attribute-based access control model covering DAC, MAC, and RBAC. In IFIP Annual Conference on Data and Applications Security and Privacy; Springer: Berlin/Heidelberg, Germany, 2012.
- Sandhu, R.S. Lattice-based access control models. Computer 1993, 26, 9–19.
- Sandhu, R. Role hierarchies and constraints for lattice-based access control. In European Symposium on Research in Computer Security; Springer: Berlin/Heidelberg, Germany, 1996.
- Saxena, N.; Tsudik, G.; Yi, J.H. Identity-based access control for ad hoc groups. In International Conference on Information Security and Cryptology; Springer: Berlin/Heidelberg, Germany, 2004.
- Kunzinger, C.A. Integrated System for Network Layer Security and Fine-Grained Identity-Based Access Control. U.S. Patent No. 6,986,061, 10 January 2006.
- Gong, L. A secure identity-based capability system. In Proceedings of the 1989 IEEE Symposium on Security and Privacy, Oakland, CA, USA, 1–3 May 1989.
- Shamir, A. Identity-based cryptosystems and signature schemes. In Workshop on the Theory and Application of Cryptographic Techniques; Springer: Berlin/Heidelberg, Germany, 1984.
- Al-Mahmud, A.; Morogan, M.C. Identity-based authentication and access control in wireless sensor network. Int. J. Comput. Appl. 2012, 41, 18–24.
- Thomas, R.K. Team-based access control (TMAC) a primitive for applying role-based access controls in collaborative environments. In Proceedings of the Second ACM Workshop on Role-Based Access Control, Fairfax, VA, USA, 6–7 November 1997; pp. 13–19.
- Malik, A.K.; Truong, H.L.; Dustdar, S. DySCon: Dynamic sharing control for distributed team collaboration in networked enterprises. In Proceedings of the 2009 IEEE Conference on Commerce and Enterprise Computing, Vienna, Austria, 20–23 July 2009; pp. 279–284.
- Oh, S.; Park, S. Task–role-based access control model. Inf. Syst. 2003, 28, 533–562.
- Malik, A.K.; Dustdar, S. Enhanced sharing and privacy in distributed information sharing environments. In Proceedings of the 2011 7th International Conference on Information Assurance and Security (IAS), Melaka, Malaysia, 5–8 December 2011; pp. 286–291.
- Ali, A.; Malik, A.K.; Ahmed, M.; Raza, B.; Ilyas, M. Privacy Concerns in Online Social Networks: A Users’ Perspective. Int. J. Adv. Comput. Sci. Appl. 2019, 10, 10.
- Asim, Y.; Malik, A.K. A survey on access control techniques for social networks. In Innovative Solutions for Access Control Management; IGI Global: Hershey, PA, USA, 2020; pp. 1–32.
- Gollu, K.K.; Saroiu, S.; Wolman, A. A Social Networking-Based Access Control Scheme for Personal Content. In Proceedings of the 21st ACM Symposium on Operating Systems Principles, Skamania Lodge Stevenson, Stevenson, WA, USA, 14–17 October 2017.
- Tootoonchian, A.; Ganjali, Y.; Saroiu, S.; Wolman, A. Lockr: Better privacy for social networks. In Proceedings of the 5th ACM International Conference on emerging Networking Experiments and Technologies, Rome, Italy, 1–4 December 2009; pp. 169–180.
- Tootoonchian, A.; Gollu, K.K.; Saroiu, S.; Ganjali, Y.; Wolman, A. Lockr: Social access Control for web 2.0. In Proceedings of the WOSN’08, Seattle, WA, USA, 17–22 August 2008; pp. 43–48.
- Rizvi, S.Z.R.; Fong, P.W.L. Interoperability of relationship-and role-based access control. In Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy, New Orleans, LA, USA, 9–11 March 2016.
- Cheng, Y.; Park, J.; Sandhu, R. A User-to-User Relationship-based Access Control Model for Online Social Networks. Data Appl. Secur. Privacy 2012, 26, 8–24.
- Bui, T.; Stoller, S.D.; Li, J. Mining Relationship-Based Access Control Policies. In Proceedings of the 22nd ACM on Symposium on Access Control Models and Technologies, Indianapolis, IN, USA, 21–23 June 2017.
- Cheng, Y.; Park, J.; Sandhu, R. Relationship-based Access Control for Online Social Networks: Beyond User-to-User Relationships. In Proceedings of the International Conference on Social Computing, Privacy, Security, Risk, and Trust, Amsterdam, The Netherlands, 3–5 September 2012; pp. 646–655.
- Ahmed, T.; Sandhu, R.; Park, J. Classifying and Comparing Attribute-Based and Relationship-Based Access Control. In Proceedings of the Seventh ACM on Conference on Data and Application Security and Privacy, Scottsdale, AZ, USA, 22–24 March 2017.
- Du, Z.; Liu, Y.; Wang, Y. Relation Based Access Control in Campus Social Network System. Procedia Comput. Sci. 2013, 17, 14–20.
- Bennett, P.; Ray, I.; France, R. Analysis of a relationship based access control model. In Proceedings of the Eighth International C* Conference on Computer Science & Software Engineering, Yokohama, Japan, 13–15 July 2015.
- Pang, J.; Zhang, Y. A new access controls scheme for Facebook-style social networks. In Proceedings of the Availability, Reliability and Security, Fribourg, Switzerland, 8–12 September 2014; pp. 1–10.
- Cheng, Y.; Bijon, K.; Sandhu, R. Extended ReBAC Administrative Models with Cascading Revocation and Provenance Support. In Proceedings of the 21st ACM on Symposium on Access Control Models and Technologies, Shanghai, China, 5–8 June 2016.
- Kumar, A.; Rathore, N.C. Relationship Strength Based Access Control in Online Social Networks; Springer International Publishing: Berlin, Germany, 2016.
- Asim, Y.; Malik, A.K.; Raza, B.; Naeem, W.; Rathore, S. Community-centric brokerage-aware access control for online social networks. Futur. Gen. Comput. Syst. 2018, 109, 469–478.
- Manzoor, A.; Shah, M.A.; Khattak, H.A.; Din, I.U.; Khan, M.K. Multi-tier authentication schemes for fog computing: Architecture, security perspective, and challenges. Int. J. Commun. Syst. 2019, e4033.
- Gabillon, A.; Gallier, R.; Bruno, E. Access Controls for IoT Networks. SN Comput. Sci. 2020, 1, 24.
- Gouglidis, A.; Mavridis, I. domRBAC: An Access Control Model for Modern Collaborative Systems. Comput. Secur. 2012, 31, 540–556.
- Yavari, A.; Panah, A.S.; Georgakopoulos, D. Scalable Role-based Data Disclosure Control for the Internet of Things. In Proceedings of the 2017 IEEE 37th International Conference on Distributed Computing Systems (ICDCS), Atlanta, GA, USA, 5–8 June 2017.
- Yavari, A.; Jayaraman, P.P.; Georgakopoulos, D.; Nepal, S. ConTaaS: An Approach to Internet-Scale Contextualisation for Developing Efficient Internet of Things Applications. In Proceedings of the 50th Hawaii International Conference on System Sciences (HICSS), Hilton Waikoloa Village, HI, USA, 4–7 January 2017; pp. 5932–5940.
- Zhang, G.; Tian, J. An extended role based access control model for the Internet of Things. In Proceedings of the 2010 International Conference on Information, Networking and Automation (ICINA), Kunming, China, 17–19 October 2010; p. V1-319.
- Jindou, J.; Xiaofeng, Q.; Cheng, C. Access Control Method for Web of Things Based on Role and SNS. In Proceedings of the 2012 IEEE 12th International Conference on Computer and Information Technology, Chengdu, China, 20–22 October 2012; pp. 316–321.
- Barka, E.; Mathew, S.S.; Atif, Y. Securing the Web of Things with Role-Based Access Control. In Proceedings of the International Conference on Codes, Cryptology, and Information Security, Rabat, Morocco, 18–19 July 2015; pp. 14–26.
- Soni, A.; Keoh, S.L.; Kumar, S.S.; Garcia-Morchon, O. HADA: Hybrid Access Decision Architecture for Building Automation and Control Systems. In Proceedings of the 1st International Symposium for ICS & SCADA Cyber Security Research 2013, Leicester, UK, 16–17 September 2013; pp. 1–11.
- Liu, J.; Xiao, Y.; Chen, C.L.P. Authentication and Access Control in the Internet of Things. In Proceedings of the 2012 32nd International Conference on Distributed Computing Systems Workshops; Institute of Electrical and Electronics Engineers (IEEE), Macau, China, 18–21 June 2012; pp. 588–592.
- Sakimura, N.; Bradley, J.; Jones, M.; Jay, E. OpenID Connect Discovery 1.0 Incorporating Errata Set 1; OpenID Foundation: San Ramon, CA, USA, 2014; Available online: https://openid.net/specs/openid-connect-discovery-1_0.html (accessed on 14 October 2020).
- Kayes, A.S.M.; Rahayu, W.; Dillon, T. Critical situation management utilizing IoT-based data resources through dynamic contextual role modeling and activation. Computing 2019, 101, 743–772.
- Oh, S.R.; Kim, Y.G.; Cho, S. An Interoperable Access Control Framework for Diverse IoT Platforms Based on OAuth and Role. Sensors 2019, 19, 1884.
- Bezawada, B.; Haefner, K.; Ray, I. Securing Home IoT Environments with Attribute-Based Access Control. In Proceedings of the Third ACM Workshop on Mobile Cloud Computing and Services—MCS, Tempe, AZ, USA, 21 March 2018; pp. 43–53.
- Ye, N.; Zhu, Y.; Wang, R.-C.; Malekian, R.; Qiao-Min, L. An Efficient Authentication and Access Control Scheme for Perception Layer of Internet of Things. Appl. Math. Inf. Sci. 2014, 8, 1617–1624.
- Guoping, Z.; Wentao, G. The research of access control based on UCON in the internet of things. J. Softw. 2011, 6, 724–731.
- Quyet, H.C.; Giyyarpuram, M.; Reza, F.; Noel, C. Usage control for data handling in smart cities. In Proceedings of the 2015 IEEE Global Communications Conference (GLOBECOM), San Diego, CA, USA, 6–10 December 2016; pp. 1–6.
- Mahalle, P.; Anggorojati, B.; Prasad, N.R.; Rangistty, N.D. Identity Authentication and Capability Based Access Control (IACAC) for the Internet of Things. J. Cyber Secur. Mobil. 2013, 1, 309–348.
- Anggorojati, B.; Mahalle, P.N.; Prasad, N.R.; Prasad, R. Capability-based access control delegation model on the federated IoT network. In Proceedings of the 15th International Symposium on Wireless Personal Multimedia Communications, Taipei, Taiwan, 24–27 September 2012; pp. 604–608.
- Green, J. The Internet of Things Reference Model. In Proceedings of the Internet of Things World Forum 2014, Chicago, IL, USA, 14–16 October 2014; pp. 1–12.
- Hernández-Ramos, J.L.; Jara, A.J.; Marín, L.; Gómez, A.F.S. DCapBAC: Embedding authorization logic into smart things through ECC optimizations. Int. J. Comput. Math. 2016, 93, 345–366.
- Hernández-Ramos, J.; Jara, A. Distributed Capability-based Access Control for the Internet of Things. J. Internet Serv. Inf. Secur. 2013, 3, 1–16.
- Bernabe, J.B.; Ramos, J.L.H.; Gomez, A.F.S. TACIoT: Multidimensional trust-aware access control system for the Internet of Things. Soft Comput. 2016, 20, 1763–1779.
- Anggorojati, B.; Prasad, N.R.; Prasad, R. Capability-Based Access Control with ECC Key Management for the M2M Local Cloud Platform. Wirel. Pers. Commun. 2018, 100, 519–538.
- Ouaddah, A.; Bouij-Pasquier, I.; Elkalam, A.A.; Ouahman, A.A. Security analysis and proposal of new access control model in the Internet of Thing. In Proceedings of the 2015 International Conference on Electrical and Information Technologies (ICEIT), Marrakech, Morocco, 25–27 March 2015; pp. 30–35.
- Bouij-Pasquier, I.; El, A.A.K.; Ouahman, A.A.; Montfort, M.D. A Security Framework for Internet of Things. In Proceedings of the International Conference on Cryptology and Network Security, Marrakesh, Morocco, 10–12 December 2015; Volume 1, pp. 19–31. [Google Scholar]
- Sandhu, R.; Bhamidipati, V.; Munawer, Q. The ARBAC97 Model for Role-Based Administration of Roles. ACM Trans. Inf. Syst. Secur. 1999, 2, 105–135. [Google Scholar] [CrossRef]
- Ahmed, T.; Patwa, F.; Sandhu, R. Object-to-Object Relationship-Based Access Control: Model and Multi-Cloud Demonstration. In Proceedings of the 2016 IEEE 17th International Conference on Information Reuse and Integration (IRI), Pittsburgh, PA, USA, 28–30 July 2016. [Google Scholar]
- Sandhu, R. Future directions in role-based access control models. In International Workshop on Mathematical Methods, Models, and Architectures for Network Security; Springer: Berlin/Heidelberg, Germany, 2001. [Google Scholar]
- Qiu, M.; Gai, K.; Thuraisingham, B.; Tao, L.; Zhao, H. Proactive user-centric secure data scheme using attribute-based semantic access controls for mobile clouds in the financial industry. Futur. Gen. Comput. Syst. 2016, 80, 421–429. [Google Scholar] [CrossRef]
- Breslin, J.; Decker, S. The future of social networks on the internet: The need for semantics. IEEE Internet Comput. 2007, 11, 86–90. [Google Scholar] [CrossRef]
- Qiu, J.; Tian, Z.; Du, C.; Zuo, Q.; Su, S.; Fang, B. A survey on access control in the age of internet of things. IEEE Internet Things J. 2020, 7, 4682–4696. [Google Scholar] [CrossRef]









| | File 1 | File 2 | File 3 |
|---|---|---|---|
| User1 | RWO | RWX | WX |
| User2 | RWX | WX | RWX |
| User3 | R | RWO | RWO |

| Criteria | Matrix | MAC | DAC | RBAC | CBAC | ABAC | Lattice | Identity | ReBAC |
|---|---|---|---|---|---|---|---|---|---|
| Ease of use | Med | Med | Med | High | High | High | Low | High | High |
| Understandability | High | High | High | High | Med | Med | Low | Med | Med |
| Complexity | Low | High | Med | Med | High | Med | High | Med | Med |
| Applicability | Med | High | Med | High | Med | High | Low | Med | High |
| User’s Group | O | O | O | O | O | O | O | O | O |
| Flexibility | X | Low | O | Low | O | High | Low | O | O |
| Policy enforcement | Low | High | Low | O | O | O | High | Low | O |
| Policy specification | Low | High | O | O | O | O | High | O | Low |
| Fine-Grained control | X | High | X | Low | O | High | O | O | High |
| Resistance | X | High | Low | Low | Low | High | Low | High | Med |

| Model | Ref. | Scalability | Usability | Interoperability | Context Awareness | Light Weight | User-Driven | Granularity | Delegation |
|---|---|---|---|---|---|---|---|---|---|
| RBAC | 107 | L | H | L | H | M | M | M | L |
| RBAC | 109 | M | M | H | M | L | M | M | L |
| RBAC | 110 | M | H | H | L | L | H | M | No |
| RBAC | 111 | M | M | H | L | L | M | M | No |
| ABAC | 115 | L | H | L | H | M | M | H | H |
| ABAC | 116 | M | L | M | H | L | M | M | No |
| UCON | 117 | L | M | L | H | No | M | H | No |
| CAPBAC | 121 | H | M | L | H | L | M | M | H |
| CAPBAC | 58 | H | M | L | L | L | M | L | M |
| CAPBAC | 120 | H | M | L | L | H | M | L | H |
| CAPBAC | 124 | H | M | L | L | H | M | M | H |
| | 127 | H | H | H | M | M | L | H | L |

Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.
© 2020 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).
Malik, A.K.; Emmanuel, N.; Zafar, S.; Khattak, H.A.; Raza, B.; Khan, S.; Al-Bayatti, A.H.; Alassafi, M.O.; Alfakeeh, A.S.; Alqarni, M.A. From Conventional to State-of-the-Art IoT Access Control Models. Electronics 2020, 9, 1693. https://doi.org/10.3390/electronics9101693