Service Level Management in Emerging Environments - Nader Mbarek - Page 26
1.4.2.2.2. Research projects
Several European research projects have studied how to adapt access control mechanisms to the IoT environment. ARMOUR (2018) is a European project funded by H2020 (February 2016–February 2018) that addressed some of the security and trust challenges of the IoT. The work carried out in this project defines a set of components that interact with each other to authorize or block data queries in an IoT environment. To do so, ARMOUR defines several entities. First, the Policy Decision Point (PDP) holds the access control policies and, by evaluating them, permits or denies an IoT device (a sensor) an action on a resource (the data registration server). For example, a “PERMIT” decision from the PDP allows the Capability Manager (the server communicating with the PDP) to generate a token and send it to the sensor so that the sensor can publish its data on the IoT platform. The data publication server (Pub/Sub Server) stores the data, and a data query is therefore updated and executed only if the token presented by the sensor and received by the Capability Manager allows this action (ARMOUR 2016).
SMARTIE (Secure and SMArter ciTIes data management) (Pokric et al. 2015) is another European project, funded by FP7 (September 2013–December 2016), that focused on access control in the IoT. SMARTIE’s goal was to develop new mechanisms for establishing trust and security in the different IoT layers. The project’s results indicate that Attribute-Based Access Control (ABAC) is an appropriate solution for specifying fine-grained access control policies. In ABAC, the identity of an IoT service user is no longer reduced to a single attribute but is made up of several attributes (e.g. user ID, role) over which the policy is evaluated. This is why ABAC brings substantial improvements to authorization and access control in the IoT, and why ABAC-based solutions can overcome the drawbacks of centralized access control solutions: the decision is carried by a signed authorization that the device itself can verify, instead of every access requiring a call to a central server. Each query involves two steps: first an authentication step (identity check and authentication of the user), then an access control decision (authorization or refusal). For each access request, the IoT service user authenticates with the domain and obtains an access authorization. This access authorization is signed by a trusted domain authority. The user then sends the query, together with the signed authorization, to the IoT devices, which verify the signature. If the signature is successfully verified, the requested information is sent to the user (SMARTIE 2014a, 2014b; Pokric et al. 2015).
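The ARMOUR flow (PDP decision, then a token issued by the Capability Manager and checked where the data is published) and the SMARTIE flow (an authorization signed by the domain authority and verified by the device) reduce to the same pattern: an attribute-based policy is evaluated once by a trusted authority, and the resulting decision travels with the request as a signed capability that a resource-constrained device can verify with nothing but the authority's public key. The Go program below is an added example written for this page, not code from ARMOUR, SMARTIE or the book; the Ed25519 signature, the JSON token layout, the attribute names (`id`, `role`, `domain`) and the rule format are all assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Capability is the signed authorization the domain authority hands out after a
// PERMIT decision. A device trusts it only because the signature verifies under
// the authority's public key. Field names are assumptions for this example.
type Capability struct {
	Subject  string `json:"sub"`
	Resource string `json:"res"`
	Action   string `json:"act"`
	Expires  int64  `json:"exp"` // Unix seconds; bounds replay of an old token
}

// Request carries the requester's attributes (ABAC: id, role, domain, ...),
// not just an identity, plus the resource and action it asks for.
type Request struct {
	Attrs    map[string]string
	Resource string
	Action   string
}

// Rule grants (Resource, Action) when every attribute listed in Match is
// present with the given value; attributes not listed are ignored.
type Rule struct {
	Match    map[string]string
	Resource string
	Action   string
}

// PDP is the Policy Decision Point: PERMIT if any rule matches, otherwise DENY.
type PDP struct{ Rules []Rule }

func (p PDP) Evaluate(r Request) string {
	for _, rule := range p.Rules {
		if rule.Resource != r.Resource || rule.Action != r.Action {
			continue
		}
		matched := true
		for k, v := range rule.Match {
			if r.Attrs[k] != v {
				matched = false
				break
			}
		}
		if matched {
			return "PERMIT"
		}
	}
	return "DENY" // deny by default
}

// Authority plays the Capability Manager / trusted domain authority: it asks
// the PDP and, on PERMIT, signs a capability with its Ed25519 key.
type Authority struct {
	pdp  PDP
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey // provisioned to devices out of band
}

func NewAuthority(pdp PDP) (*Authority, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authority{pdp: pdp, priv: priv, Pub: pub}, nil
}

// Authorize returns the serialized capability and its signature, or an error
// when the PDP answers DENY (no token is ever produced for a denied request).
func (a *Authority) Authorize(r Request, now time.Time, ttl time.Duration) (token, sig []byte, err error) {
	if a.pdp.Evaluate(r) != "PERMIT" {
		return nil, nil, errors.New("DENY")
	}
	c := Capability{Subject: r.Attrs["id"], Resource: r.Resource, Action: r.Action, Expires: now.Add(ttl).Unix()}
	if token, err = json.Marshal(c); err != nil {
		return nil, nil, err
	}
	return token, ed25519.Sign(a.priv, token), nil
}

// Verify is the check a device or the Pub/Sub server runs on each request:
// signature first (a tampered token is rejected before it is even parsed),
// then expiry, then that the token covers exactly this resource and action.
func Verify(pub ed25519.PublicKey, token, sig []byte, resource, action string, now time.Time) error {
	if !ed25519.Verify(pub, token, sig) {
		return errors.New("bad signature")
	}
	var c Capability
	if err := json.Unmarshal(token, &c); err != nil {
		return err
	}
	if now.Unix() >= c.Expires {
		return errors.New("expired")
	}
	if c.Resource != resource || c.Action != action {
		return errors.New("token does not cover this resource/action")
	}
	return nil
}

func main() {
	// Constructed policy: only sensors of the "city" domain may publish.
	pdp := PDP{Rules: []Rule{{Match: map[string]string{"role": "sensor", "domain": "city"}, Resource: "pubsub", Action: "publish"}}}
	auth, err := NewAuthority(pdp)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	req := Request{Attrs: map[string]string{"id": "sensor-42", "role": "sensor", "domain": "city"}, Resource: "pubsub", Action: "publish"}
	token, sig, err := auth.Authorize(req, now, time.Minute)
	fmt.Println("authorize:", err, "| verify now:", Verify(auth.Pub, token, sig, "pubsub", "publish", now))
	fmt.Println("replay after expiry:", Verify(auth.Pub, token, sig, "pubsub", "publish", now.Add(2*time.Minute)))
}
```

Two points the prose leaves implicit are made explicit here. The device verifies the signature before it interprets the token, so an attacker who edits the action field or substitutes a token signed by another authority is rejected without any policy logic running on the device. And a signature alone does not bound validity: without the expiry field (or a nonce tracked by the device) a captured token could be replayed indefinitely, which is why the example checks `exp` and why the usage in `main` shows the same token being refused two minutes later.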