Validation of an Adaptive Risk-based Access Control Model for the Internet of Things

• Published in: International journal of computer network and information security Vol. 10; no. 1; pp. 26 - 35
• Main Authors: F. Atlam, Hany, Alenezi, Ahmed, Khalid Hussein, Raid, B. Wills, Gary
• Format: Journal Article
• Language: English
• Published: Hong Kong Modern Education and Computer Science Press 08.01.2018
• Subjects: Access control; Adaptive control; Implantation; Information sharing; Internet of Things; New technology; Risk analysis; Risk factors; Risk management
• ISSN: 2074-9090; 2074-9104
• DOI: 10.5815/ijcnis.2018.01.04

The Internet of Things (IoT) has spread into multiple dimensions that incorporate different physical and virtual things. These things are connected together using different communication technologies to provide unlimited services. These services help not only to improve the quality of our daily lives, but also to provide a communication platform for increasing object collaboration and information sharing. Like all new technologies, the IoT has many security challenges that stand as a barrier to the successful implementation of IoT applications. These challenges are more complicated due to the dynamic and heterogeneous nature of IoT systems. However, authentication and access control models can be used to address the security issue in the IoT. To increase information sharing and availability, the IoT requires a dynamic access control model that takes not only access policies but also real-time contextual information into account when making access decisions. One of the dynamic features is the security risk. This paper proposes an Adaptive Risk-Based Access Control (AdRBAC) model for the IoT and discusses its validation using expert reviews. The proposed AdRBAC model conducts a risk analysis to estimate the security risk value associated with each access request when making an access decision. This model has four inputs/risk factors: user context, resource sensitivity, action severity and risk history. These risk factors are used to estimate a risk value associated with the access request to make the access decision. To provide the adaptive features, smart contracts will be used to monitor the user behaviour during access sessions to detect any malicious actions from the granted users. To validate and refine the proposed model, twenty IoT security experts from inside and outside the UK were interviewed. The experts have suggested valuable information that will help to specify the appropriate risk factors and risk estimation technique for implantation of the AdRBAC model.