A capability-based security approach to manage access control in the Internet of Things

Resource and information protection plays a relevant role in distributed systems like the ones present in the Internet of Things (IoT). Authorization frameworks like RBAC and ABAC do not provide scalable, manageable, effective, and efficient mechanisms to support distributed systems with many interacting services and are not able to effectively support the dynamicity and scaling needs of IoT contexts that envisage a potentially unbound number of sensors, actuators and related resources, services and subjects, as well as a more relevance of short-lived, unplanned and dynamic interaction patterns. Furthermore, as more end-users start using smart devices (e.g. smart phones, smart home appliances, etc.) the need to have more scalable, manageable, understandable and easy to use access control mechanisms increases. This paper describes a capability based access control system that enterprises, or even individuals, can use to manage their own access control processes to services and information. The proposed mechanism supports rights delegation and a more sophisticated access control customization. The proposed approach is being developed within the European FP7 IoT@Work project to manage access control to some of the project’s services deployed in the shop floor.