Abstract-Access Control is crucial for security management, but in the context of the Internet of Things it cannot be implemented the same way as traditional systems do. Indeed, devices that make the Internet of Things impose some constraints that encourage the design of new access control mechanisms, which should provide flexibility of configuration, as well as support several authorization scopes at the same time, yet being computationally light, dynamic and scalable in order to be ready for the forthcoming Cloud Computing paradigm. In this paper we propose an authorization model that is based on the OAuth 2.0 protocol. From the point of view of the identity provider, this model allows managing roles and permissions for an application-scoped authorization, to enable more flexible scenarios in which multiple tenants take part. With regard to devices, the OAuth 2.0 makes authorization extremely light, because all the required information is provided with a token. Considering all this, authorization management is completely delegated to an external system, so that an as-a-service access control mechanism is provided. The proposed model complies with the security, flexibility and performance requirements that are needed in the Internet of Things paradigm.
In recent years, a new business paradigm has emerged which revolves around effectively extracting value from data. In this scope, providing a secure ecosystem for data sharing that ensures data governance and traceability is of paramount importance as it holds the potential to create new applications and services. Protecting data goes beyond restricting who can access what resource (covered by identity and Access Control): it becomes necessary to control how data are treated once accessed, which is known as data Usage Control. Data Usage Control provides a common and trustful security framework to guarantee the compliance with data governance rules and responsible use of organizations’ data by third-party entities, easing and ensuring secure data sharing in ecosystems such as Smart Cities and Industry 4.0. In this article, we present an implementation of a previously published architecture for enabling access and Usage Control in data-sharing ecosystems among multiple organizations using the FIWARE European open source platform. Additionally, we validate this implementation through a real use case in the food industry. We conclude that the proposed model, implemented using FIWARE components, provides a flexible and powerful architecture to manage Usage Control in data-sharing ecosystems.
access control is a key element when guaranteeing the security of online services. However, devices that make the Internet of Things have some special requirements that foster new approaches to access control mechanisms. Their low computing capabilities impose limitations that make traditional paradigms not directly applicable to sensors and actuators. In this paper, we propose a dynamic, scalable, IoT-ready model that is based on the OAuth 2.0 protocol and that allows the complete delegation of authorization, so that an as a service access control mechanism is provided. Multiple tenants are also supported by means of application-scoped authorization policies, whose roles and permissions are fine-grained enough to provide the desired flexibility of configuration. Besides, OAuth 2.0 ensures interoperability with the rest of the Internet, yet preserving the computing constraints of IoT devices, because its tokens provide all the necessary information to perform authorization. The proposed model has been fully implemented in an open-source solution and also deeply validated in the scope of FIWARE, a European project with thousands of users, the goal of which is to provide a framework for developing smart applications and services for the future Internet. We provide the details of the deployed infrastructure and offer the analysis of a sample smart city setup that takes advantage of the model. We conclude that the proposed solution enables a new access control as a service paradigm that satisfies the special requirements of IoT devices in terms of performance, scalability and interoperability.
Secure electronic identification (eID) is one of the key enablers of data protection, privacy, and the prevention of online fraud. However, until now, the lack of common legal basis prevented European Member States from recognizing and accepting eIDs issued in the other Member States. The electronic identification and trust services (eIDAS) regulation provides a solution to these issues by ensuring the cross-border mutual recognition of eIDs. FIWARE is a European initiative that provides a rather simple yet powerful set of application programming interfaces (APIs) that ease the development of smart applications in multiple vertical sectors and oriented to the future internet. In this paper, we propose a model that enables the connection of FIWARE OAuth 2.0-based services with the eID authentication provided by eIDAS reference. Thanks to this model, services already connected with an OAuth 2.0 identity provider can be automatically connected with eIDAS nodes for providing eID authentication to European citizens. For validating the proposed model, we have deployed an instance of the FIWARE identity manager connected to the Spanish eIDAS node. Then, we have registered two services, a private videoconferencing system, and a public smart city deployment, and extended their functionalities for enriching the user experience leveraging the eID authentication. We have evaluated the integration of both services in the eIDAS network with real users from seven different countries. We conclude that the proposed model facilitates the integration of generic and FIWARE-based OAuth 2.0 services to the eIDAS infrastructure, making the connection transparent for developers. INDEX TERMS Access Control, eIDAS, electronic identification, identity, FIWARE.
scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.