Förderjahr 2020 / Stipendien Call #15 / ProjektID: 5294 / Projekt: Trustworthy Context-Aware Access Control in IoT Environments based on the Fog Computing Paradigm
IoT systems offer numerous novel and appealing services that users enjoy using. Yet, IoT services' security is somewhat overseen. Once you install new smart light in your home, do you check if your private data is protected from (malicious) users?
Emerging IoT concepts and technologies enable a multitude of novel services that make our life easier. It is always appealing to turn on the light or check room temperature from your cell-phone, start music using your voice, or have your smartwatch constantly monitor your health. Yet, who else can read the temperature in your Smart Home or obtain your health analytics without you being aware of it? If you are protecting your bank account with strict security policies, shouldn't you apply them to your home and workplace as well? If yes, how can it be achieved, and how the IoT system can help us achieve that?
Traditional security mechanisms are widely applied in IT systems. They follow the CIA (Confidentiality, Integrity, Availability) principles, meaning that information once sent across a computer network can't be altered, read, or destroyed by attackers. To achieve that, the transmitted data is encrypted using credentials known only by communicating parties. Moreover, the stored information is protected through access control policies that allow or deny access based on preconfigured security policies. So, if these concepts are already known and widely applied, why can't they be applied in IoT?
Well, they can be, and they are applied, but to some degree. The main problem is that IoT devices (sensors, actuators) are very resource-constrained, meaning that they are often incapable of storing security policies and performing resource-greedy cryptographic operations. That leads to the usage of weaker credentials (encryption keys), which makes stealing data easier since attackers need less time to crack security credentials and steal information. A further disadvantage is that IoT platforms are hosted in the Cloud. Thus, long data transmission path from IoT devices to Cloud servers allow attackers to endanger the CIA principles of IoT services and over IoT security.
Novel computing paradigms like Fog Computing and Edge Computing tend to shift the computing capabilities closer to the IoT devices, are offload the required computations both from IoT devices and Cloud servers. For example, it is much better to have your data stored, secured, and analyzed in your Smart Home and not on some remote Cloud Server somewhere in Europe or the USA. Still, having Fog Node and offered processing capabilities deployed in your Smart Home offer employment of innovative, automated security mechanisms. In the end, automated services minimize required users' effort for configuration and are less error-prone.
These facts influenced my basic idea and motivation for my research and Ph.D. topic. In the previous years, during the development of various IoT systems, I've noticed that IoT automation and smartification are used for creating newer, better, more intelligent IoT services, whereas security has been neglected. Moreover, a very specific characteristic of IoT systems is that users that configure IoT environment (e.g., Smart Home) are not aware of the required security policies, such as - "change the default password on your surveillance camera.". That is why I've chosen to research the trinity of Fog Computing, IoT security, and IoT intelligence. Bound together, this trinity represents the tools to answer my central research question: "How to create automated, adaptive security policies for local IoT environments and improve overall IoT security using computational resources of Fog computing?".