Access Control for IoT: Problems and Solutions in the Smart Home

The Internet of Things (IoT) is receiving considerable amount of attention from both industry and academia due to the business models that it enables and the radical changes it introduced in the way people interact with technology. The widespread adaption of IoT in our everyday life generates new security and privacy challenges. In this thesis, we focus on "access control in IoT": one of the key security services that ensures the correct functioning of the entire IoT system. We highlight the key differences with access control in traditional systems (such as databases, operating systems, or web services) and describe a set of requirements that any access control system for IoT should fulfill. We demonstrate that the requirements are adaptable to a wide range of IoT use case scenarios by validating the requirements for access control elicited when analyzing the smart lock system as sample use case from smart home scenario. We also utilize the CAP theorem for reasoning about access control systems designed for the IoT. We introduce MQTT Security Assistant (MQTTSA), a tool that automatically detects misconfigurations in MQTT-based IoT deployments. To assist IoT system developers, MQTTSA produces a report outlining detected vulnerabilities, together with (high level) hints and code snippets to implement adequate mitigations. The effectiveness of the tool is assessed by a thorough experimental evaluation. Then, we propose a lazy approach to Access Control as a Service (ACaaS) that allows the specification and management of policies independently of the Cloud Service Providers (CSPs) while leveraging its enforcement mechanisms. We demonstrate the approach by investigating (also experimentally) alternative deployments in the IoT platform offered by Amazon Web Services on a realistic smart lock solution

Security Policies That Make Sense for Complex Systems: Comprehensible Formalism for the System Consumer

Information Systems today rarely are contained within a single user workstation, server, or networked environment. Data can be transparently accessed from any location, and maintained across various network infrastructures. Cloud computing paradigms commoditize the hardware and software environments and allow an enterprise to lease computing resources by the hour, minute, or number of instances required to complete a processing task. An access control policy mediates access requests between authorized users of an information system and the system\u27s resources. Access control policies are defined at any given level of abstraction, such as the file, directory, system, or network, and can be instantiated in layers of increasing (or decreasing) abstraction. For the system end-user, the functional allocation of security policy to discrete system components, or subsystems, may be too complex for comprehension. In this dissertation, the concept of a metapolicy, or policy that governs execution of subordinate security policies, is introduced. From the user\u27s perspective, the metapolicy provides the rules for system governance that are functionally applied across the system\u27s components for policy enforcement. The metapolicy provides a method to communicate updated higher-level policy information to all components of a system; it minimizes the overhead associated with access control decisions by making access decisions at the highest level possible in the policy hierarchy. Formal definitions of policy often involve mathematical proof, formal logic, or set theoretic notation. Such policy definitions may be beyond the capability of a system user who simply wants to control information sharing. For thousands of years, mankind has used narrative and storytelling as a way to convey knowledge. This dissertation discusses how the concepts of storytelling can be embodied in computational narrative and used as a top-level requirements specification. The definition of metapolicy is further discussed, as is the relationship between the metapolicy and various access control mechanisms. The use of storytelling to derive the metapolicy and its applicability to formal requirements definition is discussed. The author\u27s hypothesis on the use of narrative to explain security policy to the system user is validated through the use of a series of survey instruments. The survey instrument applies either a traditional requirements specification language or a brief narrative to describe a security policy and asks the subject to interpret the statements. The results of this research are promising and reflect a synthesis of the disciplines of neuroscience, security, and formal methods to present a potentially more comprehensible knowledge representation of security policy

Designing learning-skills towards industry 4.0

The world is shrinking now more than ever due to new scientific and technological breakthroughs that expand the boundaries of human knowledge, resulting in improvements in transportation, communication, space exploration and educational technologies. Today’s students will compete in a technological, diverse, multi-cultural world and must be prepared to thrive in this futuristic environment. Therefore, it is vital that today’s pedagogy produce lifelong learners, who can succeed in a global pulpit. To ensure our educational technology progresses at the rate demanded by today’s ubiquitous digital learners, we review emerging technologies and traditional teaching methods and propose desirable changes. Future companies will need employees with specific Internet of Things connected additive manufacturing skills across the value stream, including computer-aided design, machine operation, raw material development, robotics and supply chain management; but these are only island of excellence in industry 4.0 and not the consummate requirement of the manufacturing process

Walking the talk in digital transformation of regulatory review

Cloud-based regulatory platforms have the potential to substantially transform how regulatory submissions are developed, transmitted, and reviewed across the full life cycle of drug development. The benefits of cloud-based submission and review include accelerating critical therapies to patients in need globally and efficiency gains for both drug developers and regulators. The key challenge is turning the theoretical promise of cloud-based regulatory platforms into reality to further the application of technology in the regulatory processes. In this publication we outline regulatory policy journeys needed to effect the changes in the external environment that would allow for use of a cloud-based technology, discuss the prerequisites to successfully navigate the policy journeys, and elaborate on future possibilities when adoption of cloud-based regulatory technologies is achieved

Challenges in Cybersecurity and Privacy - the European Research Landscape

Cybersecurity and Privacy issues are becoming an important barrier for a trusted and dependable global digital society development. Cyber-criminals are continuously shifting their cyber-attacks specially against cyber-physical systems and IoT, since they present additional vulnerabilities due to their constrained capabilities, their unattended nature and the usage of potential untrustworthiness components. Likewise, identity-theft, fraud, personal data leakages, and other related cyber-crimes are continuously evolving, causing important damages and privacy problems for European citizens in both virtual and physical scenarios. In this context, new holistic approaches, methodologies, techniques and tools are needed to cope with those issues, and mitigate cyberattacks, by employing novel cyber-situational awareness frameworks, risk analysis and modeling, threat intelligent systems, cyber-threat information sharing methods, advanced big-data analysis techniques as well as exploiting the benefits from latest technologies such as SDN/NFV and Cloud systems. In addition, novel privacy-preserving techniques, and crypto-privacy mechanisms, identity and eID management systems, trust services, and recommendations are needed to protect citizens’ privacy while keeping usability levels. The European Commission is addressing the challenge through different means, including the Horizon 2020 Research and Innovation program, thereby financing innovative projects that can cope with the increasing cyberthreat landscape. This book introduces several cybersecurity and privacy research challenges and how they are being addressed in the scope of 15 European research projects. Each chapter is dedicated to a different funded European Research project, which aims to cope with digital security and privacy aspects, risks, threats and cybersecurity issues from a different perspective. Each chapter includes the project’s overviews and objectives, the particular challenges they are covering, research achievements on security and privacy, as well as the techniques, outcomes, and evaluations accomplished in the scope of the EU project. The book is the result of a collaborative effort among relative ongoing European Research projects in the field of privacy and security as well as related cybersecurity fields, and it is intended to explain how these projects meet the main cybersecurity and privacy challenges faced in Europe. Namely, the EU projects analyzed in the book are: ANASTACIA, SAINT, YAKSHA, FORTIKA, CYBECO, SISSDEN, CIPSEC, CS-AWARE. RED-Alert, Truessec.eu. ARIES, LIGHTest, CREDENTIAL, FutureTrust, LEPS. Challenges in Cybersecurity and Privacy - the European Research Landscape is ideal for personnel in computer/communication industries as well as academic staff and master/research students in computer science and communications networks interested in learning about cyber-security and privacy aspects

CONTEXT BASED ANDROID APPLICATIONADMINISTRATIVE ACCESS CONTROL (CBAA–AAC) FOR SMART PHONES

Android applications in smart phones are generally towards provide greater flexibility and convince for users. Considering the fact that the Android applications are having privilege to access data and resources in mobile after it gets installed (one time permission provided by end user on the time installation), these application may also lead to issues in security for the user data as well as issues relate smart phone with peripheral environment. A practical example for an issue which relates smart phone with peripheral environment can be even an Android smart phone application of a college student use camera resource to capture photos of R&D cell and transfer without user or organization permission. The security of the organization and user should be prevented by providing an adoptable solution. The proposed concept of CBAA-AAC (Context Based Android Application Administrative Access Control) is used to control the privileges of any Android application over a corresponding longitude and latitude by the organization administrator. In this way, administrator is able to block malicious application of every individual smart phone which can have activity towards utilizing services and resources that may affect the security of the organization, such an move is must for assuring security of any organization and educational institutions while they allow users to “bring their own smart phones/mobile devices” into the campus

FAIR Metadata Standards for Low Carbon Energy Research—A Review of Practices and How to Advance

The principles of Findability, Accessibility, Interoperability, and Reusability (FAIR) have been put forward to guide optimal sharing of data. The potential for industrial and social innovation is vast. Domain-specific metadata standards are crucial in this context, but are widely missing in the energy sector. This report provides a collaborative response from the low carbon energy research community for addressing the necessity of advancing FAIR metadata standards. We review and test existing metadata practices in the domain based on a series of community workshops. We reflect the perspectives of energy data stakeholders. The outcome is reported in terms of challenges and elicits recommendations for advancing FAIR metadata standards in the energy domain across a broad spectrum of stakeholders