Since IoT application systems operate in multi-user, multi-tasking environments, this creates opportunities for unauthorized use of system resources. Therefore, it is imperative to take effective security measures for computers and their network systems to prevent unauthorized users from entering the system and legitimate users from using system resources illegally.
This necessitates the use of an access control system, which encompasses three aspects.
① Legality: Prevent unauthorized users from illegally entering the system, and prevent legitimate users from illegally using system resources.
② Integrity: In the series of steps including data collection, information transmission, and information storage, the data information must be kept intact and cannot be arbitrarily added, deleted, or modified.
③ Timeliness: Within a certain time frame, ensure that system resources cannot be tampered with or used by unauthorized users, and guarantee the integrity of the system within the time frame.
Access control allows the system to prevent and block unauthorized users from accessing operating system resources.
I. Basic Principles of Access Control
Access control mechanisms are used to implement policies that restrict access to resources, granting access only to authorized users. Strict procedures for requesting, creating, issuing, and revoking user authorizations, as well as mechanisms for managing and monitoring user accountability, should be established.
To ensure system security, authorization should adhere to three basic principles of access control.
1. Principle of Least Privilege
The principle of least privilege is one of the most fundamental principles of system security. Least privilege refers to "the privileges that are absolutely necessary for each entity (user or process) in the network to perform a certain operation." The principle of least privilege means that "the minimum privileges required for each entity in the network should be limited to ensure that losses caused by possible accidents, errors, tampering with network components, etc., are minimized."
The principle of least privilege ensures that a user's power cannot exceed the permissions required to perform a task. On the one hand, the principle of least privilege grants subjects the "essential" privileges, guaranteeing that all subjects can complete the necessary tasks or operations under the granted privileges; on the other hand, it only grants subjects the "essential" privileges, which also limits the operations that each subject can perform.
2. Principle of Multi-person Responsibility
Multi-person responsibility means decentralized authorization. Functionally, key tasks are divided among several people so that no single person holds all the authorization or information needed to complete the task. For example, responsibility is split so that no one person holds the complete key.
3. Principle of Separation of Duties
Separation of duties is a fundamental principle of security. It refers to assigning different responsibilities to different personnel to achieve a system of checks and balances, eliminating the risk of one person performing two incompatible tasks. For example, the positions of cashier, teller, and auditor should be held by different people. Separation of duties should also be applied in a computer environment: to avoid security vulnerabilities, certain permissions must not be granted to the same user simultaneously.
II. Basic Concepts of Access Control
1. Access control functions
Access control should have key functions such as authentication, authorization, file protection, and auditing.
1.1 Authentication
Authentication verifies a user's identity. Authentication must work in conjunction with an identifier. The authentication process first requires the user to enter a username, user identifier, or registration identifier to claim an identity. The username should be confidential and not held by any other user. However, because a username or user identifier may be disclosed and then misused for unauthorized access, further authentication technology is needed to verify that the user's claimed identity is legitimate.
1.2 Authorization
After the system correctly authenticates a user, it assigns them different resources based on their unique identifier; this task is called authorization. Authorization is achieved through access control. Access control is a special task that uses an identifier (ID) as a key to control which programs and data a user can access. Access control is primarily used on critical nodes, hosts, and servers, and less so on general nodes. In practical applications, user access permissions are typically defined based on three aspects: user type, application resources, and access rules.
① User Type. Even for a user who has been identified and authenticated by the system, certain restrictions must be placed on their access operations. In a general computer system, the user base is broad, with different levels and permissions. User types typically include system administrators, regular users, audit users, and unauthorized users.
System administrators have the highest privileges, granting access to all resources within the system and all types of access rights. Regular users face certain restrictions on their access, with system administrators assigning different access rights to these users as needed. Audit users are responsible for auditing the overall system security controls and resource usage. Unauthorized users are those whose access rights have been revoked or who have been denied access to the system.
② Application Resources. Application resources refer to system resources that can be shared by every user in the system. The system needs to protect system resources; therefore, an Access Control Packet (ACP) needs to be defined for each protected resource. The ACP will create an Access Control List (ACL) for each resource or resource group, describing which user can use which resource and how to use it.
③ Access Rules. Access rules define the conditions under which access to a resource is permitted. Generally, a rule pairs a user with a resource and specifies which operations the user may perform on that resource, such as read-only, no execution, or no access. These rules are determined by the system administrators responsible for implementing security policies, following the principle of least privilege: when a user is granted access to a resource, only the minimum privileges needed for that resource are permitted. For example, if a user needs only read access, read-write access should not be granted.
1.3 File Protection
File protection refers to the additional protection provided to files, which prevents unauthorized users from reading them. This is typically achieved through file encryption.
1.4 Audit
Auditing is the process of recording all activities performed on a user's system, including the time, date, and activity of users violating security regulations. Because the amount of data that can be collected is potentially enormous, a good auditing system should have tools to filter data and report audit logs. Furthermore, these tools should allow for further analysis and processing of the audit logs.
2. Key Elements of Access Control
Access control refers to the process by which, according to a control policy, a subject is granted different levels of access to an object or other resources. Access control comprises three elements: subject, object, and control policy.
2.1 Subject
A subject is an active entity that causes information to flow between objects. A subject typically refers to a user, but a job or device can also be a subject. Therefore, a user operating on a file is a subject, a job scheduled and run by a user is a subject, and a device detecting power failures is also a subject. In most interactive systems, the process works as follows: a user first registers in the system, then starts a process to complete a task; this process inherits the access permissions of the user who started it. In this case, the process is also a subject.
2.2 Object
An object is an information entity in itself, or a carrier that receives information from other subjects or objects. An object is not limited by the system it depends on; it can be a record, data block, storage page, storage segment, file, directory, directory tree, mailbox, message, program, etc., or it can be a bit, byte, word, domain, processor, communication line, clock, network node, etc.
In some systems, logically all objects are treated as files. Each hardware device is treated as an object, and therefore, each hardware device has corresponding access control information. If a subject intends to access a device, that subject must have appropriate access rights, and the device's security verification mechanism will verify those access rights.
2.3 Control Policy
A control policy is the set of operational behaviors and constraints that a subject may exercise on an object; equivalently, it is the set of control rules governing the subject's actions on the object. This set of rules directly defines the actions that the subject can take on the object and the conditional constraints that the object imposes on the subject. A control policy embodies an authorization: the permissions the subject holds over the object are exactly those allowed, and they cannot exceed this set of rules.
The three elements of an access control system can be represented by a triple (S, O, P), where S represents the subject, O represents the object, and P represents permission. A subject can only access an object after authentication, but this does not guarantee that it has the authority to perform operations on the object. A user identifier is a string used to identify a user; each user has one and only one unique user identifier to distinguish them from other users. When a user registers with the system, they must provide their user identifier, and then the system will perform a reliable verification to confirm that the current user is the one corresponding to the user identifier.
Current access control implementation models generally use the definitions of subject, object, and authorization, and the relationships between these three definitions to describe the system. Access control models can abstractly represent storage elements in a computer system. A fundamental problem that access control aims to solve is how an active object (such as a process) accesses a passive protected object (such as a file being accessed), and how this access is controlled according to security policies. The active object is called the subject, and the passive object is called the object.
For a secure system, or a system on which access control will be implemented, an access can have two kinds of effect on the accessed object: the extraction of information, or the insertion of information. Combining these, there are four access modes for the accessed object: "read-only", "read-only with modification", "modification only without reading", and "both read and modification".
3. Implementation of access control policies
Access control policies are one of the core strategies for IoT information security. Their task is to ensure that IoT information is not used or accessed illegally, to provide a framework for ensuring the security of information infrastructure, to provide secure methods for managing and accessing IoT resources, to stipulate the norms that each element must comply with and the responsibilities it should bear, and to provide a reliable basis for the security of IoT systems.
3.1 Basic Principles of Access Control Policies
The formulation and implementation of access control policies must revolve around the relationship between the subject, the object, and the set of control rules. Specific principles are as follows.
① The principle of least privilege. The principle of least privilege means that when a subject performs an operation, rights are allocated to the subject according to the principle of minimizing the rights required by the subject. The advantage of the principle of least privilege is that it limits the subject's authorized actions to the greatest extent, and can avoid the dangers from unexpected events, errors, and unauthorized users. That is, in order to achieve a certain purpose, the subject must perform certain operations, but the subject can only perform operations within the permitted scope.
② The principle of least disclosure. The principle of least disclosure means that when an entity performs a task, rights are allocated to the entity in accordance with the principle of minimizing the amount of information the entity needs to know.
③ Multi-level security principle. The multi-level security principle refers to dividing data flow and access control between subjects and objects according to security levels, including five levels: Top Secret, Secret, Confidential, Restricted, and No Level. The advantage of the multi-level security principle is that it can prevent the spread of sensitive information. For information resources with a security level, only subjects with a higher security level can access them.
3.2 Implementation methods of access control policies
Access control security policies include identity-based security policies and rule-based security policies. Currently, both of these security policies are based on authorization actions.
① Identity-based security policy
Identity-based security policies, consistent with authentication practices, aim to filter access to data or resources, ensuring that only authenticated entities can properly use the resources. Identity-based security policies include individual-based and group-based security policies.
Individual-based security policies are policies built around the user. These policies consist of lists that define which users can perform which policy actions for specific purposes.
Group-based security policies are an extension of individual security policies, meaning that some users are allowed to access the same objects using the same access control rules.
Identity-based security policies have two basic implementation methods: access capability tables and access control lists. Access capability tables provide access control structures for subjects, while access control lists provide access control structures for objects.
② Rule-based security policy
Authorization in rule-based security policies typically relies on sensitivity. In a security system, data or resources should be labeled with security tags. Processes acting on behalf of users can receive security tags corresponding to those of their originators.
When implementing rule-based security policies, the system determines whether to allow users to access resources by comparing the user's security level with the security level of the object resources.
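The two implementation structures of ① (an access control list indexed by object and an access capability table indexed by subject, both built from the same (S, O, P) triples) and the level comparison of ②, as an added Python example that is not code from the original text. Subject names, object names and their security labels are constructed for illustration, and "higher security level" is read as "not lower than the object's level", which is an assumption.

```python
from collections import defaultdict

# Security levels from the multi-level security principle, highest first.
LEVELS = ["Top Secret", "Secret", "Confidential", "Restricted", "No Level"]
RANK = {name: len(LEVELS) - i for i, name in enumerate(LEVELS)}

# Constructed (subject, object, permission) triples.
TRIPLES = [
    ("alice", "sensor_log", "read"),
    ("alice", "sensor_log", "modify"),
    ("bob", "sensor_log", "read"),
    ("audit", "audit_log", "read"),
]

# Constructed security labels for the rule-based policy.
SUBJECT_LEVEL = {"alice": "Secret", "bob": "Restricted", "audit": "Confidential"}
OBJECT_LEVEL = {"sensor_log": "Confidential", "audit_log": "Secret"}


def access_control_list(triples):
    """Object-oriented view: object -> {subject: set of permissions}."""
    acl = defaultdict(lambda: defaultdict(set))
    for subject, obj, perm in triples:
        acl[obj][subject].add(perm)
    return acl


def capability_table(triples):
    """Subject-oriented view: subject -> {object: set of permissions}."""
    cap = defaultdict(lambda: defaultdict(set))
    for subject, obj, perm in triples:
        cap[subject][obj].add(perm)
    return cap


def identity_allows(subject, obj, perm, triples=TRIPLES):
    """Identity-based policy: the permission must appear in the subject's capabilities."""
    return perm in capability_table(triples)[subject][obj]


def rule_allows(subject, obj):
    """Rule-based policy: subject level must not be lower than object level (assumption);
    an entity without a security label is denied."""
    if subject not in SUBJECT_LEVEL or obj not in OBJECT_LEVEL:
        return False
    return RANK[SUBJECT_LEVEL[subject]] >= RANK[OBJECT_LEVEL[obj]]


def decide(subject, obj, perm):
    """Grant access only when both the identity-based and the rule-based policy allow it."""
    return identity_allows(subject, obj, perm) and rule_allows(subject, obj)
```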