Representing Internet of Things, Cloud and Edge Computing Security and Privacy Policies and Detecting Potential Problems
The Internet of Things (IoT), with its widespread applications, is increasingly transforming society and becoming an integral part of our daily lives, as seen in its use in vaccine shipment and healthcare delivery. Ensuring security and privacy in the IoT requires a comprehensive end-to-end strategy from manufacturing to decommissioning and involves a collaborative ecosystem of stakeholders, including application developers, IoT device manufacturers, network providers, platform providers, and end-users.
Cloud computing accelerates the growth and adoption of the IoT by providing a scalable and resilient infrastructure required to ingest, store, process, analyze, and visualize the increasing amount of data generated by billions of devices and sensors. Pairing the IoT with cloud computing opens up new possibilities in the world of IoT applications. However, this pairing adds complexities in managing security and privacy requirements, given that cloud computing involves multiple stakeholders, with each stakeholder having a unique requirement. Adding to the complexity is that cloud computing often involves multiple clouds (private cloud and public cloud).
Edge computing complements the IoT and the cloud by providing computing power, networking, and storage close to the data source. With edge computing, data can be stored and processed in the edge instead of the cloud, improving latency and responsiveness. Combining the three technologies delivers even more use cases, especially those relying on low latencies.
We posit that to ensure security and privacy in the IoT and cloud and edge computing, a policy-based approach to capture and validate policies at the abstract level should be adopted. However, IoT security and privacy are often implemented as an afterthought or add-on.
Policies are often stated in an informal and ad hoc manner, leading to policy conflicts, incompleteness, ambiguity, and inconsistencies.
This dissertation presents iCerberus, a framework for representing IoT security and privacy policies and detecting potential problems in the policies. iCerberus adopts an object and goal-oriented approach and consists of 1) a domain-specific ontology for modeling IoT security and privacy policies, 2) a notation for representing cloud security and privacy policies, 3) a set of guidelines and rules for detecting IoT policy errors, and 4) a tool for capturing, describing and validating cloud, IoT and edge security and privacy policies.
To validate iCerberus, we applied the framework to three use cases in different application domains. We also tested our framework's expressive power and error detection capacity by expressing ad hoc policies extracted from a real-world IoT application. Using this framework's notation, we expressed over 90% of the ad hoc policies and detected several errors in the policies. The results showed our framework's ability to help discover policy errors, which would otherwise go undetected or, in many cases, be detected a posteriori at runtime.