Next Generation Access Control as a support core system in the Arrowhead Framework

Abstract: In the fourth industrial revolution known as Industry 4.0, massive amounts of data is collected, processed and communicated by cyber-physical systems and Internet of Things (IoT). Although the nature of this data varies, industrial data is often proprietary and may cause harm to the data owner in the event of a resource leak. Nonetheless, Industrial Internet of Things (IIoT) and System of Systems (SoS) architectures frequently rely on data sharing in partner eco-systems to produce value, necessitating selective and granular access control to prevent sensitive data from being unintentionally shared. This thesis explores the possibilities of providing unified access control for services in the Arrowhead Framework (AF), a framework that provides an architecture for building IoT-based automation systems. Strong security mechanisms currently exist in AF for ensuring that access to services provided by constituent provider systems is only granted to authorized consumers. However, there is often a need for more dynamic and fine-granular access control than what is currently offered at an orchestration level. An Arrowhead system which employs a general policy language to express policy based access control can offer a broad and unified service solution, enabling frequent access queries from different application systems, dynamic policy change, and contextual policy variables. Such a system has the potential to be a highly versatile asset for policy enforcement in Arrowhead SoS, and may serve as a go-to support system in AF. Next Generation Access Control (NGAC) is an attribute-based access control (ABAC) standard based on relations between data elements to create, manage and enforce access control policies, and enables systematic access control with a high level of granularity. We examine how NGAC can be used to securely enforce access control policies for data sharing with AF, and present a SoS solution that demonstrates the use of NGAC as the access control model for a resource system. The solution includes an Arrowhead policy server that enables enforcement of ABAC for Arrowhead-compliant application systems. We further examine the possibilities of easing integration of Arrowhead systems, and present a Policy Enforcement Point (PEP) library for the policy server.