Risk-Aware Lightweight Data Access Control for Cloud-Assisted IIoT: A Zero-Trust Approach

Date

2024

Abstract

With the rapid advancement and application of digital technologies in industry, a large number of IoT devices are connected to internet-assisted cloud services. In such settings, the system may suffer from various security threats in which attackers exploit devices with inadequate security capabilities, transforming them into compromised entry points. Traditional data security models rely on static access control mechanisms that fail to consider the dynamic requirements of the Industrial IoT (IIoT) environment. In addition, they assume internal devices are secure, which may allow compromised devices to access sensitive information. Therefore, a robust, zero-trust security model is needed to prevent unauthorized access and data breaches in IIoT. In this poster, we propose a risk-aware access control framework utilizing zero-trust security principles to create and enforce dynamic and adaptive policies, thereby allowing the access control mechanism to continuously evolve in response to emerging threats and changing contexts. Our framework employs ciphertext-policy attribute-based encryption (CP-ABE) to dynamically authorize access requests, ensuring fine-grained access control and eliminating the requirement for a trusted intermediary. Furthermore, region-specific fog servers are utilized to continuously monitor the dynamic behavioural and contextual attributes of users to detect security violations and provide feedback to update access policies based on current network conditions. Our framework obfuscates access policy attributes during data sharing to protect confidentiality and offloads computationally intensive decryption tasks from resource-constrained devices, enhancing its practicability for secure and efficient data access management in IIoT. © 2024 ACM.

Keywords

Access Control; Attribute-Based Encryption; Dynamic Access Policy; Policy Obfuscation; Zero-Trust Security Model

Citation

0
