A Framework for Representing Internet of things security and privacy policies and detecting potential problems

The Internet of Things (IoT), together with cloud computing, is increasingly being utilized to deliver innovative use cases in diverse application domains, such as in its use in the vaccine cold-chain supply and healthcare delivery. Ensuring security and privacy in the IoT is complicated and requires a policy-based approach that captures and validates policies in the early stages of IoT application development. However, IoT security and privacy are often implemented as an afterthought or add-on, and policies are often stated in an informal and ad-hoc manner, leading to policy conflicts, incompleteness, ambiguity, and inconsistencies. This paper proposes a framework for representing IoT security and privacy policies and detecting potential problems in the policies. Our framework adopts an object-oriented and goal-oriented approach and offers (1) A domain-specific ontology for modeling IoT security and privacy policies, (2) a notation for representing cloud security and privacy policies, (3) a set of guidelines and rules for detecting IoT policy errors, and (4) a tool for visually modeling and discovering problems with policies. An application of our framework on a collection of policies shows that it indeed helps to discover policy errors, which otherwise would go undetected or, in many cases, would be detected at runtime, leading to a possible undesirable outcome.