A security policy enforcement framework for controlling IoT tenant applications in the edge

In the context of edge computing, IoT-as-a-Service (IoTaaS) with IoT data hubs and execution services allow IoT tenant applications (apps) to be executed next to IoT devices, enabling edge analytics and controls. However, this brings up new security challenges on controlling tenant apps in IoTaaS, whilst the great potential of IoTaaS can only be realized by flexible security mechanisms to govern such applications. In this paper, we propose a Model-Driven Security policy enforcement framework, named MDSIoT, for IoT tenant apps deployed in edge servers. This framework allows execution policies specified at the model level and then transformed into the code that can be deployed for policy enforcement at runtime. Moreover, our approach supports for the interoperability of IoT tenant apps when deployed in the edge to access IoTaaS services. The interoperability is enabled by an intermediate proxy layer (gatekeeper) that abstracts underlying communication protocols to the different IoTaaS services from IoT tenant apps. Therefore, our approach supports different IoT tenant apps to be deployed and controlled automatically, independently from their technologies, e.g. programming languages. We have developed a proof-of-concept of the proposed gatekeepers based on ThingML, derived from execution policies. Thanks to the ThingML tool, we can generate platform-specific code of gatekeepers that can be deployed in the edge for controlling IoT tenant apps based on the execution policies.