Analysis of identification and access management models in the context of fog computing

Anton Zahynei 1,†, Yurii Shcheblanin 2,†, Oleg Kurchenko 2,†, Iryna Melnyk 3,∗,† and Serhii Smirnov 4,†

1 State University of Information and Communication Technologies, 7 Solomyanska str., 03110 Kyiv, Ukraine
2 Taras Shevchenko National University of Kyiv, 60 Volodymyrska str., 01033 Kyiv, Ukraine
3 Borys Grinchenko Kyiv Metropolitan University, 18/2 Bulvarno-Kudriavska str., 04053 Kyiv, Ukraine
4 Central Ukrainian National Technical University, 8 University ave., 25006 Kropyvnytskyi, Ukraine

Abstract
The paper analyzes the methods of obtaining access to resources in the case of fog computing. The advantages and disadvantages of the Single Sign-On model, the Federated Identity Management model, the Role-Based Access Control model, the Attribute-Based Access Control model, and the Zero Trust Model are analyzed, and the models of obtaining access are compared in the context of fog computing.

Keywords
fog computing, IAM, FIM, SSO, RBAC, ZTM, ABAC

CPITS-II 2024: Workshop on Cybersecurity Providing in Information and Telecommunication Systems II, October 26, 2024, Kyiv, Ukraine
∗ Corresponding author.
† These authors contributed equally.
antonio.com237@gmail.com (A. Zahynei); sheblanin@ukr.net (Y. Shcheblanin); kurol@ukr.net (O. Kurchenko); iy.melnyk@kubg.edu.ua (I. Melnyk); smirnov.ser.81@gmail.com (S. Smirnov)
ORCID: 0000-0002-0303-8501 (A. Zahynei); 0000-0002-3231-6750 (Y. Shcheblanin); 0000-0002-3507-2392 (O. Kurchenko); 0000-0001-6041-6145 (I. Melnyk); 0000-0002-7649-7442 (S. Smirnov)
© 2024 Copyright for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).
CEUR Workshop Proceedings (ceur-ws.org), ISSN 1613-0073

1. Introduction

Fog computing is becoming more and more popular due to the large number of Internet of Things (IoT) applications and the increasing amount of information that needs to be processed and stored, which raises the requirements for information processing speed and for the resources where it is processed and stored. It is fog computing that provides data processing closer to the sources of its generation, which makes it possible to reduce delays and increase the productivity of such processing. However, given the spatial distribution of the technical means on which fog computing is implemented, certain problems arise related to the management of identification and authentication of users and processes in such systems. Therefore, the study of the effectiveness of certain types of authentication models is extremely relevant.

2. Fog computing

With the development of the Internet of Things, computing, and network technologies, a new approach to the implementation of distributed information systems has appeared: fog computing. Fog computing is an offshoot of the concept of cloud computing; it does not consist in transferring data to specialized processing centers, but in performing data processing closer to the sources of its generation, or in the sources themselves. This approach makes it possible to distribute the load between various devices, reducing data transmission delays and optimizing the use of resources, thus increasing the performance of information processing in distributed information systems [1].

Fog computing can be viewed as a hierarchical structure where data is processed at different levels, as shown in Fig. 1.

The cloud layer (Cloud) consists of centralized data centers that provide appropriate services and ensure a high level of computational power, data storage, and management of large volumes of data.

The fog layer (Fog) involves intermediate devices between centralized databases and the edge layer, meaning these are devices located at the periphery of the controlled area. Typically, these include intermediate routers or low-power data processing centers [2].

The edge layer (Edge) consists of devices that generate data and facilitate its transmission and exchange, often including IoT devices, sensors, smartphones, routers, etc. [3, 4].

Figure 1: The concept of fog computing

From the point of view of the efficiency of application and the protection of information, fog computing has several advantages [5].

1. Distribution of sources of data generation and processing. The distributed nature of fog computing makes it possible to reduce dependence on centralized cloud resources, which at the same time reduces dependence both on the information systems themselves and on external connections to cloud computing; this increases the availability of the information to be processed and the survivability of the system as a whole.

2. Proximity to the data source. Proximity to the data source primarily ensures a reduction in delay time, correspondingly increasing the speed of data processing, and also allows controlling the perimeter where the fog nodes are located, thereby ensuring the protection of devices and the confidentiality of information, because it does not leave the controlled area.

3. Scalability and heterogeneity. Fog computing makes it easy to add a variety of new nodes and devices, thereby increasing the performance of distributed information systems. Nodes and devices can be IoT devices, network elements, servers, and even mobile devices, etc. [6–10].

3. Security issues in fog computing

However, when operating information systems built using fog computing, information security specialists face numerous security challenges, especially when it comes to ensuring the identity and access management process. The distributed nature of fog computing and the use of a large number of diverse devices create risks related to unauthorized access and data compromise.

Fog computing, using numerous nodes which by their characteristics are located on the border of the controlled zone, creates difficulties in the centralized management of identification and access. It is the lack of a single point of control that makes it difficult to implement uniform access policies. In addition, the dynamic nature of the fog environment (connecting and disconnecting devices and their migration) makes the identification and access management procedure more complex, and therefore the detection of new devices and the verification of their reliability are key tasks [3].

Many fog nodes and devices operating in the fog environment use only one-factor authentication (PIN code, password, etc.), which makes the entire information system vulnerable to attacks such as brute force and social engineering [11]. At the same time, the use of multi-factor authentication can significantly complicate the processes of identity and access management and create an additional load on fog computing nodes, which will lead to a decrease in device performance. From this, it can be concluded that in information systems built using fog computing, especially those deployed on critical infrastructure facilities, where unauthorized access can lead to catastrophic consequences, creating a reliable identity and access management system is an important task [5].

4. Description of authentication models and IAM

Identity and Access Management (IAM) [12] models can be used to solve this task. These models make it possible to implement processes of identification and access management of users and devices in different domains, using a single identification (Single Sign-On) or other management methods, reducing the need for duplicating accounts and saving passwords in different elements of the system.

The main types of IAM models include Single Sign-On (SSO), Federated Identity Management (FIM), Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC), Context-Based Access Control (CBAC), and the Zero Trust Model (ZTM) [13].

Let us consider the basic principles of the functioning of IAM models.

4.1. Single sign-on model

The Single Sign-On (SSO) model is based on one-time authentication within a session, after which the user gains access to many systems and applications without the need to re-enter credentials [14]. The principle of implementation of the SSO model is shown in Fig. 2. This model significantly increases convenience for users, because there is no need to generate and store credentials for each system.

Figure 2: SSO model

According to Fig. 2, in the first stage the user accesses the service provider; then the service provider identifies the user and sends a request for this user's authentication information to the identity provider. In the third stage the user logs into the identity provider, after which the identity provider responds with the user's authentication information.

In addition, using the SSO model provides centralized management of identity and access to multiple resources of the organization. These advantages create a rather high risk that, in case of compromise of one account, an attacker will be able to gain access to all connected systems; therefore the effectiveness of this model as a whole depends directly on the reliability of the security system, which should provide stable protection against attacks on authentication data. Most often, this model is used in corporate networks and cloud services, in particular on SaaS platforms, where users, after logging in once, get appropriate access to several interconnected applications.

4.2. Federated identity management model

The Federated Identity Management (FIM) model envisages the implementation of a single user identification system that allows access to the resources of many different organizations or domains using a single account, based on trust relationships between organizations that ensure effective interaction between them, so that users do not need to create different accounts for each system [15]. This model effectively centralizes the inter-organizational level of access management, therefore increasing the level of security through unified identification. This requires high-level coordination and complex management of access policies and security, so configuring and maintaining such a model can be a major challenge. FIM finds its main application among enterprises, government structures, or organizations that often interact with each other and therefore need to share resources or data using a single identity and access management mechanism.

Figure 3: FIM model

The figure shows how clients authenticate through their identity provider (step 1). After the client is successfully authenticated, the identity provider issues a token. The client terminal forwards this token to Enterprise B's federation provider, which trusts the tokens issued by the identity provider and issues a token that is valid for Enterprise B's federation provider (step 2). If necessary, before returning the new token to the client terminal, the federation provider converts the assertions in the token to those recognized by certain resources (step 3). Enterprise B's resources trust the tokens issued by Enterprise B's federation provider and use the assertions in the token to apply authorization rules (step 4).

4.3. Role-based access control model

The Role-Based Access Control (RBAC) model is based on the concept that access to resources in an organization is determined by roles that are assigned to users according to their job duties; these roles grant certain access rights to systems or data, which simplifies access management by standardizing rights for entire groups of users instead of setting individual rights for each employee [16]. While this approach allows for efficient management of large groups of users and reduces the risk of errors when setting up access, it has limited flexibility, as roles must be manually updated for each new role or change in responsibilities, which can be challenging in large-scale systems with frequent changes in company structure. This model is most often used in corporate management systems such as ERP (Enterprise Resource Planning) and CRM (Customer Relationship Management), where users' access to information resources is strictly controlled depending on their role in the organization.

Figure 4: RBAC model

4.4. Attribute-based access control model

The Attribute-Based Access Control (ABAC) model is more complex and flexible than RBAC because it allows access to be granted based not only on roles, but also on other attributes of the user, objects, or environment, such as the user's location, time of day, type of requested data, or even the state of the device from which access is requested, allowing fine-tuning of access rights based on multiple conditions and context [17]. The main advantage of this approach is that it allows dynamic and precise access control, especially in complex and changing environments, but its implementation requires complex settings and significant resources to support a large number of rules and attributes, which can be a challenge for organizations with limited technical capabilities. ABAC is an ideal model for use in government systems or organizations with high-security requirements, where multiple factors must be considered when making access decisions.

Figure 5: ABAC model

4.5. Zero trust model

The Zero Trust Model (ZTM) is fundamentally different from traditional approaches to security, as it is built on the principle that no user or device can be trusted by default, even if it is inside the corporate network, and every access request must be thoroughly vetted and authorized regardless of the user's location or the status of their device, which makes it possible to effectively protect systems from unauthorized access and internal threats [18–26]. This approach provides the maximum level of security, as all actions are verified in real time; however, the implementation of the Zero Trust Model is technically complex and requires integration with many existing systems, which can increase the cost of its implementation and reduce productivity due to constant checks [27]. The main applications of this model are organizations with high-security requirements, such as financial institutions or government agencies, as well as companies operating in cloud or hybrid environments where multiple access points need to be protected.

Each of the considered models of identity and access management has its advantages and disadvantages, which determine the feasibility of their use on different occasions. The SSO and FIM models provide convenience and centralized management but require robust security. RBAC is easier to implement, but less flexible than ABAC or CBAC, which provide more opportunities to manage access in a changing environment but require significant resources to implement. Finally, the Zero Trust Model provides the highest level of security but is complex to configure and integrate, making it relevant for highly secure environments.

In the case of using these models in a fog environment to manage the identity and access of devices, certain difficulties arise regarding their application, and as a result security risks that cannot be accepted are increased, namely:

• Single Sign-On provides a single sign-on to access various fog nodes, which provides convenience for users, but if this single account is compromised, an attacker can gain access to many fog nodes and resources, which increases security risks.
• Federated Identity Management is appropriate to use in the case of a shared cloud environment between different organizations or domains, which provides flexibility and scalability of such an environment. However, this creates difficulties in terms of coordination between organizations, as well as in maintaining agreed access policies.
• Role-Based Access Control defines access to fog nodes based on user roles, which provides ease of configuration and access control, as well as flexibility for typical roles; but this flexibility is limited because it can only be applied to well-defined users, and to manage new ones a constant upgrade of the entire identity and access management system is required to meet the dynamic nature of fog computing.
• Attribute-Based Access Control is a flexible approach that can be effectively applied to build an identity and access control system in fog computing, because it uses attributes of the user, environment, and resources to determine access to fog nodes, which can ensure the reliability of access control and adaptation to dynamic changes in the environment. However, the effective use of this method is possible only in the case of applying complex policies for the management of identification and access processes, which require constant control.
• Zero Trust Model ensures the maximum level of security by checking every access request regardless of other factors and circumstances. It is suitable for distributed and heterogeneous fog environments with a high level of threat probability and the need to perform full access verification. At the same time, the complexity of implementing and administering such a system forces one to weigh the risks and feasibility of using ZTM.

5. Conclusions

Fog computing is a distributed architecture where data processing and storage take place closer to end devices, unlike traditional cloud computing. Identity and Access Management (IAM) in such an environment faces unique challenges due to the dynamism, distribution, and limited resources of fog nodes. Choosing the right IAM models is important to ensure the security and efficiency of fog systems.

One of the more effective IAM models in the framework of fog computing is Attribute-Based Access Control. The ABAC model allows the use of user, device, and context attributes (such as location, time, or device specifications) to control access to resources. In fog computing, this is important to ensure accurate access control, taking into account a variety of conditions and dynamic contexts. The use of attributes such as device state, geolocation, and fog node load level provides flexible access control that adapts to environmental conditions. This is especially relevant for IoT networks, where end devices are dynamic and change their status.

In fog computing, there is often a need to integrate different systems and services that may be managed by different organizations or companies. The FIM model allows different systems to trust a user's identification data without having to store this data in each system separately.

The ABAC and FIM models appear to be more effective for providing IAM in fog computing, but it is the combination of FIM and ABAC that allows for simultaneous centralized authentication (via federation) and flexible access control based on contextual attributes.
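As an added illustration (not code from the paper), the following Python sketch ties together the FIM flow of Section 4.2 (identity provider token, federation provider re-issuing it with converted assertions, resource applying authorization rules) with an ABAC policy over the attributes named in the conclusions: device state, geolocation, time of day and fog node load. The HMAC-signed token format, the shared keys, the attribute names, the role-to-clearance mapping and the thresholds are all constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime
from typing import Optional, Tuple

# Constructed shared secrets standing in for the trust relationships of Fig. 3:
# Enterprise A's identity provider -> Enterprise B's federation provider, and the
# federation provider -> Enterprise B's fog resources (hypothetical values).
IDP_KEY = b"idp-a-demo-key"
FED_KEY = b"fed-b-demo-key"


def issue_token(claims: dict, key: bytes) -> str:
    """Toy token format: base64url(JSON claims) + '.' + HMAC-SHA256 tag."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_token(token: str, key: bytes) -> Optional[dict]:
    """Return the claims only if the tag verifies under `key`; None otherwise."""
    body, _, tag = token.partition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


def federation_provider(idp_token: str) -> Optional[str]:
    """Fig. 3, steps 2-3: trust the IdP token, convert its assertions to the
    attribute names Enterprise B's fog resources recognise, re-issue under FED_KEY."""
    claims = verify_token(idp_token, IDP_KEY)
    if claims is None:
        return None  # issuer not trusted: no federation token is issued
    clearance = {"engineer": "operational", "auditor": "read-only"}.get(claims.get("role"), "none")
    mapped = {
        "subject": claims["sub"],
        "clearance": clearance,
        "device_attested": claims.get("device_state") == "healthy",
        "issuer": "fed-b",
    }
    return issue_token(mapped, FED_KEY)


# ABAC policy (Fig. 3, step 4 / Section 4.4): named predicates over subject (s),
# resource (r) and environment (e) attributes the paper lists: clearance, device
# state, geolocation, time of day and fog node load. Thresholds are illustrative.
RULES = [
    ("known_clearance", lambda s, r, e: s["clearance"] in ("operational", "read-only")),
    ("write_needs_operational", lambda s, r, e: r["action"] == "read" or s["clearance"] == "operational"),
    ("device_attested", lambda s, r, e: s["device_attested"]),
    ("inside_controlled_area", lambda s, r, e: e["location"] == r["site"]),
    ("working_hours", lambda s, r, e: 6 <= datetime.fromisoformat(e["time"]).hour < 22),
    ("node_not_overloaded", lambda s, r, e: r["action"] == "read" or e["node_load"] < 0.9),
]


def decide(fed_token: str, resource: dict, env: dict) -> Tuple[bool, str]:
    """Fog resource's decision: verify the federation token, then evaluate every ABAC
    rule; returns (allowed, reason) so that denials can be logged and monitored."""
    subject = verify_token(fed_token, FED_KEY)
    if subject is None or subject.get("issuer") != "fed-b":
        return False, "untrusted_token"
    for name, rule in RULES:
        if not rule(subject, resource, env):
            return False, name
    return True, "allow"


if __name__ == "__main__":
    # Constructed sample: an engineer's gateway authenticated at Enterprise A's IdP (step 1).
    idp_tok = issue_token({"sub": "gw-17", "role": "engineer", "device_state": "healthy"}, IDP_KEY)
    fed_tok = federation_provider(idp_tok)
    env = {"location": "plant-1", "time": "2024-10-26T10:30:00", "node_load": 0.4}
    print(decide(fed_tok, {"site": "plant-1", "action": "write"}, env))  # (True, 'allow')
```

The returned reason string is what a fog node would write to its audit log; a burst of `untrusted_token` or `device_attested` denials from one subject is the signal a monitoring pipeline would key on.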
Thus, in general, the most effective principle of identity and access management will be the combination of the ABAC and FIM models. However, depending on the context of use, the combination options may differ, which is the subject of further research.

References

[1] M. Iorga, et al., Fog Computing Conceptual Model, Natl. Inst. Stand. Technol., NIST Special Publication 500-325 (2018). doi: 10.6028/NIST.SP.500-325.
[2] A. S. M. Kayes, et al., A Survey of Context-Aware Access Control Mechanisms for Cloud and Fog Networks: Taxonomy and Open Research Issues, Sensors, 20(9) (2020) 2464. doi: 10.3390/s20092464.
[3] W. Shafik, S. A. Mostafavi, Fog Computing Architectures, Privacy and Security Solutions, Journal of Communications Technology, Electronics and Computer Science, 24 (2019).
[4] O. Shevchenko, et al., Methods of the Objects Identification and Recognition Research in the Networks with the IoT Concept Support, in: Cybersecurity Providing in Information and Telecommunication Systems, vol. 2923 (2021) 277–282.
[5] A. Zahynei, et al., Method for Calculating the Residual Resource of Fog Node Elements of Distributed Information Systems of Critical Infrastructure Facilities, in: Cybersecurity Providing in Information and Telecommunication Systems, vol. 3654 (2024) 432–439.
[6] V. Dudykevych, et al., Platform for the Security of Cyber-Physical Systems and the IoT in the Intellectualization of Society, in: Workshop on Cybersecurity Providing in Information and Telecommunication Systems, CPITS, vol. 3654 (2024) 449–457.
[7] Y. Sadykov, et al., Technology of Location Hiding by Spoofing the Mobile Operator IP Address, in: IEEE International Conference on Information and Telecommunication Technologies and Radio Electronics (2021) 22–25. doi: 10.1109/UkrMiCo52950.2021.9716700.
[8] Y. Shcheblanin, et al., Research of Authentication Methods in Mobile Applications, in: Cybersecurity Providing in Information and Telecommunication Systems, vol. 3421 (2023) 266–271.
[9] O. Mykhaylova, et al., Mobile Application as a Critical Infrastructure Cyberattack Surface, in: Workshop on Cybersecurity Providing in Information and Telecommunication Systems II, CPITS-II, vol. 3550 (2023) 29–43.
[10] O. Mykhaylova, et al., Person-of-Interest Detection on Mobile Forensics Data—AI-Driven Roadmap, in: Workshop on Cybersecurity Providing in Information and Telecommunication Systems, CPITS, vol. 3654 (2024) 239–251.
[11] H. Noura, et al., Preserving Data Security in Distributed Fog Computing, Ad Hoc Networks, 94 (2019) 101937. doi: 10.1016/j.adhoc.2019.101937.
[12] C. Singh, J. Warraich, R. Thakkar, IAM Identity Access Management—Importance in Maintaining Security Systems within Organizations, European J. Eng. Technol. Res. 8(4) (2023) 30–38.
[13] B. Cremonezi, et al., Identity Management for Internet of Things: Concepts, Challenges and Opportunities, Comput. Commun. 224 (2024) 72–94. doi: 10.1016/j.comcom.2024.05.014.
[14] S. Mookherji, et al., Fog-Based Single Sign-On Authentication Protocol for Electronic Healthcare Applications, IEEE Internet of Things Journal, 1 (2023). doi: 10.1109/jiot.2023.3242903.
[15] Y. Imine, A. Gallais, Y. Challal, An Efficient Federated Identity Management Protocol for Heterogeneous Fog Computing Architecture, in: 2022 International Conference on Software, Telecommunications and Computer Networks (SoftCOM) (2022). doi: 10.23919/SoftCOM55329.2022.9911414.
[16] M. A. Aleisa, A. Abuhussein, F. T. Sheldon, Access Control in Fog Computing: Challenges and Research Agenda, IEEE Access, 8 (2020) 83986–83999. doi: 10.1109/access.2020.2992460.
[17] Q. Xu, et al., Secure Data Access Control for Fog Computing based on Multi-Authority Attribute-Based Signcryption with Computation Outsourcing and Attribute Revocation, Sensors, 18(5) (2018) 1609. doi: 10.3390/s18051609.
[18] M. Ahmed, K. Petrova, A Zero-Trust Federated Identity and Access Management Framework for Cloud and Cloud-based Computing Environments, WISP 2020 Proceedings, 4 (2020).
[19] S. O. Ogundoyin, I. A. Kamil, Secure and Privacy-Preserving D2D Communication in Fog Computing Services, Comput. Netw. 210 (2022) 108942. doi: 10.1016/j.comnet.2022.108942.
[20] S. Balamurugan, et al., New Advanced Society: Artificial Intelligence and Industrial Internet of Things Paradigm, John Wiley & Sons, Limited (2022).
[21] R. Bensaid, Security and Privacy Issues in Fog Computing for the Internet of Things, unpublished PhD thesis, Abu Bekr Belkaid University (2023).
[22] M. Whaiduzzaman, et al., HIBAF: A Data Security Scheme for Fog Computing, Journal of High Speed Networks, 27(4) (2021) 381–402. doi: 10.3233/jhs-210673.
[23] B. A. Mohammed, et al., FC-PA: Fog Computing-Based Pseudonym Authentication Scheme in 5G-Enabled Vehicular Networks, IEEE Access, 11 (2023) 18571–18581. doi: 10.1109/access.2023.3247222.
[24] A. Murugesan, et al., Analysis on Homomorphic Technique for Data Security in Fog Computing, Transactions on Emerging Telecommunications Technologies (2020). doi: 10.1002/ett.3990.
[25] R. El Sibai, et al., A Survey on Access Control Mechanisms for Cloud Computing, Transactions on Emerging Telecommunications Technologies, 31(2) (2019). doi: 10.1002/ett.3720.
[26] M. Al-khafajiy, et al., COMITMENT: A Fog Computing Trust Management Approach, Journal of Parallel and Distributed Computing, 137 (2020) 1–16. doi: 10.1016/j.jpdc.2019.10.006.
[27] P. Skladannyi, et al., Improving the Security Policy of the Distance Learning System based on the Zero Trust Concept, in: Cybersecurity Providing in Information and Telecommunication Systems, vol. 3421 (2023) 97–106.