Author: Gökhan BAHÇE, Group Manager – Corporate Applications
The usage of the internet is increasing among users and, as a result, millions of different applications are under development. Applications are no longer used in isolation; they are used in interaction with each other. As the needs of users grow, more and more interactions are generated between applications, including using one application’s resources as input to another. In a typical scenario, a user has more than one application on the internet and wants her applications to interact and benefit from passing data to each other. In the future, the need for such interaction will grow even faster, together with the number of devices connected to the internet, a concept called IoT. According to the projection of Cisco, the number of devices connected to the internet is foreseen as 50 billion by 2020. Although the concept is promising and seems to lead to millions of possible scenarios, it brings some problems specific to the concept.
Identity and Access Management is a well-known concept, as old as the internet itself. By definition, a digital identity is the representation of a real person, used to prove who he is to applications in the digital world, and access management is making a digital resource accessible to a digital identity at the right time and for the right reasons. To address the problem of identity and access management, several standards and concepts have been proposed, aimed mostly at web applications. However, the IoT notion has defined new requirements and new problems. It can be anticipated that a large number of internet-connected devices will make lives easier in many aspects. However, administration of the devices will be a frustrating issue for regular users. Especially when it comes to managing identity and access management scenarios, a simple and usable way should be offered to the users. This problem seems to be the most important issue and is a reason IoT devices are not yet widely used in daily life.
The main idea behind the solutions proposed for the identity and access management issue is to handle the trade-off between security and usability. Making a simple, secure and usable solution for the access management problem becomes the main purpose, because a complex solution has no chance of being used by the wide range of internet users. Consequently, several standards have been proposed, of which we will cover only three:
OAuth is an open standard for authorization, commonly used as a way for internet users to log in to third-party websites using their Google, Facebook, Microsoft, Twitter, One Network, etc. accounts without exposing their password. It mainly focuses on delegated access and provides secure access to server resources on behalf of the resource owner. OAuth is much more like a framework than a defined protocol. Its main concern is one application getting authorized for another application’s resources belonging to the same user.
XACML stands for “eXtensible Access Control Markup Language”. The standard defines a declarative, fine-grained, attribute-based access control policy language, an architecture, and a processing model describing how to evaluate access requests according to the rules defined in policies. XACML does not handle user approval, delegated access or password management. XACML simply provides:
An access control architecture with the notion of a Policy Decision Point (PDP) and a Policy Enforcement Point (PEP).
A policy language with which to express a wide range of access control policies including policies that can use consents handled / defined via OAuth.
User-Managed Access (UMA) is a profile of OAuth 2.0. UMA defines how resource owners can control protected-resource access by clients operated by arbitrary requesting parties, where the resources reside on any number of resource servers, and where a centralized authorization server governs access based on resource owner policies. The purpose of the protocol specifications is to “enable a resource owner to control the authorization of data sharing and other protected-resource access made between online services on the owner’s behalf or with the owner’s authorization by an autonomous requesting party”. This purpose has privacy and consent implications for web applications and the Internet of Things (IoT), as explored by the collection of case studies contributed by participants in the standards group.
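The three standards above fit together in one decision pipeline: an XACML-style Policy Decision Point evaluates attribute-based rules, a Policy Enforcement Point acts only on an explicit Permit, and the attributes the PDP consults can include OAuth-style consent scopes granted to a client and UMA-style policies an owner has set for arbitrary requesting parties. The following Python block is an added illustration of that pipeline and is not code from the article or from any of the standards; the device names, users, scopes and the "owner-app" client are constructed sample data, and the rule set is a deliberately small ABAC policy over an owner's IoT devices.

```python
"""Toy XACML-style PDP/PEP over constructed IoT resources.

Added example, not part of the original article. All resources, users,
clients, scopes and policies below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

# Constructed attribute sources (the "policy information point" in XACML terms).
RESOURCES: Dict[str, Dict[str, str]] = {
    "thermostat-42": {"owner": "alice", "kind": "sensor"},
    "lock-7": {"owner": "alice", "kind": "actuator"},
}
# OAuth-style consents: (owner, client application) -> scopes the owner granted.
CONSENTS: Dict[Tuple[str, str], Set[str]] = {
    ("alice", "energy-dashboard"): {"sensor:read"},
}
# UMA-style owner policies held at a central authorization server:
# owner -> requesting party -> actions that party may perform.
OWNER_POLICIES: Dict[str, Dict[str, Set[str]]] = {
    "alice": {"bob": {"read"}},
}


@dataclass(frozen=True)
class Request:
    subject: str    # requesting party (a user)
    client: str     # application acting on the subject's behalf
    action: str     # "read" or "write"
    resource: str   # resource identifier


@dataclass(frozen=True)
class Rule:
    effect: str
    condition: Callable[[Request], bool]


def attr(req: Request, name: str) -> str:
    """Resource attribute lookup; raises KeyError for an unknown resource."""
    return RESOURCES[req.resource][name]


def owner_via_own_app(r: Request) -> bool:
    """The owner acting through her own application has full authority."""
    return attr(r, "owner") == r.subject and r.client == "owner-app"


def consented_scope(r: Request) -> bool:
    """A third-party client may act only within the scope the owner consented to."""
    scopes = CONSENTS.get((attr(r, "owner"), r.client), set())
    return f"{attr(r, 'kind')}:{r.action}" in scopes


def owner_policy_allows(r: Request) -> bool:
    """An arbitrary requesting party is governed by the owner's UMA-style policy."""
    return r.action in OWNER_POLICIES.get(attr(r, "owner"), {}).get(r.subject, set())


RULES: List[Rule] = [
    Rule(PERMIT, owner_via_own_app),
    Rule(PERMIT, consented_scope),
    Rule(PERMIT, owner_policy_allows),
    # Actuators (e.g. a door lock) are never driven by anyone but the owner herself,
    # whatever consent or owner policy says; deny-overrides makes this rule win.
    Rule(DENY, lambda r: attr(r, "kind") == "actuator"
         and r.action == "write" and not owner_via_own_app(r)),
]


def pdp_decide(req: Request) -> str:
    """Policy Decision Point: deny-overrides combination of all applicable rules."""
    results: List[str] = []
    for rule in RULES:
        try:
            if rule.condition(req):
                results.append(rule.effect)
        except KeyError:
            # XACML would report Indeterminate; map it to Deny so the PDP fails closed.
            results.append(DENY)
    if DENY in results:
        return DENY
    if PERMIT in results:
        return PERMIT
    return NOT_APPLICABLE


def pep_enforce(req: Request) -> bool:
    """Policy Enforcement Point: only an explicit Permit lets the request through."""
    return pdp_decide(req) == PERMIT


if __name__ == "__main__":
    for r in (Request("alice", "owner-app", "write", "lock-7"),
              Request("alice", "energy-dashboard", "read", "thermostat-42"),
              Request("alice", "energy-dashboard", "write", "thermostat-42"),
              Request("bob", "some-app", "read", "lock-7"),
              Request("bob", "some-app", "write", "lock-7")):
        print(r, "->", pdp_decide(r), "| enforced:", pep_enforce(r))
```

Two design choices carry the security point: the PEP treats NotApplicable the same as Deny, so a request no rule covers is refused rather than let through, and an attribute lookup failure also resolves to Deny. The consent rule shows why OAuth scopes belong in the policy as attributes: the owner's own identity behind a third-party client does not inherit her full authority, only the scope she consented to.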
We tried to evaluate the authorization control problem over IoT devices and explored three main standards that have been proposed in the literature. IoT has great potential and will play a significant role in our daily lives. Regular users will need a simple and usable method to manage access control on these devices, because IoT will become a much larger part of our lives than we can imagine.