Multilayer access control for connected devices

US10735965B2 · US · B2

Patent metadata
Field                Value
Publication number   US-10735965-B2
Application number   US-201615286821-A
Country              US
Kind code            B2
Filing date          Oct 6, 2016
Priority date        Oct 7, 2015
Publication date     Aug 4, 2020
Grant date           Aug 4, 2020

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

A system for controlling accesses to network enabled devices includes a network interface over which a hub communicates with network enabled devices, a processor, and a multilayer access control layer. The access control layer includes instructions that, when executed by the processor, cause the processor to detect, at the hub, a request representing an attempt by an application executing on a remote host device to access a network enabled device communicatively coupled to the hub, characterize the request according to a user of the remote host device, the application making the attempt, and the network enabled device, and determine whether to allow or deny the request based upon the characterization and a plurality of rules. The rules may include definitions of access rights, with respect to the network enabled device, for users, applications, commands or queries made by applications, remote host devices, and network domains.

First claim

Opening claim text (preview).

What is claimed is:

1. At least one non-transitory machine-readable storage medium, comprising computer-executable instructions carried on the machine readable medium, the instructions readable by a processor, the instructions, when read and executed, for causing the processor to: detect, at a hub in wireless communication with a network-enabled device, a request representing an attempt by an application executing on a remote host device to access the network-enabled device; characterize the request according to a user of the remote host device, the application making the attempt, and the network-enabled device using an access control layer on the hub, the access control layer to include a plurality of sublayers; filter the request, using a user access control sublayer of the access control layer, dependent on the user of the remote host device; associate a user tag with the request, the user tag indicating whether or not the user is registered with the access control layer on the hub; filter the request, using an application access control sublayer of the access control layer, dependent on the application making the attempt; associate an application tag with the request, the application tag indicating whether or not the application is recognized by the access control layer on the hub; filter the request, using a device access control sublayer of the access control layer, dependent on the remote host device; associate a device tag with the request, the device tag indicating whether or not the remote host device is registered with the access control layer on the hub; and block the request based upon the characterization and a plurality of rules, the rules to include definitions of access rights for one or more users with respect to the network-enabled device and definitions of access rights for one or more applications with respect to the network-enabled device, wherein one of the user tag, the application tag, and the device tag includes other of the user tag, the application tag, and the device tag.

2. The medium of claim 1, wherein: the request represents an attempt by an application executing on a remote host device to issue a particular command or query to the network-enabled device; to filter the request, using the application access control sublayer of the access control layer, the medium further comprises instructions for causing the processor to: filter the request, using the application access control sublayer of the access control layer, dependent on the particular command or query; the application tag further indicates whether or not the particular command or query is recognized by the access control layer on the hub as a command or query that is safe to issue to the network-enabled device or that is approved for issuance to the network-enabled device by the user.

3. The medium of claim 1, further comprising instructions for causing the processor to: filter the request, using a network access control sublayer of the access control layer, dependent on a network domain of a service through which the application is making the attempt; block the request to be passed to the network-enabled device, responsive to a determination that the network domain is known to be unsafe; log the request without passing it to the network-enabled device, responsive to a determination that the network domain is known to be unsafe or is unknown.

4. The medium of claim 3, further comprising instructions for causing the processor to: determine, using the network access control sublayer of the access control layer, whether the request was received from a remote host device on a local area network through which the network-enabled device and the hub are communicatively coupled; block the request to be passed to the network-enabled device responsive to a determination that the request was not received from a remote host device on the local area network through which the network-enabled device and the hub are communicatively coupled.

5. The medium of claim 1, wherein the request represents an attempt by an application executing on a remote host device to issue a command to the network-enabled device.

6. The medium of claim 1, wherein the request represents an attempt by an application executing on a remote host device to issue a query to the network-enabled device.

7. The medium of claim 1, further comprising instructions for causing the processor to: obtain the plurality of rules from multiple access maps stored in a memory on the hub, each access map to store access information for multiple pairings of entities of two of a plurality of entity types, the plurality of entity types including users, remote host devices, applications, network domains, and network-enabled devices.

8. The medium of claim 1, wherein to determine whether to allow or deny the request, the medium further comprises instructions for causing the processor to: generate, from the plurality of rules obtained from multiple access maps, an access policy that is specific to the request; evaluate the request and one or more tags associated with the request with respect to the generated access policy.

9. The medium of claim 8, further comprising instructions for causing the processor to: store the generated access policy in a cache on the hub; evaluate a second request representing an attempt by the application executing on the remote host device to access the network-enabled device and one or more tags associated with the second request with respect to the generated access policy without regenerating it.

10. A system, comprising: a network interface over which a hub is to communicate wirelessly with one or more network-enabled devices; a processor; at least one non-transitory machine-readable storage medium communicatively coupled to the processor, the medium comprising computer-executable instructions carried on the machine readable medium, the instructions readable by the processor, the instructions, when read and executed, for causing the processor to: detect, at the hub, a request representing an attempt by an application executing on a remote host device to access a network-enabled device of the one or more network-enabled devices in wireless communication with the hub over the network interface; characterize the request according to a user of the remote host device, the application making the attempt, and the network-enabled device using an access control layer on the hub, the access control layer to include a plurality of sublayers; filter the request, using a user access control sublayer of the access control layer, dependent on the user of the remote host device; associate a user tag with the request, the user tag indicating whether or not the user is registered with the access control layer on the hub; filter the request, using an application access control sublayer of the access control layer, dependent on the application making the attempt; associate an application tag with the request, the application tag indicating whether or not the application is recognized by the access control layer on the hub; filter the request, using a device access control sublayer of the access control layer, dependent on the remote host device; associate a device tag with the request, the device tag indicating whether or not the remote host device is registered with the access control layer on the hub; and block the request based upon the characterization and a plurality of rules, the rules to include definitions of access rights for one or more users with respect to the network-enabled device and definitions of access rights for one or more applications with respect to the network-enabled device, wherein one of the user tag, t
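To make the claimed decision flow concrete, here is an added example (not code from the patent or from McAfee) of a hub-side check in which the user, application and device sublayers each attach a boolean tag, the network sublayer handles unsafe or unknown domains and off-LAN hosts as claims 3 and 4 describe, and the final decision combines the tags with rules drawn from two constructed access maps (claim 7). Every registry, map, IP range and request value is constructed for illustration.

```python
# Added example, not code from the patent: a toy hub-side multilayer access
# control check modelled on the sublayers and tags in the claims. Every
# registry, access map and sample request below is constructed.
import ipaddress
from dataclasses import dataclass
# Constructed registries that the hub's sublayers consult.
REGISTERED_USERS = {"alice"}
RECOGNIZED_APPS = {"thermo-app"}
REGISTERED_HOSTS = {"phone-1"}
SAFE_COMMANDS = {"get_temperature", "set_temperature"}
UNSAFE_DOMAINS = {"bad.example"}
KNOWN_DOMAINS = {"cloud.example"}
LAN = ipaddress.ip_network("192.168.1.0/24")
# Constructed access maps: (entity, network-enabled device) -> allowed.
USER_DEVICE_MAP = {("alice", "thermostat"): True}
APP_DEVICE_MAP = {("thermo-app", "thermostat"): True}

@dataclass
class Request:
    user: str
    app: str
    host: str       # remote host device identifier
    host_ip: str
    device: str     # target network-enabled device
    command: str
    domain: str     # network domain of the service relaying the request

def characterize(req):
    """User, application and device sublayers each attach a boolean tag."""
    return {
        "user": req.user in REGISTERED_USERS,
        "app": req.app in RECOGNIZED_APPS and req.command in SAFE_COMMANDS,
        "device": req.host in REGISTERED_HOSTS,
    }

def evaluate(req):
    """Return (allow, tags, log_only) for a request seen at the hub."""
    tags = characterize(req)
    # Network sublayer: an unsafe or unknown domain is never passed on, only logged.
    if req.domain in UNSAFE_DOMAINS or req.domain not in KNOWN_DOMAINS:
        return False, tags, True
    # Requests that did not originate on the hub's own LAN are blocked outright.
    if ipaddress.ip_address(req.host_ip) not in LAN:
        return False, tags, False
    # Rules from the access maps: every tag set and both user and app hold rights.
    allowed = (all(tags.values())
               and USER_DEVICE_MAP.get((req.user, req.device), False)
               and APP_DEVICE_MAP.get((req.app, req.device), False))
    return allowed, tags, False
```

The request passes only when every sublayer tag is set and both access maps grant the pairing; a recognized app issuing a command outside the safe set fails the application tag and is blocked.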

Assignees

McAfee LLC

Inventors

Classifications

  • Routing a service request depending on the request content or context · CPC title

  • using third party service providers · CPC title

  • using filters or firewalls · CPC title

  • using security domains · CPC title

  • Integrity · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US10735965B2 cover?
A system for controlling accesses to network enabled devices includes a network interface over which a hub communicates with network enabled devices, a processor, and a multilayer access control layer. The access control layer includes instructions that, when executed by the processor, cause the processor to detect, at the hub, a request representing an attempt by an application executing on a …
Who is the assignee on this patent?
McAfee LLC
What technology area does this patent fall under?
Primary CPC classification H04W12/08. Mapped technology areas include Electricity.
When was this patent published?
Publication date Aug 4, 2020 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 4 related publications on this page (citations in our corpus or others sharing the same primary CPC).