GroupIt: Lightweight Group Key Management for Dynamic IoT Environments


Abstract:

With the proliferation of Internet of Things (IoT) devices that collect sensitive data, access control is more crucial than ever to safeguard IoT data from unauthorized use. To enforce access control policies without a trusted online entity, one promising approach is to maintain a group key shared between a device and its current subscribers, such that the device can encrypt its data and only the subscribers can decrypt it. However, prior group key management (GKM) schemes fail to efficiently address new challenges introduced by the massive scale of IoT devices, dynamic memberships of users, and changes in the number of devices. This paper explores efficient GKM to accommodate multiple devices (in addition to multiple users) and to handle frequent membership and device number changes. Inspired by the observation that devices with similar functionalities often have similar access permissions, we propose a two-tier GKM architecture called GroupIt, in which each device is assigned to one of many predefined groups, and key management is performed within each group as well as between groups to improve efficiency. Despite being conceptually simple, GroupIt addresses technical challenges including: 1) preventing a malicious device from obtaining extra information about other devices in the same group and 2) ensuring forward/backward secrecy and preventing collusion attacks when gluing two existing GKMs together. The probability of a successful collusion attack quickly drops to 0.3% after five membership changes even in a small device group (e.g., 8). This paper provides both theoretical analysis and a proof-of-concept implementation based on AllJoyn, an open-source IoT communication framework, to demonstrate the feasibility of GroupIt.
Published in: IEEE Internet of Things Journal (Volume: 5, Issue: 6, December 2018)
Page(s): 5155 - 5165
Date of Publication: 24 May 2018


I. Introduction

Internet-of-things (IoT) devices are gradually becoming a large part of people’s daily lives. IoT devices are network-connected physical devices with a variety of forms and functionalities, one important functionality being data collection. Devices such as motion sensors, heartbeat sensors and IP cameras collect sensitive data with privacy concerns. Most IoT devices have limited computational power, preventing them from efficiently performing cryptographic operations. Moreover, users often fail to conduct proper setup (e.g., changing default passwords), thus making IoT devices vulnerable to attacks.
