The AAA framework is the logic behind Identity Management systems. AAA stands for Authentication, Authorization, and Accounting, and this blog post explains each of the three.
“Authentication is the act of confirming the truth of an attribute of a single piece of data claimed true by an entity. In contrast with identification, which refers to the act of stating or otherwise indicating a claim purportedly attesting to a person or thing’s identity, authentication is the process of actually confirming that identity.” (Wikipedia)
This is the first “A” of AAA.
There are four common types of authentication credential:
- Static passwords (these do not change unless they expire or the user changes them)
- One-time passwords (OTP), such as numeric codes delivered through SMS texts, shown on a hardware token, or generated by an authenticator app
- Digital certificates (X.509 and similar)
- Biometric credentials
Every credential also falls into one of three categories, usually called factors:
- Something you know (such as a password)
- Something you have (such as a key fob or cell phone)
- Something you are (such as your fingerprints, voice, or hand geometry)
When more reliable authentication is needed, we employ Multi-Factor Authentication (MFA), which combines credentials from at least two different categories and makes it much harder for someone to authenticate as another person. For example, if a thief steals a mobile phone, he would also have to obtain the user’s password to make use of the code sent by SMS text, or he would have to possess both the password and the key fob that displays the code. Using two passwords is not MFA because both passwords are “something you know”; by the same rule, a static password plus a challenge question is not MFA either, since the answer to a challenge question is also something you know. Many companies are moving toward Two-Factor Authentication (2FA), which pairs a static password with an OTP from a phone, token or app. SMS-delivered codes are the weakest form of OTP, because a phone number can be taken over (for example by SIM swapping), so an authenticator app or hardware token is preferred where possible. Biometric authentication is being adopted as well, and we will see more biometrics as the technology becomes more cost effective.
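The password-plus-OTP login described above, as an added example that is not part of the original post. The TOTP arithmetic follows RFC 4226 (HOTP) and RFC 6238 (TOTP) and uses the RFC test-vector seed so the codes are reproducible; the user record, the password, the factor-category table and the timestamps are constructed for the demo. It also encodes the page’s rule that two credentials from the same category (two passwords, or a password and a challenge question) do not count as MFA.

```python
# Added example (not from the original post): password ("something you know")
# plus TOTP ("something you have"). User store, password and category table are
# constructed for illustration; the TOTP secret is the RFC 4226/6238 test seed.
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Which category each credential type belongs to; MFA needs two distinct categories.
FACTOR_CATEGORY = {
    "password": "know", "pin": "know", "challenge_question": "know",
    "totp": "have", "sms_otp": "have", "certificate": "have",
    "fingerprint": "are",
}

def is_multi_factor(factor_types) -> bool:
    """True only when the supplied factors span at least two categories."""
    return len({FACTOR_CATEGORY[f] for f in factor_types}) >= 2

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for storage."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def check_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at // step), digits)

def check_totp(secret: bytes, code: str, at: float, skew_steps: int = 1) -> bool:
    """Accept the current 30 s step and +/- skew_steps neighbours for clock drift."""
    counter = int(at // 30)
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-skew_steps, skew_steps + 1))

# Constructed user store: one user enrolled with a password and a TOTP secret.
_SALT, _DIGEST = hash_password("correct horse battery staple", salt=b"\x00" * 16)
USERS = {"alice": {"salt": _SALT, "digest": _DIGEST,
                   "totp_secret": b"12345678901234567890"}}

def verify_login(username: str, password: str, code: str, at: Optional[float] = None) -> bool:
    """Two-factor login: the password (know) AND the TOTP code (have) must both pass."""
    at = time.time() if at is None else at
    user = USERS.get(username)
    if user is None:
        # Burn a hash anyway so an unknown username is not revealed by response time.
        hash_password(password, salt=b"\x00" * 16)
        return False
    pw_ok = check_password(password, user["salt"], user["digest"])
    otp_ok = check_totp(user["totp_secret"], code, at)   # evaluated even if pw_ok is False
    return pw_ok and otp_ok

if __name__ == "__main__":
    seed, t = b"12345678901234567890", 59          # RFC 6238 test time
    print(totp(seed, t))                           # 287082
    print(verify_login("alice", "correct horse battery staple", totp(seed, t), t))
    print(is_multi_factor(["password", "challenge_question"]))  # False: both "know"
```

Both factors are always evaluated and compared in constant time, so a failed password does not leak which factor was wrong through timing; the phone thief in the paragraph above still needs the password, and the password thief still needs the phone.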
“Authorization is the function of specifying access rights/privileges to resources, related to information security and computer security in general and to access control in particular.” (Wikipedia)
This is the second “A” of AAA. After a user identifies themselves and is authenticated, every request they make must still pass the authorization rules before they can reach system services, programs and data. Authorization determines what the user can and cannot access. An important point to understand: a user may authenticate successfully and the resulting authorization decision can still be DENY ACCESS. Authentication proves who you are; it does not, by itself, grant you anything.
The Principle of Least Privilege requires that users and devices be granted only the access necessary to perform their required functions, and nothing more. Any excess authorization widens the blast radius of an accidental or malicious violation of security policy, so unused rights should be reviewed and removed.
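A deny-by-default authorization check with role-based, least-privilege grants, as an added example that is not part of the original post. The roles, the resource patterns, the users and the recorded requests are all constructed; it shows an authenticated account (eve) that holds no roles and is therefore denied, and a helper that lists grants a user never exercises, which is the input to a least-privilege review.

```python
# Added example (not from the original post): deny-by-default authorization.
# Roles, grants, users and the observed requests are constructed for illustration.
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Iterable, Set, Tuple

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str

# Each role grants only the (action, resource pattern) pairs it needs: least privilege.
ROLE_GRANTS = {
    "helpdesk": {("read", "users/*"), ("reset-password", "users/*")},
    "netadmin": {("read", "switches/*"), ("write", "switches/*"), ("read", "users/*")},
    "guest":    {("read", "portal/welcome")},
}

# Constructed identity store: authenticated principals and the roles they hold.
USER_ROLES = {
    "alice": {"helpdesk"},
    "bob":   {"netadmin"},
    "eve":   set(),      # valid, authenticated account that has had every role removed
}

def authorize(user: str, action: str, resource: str) -> Decision:
    """Return an explicit decision with its reason; anything not granted is denied."""
    roles = USER_ROLES.get(user)
    if roles is None:
        return Decision(False, f"{user} is not a known principal")
    for role in sorted(roles):
        for granted_action, pattern in ROLE_GRANTS.get(role, ()):
            if granted_action == action and fnmatchcase(resource, pattern):
                return Decision(True, f"{role} grants {action} on {pattern}")
    return Decision(False, f"no role of {user} grants {action} on {resource}")   # default deny

def held_grants(user: str) -> Set[Tuple[str, str]]:
    """Union of every grant the user's roles confer."""
    return set().union(*(ROLE_GRANTS.get(r, set()) for r in USER_ROLES.get(user, set())))

def unused_grants(user: str, observed: Iterable[Tuple[str, str]]) -> Set[Tuple[str, str]]:
    """Grants the user holds but never exercised in the observed (action, resource) requests.
    These are the candidates to remove under least privilege."""
    observed = list(observed)
    return {g for g in held_grants(user)
            if not any(g[0] == a and fnmatchcase(res, g[1]) for a, res in observed)}

if __name__ == "__main__":
    for req in [("alice", "read", "users/bob"), ("alice", "write", "switches/core1"),
                ("eve", "read", "portal/welcome"), ("mallory", "read", "users/bob")]:
        print(req, authorize(*req))
    print(unused_grants("bob", [("read", "switches/core1"), ("read", "switches/core2")]))
```

Note that `authorize` only ever returns an allow when a grant matches; an unknown principal, an empty role set and a missing grant all fall through to the same deny, and the reason string is what you would write to the accounting trail.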
Accounting is the third and last “A” in AAA. It is the process that keeps track of a user’s activity while attached to a system; the trail includes when the session started and how long it lasted, the resources accessed, and how much data was transferred. Accounting data is used for trending, for detecting breaches, and for forensic investigation: being able to trace the events that led up to a cybersecurity incident is invaluable to a forensic analysis, and it is only possible if the trail was recorded in the first place.
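Working through an accounting trail, as an added example that is not part of the original post. The record format is a constructed key=value line per Start or Stop event, loosely modelled on RADIUS accounting (RFC 2866) session records, and the sessions themselves are made up; the code produces the per-user totals the paragraph describes, applies two simple detections (a large upload and a session started outside business hours) and rebuilds one session’s timeline for a forensic look-back. The thresholds and business hours are assumptions for the demo.

```python
# Added example (not from the original post): summarising, alerting on and
# reconstructing an accounting trail. Records and thresholds are constructed;
# up_octets is bytes sent by the client (RADIUS calls this Acct-Input-Octets,
# counted from the NAS side) and down_octets is bytes sent to the client.
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List, Tuple

SAMPLE_RECORDS = """\
ts=2024-05-06T08:01:12Z status=Start user=alice session=0001 nas=10.0.0.5 resource=vlan-staff
ts=2024-05-06T08:02:40Z status=Start user=bob session=0002 nas=10.0.0.5 resource=vlan-netadmin
ts=2024-05-06T12:31:12Z status=Stop user=alice session=0001 nas=10.0.0.5 resource=vlan-staff session_time=16200 up_octets=400000 down_octets=3000000
ts=2024-05-06T23:15:02Z status=Start user=alice session=0003 nas=10.0.0.9 resource=vlan-servers
ts=2024-05-07T01:05:02Z status=Stop user=alice session=0003 nas=10.0.0.9 resource=vlan-servers session_time=6600 up_octets=12000000000 down_octets=9000000
ts=2024-05-06T18:02:40Z status=Stop user=bob session=0002 nas=10.0.0.5 resource=vlan-netadmin session_time=36000 up_octets=200000000 down_octets=50000000
"""

def parse_records(text: str) -> List[dict]:
    """Parse key=value lines into dicts; counters become ints, ts becomes an aware datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(field.split("=", 1) for field in line.split())
        for key in ("session_time", "up_octets", "down_octets"):
            if key in rec:
                rec[key] = int(rec[key])
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append(rec)
    return records

def summarize(records: List[dict]) -> Dict[str, dict]:
    """Per-user totals: completed sessions, attached time, bytes, resources and NAS devices."""
    summary = defaultdict(lambda: {"sessions": 0, "session_time": 0, "bytes": 0,
                                   "resources": set(), "nas": set()})
    for rec in records:
        s = summary[rec["user"]]
        s["resources"].add(rec["resource"])
        s["nas"].add(rec["nas"])
        if rec["status"] == "Stop":          # counters are only final on the Stop record
            s["sessions"] += 1
            s["session_time"] += rec["session_time"]
            s["bytes"] += rec["up_octets"] + rec["down_octets"]
    return dict(summary)

def flag_sessions(records: List[dict], max_up_bytes: int = 1_000_000_000,
                  business_hours: Tuple[int, int] = (7, 19)) -> List[Tuple[str, str]]:
    """Two constructed detections: a Start outside business hours (UTC) and a large upload."""
    flags = []
    for rec in records:
        hour = rec["ts"].hour
        if rec["status"] == "Start" and not (business_hours[0] <= hour < business_hours[1]):
            flags.append((rec["session"], "start outside business hours"))
        if rec["status"] == "Stop" and rec["up_octets"] > max_up_bytes:
            flags.append((rec["session"], f"{rec['up_octets']} bytes uploaded exceeds {max_up_bytes}"))
    return flags

def session_timeline(records: List[dict], session_id: str) -> List[dict]:
    """Events of one session in time order: the 'what happened before the incident' view."""
    return sorted((r for r in records if r["session"] == session_id), key=lambda r: r["ts"])

if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for user, s in summarize(recs).items():
        print(user, s["sessions"], "sessions,", s["session_time"], "s,", s["bytes"], "bytes,", sorted(s["resources"]))
    for session, why in flag_sessions(recs):
        print("ALERT", session, why)
    for ev in session_timeline(recs, "0003"):
        print(ev["ts"].isoformat(), ev["status"], ev["nas"], ev["resource"])
```

The two flags both land on the same session, and the timeline then shows it started late at night on a different NAS and a different VLAN than the user’s daytime session, which is exactly the kind of chain an investigator needs the accounting trail to reconstruct.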
Using AAA for Identity Management
Identity Management systems such as Aruba’s ClearPass and Cisco’s Identity Services Engine (ISE) implement the AAA framework via RADIUS, TACACS+, and other mechanisms. Identity Management and Network Access Control are two important tenets of a sound security policy, and a proper understanding of AAA will help you implement Identity Management. Good luck implementing Identity Management and stay secure!
Author Bio: John Busso is a Senior Network Engineer/Mobility Specialist at CCSI. He has almost 20 years’ experience providing secure voice and data solutions. John has been a Subject Matter Expert for Enterprise Mobile Solutions such as Guest WiFi and BYOD, providing vision for diverse clients.
John has been an Adjunct Professor and trainer. He holds numerous industry certifications, including CISSP, CWNP, CCNP, ACMP and ITIL. His experience includes working with retail, TNL-Couriers, DCs and Airports, Healthcare, Education, DOD, Local Government, Financial, Non-Profit-Public WiFi, Entertainment and Hospitality industries. His expertise is in mobility, security, WLAN, WAN, LAN, VoWiFi, RFID, RTLS, WIPS, WIDS, DAS, licensed/unlicensed PTP and PTMP networks. Connect with John on Twitter via @JohnBusso.