AAA

The AAA framework is the logic behind Identity Management systems. AAA stands for Authentication, Authorization, and Accounting.

Overview

The AAA model is defined as follows:

  • Authentication — Who are you? (for example, a username and password)

Verifying the identity of a user or process.

  • Authorization — What resources are you permitted to use?

Authorization is the process of granting someone the ability to access a resource.

  • Accounting — What resources were accessed, at what time, by whom, and what commands were issued?

The three phases ensure that legitimate users are permitted access. A remote user must be authenticated before being permitted access to network resources.

Authentication allows the user to submit a username and password and permits challenges and responses. After the user is authenticated, authorization defines which services or resources in the network the user is permitted to access. The operations permitted here can include IOS privileged EXEC commands. For example, a user might type commands but be permitted to use only the specific show and debug commands for which that user is authorized.

Accounting allows the network administrator to log and view what was actually performed (for example, whether a Cisco router was reloaded or its configuration was changed). Accounting ensures that an audit lets network administrators see what was performed and at what time. Accounting keeps track of the information needed to audit and report network resource usage; this typically includes the username, the start and stop times of the login, and the commands typed by the user.

Authentication

“Authentication is the act of confirming the truth of an attribute of a single piece of data claimed true by an entity. In contrast with identification, which refers to the act of stating or otherwise indicating a claim purportedly attesting to a person or thing’s identity, authentication is the process of actually confirming that identity”

There are four primary types of authentication, distinguished by the credential they use:

  1. Static passwords (these do not change unless they expire or the user changes them)

  2. One-time passwords (OTPs), such as personal identification numbers (PINs) delivered through SMS text messages or other channels

  3. Digital certificates (X.509 and the like)

  4. Biometric credentials

Additionally, there are three categories of authentication factor:

  1. Something you know (such as a password)

  2. Something you have (such as a key fob or cell phone)

  3. Something you are (such as your fingerprints, voice, or hand geometry)

When more reliable authentication is needed, we employ Multi-Factor Authentication (MFA), which makes it difficult for someone to authenticate as another person. For example, if a thief steals a mobile phone, he would also have to obtain the user’s password to make use of the code sent by SMS text, or possess the key fob that displays the code. Using two passwords is not considered MFA because both passwords are “something you know”. Many companies are moving toward Multi-Factor Authentication or Two-Factor Authentication (2FA), which combines a static password with an OTP or challenge question to strengthen security. Biometric authentication is being adopted as well, and we will see more biometrics as the technology becomes more cost effective.
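As an added illustration of the “something you know” plus “something you have” combination described above (this is example code, not from the original article or any of the products it mentions), the following Python implements the HOTP one-time-password algorithm from RFC 4226, the event-based OTP that hardware key fobs and authenticator apps produce, and a small account object that requires both a password and a valid OTP to log in. The secret, the account name, the password and the 100,000 PBKDF2 iterations are constructed values for the demo; only the RFC 4226 algorithm itself is standard.

```python
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer, then reduced to `digits` digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # low nibble of last byte
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_hotp(secret: bytes, counter: int, candidate: str, window: int = 3):
    """Server-side check: accept a code for the expected counter or a few
    values ahead (the token may have produced codes that were never submitted).
    Returns the next counter to expect on success, or None on failure."""
    for c in range(counter, counter + window):
        if hmac.compare_digest(hotp(secret, c), candidate):
            return c + 1
    return None


class MfaAccount:
    """Two factors from two categories: a password (something you know) and an
    HOTP token (something you have). Both must pass, and a code that has been
    accepted once is never accepted again."""

    def __init__(self, username: str, password: str, otp_secret: bytes):
        self.username = username
        self.salt = os.urandom(16)
        # Store only a salted PBKDF2 hash of the password, never the password.
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        self.otp_secret = otp_secret     # shared with the user's token device
        self.counter = 0                 # server's view of the token counter

    def login(self, password: str, otp_code: str) -> bool:
        # Factor 1: something you know
        derived = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        if not hmac.compare_digest(derived, self.pw_hash):
            return False
        # Factor 2: something you have
        next_counter = verify_hotp(self.otp_secret, self.counter, otp_code)
        if next_counter is None:
            return False
        self.counter = next_counter      # advance so the used code cannot be replayed
        return True


if __name__ == "__main__":
    # RFC 4226 Appendix D test secret; constructed account for the demo.
    secret = b"12345678901234567890"
    acct = MfaAccount("alice", "correct-horse", secret)
    print("first login:", acct.login("correct-horse", hotp(secret, 0)))
    print("replay of same code:", acct.login("correct-horse", hotp(secret, 0)))
```

Two points follow from the categories listed above. A second password, or a challenge question, is also “something you know”, so adding one does not make the login multi-factor; the second factor here is the token’s secret and counter, which an attacker who only learned the password does not hold. And the server must advance its counter after each accepted code, otherwise a code observed in transit remains valid and the “something you have” factor collapses into a reusable secret.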

Authorization

“Authorization is the function of specifying access rights/privileges to resources related to information security and computer security in general and to access control in particular.”

After a user identifies himself and is authenticated to prove his identity, he must pass the authorization rules to access system services, programs, and data. Authorization determines what the user can and cannot access. An important concept to understand is that a user may authenticate successfully and still receive an authorization result of DENY ACCESS.

The Principle of Least Privilege requires that users and devices be granted only the access necessary to perform their required functions. Any superfluous authorization can result in accidental or malicious violations of security policy.

Accounting

This is the process that keeps track of a user’s activity while attached to a system; the trail includes the amount of time attached, the resources accessed, and how much data was transferred. Accounting data is used for trending, detecting breaches, and forensic investigation. Keeping track of users and their activities serves many purposes. For example, tracing back through the events leading up to a cybersecurity incident can prove very valuable to a forensic analysis and investigation.
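The following Python ties the three phases together as one decision point, modelled on the command-authorization and accounting behaviour the Overview describes for a network device and on the Authorization and Accounting sections above. It is added example code, not from the original article and not the logic of ClearPass, ISE, RADIUS or TACACS; the role table, the user names, their placeholder passwords and the command prefixes are all constructed. Each role is an allowlist of the commands that job needs (least privilege), the `auditor` role authenticates fine but is allowed nothing on this device (authenticated, yet DENY ACCESS), and every login, failed login, command, denied command and logout is written to an accounting trail with username and UTC timestamp.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed role table: each role lists the command prefixes that job needs.
# "auditor" has no command rights on this device at all.
ROLE_COMMANDS = {
    "netops": ("show ", "debug ", "configure ", "reload"),
    "helpdesk": ("show ",),
    "auditor": (),
}


@dataclass
class User:
    username: str
    salt: bytes
    pw_hash: bytes
    role: str


def make_user(username: str, password: str, role: str) -> User:
    """Create a user record holding a salted PBKDF2 hash, never the password."""
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return User(username, salt, pw_hash, role)


# Constructed sample directory; the passwords are demo placeholders.
USERS = {
    u.username: u
    for u in (
        make_user("alice", "alice-demo-pass", "netops"),
        make_user("bob", "bob-demo-pass", "helpdesk"),
        make_user("carol", "carol-demo-pass", "auditor"),
    )
}


@dataclass
class AccountingRecord:
    username: str
    timestamp: str      # ISO 8601, UTC
    event: str          # login, login-failed, command, command-denied, logout
    detail: str = ""


class AAAServer:
    """Toy AAA decision point: authenticates, authorizes, and accounts."""

    def __init__(self, users: dict):
        self.users = users
        self.sessions: set = set()      # usernames with an active login
        self.ledger: list = []          # the accounting trail

    def _record(self, username: str, event: str, detail: str = "") -> None:
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.ledger.append(AccountingRecord(username, stamp, event, detail))

    # Authentication: who are you?
    def authenticate(self, username: str, password: str) -> bool:
        user = self.users.get(username)
        if user is None:
            self._record(username, "login-failed", "unknown user")
            return False
        derived = hashlib.pbkdf2_hmac("sha256", password.encode(), user.salt, 100_000)
        if not hmac.compare_digest(derived, user.pw_hash):
            self._record(username, "login-failed", "bad password")
            return False
        self.sessions.add(username)
        self._record(username, "login")             # session start time
        return True

    # Authorization: what are you permitted to use?
    def authorize(self, username: str, command: str) -> bool:
        if username not in self.sessions:           # must authenticate first
            return False
        allowed = ROLE_COMMANDS.get(self.users[username].role, ())
        return any(command.startswith(prefix) for prefix in allowed)

    # Accounting: what was done, when, and by whom?
    def run_command(self, username: str, command: str) -> str:
        if self.authorize(username, command):
            self._record(username, "command", command)
            return "executed"
        self._record(username, "command-denied", command)
        return "denied"

    def logout(self, username: str) -> None:
        if username in self.sessions:
            self.sessions.discard(username)
            self._record(username, "logout")        # session stop time

    def audit(self, username: str) -> list:
        """Accounting view for one user: (event, detail) pairs in order."""
        return [(r.event, r.detail) for r in self.ledger if r.username == username]
```

Note that denied commands are recorded as well as executed ones: a run of `command-denied` entries for a single account is exactly the kind of trail the Accounting section says an investigator wants when tracing the events leading up to an incident, and an allowlist that is silently enforced without a record would lose it.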

Using AAA for Identity Management

Identity Management systems such as Aruba’s ClearPass and Cisco’s Identity Services Engine (ISE) utilize the AAA framework via RADIUS, TACACS, and other mechanisms. Identity Management and Network Access Control are two important tenets of a sound security policy. A proper understanding of AAA will help you implement Identity Management. Good luck implementing Identity Management and stay secure!
