AAA is an abbreviation for Authentication, Authorization, and Accounting, a concept frequently used in the world of cybersecurity that is vital to be familiar with when working in the industry. These three pillars represent a vital part of the cybersecurity industry and the services it provides:
- Authentication: Used to verify the identity of a person.
- Authorization: The process of verifying that somebody has the appropriate permission to access something.
- Accounting: The process of recording a user’s access by means of logging their activity.
In conjunction, the combination of Authentication, Authorization, and Accounting services provides a strong mechanism for the functioning of effective and efficient cybersecurity measures. They create a security framework that monitors and controls access to computer networks, enforces policy, and audits usage. Essentially, the process of AAA provides the overall network management essential for ensuring superior cybersecurity and data protection.
While you may be looking at doing a security assessment or something similar to begin the process of ensuring your company is secure, it’s essential to first understand AAA in cybersecurity in order to know exactly how everything works.
Being able to understand how these three processes are able to function cohesively within the process of network management is essential. However, first, you must know exactly how they differ and what each process entails individually.
The Difference Between Authentication, Authorization, and Accounting
Closely and vitally related, yet still entirely distinct, Authentication, Authorization, and Accounting are three processes that need to be able to function individually to be effective together.
Authentication
Authentication is all about the verification of identity – confirming that the identity put forward is legitimate and belongs to the individual who claims it. The identification and authentication process may require a specific username and a pre-decided password to properly verify the identity of the user.
However, it can be a little more complicated than that because authentication comes in different forms and each of these forms can influence how the authentication process is carried out:
Authentication comes in terms of:
- Something a person knows
- Something a person has
- Something a person is
When considering AAA cybersecurity protocol and network security systems need to differentiate between these different types of authentications to grant proper verification.
Something a Person Knows
Authentication by knowledge is using the information a person has as the key aspect of authentication. This is often considered the easiest form of authentication - however, it is not necessarily the most secure form. Some examples of authentication by knowledge include:
- Pins
- Passwords
- Combination number passwords
- Security questions (e.g. The name of your first pet)
As suggested, gaining authentication by means of something a person knows can be a quick process that doesn’t require a large amount of work, complex systems, or expertise. Indeed, anybody could provide information that could be used as verification of their identification – often, it’s just a case of selecting information that is unique yet memorable. When it comes to Authentication, Authorization, and Accounting, this is one of the easiest methods to adopt.
However, for obvious reasons, this isn’t the most secure form of authentication. Since it’s centered on the knowledge of an individual, you have to take into account that knowledge is shared. Whether you are intentionally sharing a password or simply divulging personal information that may coincide with security keys – such as your mother’s maiden name – it’s possible for this kind of form of authentication to be compromised. Thus, within the realm of Authentication, Authorization, and Accounting, the authentication process may be compromised.
While authentication by knowledge is the least secure method of AAA cybersecurity, it is often still the most commonly used form of authentication to protect sensitive information due to its simplification.
Something a Person Has
In contrast to knowledge, authentication by means of something a person has is often referred to as authentication by ownership. The most obvious examples of this are things like access cards, keys, or unique tokens. That is, only an individual in possession of a specific object may be granted access to the network or whatever it is in question.
Access cards, or swipe cards, allow individuals to prove their identity by means of swiping rather than having to go through a rigorous process. A key, of course, is a means of authentication by ownership that proves that whoever has it is allowed access to whatever it is that the key opens – whether it’s a door, a safe, or a car. A unique token, on the other hand, is generated by a device to specify a particular time and some other kind of identifying reference point so that you can gain access based on a specific time.
Much like the idea of authentication by knowledge, the concept of ownership involves the risk of losing the object in question – or having it stolen. Indeed, authentication is granted to whoever is in possession of the object, meaning that it can be reasonably easy for somebody to fake your identity if they happen to have your card, token, key, or whatever else is being used. This is an aspect of Authentication, Authorization, and Accounting that is a bit more fallible than others.
Something a Person is
Authentication by characteristic, or biometrics, as it’s known today, is far more secure than either of the previous versions of authentication. Using aspects and characteristics of you that are completely unique, you can be granted access to the network in question. Most commonly, this would require something like a fingerprint, facial recognition, or even a retinal scan.
Biometric authentication is far more difficult to cheat than authentication by knowledge or ownership. The characteristics that are used are completely unique and make use of complex technology to ensure security. However, when it comes to the authentication component of Authentication, Authorization, and Accounting, biometrics still isn’t a foolproof method of ensuring a secure network.
While technology is constantly progressing and advancements are always being made in terms of biometric security, there have been cases of the authentication process being foiled – most commonly in the case of fingerprint scanning. Of course, while a biometric compromise might be possible, it’s not something particularly easy to achieve or that can be done by just anyone as it requires specialized skills and tools. Therefore, the means of authentication by characteristic is still very effective overall.
Unfortunately, another downside of using biometric security software, especially in large businesses, is that it can be a very expensive installment. The process requires advanced equipment and expertise - making it an inaccessible security measure for most enterprises.This financial burden makes deploying biometrics as a process of Authentication, Authorization, and Accounting a lot less viable.
Achieving Strong Authentication
While all three of the above methods can be successful in their own way, it’s also clear that none of them are foolproof. Even authentication by characteristic, arguably the most secure form of authentication has its pitfalls. By only using one method – whether it’s authentication by something a person knows, has, or is – it becomes far easier for you to be impersonated.
However, that does not mean that all hope is lost. In order to fully achieve stronger authentication, you should try to make use of more than one method at a time. Using two of the above mentioned options will increase your AAA cybersecurity drastically, and making use of all three will do so even better.
Strong authentication of this nature is referred to as Multi-Factor Authentication (MFA) – this simply means that there are multiple factors and layers of authentication required before access may be granted. On the other hand, there is also Two-Factor Authentication (2FA) which is also a form of MFA that only requires two of the above methods.
For instance, you can create a system that requires both a password and a token. Therefore, if, perhaps, the password is revealed to a third party or a system is hacked, you’ll still need to have the physical token to gain access. Conversely, if the token is lost or stolen, you’ll still need the password to get in. While it is still possible for both of the above scenarios to occur, at least there’s a measured backup plan in place when using the Two-Factor Authentication (2FA) security system.
For more advanced and critical security, you could even add the third layer of authorization – in addition to having a token and a password, a fingerprint would be required too. The chances of having all three levels of security breached are fairly low, especially at an amateur level. This is an example of MFA(Multi-Factor Authorization). When it comes to Authentication, Authorization, and Accounting, having three forms of authentication layers is the best way to maximize the security of your network.
Authorization
This part of the Authentication, Authorization, and Accounting process comes after authentication. Authentication confirms your identity, and authorization involves checking what your specific identity has permission to be granted access to.
For instance, if you work for a business in a large office building, when you enter, your identity will be authenticated, after which you will be granted access to certain sections based on permissions that have been predetermined. If you happen to be a junior employee, this may mean that you’ll have access to the first few floors only. Meanwhile, if you’re a senior executive, you may be granted higher security clearance, allowing you access to all floors and offices within the building.
It is possible to be in possession of two different identifications in this kind of scenario - each providing access to different things. For instance, if you work as a junior employee, your identity probably won’t allow you access to the company’s financial records. However, if you happen to be working on an assignment that requires you to look back at previous deals, you may be given an additional password or key to grant you access to the relevant data.
Of course, the crux of the matter is verifying that the person in question has adequate permissions for what they are trying to do or access once they’ve been identified. Therefore, the authorization part of the Authentication, Authorization, and Accounting process is all about making sure that the individual in question is allowed to access that which they’re attempting to access.
Accounting
Accounting, rather than referring to numbers, is all about monitoring and recording activity. These days every move you make while operating within a system can be recorded and tracked - from when you logged into the system, when you logged out and how long you were logged in, and so on. Your individual network activity can also be recorded and anything that happens within the system can be traced back and linked to any specific user of origin.
Accounting is an essential part of the AAA cybersecurity process as it provides companies and individuals with records to return to – this may be for general business reasons as well as for security and accountability.
For instance, if a disgruntled employee with access to important files were to log into the system and delete the files, this would all be on record due to cybersecurity’s accounting component. Therefore, the business would be able to trace exactly when the files were deleted, the time that they were deleted, and the user that carried out the malicious plan. Although most of the harm would already have been done, accounting still provides incredibly valuable information that can hold people accountable and prevent such things from happening again. Accounting within the perimeters of Authentication, Authorization, and Accounting, provides a means by which everything can be recorded and monitored for future purposes and preventative planning.
Final Thoughts on AAA in Cybersecurity
The process of Authentication, Authorization, and Accounting exists as a broad security framework. By verifying users’ identities by means of knowledge, possession, or biometrics; granting them access dependent on their identities’ predetermined clearance level then recording all activity within a system or network by the user, the AAA model is a foundational aspect of cybersecurity.
Contact Sangfor today to talk about your cybersecurity needs, and rest assured that with a range of security options available, you’re sure to find something that suits your every need.
