In my day-to-day meetings working in Cyber Security, the term AAA is quite frequently used. It's the cornerstone of Cyber Security and it's vitally important to understand this concept.
What is AAA in Cyber Security? AAA stands for Authentication, Authorization and Accounting. Authentication is used to verify the identity of a person, Authorization is used to verify the person has the correct permissions to access something, and Accounting involves recording the person's access by logging their activities.
AAA are important principles in Cyber Security as they allow control over access to assets like information, thereby protecting it. The right people (as well as other systems) will only be able to access this information if they have been given permission to do so.
What is the difference between authentication, authorization and accounting?
Authentication involves checking that the identity presented is being used by its rightful owner. Authorization checks what the identity has permissions (access rights) to, and Accounting records what the identity does.
Working together, authentication, authorization and accounting provide a stronger mechanism for the protection of information and other corporate assets.
Authentication is the process of taking an identity and, using some form of verification, confirming that the identity is legitimate. The identity could be an id, like a user name, with the verification being a corresponding password; together they support the verification.
What are the three types of authentication? There are three types of authentication:
- something a person knows
- something a person has
- something a person is
Something a person knows
Something a person knows is commonly referred to as authentication by knowledge. Examples of something a person knows include:
- a password
- a PIN
- combination numbers (e.g. for a lock)
- secret answers (e.g. mother’s maiden name)
Authenticating a person by something they know is easily achieved and is probably the least expensive method of authentication, but used alone it doesn't provide the most secure method of ensuring the identity involved is who they say they are, as the information involved, passwords for example, could easily be hacked and used by someone else to impersonate the legitimate user. In an age where hacks and data breaches are commonplace, and people use passwords which in themselves can be easily guessed, a better form of authentication is required.
Something a person has
Something a person has is commonly referred to as authentication by ownership. Examples of something a person has include:
- Swipe cards
- Unique tokens
The commonest example of something a person has is a key: we all use keys in our lives to get into our homes, to open the doors to our cars, to start our car engines and so on. This piece of metal proves we have something at hand that we can use to verify we are allowed to access or use something.
Unique tokens are generated by little devices which cleverly use the current time and a reference (a seed number issued from a central source) to work out a unique token for the person at that particular time.
Swipe cards can be used to make it easier to prove the identity of the card holder: the person holding the access card can swipe it at an entry point like a barrier to get access. They don't need to prove to security who they are every time they want access, as the swipe card itself is sufficient to prove their identity.
Used alone, these methods of authentication won't necessarily mean the person is legitimately allowed access, as they may not be the actual owner of these authentication items. They may have stolen a set of car keys, or found them if the legitimate owner had lost them. Armed with the keys, they can now open the car doors, get inside and start the engine.
Likewise with access cards: most of these will have some form of chip inside with a reference to the person whose card it is, but if the card is in the wrong hands, the access card isn't smart enough to know this. So anyone who has the swipe card can use it to get access, and many people are guilty of lending their swipe cards, especially when colleagues have left theirs at home.
The same holds for the unique token devices: whoever holds the token generated for the current validity period is granted access.
Something a person is
Something a person is, is commonly referred to as authentication by characteristic. The characteristic is a physical one which is unique to the person. Examples of something a person is include:
- Fingerprints
- Retinal scans
- Face Identification (Face Id on smartphones)
Fingerprints, retinal scans and face identification are unique to each individual, so by using these the identity of a person can be verified. This type of physical characteristic verification is known as biometrics.
Many access systems these days use fingerprint access, the simple fingerprint reader on a smartphone being the most familiar example. Whilst fingerprints and retinal scans are undeniably difficult to impersonate, the technology used for verification may not be foolproof: the Japanese cryptographer Tsutomu Matsumoto was able to create a fake finger using gelatin (from sweets like gummy bears) to fool fingerprint detectors. He was able to fool them 4 out of every 5 attempts, achieving an 80% success rate.
The technology involved in checking biometrics is also expensive, so many organizations simply won't use this form of authentication.
To be able to perform strong authentication, at least two (or all three) of the authentication methods, something a person knows, something a person has and something a person is, must be used.
Each method of authentication alone only proves that the person holds the correct authentication item, be it a password, a swipe card or a fingerprint (which could be a stolen imprint obtained using deceptive techniques); the item may not actually belong to them and they may be trying to impersonate someone else.
So, for authentication to be strong, multiple factors must be used: a person not only has to enter their password to prove their identity, but they also have to enter the unique code shown on the token device assigned to them. They are thereby using something they know, the password, and something they have, the token, to provide a stronger case for authentication.
Or, by using all three methods: the person uses a swipe card assigned to them to enter an office building, then uses their password along with a fingerprint to log onto a computer system.
So even if the swipe card was used by someone else, that person wouldn't be able to get access to the computer system because they would be missing two additional forms of authentication, the password (known only to the correct person) and the fingerprint (a characteristic of the correct person).
Strong authentication is also known as Multi-Factor authentication (MFA) which means identity verification has taken place using two or more methods of authentication.
When two methods of authentication are used, the term Two-Factor Authentication (2FA) is commonly used instead of MFA even though it is still a form of MFA.
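As an added example (not code from the original article), here is how a system can combine two of the factors above: a password check (something the person knows) against a salted hash, and a time-based one-time code (something the person has) generated the way the token devices described earlier work, from the current time and a seed shared with a central source, following RFC 6238 TOTP. The user record, the password and the seed are constructed; the seed is the RFC 6238 test seed so the codes can be checked against the published vectors. Either factor alone is rejected.

```python
"""Added example, not code from the original article: a two-factor login
check that combines something the user knows (a password, stored only as a
salted hash) with something the user has (a six-digit time-based code from
a token device, computed with RFC 6238 TOTP over a seed shared with the
server). The user record, password and seed below are constructed."""
import hashlib
import hmac
import os
import struct
import time

ITERATIONS = 200_000  # PBKDF2 work factor; an assumed value for this example
STEP = 30             # seconds per TOTP window, the RFC 6238 default


# --- factor 1: something the person knows -----------------------------------
def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Store a salted PBKDF2 hash, never the password, so a leaked credential
    store does not hand the knowledge factor straight to an impersonator."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def check_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time compare


# --- factor 2: something the person has -------------------------------------
def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, at: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time window.
    The token device and the server both derive it from the shared seed."""
    return hotp(seed, at // STEP, digits)


def check_token(seed: bytes, code: str, at: int, drift: int = 1) -> bool:
    """Accept the current window plus `drift` neighbouring windows, to
    tolerate a token device whose clock has skewed slightly."""
    return any(hmac.compare_digest(totp(seed, at + d * STEP), code)
               for d in range(-drift, drift + 1))


# --- combining the factors --------------------------------------------------
def verify_login(user: dict, password: str, code: str, at: int) -> bool:
    """Strong authentication: both factors must pass. A stolen password alone
    or a borrowed token alone is rejected. Both checks always run, so the
    response time does not reveal which factor failed."""
    knows = check_password(password, user["salt"], user["pw_hash"])
    has = check_token(user["seed"], code, at)
    return knows and has


# Constructed sample user. SEED is the RFC 6238 test-vector seed, which lets
# the codes be checked against the published vectors (e.g. time 59 -> 287082).
SEED = b"12345678901234567890"
SALT, PW_HASH = hash_password("correct horse battery staple", salt=b"\x00" * 16)
USER = {"salt": SALT, "pw_hash": PW_HASH, "seed": SEED}

if __name__ == "__main__":
    now = int(time.time())
    good = verify_login(USER, "correct horse battery staple", totp(SEED, now), now)
    stale = verify_login(USER, "correct horse battery staple", totp(SEED, now - 3600), now)
    print("password + current token:", good)
    print("password + hour-old token:", stale)
```

The point of `verify_login` is the `and`: a password leaked in a breach is useless without the code from the token device, and a lent or stolen token is useless without the password, which is the whole argument for two factors above.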
Authorization involves checking what the identity that’s been authenticated has access to, thereby determining what they can do.
My identity is authorized to enter my employer's workplace, the main office building in the financial center, but my identity is not authorized to enter any other building my employer uses.
When I do access my employer's main office building, I work on the seventh floor and I am authorized to enter this floor by swiping my card on the swipe barrier, allowing the computer system controlling the barrier to check my identity, as verified by my swipe card, against its list of allowed identities, that is, people.
When I sit at my desk and log into my computer, using my user id, my password and my fingerprint to verify my identity, the computer systems will allow me to access information I have been authorized to access.
Any other information will not be available to me, unless I have another identity that I can use, which I do have. I also have a Systems Account, that gives me access to computer systems that a normal user won’t be able to access, as part of my job.
So, in my day-to-day working life, there are a number of authorizations that take place based on my identity, and as long as I can verify the identity belongs to me by using several methods of authentication like passwords, fingerprints and swipe cards, I end up being authorized to access the systems in question.
Accounting is about holding a person accountable for the actions they take, and the easiest way to do this is to make sure their activities are recorded.
If I log into a computer system at work, the time I logged in is recorded on the computer. When I access files, the access time is recorded along with the name of the file and my identity. This recording of my activities usually involves computer systems writing information to files known as logs.
These logs can be used to determine what I have been doing if something out of the ordinary happens. Let's say I decide to do something malicious and delete important company files. The deletion will be recorded, with the time I made the file deletions along with my identity.
The company finds out their important files have been deleted and they decide to investigate who was responsible. Their IT person looks at the logs and checks when the files were deleted and by whom. They see the file names listed in the logs along with the words 'file deleted', and they see my identity listed as the identity who completed the file deletion operation.
This alone would be enough to incriminate me and prove I was responsible, leading to a company disciplinary hearing and me being fired as the outcome if I couldn't prove my action of deletion was accidental and not malicious. Irrespective of the files being easily restored from a backup, the intent of my actions as shown by the logs would be enough to prove what I did and that I was accountable for my actions.
CCTV is another accounting example, as these cameras record what is happening and the footage can be used later for investigation and even as evidence.
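As an added example that is not part of the original article, the following Python ties the authorization and accounting ideas above together: a role-based, default-deny check of what an authenticated identity may do to a file, an audit log line for every attempt (allowed or denied), and the investigation step of reading those log lines back to see who deleted the file. The roles, identities, file name and log line format are all constructed for illustration.

```python
"""Added example, not code from the original article: a default-deny,
role-based authorization check (RBAC) whose every decision, allowed or
denied, is written to an audit log, followed by the accounting step of
searching that log to find who deleted a file. The roles, identities,
file name and log line format are all constructed for this example."""
from datetime import datetime, timezone

# --- authorization: what an authenticated identity may do ------------------
# Each role lists the (resource, action) pairs it grants; anything not listed
# is denied. "admin" is held by a separate systems account, not a normal user,
# mirroring the idea of a second identity with wider rights.
ROLE_PERMISSIONS = {
    "staff": {("reports/q3.xlsx", "read")},
    "finance": {("reports/q3.xlsx", "read"), ("reports/q3.xlsx", "write"),
                ("reports/q3.xlsx", "delete")},
    "admin": {("*", "read"), ("*", "write"), ("*", "delete")},
}
USER_ROLES = {"alice": {"staff"}, "bob": {"finance"}, "sysadmin-bob": {"admin"}}


def is_authorized(identity: str, resource: str, action: str) -> bool:
    """Default deny: allowed only if at least one of the identity's roles
    grants the exact (resource, action) or a wildcard for that action."""
    for role in USER_ROLES.get(identity, set()):
        perms = ROLE_PERMISSIONS.get(role, set())
        if (resource, action) in perms or ("*", action) in perms:
            return True
    return False


# --- accounting: record every attempt, not just the successful ones ---------
def audit(log: list, identity: str, resource: str, action: str,
          allowed: bool, when: datetime) -> str:
    """Append one line: who, what, on which resource, when, and the outcome."""
    line = (f"{when.isoformat()} user={identity} action={action} "
            f"resource={resource} result={'ALLOW' if allowed else 'DENY'}")
    log.append(line)
    return line


def perform(log: list, identity: str, resource: str, action: str,
            when: datetime) -> bool:
    """Authorize, record the decision, and only then let the action proceed.
    Denied attempts are logged too; a run of DENY lines against a sensitive
    file is exactly what an investigator wants to see."""
    allowed = is_authorized(identity, resource, action)
    audit(log, identity, resource, action, allowed, when)
    return allowed


# --- investigation: who deleted the file? ----------------------------------
def parse_line(line: str) -> dict:
    """Turn 'time k=v k=v ...' back into a record (values contain no spaces)."""
    when, *fields = line.split(" ")
    record = dict(field.split("=", 1) for field in fields)
    record["time"] = when
    return record


def who_did(log: list, resource: str, action: str) -> list:
    """Return (time, identity) for every ALLOWed `action` on `resource`."""
    hits = []
    for line in log:
        rec = parse_line(line)
        if (rec["resource"], rec["action"], rec["result"]) == (resource, action, "ALLOW"):
            hits.append((rec["time"], rec["user"]))
    return hits


def run_scenario() -> list:
    """Constructed day: alice reads the report, tries to delete it (denied),
    then bob, who holds the finance role, deletes it. The investigator asks
    the log who carried out the deletion."""
    log = []
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    perform(log, "alice", "reports/q3.xlsx", "read", t0)
    perform(log, "alice", "reports/q3.xlsx", "delete", t0.replace(hour=10))
    perform(log, "bob", "reports/q3.xlsx", "delete", t0.replace(hour=11))
    return who_did(log, "reports/q3.xlsx", "delete")


if __name__ == "__main__":
    for when, who in run_scenario():
        print(f"{when}: deleted by {who}")
```

Two design choices carry the weight here: `is_authorized` starts from "no" and only says "yes" when a role explicitly grants the action, and `perform` writes the log line before anything else happens, so the record exists whether the attempt succeeded or not. That is what lets the IT person in the story answer "who deleted it, and when" from the log alone.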
Authentication, authorization, and accounting examples
The following authentication, authorization and accounting examples show how each of these identity and access management concepts works in real life. I've included answers along with the examples and also have these examples available as questions on my testing site.
Peter gets home from work and notices a delivery card posted through his mailbox from the post office. They have tried to deliver a package but there was no one home, as Peter was at work.
The post office worker decided to take the package back to the local depot and will try to deliver the package again the following day. On the delivery card, Peter notices there’s an option to collect the package in person from the post office depot.
So, with an hour still left before the sorting office closes, Peter decides to drive down to the depot. When he gets there, he goes to the counter and shows the assistant the delivery card he received.
The assistant asks Peter if he has any form of identification with him and Peter shows them his driving license. The assistant checks the license and can see Peter’s photo and corresponding address, which matches the computer system identity on the delivery card Peter brought in earlier.
The assistant goes into the depot warehouse and after a couple of minutes comes back with a package. Peter signs the form the assistant gives him to prove he has collected the package.
What category describes what the post office assistant did with Peter’s license?
Authentication, as Peter's card has his identity written on it, that is his name, and now he needs to provide something to prove the identity is actually him. Peter's driver's license verifies his identity.
Emily starts a new job with the local Pharma company and as part of the on-boarding process, she spends her first day having her photo taken, her user accounts for the computer systems being set up and meeting her co-workers. At the end of the first day, she receives her photographic identity card and can now use this to swipe and enter the buildings.
On her way out of the building, she accidentally takes the wrong turn, as the corridors all look the same (they will take time for her to get used to). At the end of this particular corridor, she sees a door with an exit sign above. Next to the door is a swipe point and she swipes her card, but the light on the swipe point, instead of going green and opening the door, goes red and makes a dull sound.
After several failed attempts, she decides to head back the way she came and ask someone on the way for directions to reception. Once she finally gets to reception, after being told by one of the cleaners how to get there, she asks the receptionist why she couldn't exit from the door earlier. The receptionist describes the reason as being one of what?
Authorization, as Emily wasn’t allowed to exit the office from the exit door she tried. She could exit from the doors at reception because she was authorized to do so.
Mega Forensics of Birmingham were contacted by a customer who wanted help in finding out which one of their staff was stealing money from their company. Over time, several thousand dollars had disappeared, and the company was at a loss as to who could be stealing this money amongst their staff.
Mega Forensics asked for the following information from the company:
- CCTV recordings
- Office access records (Swipe cards)
- Computer access records
Armed with this information, Mega Forensics started to analyse the CCTV recordings and access records to see if they could work out who the culprit was. What security category could this type of information be categorised as?
Accounting, as the information requested by Mega Forensics is a record of activities, from CCTV recordings of people's movement and office access records (logged in files) to computer access records (known as auditing information).
AAA, that is Authentication, Authorization and Accounting, are important facets of security, allowing information and other assets to remain secure and only be accessed by those with permission to access them, with all access being recorded through logging to make sure there's a trail of evidence available if needed later on for investigation.
As I stated earlier, in my day-to-day life as a Cyber Security Architect AAA are fundamental principles I use. When a new cloud system is being put in place, I need to establish how the users of the new system will be authenticated, that is, which identity service (e.g. Microsoft Active Directory) will they use? What authorization will take place (e.g. Role Based Access Controls, RBAC)? How will the accounting aspects of authentication and authorization be implemented (e.g. Microsoft Active Directory auditing)?