The AAA of security
AAA, which stands for Authentication, Authorization and Accounting, defines a framework for computer network security. It provides intelligent control of access to computing resources, policy enforcement, and auditing.
Authentication is the first process in the framework. It provides the means of establishing the true identity of a user, entity or device trying to access a computing resource. For a user to gain access to a network resource, they are identified using unique credentials. Once the credentials the user provides match those stored in the system's database, access is granted. Otherwise, authentication fails and access is denied.
There are different methods of user authentication, and they vary in accuracy and in how difficult the user credentials are to forge. The simplest, most common and most vulnerable method is password authentication, where the user provides a username and password; more complex methods such as biometric authentication (fingerprints, palms and iris), smart card authentication and multifactor authentication also exist.
In password authentication, the user provides an account name and the password associated with that account. The credentials are matched against a database containing all authorized user accounts. If the credentials match an authorized account, access is granted. Since password authentication is vulnerable to cracking, it is recommended to use complex passwords that combine alphanumeric characters and symbols. User credentials transmitted over a network are also susceptible to sniffing, so encrypting the credentials in transit across the network is recommended.
Smart card authentication uses cryptographic authentication and offers a superior method to password authentication. The card holds public and private keys and the user's details, encrypted within the microchip embedded in the access card. To access a network or computing resource, the user inserts the access card into a reader, much like at an ATM, provides a personal PIN and is authenticated. The user must possess both the card and the PIN to gain access, which makes the method more secure.
Biometric authentication is more secure than password and smart card authentication. It uses biological traits that are unique to each person, e.g. fingerprints, voice, retinal and iris patterns. Due to its authentication strength, biometrics are becoming more prevalent. The best example is the use of biometric voice authentication in the Safaricom Jitambulishe service.
Different authentication protocols and methods are used depending on the type of system, application or level of security required. These include, but are not limited to, Kerberos, SSL, RADIUS, PAP, CHAP, AD and certificate services. I will discuss the workings and implementations of these protocols in detail in a future article.
Once a user, device or entity has been authenticated, the next step is authorization. Authorization defines a user's level of access, rights and permissions to computing resources, i.e. which resources they can access, what usage rights they have over those resources, and what actions they are allowed to take in the systems and over the resources they gain access to. Authorization enforces usage policies for computing resources.
Authorization proves to be the most complex of the three to manage. The recommendation is to keep it as simple as possible while still effective. Implementing a successful authorization service requires a simple and clear strategy. The approach should be to categorize users into groups based on their work responsibilities. Permissions and rights are then managed at the group level, and attention shifts to ensuring that each user belongs to a group with sufficient, but not excessive, rights to carry out their work.
Accounting is the final component of the AAA framework. It measures a user's resource utilization, i.e. the amount of time the user spends in the systems or the amount of data transferred. This is done by logging session statistics and usage information for billing, analysis, capacity planning and resource utilization planning.
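As an added example that is not part of the original article, the following Python sketch ties the three components together: password authentication against salted hashes, authorization managed at the group level as recommended above, and session accounting from start/stop records. The group names, permissions and user accounts are constructed for illustration.

```python
import hashlib
import hmac
import os

# Permissions are managed per group, as recommended above (constructed names).
GROUP_PERMISSIONS = {
    "helpdesk": {"ticket:read", "ticket:write"},
    "finance": {"ledger:read", "ledger:write"},
    "auditor": {"ticket:read", "ledger:read"},
}

def make_user(password, groups):
    """Store a salted PBKDF2 hash of the password, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return {"salt": salt, "hash": digest, "groups": set(groups)}

def authenticate(users, username, password):
    """Authentication: the presented credentials must match the stored record."""
    record = users.get(username)
    if record is None:
        return False  # unknown account is denied just like a wrong password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], 200_000)
    return hmac.compare_digest(digest, record["hash"])  # constant-time comparison

def authorize(users, username, permission):
    """Authorization: a user holds exactly the union of their groups' permissions."""
    groups = users.get(username, {}).get("groups", set())
    allowed = set().union(*(GROUP_PERMISSIONS.get(g, set()) for g in groups))
    return permission in allowed

def account(log, username, event, timestamp, octets=0):
    """Accounting: record session start/stop events for billing and analysis."""
    log.append({"user": username, "event": event, "time": timestamp, "octets": octets})

def usage_summary(log, username):
    """Total session seconds and bytes transferred, from paired start/stop records."""
    seconds, octets, started = 0, 0, None
    for rec in log:
        if rec["user"] != username:
            continue
        if rec["event"] == "start":
            started = rec["time"]
        elif rec["event"] == "stop" and started is not None:
            seconds += rec["time"] - started
            octets += rec["octets"]
            started = None
    return {"seconds": seconds, "octets": octets}
USERS = {"alice": make_user("correct horse battery", ["helpdesk"]),  # constructed accounts
         "bob": make_user("hunter2", ["auditor"])}
```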
To implement AAA in your computing environment, there are many solutions on offer from different vendors. While some come at a price, you can start by exploring a FreeRADIUS deployment. This will provide insight into what needs to be done within your environment to enhance information security.