The Accounting, Authorization, and Authentication Framework is a straightforward method for comprehending security concerns related to people’s access capabilities within an organization. In the early 2000s, the Internet Engineering Task Force conducted research and came up with the acronym. The three As are for Account, Authorize, and Authenticate. Systems can be made more secure by comprehending this framework and developing policies around it.
Understanding the fundamental subtleties of identity security can be achieved by breaking down the components of the Authentication, Authorization, and Accounting Framework.
Authentication
A secure identification system’s initial step is user authentication. The system must verify that the user logging in is who they claim to be. Three basic categories exist for techniques used to authenticate individuals:
- What They Know: A person’s knowledge can be verified by their password. The same purpose is also served by security questions.
- Who They Are: Individuals can be verified through biometric tests or fingerprints.
- What They Have: One way to verify an individual’s identity is through access cards that allow entry into buildings. A person’s possessions are also used by mobile devices that offer two-factor authentication to confirm identity.
To guarantee that individuals are correctly authenticated, authentication techniques are frequently combined.
Authorization
The next step is to ascertain the kind of authorization that employees possess within a network. Certain areas of a network should only be accessible to the appropriate individuals. Within an organization, there are several frameworks for handling this.
- Mandatory Access Control (MAC): The degree of protection that an individual receives depends on the security of the material that they are able to access. This is typical of military applications.
- Discretionary Access Control (DAC): The person who owns a file or area grants access to it. A Google Doc serves as an illustration of this framework, allowing the creator to grant access to anyone they choose.
- Role-Based Access Control (RBAC) – Access is based on a person’s role in an organization. For instance, inventory may be accessible to the shipping department but not marketing materials.
Generally speaking, the objective is to grant users the fewest privileges necessary to complete their tasks. These are more secure when access to sensitive areas is restricted.
Accounting
Once an individual starts using a network and logging in, it is important to keep an eye on their usage. A Security Information and Event Management (SIEM) system or another type of auditing and monitoring tool can be used to achieve this. Depending on the files being accessed or attempted to be accessed, it is possible to determine the level of authorization required. One might question whether the person gaining access to the network was duly authenticated when there is suspicious activity.
Real-World Identity Security
These elements are put together in several well-known protocols to help businesses handle the various facets of identity security. RADIUS, or Remote Authentication Dial-In User Service, is one instance. RADIUS is an open protocol that provides access for users trying to connect to a network, accounting of usage, and authorization for records. TACACS (Terminal Access Controller Access Control System) and Microsoft Active Directory are two more access control and authentication schemas.
Not sure where to start? Nerdiv offers top-notch technology consulting services to protect your company.
