Authentication, Authorization, and Accounting (AAA) (39.2.4)
Let’s look into administrative access controls in more detail.
The concept of administrative access controls involves three security services: authentication, authorization, and accounting (AAA).
These services provide the primary framework to control access, preventing unauthorized access to a computer, network, database, or other data resource.
Authentication
The first A in AAA represents authentication. Authentication is the verification of the identity of each user, to prevent unauthorized access. Users claim an identity with a username or ID, and then prove that the identity is theirs by providing one of the following:
- Something they know (such as a password)
- Something they have (such as a token or card)
- Something they are (such as a fingerprint)
In the case of two-factor authentication, which is increasingly becoming the norm, authentication requires a combination of two of the above categories rather than just one. The factors must come from different categories: a password plus a PIN is two things the user knows, and is still single-factor, whereas a password plus a hardware token (something known plus something possessed) is two-factor.
Authorization
Authorization services determine which resources users can access, along with the operations that users can perform.
Some systems accomplish this by using an access control list, or an ACL. An ACL determines whether a user has certain access privileges once the user authenticates. Just because you can log in to the corporate network does not mean that you have permission to use the high-speed color printer, for example.
Authorization can also control when a user has access to a specific resource. For example, employees may have access to a sales database during work hours, but the system locks them out after hours.
Accounting
Accounting in AAA is not financial accounting. It keeps track of what users do, including what they access, how long they access it, and any changes they make.
For example, a bank keeps track of each customer account. An audit of that system can reveal the time and amount of all transactions and the employee or system that executed the transactions. Cybersecurity accounting services work the same way. The system tracks each data transaction and provides auditing results. System administrators can set up computer policies to enable system auditing.
The concept of AAA is like using a credit card. The credit card identifies who can use it, how much that user can spend, and accounts for items or services the user purchased.
Cybersecurity accounting tracks and monitors user activities in real time.
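The three services described above, put together in one small flow, as an added example (this is not code from the course): authentication that requires two factors from different categories (a password plus a code from a possession token), authorization against an ACL that also carries the work-hours restriction from the sales database example, and accounting that records every decision. The user, token secret, resources, time windows and request timestamps are constructed sample data, and the password hashing is kept deliberately simple.

```python
"""Minimal AAA flow: two-factor authentication, ACL-based authorization with a
time-of-day constraint, and an accounting (audit) log. Added illustration, not
course code; every user, token and resource below is constructed sample data."""
import hashlib
import hmac
from datetime import datetime, time
from typing import Dict, List, Tuple

# Fixed salt keeps the example deterministic (assumption: a real system uses a
# per-user random salt and a slow password hash such as argon2 or bcrypt).
_SALT = b"constructed-salt"


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 10_000)


# Constructed sample data: one user, one hardware token, two resources.
USERS: Dict[str, dict] = {
    "alice": {"pw": _hash_password("correct horse"), "token": "TOK-0001"},
}
TOKEN_SECRETS: Dict[str, bytes] = {"TOK-0001": b"constructed-token-secret"}
# ACL: resource -> allowed users and, optionally, the hours during which
# access is permitted (the sales database is locked after work hours).
ACL: Dict[str, dict] = {
    "sales_db": {"users": {"alice"}, "hours": (time(9, 0), time(17, 0))},
    "color_printer": {"users": set(), "hours": None},
}
# Constructed request times used by the demo below.
BUSINESS_HOURS = datetime(2024, 3, 4, 10, 30)
AFTER_HOURS = datetime(2024, 3, 4, 20, 0)

AUDIT_LOG: List[dict] = []


def record(event: str, **fields) -> None:
    """Accounting: append a record of who did what, and with what result."""
    AUDIT_LOG.append({"event": event, **fields})


def token_code(serial: str, counter: int) -> str:
    """'Something you have': HOTP-style 6-digit code from a per-token secret."""
    mac = hmac.new(TOKEN_SECRETS[serial], counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def authenticate(username: str, password: str, code: str, counter: int) -> bool:
    """Two factors from different categories must both verify: knowledge
    (password) and possession (token code). Username alone only identifies."""
    user = USERS.get(username)
    # Hash even for unknown users so timing does not reveal which usernames exist.
    stored = user["pw"] if user else _hash_password("")
    know_ok = hmac.compare_digest(stored, _hash_password(password))
    have_ok = user is not None and hmac.compare_digest(token_code(user["token"], counter), code)
    ok = user is not None and know_ok and have_ok
    record("authn", user=username, result="success" if ok else "failure")
    return ok


def authorize(username: str, resource: str, now: datetime) -> Tuple[bool, str]:
    """Consult the ACL: who may use the resource, and when."""
    entry = ACL.get(resource)
    if entry is None:
        reason = "no such resource"
    elif username not in entry["users"]:
        reason = "not in ACL"
    elif entry["hours"] and not (entry["hours"][0] <= now.time() < entry["hours"][1]):
        reason = "outside allowed hours"
    else:
        reason = "allowed"
    record("authz", user=username, resource=resource, result=reason)
    return reason == "allowed", reason


def request_access(username: str, password: str, code: str, counter: int,
                   resource: str, now: datetime) -> Tuple[bool, str]:
    """Full AAA sequence: authenticate first, then authorize; both are logged."""
    if not authenticate(username, password, code, counter):
        return False, "authentication failed"
    return authorize(username, resource, now)


if __name__ == "__main__":
    print(request_access("alice", "correct horse", token_code("TOK-0001", 7), 7, "sales_db", BUSINESS_HOURS))
    print(request_access("alice", "correct horse", token_code("TOK-0001", 8), 8, "sales_db", AFTER_HOURS))
    print(request_access("alice", "correct horse", token_code("TOK-0001", 9), 9, "color_printer", BUSINESS_HOURS))
    for entry in AUDIT_LOG:
        print(entry)
```

Note that a successful login (authentication) does not by itself grant the printer: the ACL lookup is a separate decision, and the audit log records the authentication success and the authorization refusal as two distinct events, which is exactly the separation the three services are meant to give you.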
What Is Identification? (39.2.5)
Identification is the step in which a subject claims an identity; it is the foundation on which the rules established by the authorization policy are enforced. Every time access to a resource is requested, the access controls use the identified subject to determine whether to grant or deny access.
A unique identifier ensures the proper association between allowed activities and subjects. A username is the most common method used to identify a user. An identifier can also be an alphanumeric combination, a personal identification number (PIN), a smart card, or a biometric, such as a fingerprint, retina scan, or voice recognition. Note that several of these (a PIN, a card, a biometric) double as authentication factors; identification only says who the subject claims to be, and authentication then proves it.
A unique identifier ensures that a system can identify each user individually, therefore allowing an authorized user to perform the appropriate actions on a particular resource.