The AAA Framework is a simple way to understand security issues surrounding the access ability of individuals within an organization. The Internet Engineering Task Force researched and coined the acronym in the early 2000s. The 3 As stand for Authenticate, Authorize and Account. Understanding and crafting policies around this framework can help make systems more secure.
Using the AAA Framework and drilling down into the components helps people understand the basic nuances of identity security.
- What They Know: Someone's password can authenticate what they know. Security questions also accomplish the same function.
- Who They Are: A fingerprint or other bio metric tests can authenticate people.
- What They Have: Access cards to enter a building can be used to authenticate a person. Mobile devices providing 2-factor authentication also use what a person has to verify identity.
Determining the type of authorization employees have within a network is next step. The right people should the right access level to areas of a network. There are different frameworks to handle this within a company.
- Mandatory Access Control (MAC) - The level of security a person is granted is related to the security of the content being accessed. This is common in military use-cases.
- Discretionary Access Control (DAC) - Access to a file or area is given by the owner of that area. An example of this framework is a Google doc where access can shared by the creator with whoever they desire.
- Role-Based Access Control (RBAC) - Access is determined by the role within an organization. For example, the shipping department might have access to inventory but not marketing collateral.
In general, giving users the least amount of privileges needed to accomplish their job is the goal. Limiting access to sensitive areas makes these more secure.
After a person begins logging into a network and working, their usage should be monitored. This can be accomplished with a Security Information and Event Management (SIEM) or other auditing and monitoring tool. Knowing what files a person is accessing or attempting to access can inform whether more or less authorization is needed. Suspicious activity can prompt questions as to whether the person accessing the network was authenticated correctly.
Real-World Identity Security
Several popular protocols put these elements together into a package to help manage the elements of identity security for organizations. RADIUS, which stands for Remote Authentication Dial-In User Service is one example. RADIUS is an open protocol that provides access for users trying to connect to a network, authorization for records and accounting of the usage. Microsoft Active Directory and TACACS (Terminal Access Controller Access Control System) are other authentication and access schemas.
Not sure where to begin? CIPHER provides award-winning security consulting services to secure your business.