The AAA Framework for Identity Access Security

The AAA Framework is a simple way to understand the security issues surrounding the access rights of individuals within an organization. The model was formalized by the Internet Engineering Task Force (IETF), whose AAA working group published a generic AAA architecture (RFC 2903) in 2000. The 3 As stand for Authentication, Authorization and Accounting. Understanding and crafting policies around this framework can help make systems more secure.

Using the AAA Framework and drilling down into the components helps people understand the basic nuances of identity security. 

AAA Framework Infographic

1. Authentication

Authenticating users is the first step in a secure identification system. The system needs to make sure the person accessing it is who they say they are. Methods of authenticating a person fall into three main categories, often called factors:
  • What They Know: A password authenticates by something the person knows. Security questions work the same way, but their answers are often guessable or publicly discoverable, so they are a weak factor on their own.
  • Who They Are: A fingerprint or other biometric test authenticates by a physical characteristic of the person.
  • What They Have: An access card used to enter a building authenticates by possession. An authenticator app or hardware token that generates one-time codes for 2-factor authentication also proves possession of a device.
Combining factors from two different categories (multi-factor authentication) authenticates people far more reliably than any single factor; two factors of the same kind, such as a password plus security questions, do not give the same protection.

2. Authorization

Determining the level of authorization employees have within a network is the next step. The right people should have the right level of access to each area of the network. There are different models for handling this within a company.

  • Mandatory Access Control (MAC) - A central policy labels both users (clearance) and content (classification), and access is decided by comparing the two; neither the user nor the content's owner can change the labels. This is common in military use-cases.
  • Discretionary Access Control (DAC) - Access to a file or area is granted by the owner of that file or area. An example of this model is a Google Doc, where access can be shared by the creator with whoever they choose.
  • Role-Based Access Control (RBAC) - Access is determined by the person's role within the organization. For example, the shipping department might have access to inventory but not to marketing collateral.

In general, the goal is to give users the least amount of privilege needed to accomplish their job (the principle of least privilege). Limiting who can reach sensitive areas makes those areas more secure and shrinks the damage a compromised account can do.
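To make the three models concrete, here is an added Python example (not from the original article) that evaluates the same kinds of decisions under each one. The MAC rules are the Bell-LaPadula "no read up, no write down" policy, the classic military form of MAC; the DAC object models a shared document whose owner alone may grant access; the RBAC tables reuse the shipping and marketing example from the text. All users, roles, labels and permissions are constructed for the demo.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed example data: a few users and two resources, evaluated under each model.

# --- Mandatory Access Control: labels are assigned centrally and cannot be changed by users ---
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


def mac_allows(clearance: str, classification: str, action: str) -> bool:
    """Bell-LaPadula rules: a subject may read objects at or below its clearance (no read up)
    and write only at or above it (no write down), so secret content cannot be copied into a
    lower-labelled file. Unknown labels raise rather than defaulting to allow."""
    subject, obj = LEVELS[clearance], LEVELS[classification]
    if action == "read":
        return subject >= obj
    if action == "write":
        return subject <= obj
    raise ValueError(f"unknown action {action!r}")


# --- Discretionary Access Control: the owner decides who else may use the object ---
@dataclass
class SharedDocument:
    owner: str
    acl: dict[str, set[str]] = field(default_factory=dict)  # user -> actions granted

    def share(self, granter: str, grantee: str, *actions: str) -> None:
        """Only the owner may extend access; anyone else attempting to is refused."""
        if granter != self.owner:
            raise PermissionError(f"{granter} does not own this document")
        self.acl.setdefault(grantee, set()).update(actions)

    def allows(self, user: str, action: str) -> bool:
        return user == self.owner or action in self.acl.get(user, set())


# --- Role-Based Access Control: permissions attach to roles, users hold roles ---
ROLE_PERMISSIONS = {
    "shipping": {("inventory", "read"), ("inventory", "write")},
    "marketing": {("collateral", "read"), ("collateral", "write"), ("inventory", "read")},
    "auditor": {("inventory", "read"), ("collateral", "read")},
}
USER_ROLES = {"dana": {"shipping"}, "eli": {"marketing"}, "fay": {"auditor"}}


def rbac_allows(user: str, resource: str, action: str) -> bool:
    """A user may act only through a permission held by one of their roles; unknown users get nothing."""
    return any((resource, action) in ROLE_PERMISSIONS[role] for role in USER_ROLES.get(user, ()))


def least_privilege_roles(needed: set[tuple[str, str]]) -> set[str]:
    """Least privilege check for role assignment: return the roles that together cover exactly
    the permissions a job needs. If no combination fits without granting something extra,
    return an empty set, signalling that a narrower role should be defined instead."""
    candidates = {role for role, perms in ROLE_PERMISSIONS.items() if perms <= needed}
    covered = set().union(*(ROLE_PERMISSIONS[r] for r in candidates)) if candidates else set()
    return candidates if covered == needed else set()
```

The `least_privilege_roles` helper is the part most often skipped in practice: when a job needs only inventory read access, assigning the auditor or marketing role "because it has inventory in it" grants collateral access the person never needed.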

3. Accounting

After a person logs into a network and begins working, their activity should be logged and monitored. This can be accomplished with a Security Information and Event Management (SIEM) system or another auditing and monitoring tool. Knowing which files a person accesses or attempts to access can inform whether more or less authorization is needed: permissions that are never used are candidates for removal, and repeated denied attempts suggest someone probing beyond their role. Suspicious activity can also prompt the question of whether the person on the account was authenticated correctly, or whether their credentials have been stolen.
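As an added example of the accounting step (not code from the original article), the Python below runs two reviews a SIEM or audit script would perform over access-decision logs: flagging users with a burst of denied attempts, and listing role permissions that were granted but never exercised. The log format, the log lines, and the role tables are all constructed for the demo; real audit records will differ in shape but carry the same fields.

```python
from __future__ import annotations

import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed audit trail (not real logs): one line per access decision, as an
# authorization service might emit them and a SIEM would ingest them.
SAMPLE_LOG = """\
2024-03-04T09:00:01Z user=dana resource=inventory action=read result=allow
2024-03-04T09:00:40Z user=eli resource=collateral action=read result=allow
2024-03-04T09:01:15Z user=dana resource=inventory action=read result=allow
2024-03-04T09:02:03Z user=dana resource=collateral action=write result=deny
2024-03-04T09:02:09Z user=dana resource=collateral action=read result=deny
2024-03-04T09:02:31Z user=dana resource=payroll action=read result=deny
2024-03-04T09:05:00Z user=eli resource=inventory action=read result=allow
2024-03-04T17:45:12Z user=eli resource=payroll action=read result=deny
"""

# Constructed role model, matching the authorization example in the text.
ROLE_PERMISSIONS = {
    "shipping": {("inventory", "read"), ("inventory", "write")},
    "marketing": {("collateral", "read"), ("collateral", "write"), ("inventory", "read")},
    "auditor": {("inventory", "read"), ("collateral", "read")},
}
USER_ROLES = {"dana": {"shipping"}, "eli": {"marketing"}, "fay": {"auditor"}}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kv>.*)$")


def parse_line(line: str) -> dict:
    """Parse 'timestamp key=value ...' into a dict with a timezone-aware datetime under 'ts'."""
    match = LINE_RE.match(line.strip())
    if not match:
        raise ValueError(f"unparseable log line: {line!r}")
    event = dict(pair.split("=", 1) for pair in match.group("kv").split())
    event["ts"] = datetime.fromisoformat(match.group("ts").replace("Z", "+00:00"))
    return event


def parse_log(text: str) -> list[dict]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def repeated_denials(events: list[dict], threshold: int = 3, window_seconds: int = 300) -> set[str]:
    """Flag users with `threshold` or more denials inside any `window_seconds` span.
    A sliding window per user keeps only the denials still inside the window."""
    flagged: set[str] = set()
    recent: dict[str, deque] = defaultdict(deque)
    for event in sorted(events, key=lambda e: e["ts"]):
        if event["result"] != "deny":
            continue
        window = recent[event["user"]]
        window.append(event["ts"])
        while (event["ts"] - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            flagged.add(event["user"])
    return flagged


def unused_grants(events: list[dict]) -> dict[str, set[tuple[str, str]]]:
    """Permissions a user's roles grant that the log never shows them using.
    These are candidates for removal under least privilege."""
    used: dict[str, set[tuple[str, str]]] = defaultdict(set)
    for event in events:
        if event["result"] == "allow":
            used[event["user"]].add((event["resource"], event["action"]))
    report = {}
    for user, roles in USER_ROLES.items():
        granted = set().union(*(ROLE_PERMISSIONS[role] for role in roles)) if roles else set()
        report[user] = granted - used[user]
    return report
```

Run over a realistic retention period rather than one day before acting on `unused_grants`; a permission used once a quarter is still a permission the job needs.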

Real-World Identity Security

Several widely used protocols package these elements together to help organizations manage identity security. RADIUS, which stands for Remote Authentication Dial-In User Service, is one example. RADIUS is an open protocol (RFC 2865, with accounting in RFC 2866) in which a network access server forwards a user's credentials to a central server, which authenticates the user, returns authorization attributes for the session, and collects accounting records of the usage. TACACS+ (Terminal Access Controller Access Control System Plus), common for administering network devices, is another AAA protocol and separates the three functions more cleanly than RADIUS. Microsoft Active Directory is a directory service rather than an AAA protocol, but it fills the same role in many enterprises, authenticating users with Kerberos and exposing group membership for authorization over LDAP.
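As an added example (not code from the original article or from any RADIUS implementation), the Python below walks through one RADIUS authentication exchange from both sides: the client builds an Access-Request with the User-Password hidden as RFC 2865 section 5.2 specifies, the server recovers and checks the password and answers Access-Accept or Access-Reject, and the client verifies the Response Authenticator from section 3 before trusting the reply. The shared secret, usernames and passwords are constructed for the demo. The hiding scheme is MD5 with a static shared secret, which is why production deployments should carry RADIUS over TLS (RadSec) or IPsec rather than relying on it alone.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import struct

# RFC 2865 packet codes and the two attribute types this example uses
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; a 16-byte Authenticator follows


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each with MD5(secret + previous block),
    seeding the chain with the Request Authenticator. This hides the password from casual
    capture but is obfuscation resting on MD5 and a static secret, not modern encryption."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of 5.2. Padding is stripped, so passwords ending in NUL bytes are not supported."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value; Length counts the two header bytes as well."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("BB", attr_type, len(value) + 2) + value


def parse_attributes(data: bytes) -> dict:
    """Walk the TLVs, refusing any length that would run past the packet."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs[attr_type] = data[i + 2:i + length]  # last occurrence wins; enough for this example
        i += length
    return attrs


def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return HEADER.pack(code, ident, HEADER.size + 16 + len(attrs)) + authenticator + attrs


def response_authenticator(code: int, ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = HEADER.size + 16 + len(attrs)
    return hashlib.md5(HEADER.pack(code, ident, length) + request_auth + attrs + secret).digest()


def client_access_request(ident: int, username: bytes, password: bytes, secret: bytes) -> tuple[bytes, bytes]:
    """Client (NAS) side: fresh random Request Authenticator and hidden password. Returns (packet, request_auth)."""
    request_auth = os.urandom(16)
    attrs = attribute(USER_NAME, username) + attribute(USER_PASSWORD, hide_password(password, secret, request_auth))
    return packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def server_respond(request: bytes, secret: bytes, users: dict) -> bytes:
    """Server side: validate framing, recover the password, answer Accept or Reject."""
    code, ident, length = HEADER.unpack_from(request)
    if code != ACCESS_REQUEST or length != len(request) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    request_auth = request[4:20]
    attrs = parse_attributes(request[20:length])
    if USER_NAME not in attrs or USER_PASSWORD not in attrs:
        raise ValueError("missing User-Name or User-Password")
    supplied = reveal_password(attrs[USER_PASSWORD], secret, request_auth)
    expected = users.get(attrs[USER_NAME])
    ok = expected is not None and hmac.compare_digest(supplied, expected)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return packet(code, ident, response_authenticator(code, ident, request_auth, b"", secret), b"")


def client_verify(response: bytes, request_auth: bytes, secret: bytes) -> tuple[bool, int]:
    """Client side: trust a reply only if its Response Authenticator matches our Request Authenticator
    and shared secret; otherwise it may be spoofed or come from a server with the wrong secret."""
    code, ident, length = HEADER.unpack_from(response)
    if length != len(response) or length < 20:
        return False, code
    expected = response_authenticator(code, ident, request_auth, response[20:length], secret)
    return hmac.compare_digest(response[4:20], expected), code
```

The Response Authenticator is the only thing binding a reply to the request, so a client that skips `client_verify` will accept an Access-Accept from anyone who can send UDP to it.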
