by Eyal Estrin, Cloud Architect, Inter-University Computation Center (IUCC)

Our next installment in the alphabet soup of internet security is AAA, or Authentication, Authorization & Accounting. AAA is a framework for controlling access to computer resources, enforcing policies, auditing usage, and providing the information necessary to bill for services. These combined processes are important for network management and security.

Authentication is about identifying users, usually by asking them to provide credentials. Examples of authentication vulnerabilities are anonymous logins instead of requiring students to supply a username and password, weak passwords (such as 123456789), and the lack of cryptographic key rotation (for example, researchers who use AWS access keys and fail to replace them on a regular basis). Ways to mitigate these vulnerabilities include:

  • Multi-factor authentication
  • Biometric authentication
  • Smart card
  • One time passwords

Authorization deals with granting access rights to a resource or system. Examples of authorization incidents that pose security threats include privilege escalation (a student who manages to get root access to a server he is not permitted to use) and the ability to change database records without an approval mechanism (for example, a hacker who is able to change research records in a database stored in a public cloud). Ways to mitigate these vulnerabilities include:

  • Access control lists
  • File permissions
  • Granting access according to a specific time frame

Accounting addresses the need to audit the activity of a user, computer or process on a system. Examples of accounting-related threats include using privileged commands without logging (for example, a student who manages to erase a video lecture from a learning management system), accessing a university network outside business hours, and performing a brute-force attack against a faculty public web site. Ways to mitigate these threats include:

  • Audit trails
  • Access logs
  • Resource monitoring
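As an added example that is not part of the original article, the following Python script shows the kind of detection logic an access log makes possible for the two accounting threats just described: a burst of failed logins from one source (brute force) and successful logins outside business hours. The log format, the sample lines, the failure threshold and the business hours are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, time, timedelta

# Constructed sample access-log lines in a hypothetical format:
# "<ISO timestamp> <source IP> <username> <LOGIN_OK|LOGIN_FAIL>"
SAMPLE_LOG = """\
2024-03-04T09:15:02 10.0.0.5 alice LOGIN_OK
2024-03-04T23:41:10 10.0.0.9 bob LOGIN_OK
2024-03-04T23:41:12 198.51.100.7 admin LOGIN_FAIL
2024-03-04T23:41:13 198.51.100.7 admin LOGIN_FAIL
2024-03-04T23:41:14 198.51.100.7 root LOGIN_FAIL
2024-03-04T23:41:15 198.51.100.7 admin LOGIN_FAIL
2024-03-04T23:41:16 198.51.100.7 admin LOGIN_FAIL
2024-03-05T10:02:33 10.0.0.5 alice LOGIN_FAIL
2024-03-05T10:02:40 10.0.0.5 alice LOGIN_OK
"""
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)  # assumed business hours

def parse(log_text):
    """Parse the log text into (timestamp, ip, user, result) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events

def brute_force_sources(events, threshold=5, window=timedelta(minutes=1)):
    """Return source IPs with >= threshold failed logins inside one sliding window."""
    failures = defaultdict(list)
    for ts, ip, _user, result in events:
        if result == "LOGIN_FAIL":
            failures[ip].append(ts)
    flagged = set()
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # drop failures older than the window
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged

def off_hours_logins(events):
    """Return (user, timestamp) for successful logins outside business hours."""
    return [(user, ts) for ts, _ip, user, result in events
            if result == "LOGIN_OK" and not (BUSINESS_START <= ts.time() < BUSINESS_END)]
```

Run against the sample, `brute_force_sources` flags 198.51.100.7 (five failures within four seconds) and `off_hours_logins` reports bob's successful login at 23:41; in practice the thresholds would be tuned to the system's normal traffic.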

Reference:
https://searchsecurity.techtarget.com/definition/authentication-authorization-and-accounting