AAA — back to the basics of authentication, authorization and accounting
Opinions expressed are solely my own and do not express the views or opinions of my employer.
My son goes back to school this week, and I’ve spent most of the weekend reminiscing about the fun and excitement that he’ll have this year learning new things, continuing to build on the building blocks of a great education and meeting new friends. It made me think a lot about how the security industry continues to try to figure out new and exciting ways to layer on security and complexity, without really getting the basics right.
So, basics…. I’m sure you have all heard numerous stories of security programs being reinvigorated with a back to basics stream. What you may not have heard much detail on is about what the basics actually are. Hopefully this small series of posts can help you explore this in more detail.
The basics still start with A… A… and A…
When I was just getting into security, one of the more often used and quoted frameworks was the relatively simple AAA framework, where the three A’s represented Authentication, Authorization and Accounting.
The framework was intended to help people consider the nuances of identity management and think specifically about how we verify which digital identities are permitted to use a system (through authentication, e.g. passwords), what they are authorized to do (through authorization, e.g. admin privileges) and how we capture the actions performed by the user (through accounting, e.g. logs).
Although the threats facing organizations have increased in sophistication, I believe this framework is still one of the best foundational approaches you can adopt.
So how would this work in a modern organization?
Authentication? Don’t you mean Zero Trust?
Yes … eventually. Authentication is an area where we have seen a much-needed shift in thinking, as security practitioners have realized that historical perimeter-based security models, which authenticate users, devices and services at the perimeter, are no longer adequate. Zero trust architecture is intended to remove the concept of trust from authentication processes, and as a result “Verify and Never Trust”.
In the end, this really just means more authentication, rather than less, but can require a fundamental re-architecture of existing networks for organizations. It’s the equivalent of having a security guard and a locked door with different keys for every room, instead of just a front door.
This can take time to implement, and there are a lot more basics to get right in authentication. Firstly, multi-factor authentication is no longer negotiable — it needs to be implemented for all online services (if not all services), so stop delaying and get it implemented for all your users.
Authorization — too little is better than too late
Authorization is usually one of the most overlooked controls in a CISO’s armory, but imagine if every digital identity (human and machine) in an organization had the same privileges and access to the same information, systems, and data.
Authorization is absolutely essential to restricting the actions of digital identities to only what they absolutely need to perform and thereby reducing risk. It should form the basis for every security program, but can be daunting in complexity.
In my opinion, the key to getting the basics right is least privilege and focusing on what privileges an identity (be it human or machine) needs to do their job on a daily basis compared to identifying all the permissions they might possibly need to do their actual role. It may surprise you that you can always add permissions when you actually need them and only when you need them.
Auditing — Who did what?
It sounds simple to most people, but it is surprisingly complicated to be able to determine everything that an identity did after authenticating.
However difficult it may be, it should absolutely be one of the building blocks that you build a robust security program around. Knowing what is being accessed or attempted to be accessed is not enough. Knowing what every single unique identity is doing or attempting to do to every resource in your environment is not only a mandatory requirement for detecting threats and for robust incident response, but also a necessity for a successful zero trust implementation, for optimising user experience and for rightsizing least privilege.
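The two points above (add permissions only when an identity actually needs them, and use accounting data to rightsize least privilege) fit together in code. The following is an added example, not part of the original post: it compares the privileges each identity has been granted against what the audit log shows it actually used, and separately surfaces denied attempts as a detection signal. The identities, the AWS-style action names and the log records are all constructed for illustration.

```python
"""Rightsize granted privileges from accounting records (constructed example)."""
from collections import defaultdict

# Constructed: what each identity (human and machine) is currently authorized to do.
GRANTED = {
    "alice": {"s3:GetObject", "s3:PutObject", "s3:DeleteObject", "iam:PassRole"},
    "build-bot": {"s3:GetObject", "ecr:PutImage", "ecr:GetAuthorizationToken"},
}

# Constructed accounting records: who did (or tried to do) what, to which resource.
AUDIT_LOG = [
    {"identity": "alice", "action": "s3:GetObject", "resource": "reports/q2.csv", "outcome": "allowed"},
    {"identity": "alice", "action": "s3:PutObject", "resource": "reports/q3.csv", "outcome": "allowed"},
    {"identity": "alice", "action": "iam:CreateUser", "resource": "svc-tmp", "outcome": "denied"},
    {"identity": "build-bot", "action": "ecr:GetAuthorizationToken", "resource": "*", "outcome": "allowed"},
    {"identity": "build-bot", "action": "ecr:PutImage", "resource": "app:1.4.2", "outcome": "allowed"},
]


def rightsize(granted, audit_log):
    """Split each identity's granted privileges into 'keep' (observed in use) and
    'remove' (never used in the observation window). Denied attempts are reported
    for the detection team, not treated as a reason to grant more. 'unaccounted'
    catches allowed actions the inventory of grants does not explain."""
    used = defaultdict(set)
    denied = defaultdict(set)
    for event in audit_log:
        bucket = used if event["outcome"] == "allowed" else denied
        bucket[event["identity"]].add(event["action"])

    report = {}
    for identity, perms in granted.items():
        report[identity] = {
            "keep": perms & used[identity],
            "remove": perms - used[identity],
            "denied_attempts": denied[identity],
            "unaccounted": used[identity] - perms,
        }
    return report


if __name__ == "__main__":
    for identity, result in rightsize(GRANTED, AUDIT_LOG).items():
        print(identity)
        for key in ("keep", "remove", "denied_attempts", "unaccounted"):
            print(f"  {key:16} {sorted(result[key])}")
```

In practice the observation window matters: a privilege used only at quarter end will look unused in a one-week sample, so the "remove" set is a review queue, not an automatic revocation list.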
So let’s get back to Basics starting with A….
Hopefully this advice on its own is useful in planning some of your back to basics security activity. Check in again soon for more blog posts focused on access management — particularly in the cloud.