5.8 Differentiate authentication, authorization, and accounting concepts

How does a secure system provide access to an individual?  Through IAAA (Identification, Authentication, Authorization, and Accounting), also known as AAA (Authentication, Authorization, and Accounting).

  • Identification is the step in which a person claims an identity by presenting credentials to the system (such as a smart card, an access card, an identification card, or a username).  The credentials may have been compromised, so at this stage the system has not yet verified the person’s identity.
  • Authentication is the step in which the person is positively identified.  Examples of authentication:
    • User presented a smart card and entered their PIN correctly
    • Presented an identification card to a security guard who positively compares the photograph on the card with the face of the individual
    • Entered the correct username and password into a computer
    • Scanned an access card at a card reader (the access card is a weak form of authentication because a lost/stolen access card can be used by an unauthorized individual)
  • Authorization is the process of providing the user with access to the resources that he requested.  Just because a user requested access and entered the correct username/password does not mean that the user is entitled to access.
    • For example, a user comes to work on a weekend but is not permitted to be there at that time.  The security guard recognizes the employee as a legitimate employee and verifies his identification but does not permit access.
    • A user logs in to an HR system with the correct username and password but is not authorized to access the system.
  • Accounting is the process of keeping track of who accessed what.  Accounting is important for audits, and to ensure that all access attempts are legitimate.  For example, patients have the right to know who accesses their personal health data.  A nurse at a hospital may have the ability (authorization) to access the electronic health records of any patient at the hospital but should only do so if she has a legitimate need (and not because she is curious).  The system should be able to track every time a patient record was accessed.
  • We should log the following:
    • What credentials were used (username, password, etc.)?
    • What system did they log in to (computer, door, entrance, etc.)?
    • What resources did they access (shared folder, printer, etc.)?
    • When did the access take place?
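
The four stages above can be seen as separate checks in one access request. The following is an added example, not part of the original study material; the users, passwords, system and resource names are constructed, and it assumes the accounting record stores the type of credential used rather than the secret itself.

```python
import hashlib, hmac, os
from datetime import datetime, timezone

def _derive(password: str, salt: bytes) -> bytes:
    # Store a salted, slow hash of the password, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _new_user(password: str):
    salt = os.urandom(16)
    return salt, _derive(password, salt)

# Constructed sample data (hypothetical users and resources).
USERS = {"alice": _new_user("correct horse"), "bob": _new_user("hunter2!")}
PERMISSIONS = {"alice": {"hr_system"}, "bob": {"shared_folder"}}
AUDIT_LOG = []  # accounting: one record per access attempt, success or not

def request_access(username, password, system, resource, now=None):
    """Identification -> authentication -> authorization, always logged."""
    now = now or datetime.now(timezone.utc)
    # Identification: the username is only a claim at this point.
    salt, stored = USERS.get(username, (b"\0" * 16, b""))
    # Authentication: verify the claim. The hash is computed even for an
    # unknown user, and compared in constant time.
    candidate = _derive(password, salt)
    authenticated = username in USERS and hmac.compare_digest(stored, candidate)
    # Authorization: a correct password alone does not grant the resource.
    authorized = authenticated and resource in PERMISSIONS.get(username, set())
    if not authenticated:
        outcome = "auth_failed"
    elif not authorized:
        outcome = "denied"
    else:
        outcome = "granted"
    # Accounting: which credentials, which system, which resource, when.
    AUDIT_LOG.append({
        "username": username,
        "credential_type": "password",  # the type only, not the secret
        "system": system,
        "resource": resource,
        "time": now.isoformat(),
        "outcome": outcome,
    })
    return outcome

if __name__ == "__main__":
    request_access("alice", "correct horse", "hr-server", "hr_system")
    request_access("bob", "hunter2!", "hr-server", "hr_system")
    for record in AUDIT_LOG:
        print(record)
```

Here bob authenticates successfully but is denied the HR system, matching the second authorization example above, and both attempts still produce an accounting record.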