What is AAA Security? Authentication, Authorization, and Accounting
In this article, we'll cover the Authentication, Authorization, and Accounting (AAA) framework for cybersecurity, the meaning of each AAA component, and the benefits of using it for granular access control. You'll learn about different AAA protocols and how they relate to Identity and Access Management (IAM). By the end of this article, you'll fully understand AAA networking and how the model assists with network security and monitoring.
What is Authentication, Authorization, and Accounting (AAA)?
Authentication, Authorization, and Accounting (AAA) is a three-process framework used to manage user access, enforce user policies and privileges, and measure the consumption of network resources.
The AAA system works in three chronological and dependent steps, where one must take place before the next can begin. These AAA protocols are typically run on a server that performs all three functions automatically. This enables IT management teams to easily maintain network security and ensure that users have the resource access they need to perform their jobs.
Authentication
Authentication is the process of identifying a user and granting them access to the network. Most of the time, this is done through traditional username and password credentials. However, users could also use passwordless authentication methods, including biometrics like eye scans or fingerprints, and hardware such as tokens or smart cards.
The server compares the credential data submitted by the user against the credentials stored in the network's database. Many enterprises use Active Directory as the database for storing and evaluating those credentials.
Authorization
After authentication, the authorization process enforces the network policies, granular access control, and user privileges. The cybersecurity AAA protocol determines which specific network resources the user has permission to access, such as a particular application, database, or online service. It also establishes the tasks and activities that users can perform within those authorized resources.
For example, after the system grants access to the network, a user who works in sales may only be able to use the customer relationship management (CRM) software and not the human resources or enterprise resource planning systems. Additionally, within the CRM, they might only be allowed to view and edit data and not manage other users. It's the authorization process that would enforce all of these network rules.
Accounting
Accounting, the final process in the framework, is all about measuring what's happening within the network. As part of the protocol, it will collect and log data on user sessions, such as length of time, type of session, and resource usage. The value here is that it offers a clear audit trail for compliance and business purposes.
Accounting helps in both security and operational evaluations. For instance, network administrators can review user access privileges to specific resources to check for any changes. They could also adjust capacity based on the resources most frequently used and common activity trends.
The AAA Framework
The AAA security model applies to numerous use cases, such as accessing a private corporate network remotely, using a wireless hotspot for the internet, and enforcing network segmentation for Zero Trust Network Access (ZTNA)—all for security purposes. Security teams can prevent unauthorized access by having control and visibility over network and resource access, privileges, and user activity.
The framework uses a client/server model to deploy and run the protocol. The client—the device seeking access—is first stopped by an enforcement point requiring authentication credentials. Next, the user submits the credentials such as a username, password, piece of hardware, or biometric. The device could also present its digital certificates through public-key infrastructure (PKI) procedures.
Upon submission, the AAA server compares the credential data with the information stored in the database and determines whether it matches. Once authenticated, the user has the right to perform certain actions and access specific data or resources according to what has been configured, either automatically or by a network administrator. During the user's session, all operations and activities get recorded.
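The three dependent steps described above (authenticate, then authorize, then account for the session), worked through on the sales-user/CRM scenario from the Authorization section. This is an added illustration, not StrongDM code; the user store, the password, the role policy and the record names are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Constructed user store: salted PBKDF2 hashes, never plaintext passwords.
SALT = b"constructed-salt-for-example"

def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

USERS = {"alice": (_hash("s3cret"), "sales")}           # username -> (hash, role)
POLICY = {"sales": {"crm": {"view", "edit"}}}           # role -> resource -> actions

@dataclass
class Session:
    user: str
    role: str
    token: str
    started: float = field(default_factory=time.time)

class AAAServer:
    def __init__(self):
        self.sessions = {}   # token -> Session; only authenticated users have one
        self.ledger = []     # accounting records: (event, user, detail)

    def authenticate(self, user, password):
        rec = USERS.get(user)
        # Constant-time compare so a wrong password and an unknown user look alike.
        if rec is None or not hmac.compare_digest(_hash(password), rec[0]):
            self.ledger.append(("auth-fail", user, None))
            return None
        s = Session(user, rec[1], secrets.token_hex(16))
        self.sessions[s.token] = s
        self.ledger.append(("auth-ok", user, None))
        return s.token

    def authorize(self, token, resource, action):
        s = self.sessions.get(token)
        if s is None:  # step two cannot run without step one
            self.ledger.append(("authz-no-session", None, (resource, action)))
            return False
        allowed = action in POLICY.get(s.role, {}).get(resource, set())
        self.ledger.append(("authz", s.user, (resource, action, allowed)))
        return allowed

    def logout(self, token):
        s = self.sessions.pop(token, None)
        if s:  # accounting: record how long the session lasted
            self.ledger.append(("session-end", s.user, round(time.time() - s.started, 3)))
        return s is not None
```

Run it and the ledger shows the audit trail the Accounting section describes: a failed login, a successful one, each authorization decision with its outcome, and the session length at logout.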
AAA Benefits
Using AAA in information technology and computer security operations provides numerous advantages to an enterprise:
- Improves Network Security: The framework requires all users and devices to undergo credential-based authentication before receiving network access and enforces the principle of least privilege, preventing malicious or negligent behavior that could cause data theft, deletion, or compromise.
- Centralizes Protocol Management: The security model gives system administrators a single source of truth and helps standardize protocols for AAA access control across the whole organization.
- Allows Granular Control and Flexibility: Deploying an AAA system lets network-security teams and administrators enforce detailed rules about network resources users can access along with their functional limitations.
- Provides Scalable Access Management: Standardizing network access protocols using AAA functionality gives IT teams the capacity to manage new devices, users, and resources added to a network—even as they quickly grow.
- Enables Information-Based Decision Making: Logging activity and session information allows administrators to base authorization, capacity planning, and resource adjustments on collected data rather than gut feelings.
Authentication, Authorization, and Accounting with Zero Trust
As many organizations adopt a Zero Trust model for cybersecurity, they can use AAA cybersecurity protocols for network access. For instance, security teams can enforce network segmentation, a central Zero Trust principle that divides an enterprise network into subsections to provide security layers and isolate incidents. Security teams can apply AAA processing to the various network segments that demand authentication and authorization at each point.
Zero Trust also assumes the organization practices the principle of least privilege, where users only have just enough data and application access to do their jobs. Deploying AAA methods gives administrators the granular control, enforcement, and monitoring needed to apply minimal network privileges to each respective user.
AAA Protocols
Software providers of network security and access control platforms use three main types of network protocols in their solutions—all of which are open standards and utilize the AAA framework:
- Remote Authentication Dial-In User Service (RADIUS): Performs AAA using a client/server model specifically for remote network access. For this protocol, authentication and authorization happen simultaneously once the Network Access Server (NAS) receives and accepts the request by the user.
- Terminal Access Controller Access-Control System Plus (TACACS+): Like RADIUS, it uses a client/server model for remote access but separates the authentication and authorization processes. TACACS+ gives admins more security by requiring a separate key from the client for authorization.
- Diameter: An evolved version of RADIUS that accounts for modern networking needs. It supports the framework for mobile devices, Long-Term Evolution (LTE) networks, and multimedia networks such as streaming websites or Voice over Internet Protocol (VoIP) applications.
AAA and IAM
AAA and Identity and Access Management (IAM) solutions go hand-in-hand in their objectives—maintaining, enforcing, and tracking access control. IAM refers to the technology and organizational policies that verify a user's identity for network access, control which company resources and data they can access, and log their activity for auditing and compliance purposes.
By default, IAM technology uses AAA as a baseline for constructing the software features and modules that fit within the framework. For example, multi-factor authentication (MFA) is a type of IAM solution. It provides more secure authentication through an additional factor, such as a keycard in addition to a username and password, satisfying step one of the AAA process.
Similarly, Privileged Access Management (PAM) tools are examples of IAM that maintain AAA model security. PAM solutions, however, focus on the authorization component—establishing policies for securing sensitive data by adopting and enforcing the principle of least privilege.
How StrongDM Helps with AAA
StrongDM’s Zero Trust Privileged Access Management (PAM) platform lets IT and security teams easily apply the Authentication, Authorization, and Accounting (AAA) network service framework to their complex infrastructures. The system securely stores client credentials and allows central oversight of authentication activities by integrating it with your favorite identity management provider.
Enterprises can also streamline their provisioning workflows to instantly grant or revoke role-based and least-privileged access to their users. The just-in-time approval capabilities and granular resource control allow confident and efficient enforcement of authorization processes.
Lastly, StrongDM is equipped with a wide range of reporting and auditing features for robust accounting. Between session replays, weblogs, and activity tracking, teams can ensure they have all the data and insights needed to operate. They can manage privileges and allocate dedicated resources to the applications and data sources that need it most.
Adopt AAA with StrongDM
The AAA information security framework serves as the model for organizations to manage network access securely and for software developers to create technology that utilizes AAA protocols in their security products. StrongDM gives firms an all-in-one solution for secure authentication, granular authorization, and thorough accounting of all network resources.
Ready to employ this framework in your security program? Sign up for our 14-day StrongDM free trial to get started.
About the Author
John Martinez, Technical Evangelist, has had a long 30+ year career in systems engineering and architecture, but has spent the last 13+ years working on the Cloud, and specifically, Cloud Security. He's currently the Technical Evangelist at StrongDM, taking the message of Zero Trust Privileged Access Management (PAM) to the world. As a practitioner, he architected and created cloud automation, DevOps, and security and compliance solutions at Netflix and Adobe. He worked closely with customers at Evident.io, where he told the world how cloud security should be done at conferences, meetups, and customer sessions. Before coming to StrongDM, he led an innovations and solutions team at Palo Alto Networks, working across many of the company's security products.