I-A-A-A
Another important concept in the cybersecurity field is identification, authentication, authorization, and auditing/accounting (IAAA). These words have a lot of significance because if security is weak on a network, anyone can log into the system and hack the data from the files. Identifying a person who has a “need to know” and letting that identified person confirm who they are before giving them access to the files or data are important processes. Earlier technologies allowed anonymous logins and file transfer protocols (FTP), and they were misused greatly to hack important data files, passwords, and such. Then came IAAA, which is described in detail in the following sections.
Identification
Identification refers to finding out who is the person trying to log in to a server or system. Does the person physically exist or is it an anonymous user or an automated program trying to log in with a stolen username and password?
Identification in an organization can usually be done with a corporate ID card or some other credential issued to users after verifying proper government-issued documentation, such as a driver’s license, passport, or SSN, and establishing an NDA policy between the issuer and the user. Several other types of physical identification can be issued, such as an access card with a chip or simple picture ID. In the past, identification cards used to have the user’s PII, such as SSN, printed on them, but with the increase in cyberattacks based on PII, SSNs are now replaced by random-number employee IDs.
This kind of physical identification falls into the class of what an employee/user has.
Authentication
If an employee/user is able to demonstrate with proper identification who they are, next is the step of verifying or validating that user to make sure the user indeed exists and the presented identity belongs to that user. This can be done by a human guard stationed at the entrance to the facility or asking the user to supply a personal identification number (PIN) or some other form of proof. Access cards usually require a code of at least four digits to be entered. The code is matched with the issued card to confirm the user’s identify and allow the user to log in. In some cases, a second form of authentication is used or required for better protection. A system with this additional step is known as multifactor authentication (MFA). One example is sending a text message with a one-time password/PIN (OTP) to the user’s registered phone number. The OTP is valid only for a few minutes and cannot be reused. Any mismatch between the number sent and the number entered results in a refusal to confirm the identity of the user. To prevent damage to the system, the user is disallowed or the account is locked after a few unsuccessful attempts.
This kind of authentication falls into the class of what the user knows—a PIN or another number that confirms the user’s identity.
Authorization
Once the user has provided proper identity and it has been confirmed and authenticated, a user is allowed to successfully go into a facility physically or log in to a system or network. Now it’s a question of what the authenticated user should be allowed to view, read, or write. Or what access should a logged-in user be allowed?
The access allowed to a logged-in user with proper identity and authentication is known as authorization. Authorization depends on what the user really needs to know for their day-to-day work. Simply because a user has a proper identity and has provided proof for authentication, they are not necessarily permitted full access to everything. In other words, users are given access according to the rules of least privilege, which means a user has the access required for their work—nothing less and nothing more. It also means a user may not have administrative privileges to enter a server room physically or go to a system registry to modify settings or install a new program.
Authorization can be given uniformly to all users or at branch/department level as required. Any special authorizations need paperwork completed, background checks done, and signatures taken.
After access is granted, users who log in or enter an area can do what they like—though we expect the users to do what they are only authorized to do per organizational policies. For example, a user who is allowed access to a facility can go to the printer area and collect printed material that does not belong to them or log in to any computer that is not allotted to them in their workspace. Thus, there remains another step to find out what the properly identified, authenticated, and authorized person is actually doing—which is discussed in the following section.
Auditing or Accounting
Tracking what a user does with their given permissions is known as auditing or accounting. Accounting and auditing are done by examining the log files or recorded actions of the user. In a physical building, the recording can be done by a video surveillance camera or the software that records entry and exit times.
Note that the auditing by a third-party person who is not affiliated with the organization is preferred to auditing by a user who works for the organization. By hiring a third-party auditor, any favoritism or partiality can be easily avoided.
Regular reviewing of logs and physical access records demonstrates how a user is correctly using their authorizations and not “moving” vertically or horizontally crossing their given boundaries. When auditing or accounting raises any red flags, the authorizations of users need to be readjusted, and employees are warned of their encroachments into security. Likewise, the organizational permissions or conditions that allowed the user to cross their boundaries—for example, drive or file permissions that allow anyone to read or write—are adjusted not to allow the users to access the files or data.