🔒 Mastering the 3As: Authentication, Authorization, and Accounting

🤔 What are the 3As (AAA)?

The 3As, or AAA, is an acronym for three core components of information security: Authentication, Authorization, and Accounting. These three are essential for maintaining security throughout the entire process of a user accessing and performing tasks on a system.

Think of it like going through airport security:

1. Authentication: "Prove who you are." (Checking your ID and boarding pass)
2. Authorization: "Here's what you're allowed to do." (A business class ticket holder can use the business lounge)
3. Accounting: "We log everything you do." (Duty-free purchase history, immigration records)

Let's take a closer look at how these three components work together.

👤 1. Authentication - "Who are you?"

Authentication is the process of verifying that a user is who they claim to be. In simple terms, it's the "login" process itself.

• Core Question: "Are you really 'user123'?"
• Goal: To verify the identity of the entity (user, device, etc.) trying to access the system.
• Key Methods:
  • Something you know: Passwords, PINs
  • Something you have: OTPs, smart cards, security tokens
  • Something you are: Fingerprints, iris scans, facial recognition (biometrics)
  • Something you do: Signature, gait
  • Somewhere you are: Specific IP address, GPS location

Multi-Factor Authentication (MFA)

To enhance security, combining two or more of these five authentication factors is called 'Multi-Factor Authentication'. For example, entering a password (knowledge) and then confirming with an OTP (possession) is a classic case.

🔑 2. Authorization - "What can you do?"

Authorization is the process of determining and permitting what resources (files, databases, etc.) an authenticated user can access and what actions (read, write, delete, etc.) they can perform within the system.

• Core Question: "'user123', are you allowed to 'write' to this file?"
• Goal: To control the activities of an authenticated user within their permitted scope.
• Key Models:
  • Discretionary Access Control (DAC): The data owner manages permissions directly. (e.g., Linux chmod)
  • Mandatory Access Control (MAC): The system enforces access based on predefined security levels and rules. (e.g., military systems)
  • Role-Based Access Control (RBAC): Permissions are granted based on the 'role' assigned to the user. (Most corporate environments)

Authentication vs. Authorization: The Clear Difference

• Authentication is the process of opening the 'door'.
• Authorization is the process of determining, after entering the 'door', whether you can enter a specific 'room' or open a 'safe'.

In other words, authorization is only meaningful after authentication has been successfully completed.

🧾 3. Accounting/Auditing - "What did you do?"

Accounting is the process of recording and tracking all activities a user performs while logged into the system. It logs who accessed what resources, when, and what actions were taken, which is used to identify the cause of problems and track responsibility.

• Core Question: "'user123', what file did you delete yesterday at 3 PM?"
• Goal: To ensure accountability by recording all user activities and to support security audits.
• Key Logged Items:
  • Login and logout times
  • Accessed IP address
  • Commands and system calls used
  • File access and modification history
  • System resources used (CPU, memory, etc.)

📊 3A Comparison Summary