The 3 A's of a Login
Authentication, Authorization, and Accounting have been around for decades as technology tenets for securing user access, and they are still relevant today. Auditing of the 3 “As” in your IT ecosystem will tighten security, add visibility, and potential reveal cracks in your organization prior to being exploited. Front doors are often locked tight, but what about the back door, or the window? As we’ve adopted a diverse suite of cloud technologies and a work from home standard, we’ve acquired lots of windows.
Who are you? This is authentication, the ability to verify a user is who they say they are. Combinations of username/passwords, pins, and biometrics are mechanisms to verify a user. This verification is occurring every time you log in to a computer, check email, or while scrolling through your social media feed, sometimes without you even noticing. What gaps exist with Authentication? Our email addresses have become our default usernames, which makes guessing of the username to be all too easy for bad actors. Simple internet searches, organizational listings, social media snooping, or other social engineering make producing a list of usernames and their positions in an organization easy work. Is an obvious username and a password of varying complexity enough?
What can you do? This is authorization, the access to data and applications based on your user. This is a granting or revoking of access, based on user or groups of users. Can you read the document versus editing or deleting a document? What applications and databases do you have access to? What gaps exist with Authorization? Our adoption of cloud technologies stretched, replicated, synchronized, or etc our users/groups/passwords. Did you stretch a little too far and have some tears? Some signs of over-stretching would be same username/different passwords, permissions are individually assigned, and/or everyone has access.
What did you do? How long? How often? This is accounting, AKA logging, which records logins, access, and changes. Why is this important? Because without accounting, we cannot follow the breadcrumbs to uncover the source of a breach or incident. Also, utilization of accounting can be leveraged to prevent the breach in the first place by correlating and comparing activity based upon the past. Logging in from a different computer, new location, or different manner can be used as a trigger of suspicion. This trigger can be armed to detonate or prompt for an additional method of verification.
How do we secure the gaps?
Having a second manner of verification is a key component. 2FA (two-factor authentication) or MFA (multi-factor authentication) are the utilization of a temporary key that can be verified to allow or deny access.
Base access on groups in lieu of individual users. This is easier management as the credentials are stretched to cover new applications and data.
Use conditional access or the ability to leverage historical events to identify erroneous authentication requests.
Have accounting enabled on all authentications and authorizations of access.
How are the 3 “As” stretched across different platforms? Do you have SSO (Single Sign On), multiple usernames/passwords, or something in-between? If you’re not full SSO, some extra care and emphasis needs to be applied to ensure a secure environment.