One of the important triads in information security is Authentication, Authorization and Accounting (AAA). In this post I will briefly explain what each part is and give my reflections on why it matters.

An important aspect of controlling access to information and computer systems is controlling who is actually allowed in. The only way to do that is to have some way of authenticating that the person trying to gain access really is who they claim to be. This can be as simple as a username and password, or more modern techniques such as biometric data or a physical device that only the authorized person holds (combining several of these factors is stronger than relying on any one of them alone). This is crucial because without authentication, anyone could get access.

Once the person has been authenticated, there must also be a defined level of access. By adding authorization you control what each authenticated person can do once inside the system. Without authorization, everyone who can log in is allowed to do anything to the system as they please. Take my blog as an example. I am the system administrator with access to everything. But if I had a guest blogger at some point, I would restrict that person's access to only what the job requires: writing new articles. Otherwise the guest could, either by accident or with malicious intent, distort or delete content. Or worse, gain control of my whole system. To avoid this, authorization is almost as important as authentication.

The last part of the triad is accounting, which gives you an overview of what has been going on. Whether an attacker is trying (or has succeeded) to gain illegitimate access or a human error has occurred, you as an administrator want to be able to see what happened in your system. Accounting is therefore mostly done by enabling logging on your system, preferably with copies shipped off-site so the records survive a severe system failure or a compromise in which the attacker tampers with the local logs. Other measures could be an Intrusion Detection System (IDS) set up to detect misuse of the system or out-of-the-ordinary activity. Note that the log entries are only meaningful because the first two A's establish who did what: an action recorded without a verified identity behind it is hard to act on.
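To make the three parts concrete, here is an added example (my own illustration, not code from the original post or from any blog software) that ties the three paragraphs above together for the guest-blogger scenario: password authentication with salted hashes and a constant-time comparison, a role-to-permission map in which the guest blogger may only create posts, and an append-only audit log with a small detector that flags repeated failed logins from one source address. The usernames, passwords, roles, permission names and IP addresses are all constructed for the demo.

```python
"""Added example (not from the original post): a minimal AAA flow for a blog.

Authentication: salted PBKDF2 password hashes checked with a constant-time compare.
Authorization: a role -> permission map; the guest blogger may only create posts.
Accounting: every decision is appended to an audit log, and a small detector
flags repeated failed logins from the same source address.
All users, passwords, roles, permissions and addresses are constructed for the demo.
"""

import hashlib
import hmac
import os
from collections import Counter
from typing import Optional

# --- Authentication -------------------------------------------------------

def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, digest) for a password using PBKDF2-HMAC-SHA256."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest

# Constructed user database: username -> (salt, hash, role).
USERS = {
    "admin": (*hash_password("correct horse battery staple"), "admin"),
    "guest": (*hash_password("guest-writes-posts"), "guest_blogger"),
}

AUDIT_LOG = []  # accounting: append-only record of every login and action decision

def record(event: str, user: str, source: str, ok: bool, **extra) -> None:
    AUDIT_LOG.append({"event": event, "user": user, "source": source, "ok": ok, **extra})

def authenticate(username: str, password: str, source: str) -> bool:
    """Verify the password and log the outcome; never reveal whether the user exists."""
    entry = USERS.get(username)
    # Always do the hashing work so an unknown username is not distinguishable by timing.
    salt, stored, _role = entry if entry else (b"\x00" * 16, b"\x00" * 32, None)
    _, candidate = hash_password(password, salt)
    ok = entry is not None and hmac.compare_digest(candidate, stored)
    record("login", username, source, ok)
    return ok

# --- Authorization --------------------------------------------------------

PERMISSIONS = {
    "admin": {"post.create", "post.edit", "post.delete", "user.manage"},
    "guest_blogger": {"post.create"},  # least privilege: only what the job requires
}

def authorize(username: str, action: str, source: str) -> bool:
    """Decide whether an authenticated user may perform an action, and log it."""
    role = USERS[username][2] if username in USERS else None
    ok = action in PERMISSIONS.get(role, set())
    record("action", username, source, ok, action=action)
    return ok

# --- Accounting: detection over the audit log -----------------------------

def failed_logins_by_source(log: list, threshold: int = 3) -> dict:
    """Return sources with at least `threshold` failed logins (a simple IDS-style check)."""
    counts = Counter(e["source"] for e in log if e["event"] == "login" and not e["ok"])
    return {src: n for src, n in counts.items() if n >= threshold}

def demo() -> dict:
    """Run the scenario from the post: admin, guest blogger, and a password-guessing source."""
    AUDIT_LOG.clear()
    results = {
        "admin_login": authenticate("admin", "correct horse battery staple", "10.0.0.5"),
        "guest_login": authenticate("guest", "guest-writes-posts", "10.0.0.7"),
        "guest_create": authorize("guest", "post.create", "10.0.0.7"),
        "guest_delete": authorize("guest", "post.delete", "10.0.0.7"),
        "admin_delete": authorize("admin", "post.delete", "10.0.0.5"),
    }
    # Constructed attacker traffic: repeated wrong passwords from one address.
    for guess in ("password", "admin", "letmein", "123456"):
        authenticate("admin", guess, "203.0.113.9")
    results["unknown_user"] = authenticate("nobody", "x", "203.0.113.9")
    results["suspicious"] = failed_logins_by_source(AUDIT_LOG)
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The guest blogger's `post.delete` attempt is refused by authorization even though the login succeeded, which is exactly the separation the post argues for, and the refusal still lands in the audit log so the administrator can see it. The detector is deliberately simple; in a real deployment the log would be shipped off-site before being analysed, since an attacker who gains control of the host can otherwise edit the local record.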