A Free Educational Resource Created by Carnegie Mellon University to Empower You to Secure Your Part of Cyberspace

Authentication, Authorization, Accounting (AAA)

The three elements necessary to ensure the privacy and security of online information

Computing privacy involves three distinct concepts: authentication, authorization, and accounting. Together, these three functions are the key functions of a firewall, which restricts access to your computer resources.

Authentication: Authentication is how one person or computer verifies that the person or computer they are communicating with is really who he/she/it claims to be. For example, imagine you are trying to visit another country. To get in, you would need to present to the immigration officer a passport that authenticates your name and country of origin.

In the real world, we use certified documents like passports or driver's licenses to authenticate each other, but in cyberspace we need other methods. Some of these mechanisms include:

Authorization: Once you authenticate the identity of the person or computer that wants to communicate with you, you need to decide whether to allow the communication. In the passport example, once the officer looks at your passport he must enter your information into the computer and then decide whether to let you into the country or not, based on your profile. Computer systems do something similar. Online applications usually authorize access to their computers and services according to some company security policy. Typical authorization policies are based on:
  • Geographic location: Only machines on an internal network, or particular machines, may be authorized.
  • Privileges and user profiles: Some companies allow different levels of access for different customers, based on a customer database. For example, a premium customer who pays a higher fee usually has access to more resources than standard customers who pay less.

Accounting: Accounting is used most frequently by system and security administrators. Continuing with the immigration example, the information that the officer enters into the computer is logged on the computer system. The authorities can then review these logs to see when you tried to enter the country, which officer handled your entry, and other data. Computer systems have similar, fully automated logging systems. For example, when you shop for something online at Amazon, your transaction gets registered in a log, and you are given an order number. When you request information on your order you use this order number, which is stored in the log.

Accounting is very important, because having records of the activity on your system allows you to respond to attacks quickly and identify previous attempted attacks.
