# AAA Model

## Overview of the AAA Model
The AAA Model (Authentication, Authorization, and Accounting) is a framework for managing access control, ensuring security, and monitoring user activities in cybersecurity.
## 1. Authentication (Who Are You?)
Authentication is the process of verifying a user's identity before allowing access.
### Authentication Methods:
✅ Something You Know – Passwords, PINs, Security Questions
✅ Something You Have – Smartcards, OTP Tokens, Authentication Apps
✅ Something You Are – Biometrics (Fingerprint, Face Recognition)
✅ Somewhere You Are – Geolocation-based authentication
✅ Something You Do – Behavioral authentication (Keystroke dynamics)

### LDAP vs. SAML vs. Kerberos – Comparison Table
| Feature | LDAP (Lightweight Directory Access Protocol) | SAML (Security Assertion Markup Language) | Kerberos |
|---|---|---|---|
| Purpose | Directory-based authentication | Web-based authentication & SSO | Secure authentication via ticketing system |
| Best For | Internal authentication (VPN, servers, internal apps) | Cloud/web applications (Google, AWS, Salesforce) | Secure authentication in enterprise networks |
| Authentication Type | Username & password stored in a directory | Token-based (SAML assertions) | Ticket-based authentication (TGT & Service Tickets) |
| Security | Password-based | Encrypted SAML assertions | Uses secret-key cryptography (no passwords sent over the network) |
| Single Sign-On (SSO) | ❌ No | ✅ Yes | ✅ Yes (within local domain) |
| Protocol Type | Open standard directory protocol | XML-based authentication & authorization | Symmetric key cryptography with tickets |
| How It Works | Queries a directory (Active Directory, OpenLDAP) to verify credentials | IdP (Identity Provider) verifies the user and issues a SAML token for authentication | Uses a Ticket Granting Ticket (TGT) to provide secure authentication without sending passwords |
| Common Use Cases | Logging into corporate networks, internal databases, VPN | Cloud-based authentication & federated SSO (Google Workspace, AWS, Salesforce) | Windows domain authentication, enterprise SSO |
| Used In | Internal IT systems, Active Directory | Cloud applications, federated identity management | Windows domains, enterprise networks |
| Example | Logging into a company's intranet via Active Directory | Logging into AWS using Okta SSO | Logging into a Windows system without re-entering credentials |

### Common Authentication Protocols:
- LDAP (Lightweight Directory Access Protocol)
- Kerberos
- OAuth/OpenID Connect
- SAML (Security Assertion Markup Language)
- RADIUS (Remote Authentication Dial-In User Service)

### Example Use Cases:
✔ Logging into a corporate VPN with a password and OTP.
✔ Scanning a fingerprint to unlock a phone.
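Added example (not code from the original page): a Python implementation of the "password and OTP" VPN login above, combining a salted PBKDF2 password check ("something you know") with RFC 6238 TOTP verification ("something you have"). The user record, salt and password are constructed; the base32 secret is the RFC 6238 test-vector key, so the expected codes are the published ones.

```python
import base64
import hashlib
import hmac
import struct

# Constructed values for the demo user. A real system stores a random per-user
# salt (os.urandom) and the hash in its user database; the base32 secret below is
# the RFC 6238 test-vector key, used so the expected codes are known.
PBKDF2_ITERATIONS = 600_000          # in line with current OWASP guidance for PBKDF2-SHA256
_SALT = b"constructed-salt-16b"


def hash_password(password: str, salt: bytes) -> bytes:
    """'Something you know': PBKDF2-HMAC-SHA256 of the password with a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def totp_code(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """'Something you have': RFC 6238 TOTP = HOTP(secret, floor(time / step))."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", at // step)                 # 8-byte big-endian counter
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                              # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret_b32: str, submitted: str, now: int, window: int = 1) -> bool:
    """Accept the current 30-second step plus `window` steps either side to absorb clock drift."""
    return any(hmac.compare_digest(totp_code(secret_b32, now + 30 * k), submitted)
               for k in range(-window, window + 1))


DEMO_USER = {                                   # constructed user record
    "salt": _SALT,
    "pw_hash": hash_password("correct horse battery staple", _SALT),
    "totp_secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
}


def authenticate(user: dict, password: str, otp: str, now: int) -> bool:
    """Two independent factors; both must pass. Both are always evaluated, with
    constant-time comparisons, so timing does not reveal which factor failed."""
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    otp_ok = verify_totp(user["totp_secret"], otp, now)
    return pw_ok and otp_ok
```

The one-step drift window is the usual compromise between tolerating clock skew on the token and keeping the number of codes accepted at any moment small; a real deployment also records the last accepted counter so a code cannot be replayed inside its window.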

## 2. Authorization (What Can You Do?)
Authorization determines the actions and resources a user can access after authentication.
### Authorization Models:
✅ Role-Based Access Control (RBAC) – Permissions are based on assigned roles.
✅ Attribute-Based Access Control (ABAC) – Access is granted based on attributes (e.g., location, device, time).
✅ Policy-Based Access Control (PBAC) – Policies define access rules (e.g., firewall rules, security policies).
| Feature | RBAC (Role-Based Access Control) | ABAC (Attribute-Based Access Control) | PBAC (Policy-Based Access Control) |
|---|---|---|---|
| How Access is Granted | Based on user roles (Admin, Manager, Employee) | Based on attributes (user, location, time, device) | Based on security policies (rules set by admins) |
| Example Rule | "Managers can edit employee records." | "Managers can edit records only from the office network." | "Managers can edit records only if using a secure laptop and during work hours." |
| Flexibility | Low (Fixed roles) | High (Multiple conditions) | Very High (Custom rules) |
| Best For | Internal IT systems, file servers | Cloud security, remote work, healthcare | Banking, government, Zero Trust security |
| Security Level | Moderate | High | Very High |

### 🛠️ Real-World Examples
#### 1️⃣ RBAC (Role-Based Access) – Who You Are
📌 Use Case: Corporate IT System (Company Intranet)
✅ Example:
- Admin → Can create, edit, and delete user accounts.
- Manager → Can view and edit employee details.
- Employee → Can only view their own details.
🔹 Linux Implementation:

```bash
# Create the role as a Unix group and add a user to it
sudo groupadd managers
sudo usermod -aG managers bob
# Set permissions: give the directory to the group, then allow rwx for owner and group only
sudo chown :managers /etc/hr-data
sudo chmod 770 /etc/hr-data   # the owner and members of "managers" can access; everyone else is denied
```
#### 2️⃣ ABAC (Attribute-Based Access) – Who You Are + Extra Conditions
📌 Use Case: Cloud Security (AWS IAM)
✅ Example:
- A Manager can access files only from the office and during work hours.
- A Remote Worker must use a company-issued laptop.
🔹 AWS IAM Policy Implementation (the statement is shown inside the `Version`/`Statement` envelope IAM requires for a policy document):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::company-docs/*",
      "Condition": {
        "IpAddress": { "aws:SourceIp": "192.168.1.0/24" },
        "DateGreaterThan": { "aws:CurrentTime": "2025-04-01T08:00:00Z" },
        "DateLessThan": { "aws:CurrentTime": "2025-04-01T18:00:00Z" }
      }
    }
  ]
}
```

Two caveats when reading this policy: `aws:CurrentTime` is an absolute timestamp, so the two date conditions permit access only between 08:00 and 18:00 UTC on 2025-04-01, not on every working day; and `aws:SourceIp` is compared with the public address the request reaches AWS from, so the range must be the office's egress range.
#### 3️⃣ PBAC (Policy-Based Access) – Rule-Based Control
📌 Use Case: Banking & Healthcare Security
✅ Example:
- A Bank Manager can approve transactions only if using a secure VPN and company laptop.
- A Teller can access customer details only from inside the bank.
🔹 Cisco Policy Server Implementation:

```xml
<Policy>
  <Rule>
    <Condition attribute="userRole" operator="equals" value="BankManager"/>
    <Condition attribute="deviceType" operator="equals" value="CompanyLaptop"/>
    <Condition attribute="vpnStatus" operator="equals" value="Connected"/>
    <Effect>Allow</Effect>
  </Rule>
</Policy>
```
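Added example, not code from the page: a small Python policy evaluator that runs one request through the three models side by side, using the rules from the RBAC/ABAC/PBAC table above ("Managers can edit employee records", "... only from the office network", "... only on a secure laptop during work hours"). The PBAC policy is a list of (attribute, operator, value) conditions in the same shape as the `<Condition>` elements above. The office network, the request contexts and the attribute names are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime

OFFICE_NET = ipaddress.ip_network("192.168.1.0/24")   # constructed office range


@dataclass
class Request:
    """Constructed access-request context: subject, action, and environment attributes."""
    user: str
    roles: set
    action: str
    resource: str
    source_ip: str
    when: datetime
    device: str = "unknown"
    vpn_connected: bool = False


def rbac_allows(req: Request) -> bool:
    """RBAC: 'Managers can edit employee records.' Only the role is consulted."""
    return "Manager" in req.roles and (req.action, req.resource) == ("edit", "employee_record")


def abac_allows(req: Request) -> bool:
    """ABAC: the RBAC rule plus an environment attribute, 'only from the office network'."""
    return rbac_allows(req) and ipaddress.ip_address(req.source_ip) in OFFICE_NET


def during_work_hours(when: datetime) -> bool:
    """Recurring Mon-Fri 08:00-18:00 window (a fixed timestamp range would cover one day only)."""
    return when.weekday() < 5 and 8 <= when.hour < 18


# PBAC: the rule is data, mirroring <Condition attribute=... operator=... value=.../>;
# every condition must hold, and a request matching no rule is denied by default.
PBAC_POLICY = [
    ("roles", "contains", "Manager"),
    ("action", "equals", "edit"),
    ("resource", "equals", "employee_record"),
    ("device", "equals", "CompanyLaptop"),
    ("work_hours", "equals", True),
]
OPERATORS = {"equals": lambda have, want: have == want,
             "contains": lambda have, want: want in have}


def attributes(req: Request) -> dict:
    """Flatten the request into the attribute namespace the policy refers to."""
    return {"roles": req.roles, "action": req.action, "resource": req.resource,
            "device": req.device, "vpn": req.vpn_connected,
            "work_hours": during_work_hours(req.when)}


def pbac_allows(req: Request, policy=PBAC_POLICY) -> bool:
    attrs = attributes(req)
    return all(OPERATORS[op](attrs.get(name, ()), value) for name, op, value in policy)


def decide(req: Request) -> dict:
    """Evaluate one request under all three models so the differences are visible side by side."""
    return {"rbac": rbac_allows(req), "abac": abac_allows(req), "pbac": pbac_allows(req)}


# Constructed sample requests (2025-04-01 is a Tuesday).
SAMPLES = {
    "office": Request("bob", {"Manager"}, "edit", "employee_record", "192.168.1.25",
                      datetime(2025, 4, 1, 10, 0), device="CompanyLaptop"),
    "home": Request("bob", {"Manager"}, "edit", "employee_record", "203.0.113.7",
                    datetime(2025, 4, 1, 10, 0), device="PersonalPhone"),
    "late": Request("bob", {"Manager"}, "edit", "employee_record", "192.168.1.25",
                    datetime(2025, 4, 1, 22, 0), device="CompanyLaptop"),
    "employee": Request("eve", {"Employee"}, "edit", "employee_record", "192.168.1.25",
                        datetime(2025, 4, 1, 10, 0), device="CompanyLaptop"),
}
```

Running `decide` over the samples shows the table's ordering in practice: the manager at home is allowed by RBAC but refused by ABAC and PBAC, the manager in the office after hours passes RBAC and ABAC but not PBAC, and the employee is refused everywhere.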

### 📌 When to Use What?
| Use Case | RBAC | ABAC | PBAC |
|---|---|---|---|
| Internal IT Systems (Linux, Windows, AD) | ✅ Yes | ❌ No | ❌ No |
| Cloud Security (AWS, Google Cloud) | ❌ No | ✅ Yes | ✅ Yes |
| Banking & Finance (Strict Access Rules) | ❌ No | ✅ Yes | ✅ Yes |
| Healthcare (Patient Data Protection) | ❌ No | ✅ Yes | ✅ Yes |
| Corporate Applications | ✅ Yes | ✅ Yes | ❌ No |

### 🚀 Summary
- RBAC → Simple role-based access (e.g., Admin, Manager, Employee).
- ABAC → Role + extra conditions (e.g., location, time, device).
- PBAC → Strict policies for high-security environments.

### Common Authorization Protocols:
- OAuth 2.0 (for API access control)
- RBAC in Kubernetes, AWS IAM Policies
- Access Control Lists (ACLs)
- TACACS+ (Terminal Access Controller Access-Control System Plus)

### Example Use Cases:
✔ A bank teller can view account details but cannot authorize transactions.
✔ A user can access internal documentation but not modify system settings.

## 3. Accounting (What Did You Do?)
Accounting logs and monitors user activities for auditing, security, and compliance.
### Key Aspects of Accounting:
✅ Logging & Monitoring – Recording login attempts, resource access, and changes.
✅ Audit Trails – Keeping detailed logs of user actions for investigation.
✅ Billing & Usage Tracking – Monitoring resource usage (e.g., cloud billing).
✅ Compliance Reporting – Ensuring adherence to regulations (GDPR, HIPAA, SOC2).

### Common Accounting Tools:
- Syslog & SIEM (Security Information and Event Management)
- Prometheus & Grafana (Cloud & System Monitoring)
- AWS CloudTrail (AWS logging & monitoring)
- Graylog, Splunk, ELK Stack (Log analysis)

### Example Use Cases:
✔ Keeping logs of failed login attempts to detect brute-force attacks.
✔ Tracking resource usage for cloud billing.
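Added example for the failed-login use case (not part of the original page): a Python detector that parses OpenSSH-style auth log lines and raises an alert when one source address accumulates five failed logins inside a sliding 60-second window. The log lines, host name, addresses and thresholds are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the OpenSSH/syslog format; not from a real host.
SAMPLE_LOG = """\
Apr  1 08:00:01 vpn-gw sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Apr  1 08:00:03 vpn-gw sshd[1203]: Failed password for root from 203.0.113.5 port 51023 ssh2
Apr  1 08:00:05 vpn-gw sshd[1205]: Failed password for root from 203.0.113.5 port 51024 ssh2
Apr  1 08:00:06 vpn-gw sshd[1207]: Accepted publickey for alice from 192.168.1.25 port 40210 ssh2
Apr  1 08:00:07 vpn-gw sshd[1209]: Failed password for bob from 203.0.113.5 port 51025 ssh2
Apr  1 08:00:09 vpn-gw sshd[1211]: Failed password for bob from 203.0.113.5 port 51026 ssh2
Apr  1 08:03:30 vpn-gw sshd[1213]: Failed password for bob from 192.168.1.40 port 40300 ssh2
Apr  1 08:05:00 vpn-gw sshd[1215]: Failed password for bob from 192.168.1.40 port 40301 ssh2
Apr  1 08:15:00 vpn-gw sshd[1217]: Failed password for root from 203.0.113.5 port 51027 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")


def parse_line(line: str, year: int = 2025):
    """Return {ts, outcome, user, ip} for an sshd auth line, or None for anything else.
    Syslog timestamps carry no year, so the caller supplies it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "outcome": m["outcome"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(lines, threshold: int = 5, window_s: int = 60):
    """Alert when a source IP logs `threshold` failures within `window_s` seconds.
    Returns a list of (ip, time of the triggering failure, failures in window)."""
    recent = defaultdict(deque)          # per-IP timestamps of failures still inside the window
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["outcome"] != "Failed":
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while q and (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()                  # slide the window forward
        if len(q) >= threshold:
            alerts.append((ev["ip"], ev["ts"], len(q)))
            q.clear()                    # one alert per burst, not one per further attempt
    return alerts
```

On the sample, 203.0.113.5 trips the default rule at 08:00:09 while the two spaced-out failures from 192.168.1.40 do not; loosening the rule to two failures in two minutes catches the slower source as well, which is the usual tuning trade-off between catching low-and-slow attempts and paging on ordinary typos.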

## AAA Model in Network Security

### Example Flow:
1️⃣ Authentication: A user connects to a corporate VPN and enters credentials.
2️⃣ Authorization: The system checks access rights and grants appropriate permissions.
3️⃣ Accounting: The system logs login time, IP address, and activities performed.
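Added example, not the page's own code: a minimal Python model of the three-step VPN flow above carried over RADIUS (RFC 2865/2866). The gateway sends an Access-Request with the User-Password hidden under the shared secret; the server authenticates it and returns an authorization attribute (a Framed-IP-Address) in an Access-Accept whose Response Authenticator the gateway verifies; the gateway then sends an authenticated Accounting-Request Start record. The shared secret, user database and addresses are constructed, and retransmission, EAP and the Message-Authenticator attribute are left out.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types from RFC 2865/2866; secret and users are constructed.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCT_REQUEST = 1, 2, 3, 4
USER_NAME, USER_PASSWORD, FRAMED_IP, ACCT_STATUS, ACCT_SESSION = 1, 2, 8, 40, 44
ACCT_START = 1
USERS = {b"alice": b"constructed-pw"}          # constructed user database


def attr(kind: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length includes the two header bytes."""
    return struct.pack("!BB", kind, 2 + len(value)) + value


def packet(code: int, ident: int, authenticator: bytes, body: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def decode(pkt: bytes):
    """Split a packet into (code, identifier, authenticator, {type: value})."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = {}, 20
    while pos + 2 <= length:
        kind, size = pkt[pos], pkt[pos + 1]
        if size < 2:
            break
        attrs[kind] = pkt[pos + 2:pos + size]
        pos += size
    return code, ident, pkt[4:20], attrs


def hide_password(secret: bytes, req_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 §5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    plain = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(plain), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(plain[i:i + 16], mask))
        out += prev
    return out


def reveal_password(secret: bytes, req_auth: bytes, hidden: bytes) -> bytes:
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def response_authenticator(code, ident, req_auth, body, secret) -> bytes:
    """MD5(Code+ID+Length+RequestAuth+Attributes+Secret): binds the reply to this request."""
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + req_auth + body + secret).digest()


# NAS side (the VPN gateway)
def build_access_request(secret, ident, user, password, req_auth=None) -> bytes:
    req_auth = req_auth or os.urandom(16)      # unpredictable per request (RFC 2865 §3)
    body = attr(USER_NAME, user) + attr(USER_PASSWORD, hide_password(secret, req_auth, password))
    return packet(ACCESS_REQUEST, ident, req_auth, body)


def verify_response(secret, request, response) -> bool:
    _, _, req_auth, _ = decode(request)
    code, ident, resp_auth, _ = decode(response)
    return hmac.compare_digest(resp_auth, response_authenticator(code, ident, req_auth, response[20:], secret))


def build_accounting_request(secret, ident, user, session, status) -> bytes:
    body = attr(USER_NAME, user) + attr(ACCT_STATUS, struct.pack("!I", status)) + attr(ACCT_SESSION, session)
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()   # RFC 2866 §3
    return header + auth + body


# Server side
def handle_access_request(secret, request) -> bytes:
    """Authentication: check the revealed password. Authorization: hand back session attributes."""
    code, ident, req_auth, attrs = decode(request)
    user = attrs.get(USER_NAME, b"")
    given = reveal_password(secret, req_auth, attrs.get(USER_PASSWORD, b""))
    if code == ACCESS_REQUEST and user in USERS and hmac.compare_digest(given, USERS[user]):
        code, body = ACCESS_ACCEPT, attr(FRAMED_IP, bytes([10, 8, 0, 2]))   # address for this session
    else:
        code, body = ACCESS_REJECT, b""
    return packet(code, ident, response_authenticator(code, ident, req_auth, body, secret), body)


def verify_accounting_request(secret, request) -> bool:
    code, _, auth, _ = decode(request)
    expected = hashlib.md5(request[:4] + bytes(16) + request[20:] + secret).digest()
    return code == ACCT_REQUEST and hmac.compare_digest(auth, expected)


def simulate_vpn_login(user=b"alice", password=b"constructed-pw") -> dict:
    """The three steps from the page: authenticate, receive authorization attributes, account."""
    secret = b"constructed-shared-secret"
    request = build_access_request(secret, 1, user, password)
    response = handle_access_request(secret, request)
    code, _, _, attrs = decode(response)
    accounting = build_accounting_request(secret, 2, user, b"sess-0001", ACCT_START)
    framed = attrs.get(FRAMED_IP)
    return {"accepted": code == ACCESS_ACCEPT and verify_response(secret, request, response),
            "framed_ip": ".".join(map(str, framed)) if framed else None,
            "accounting_ok": verify_accounting_request(secret, accounting)}
```

The integrity of both the reply and the accounting record rests on an MD5 keyed only by the shared secret, which is why deployments keep RADIUS traffic on an isolated management network or carry it over TLS (RadSec) rather than trusting the authenticator alone.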

### Key Security Protocols for AAA:
| Protocol | Purpose |
|---|---|
| RADIUS | Centralized authentication & accounting |
| TACACS+ | Enhanced command-based authorization |
| LDAP | Directory-based authentication |
| OAuth | Secure web & API authorization |
| OpenID Connect | User authentication for web apps |

## Final Thoughts
🔹 The AAA Model is essential for cloud security, network access control, identity management, and regulatory compliance.
🔹 It ensures only authorized users access resources, restricts actions, and keeps logs for security audits.
🔹 Implementing AAA helps organizations mitigate risks, enforce policies, and detect threats effectively.
✅ Recommended Next Steps:
- Implement MFA (Multi-Factor Authentication) for stronger security.
- Use RBAC or ABAC to restrict access based on roles & attributes.
- Monitor logs with SIEM tools for anomaly detection & compliance.