How does security in systems actually work? Well, security generally works on a principle called IAAA: Identification, Authentication, Authorisation, Accountability. Read on to find out what this principle looks like in the real world.
First of all, what are some examples of IAAA?
- Identification (who are you?):
  - Your name, username, ID number etc.
- Authentication (prove who you are):
  - Something you know, such as a password
  - Something you have, such as a token
  - Something you are, such as a fingerprint
  - Somewhere you are, such as your IP address
  - Something you can do, such as a signature
- Authorisation (what are you allowed to access?):
- Accountability (otherwise known as auditing):
  - Being able to trace an action back to an individual.
  - Proving what someone did, and when they did it. Known as non-repudiation.
Now think of an example which includes each element of IAAA. Thinking of a standard login page, which is how most of us access systems, we usually see two fields: username and password. The username is your identity: without it the system doesn’t know who you are and cannot grant you access. By providing a username, you tell the system who you are.
Once you’ve identified yourself you need to authenticate and prove your identity. This is the password field. You need to authenticate your username in order to access the system, with other methods such as fingerprints, PINs and iris scans also being used for authentication.
Now you’ve successfully accessed the system, you can view, edit and delete information based on the rights you have been provided. This is where access control models, such as RBAC (role-based access control), come into play. Having provided your identity and authenticated it, you are now an authorised user, and what you can do is decided by the rights attached to your account.
All systems should have some form of logging or auditing in place to ensure accountability is considered. Auditing will be able to prove that we have just logged on to the system and provide activity information on the actions we have carried out whilst logged in. This is useful for non-repudiation; making people accountable for their actions.
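The login flow above, walked through all four IAAA steps in one place, as an added example that is not part of the original post. The usernames, passwords, roles and salts are constructed sample data; the user table, role map and audit log are in-memory stand-ins for a real directory, policy store and log sink.

```python
import hashlib
import hmac
import time

# Passwords are stored as salted PBKDF2-SHA256 digests, never in plain text.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

# Identification data: constructed sample users, username -> credential record.
_SALT_ALICE = b"constructed-salt-1"
_SALT_BOB = b"constructed-salt-2"
USERS = {
    "alice": {"salt": _SALT_ALICE, "hash": _hash_password("correct horse", _SALT_ALICE), "role": "admin"},
    "bob":   {"salt": _SALT_BOB,   "hash": _hash_password("battery staple", _SALT_BOB), "role": "viewer"},
}

# Authorisation data: RBAC policy, role -> set of permitted actions.
ROLE_PERMISSIONS = {
    "admin": {"view", "edit", "delete"},
    "viewer": {"view"},
}

# Accountability: every decision is recorded with who, what, when and the outcome.
AUDIT_LOG = []

def _audit(username, action, outcome):
    AUDIT_LOG.append({"time": time.time(), "user": username, "action": action, "outcome": outcome})

def login(username, password):
    """Identification (the username) followed by authentication (the password check)."""
    record = USERS.get(username)
    # Hash even for unknown users so a missing account is not distinguishable by timing.
    salt = record["salt"] if record else b"constructed-dummy-salt"
    candidate = _hash_password(password, salt)
    ok = record is not None and hmac.compare_digest(candidate, record["hash"])
    _audit(username, "login", "success" if ok else "failure")
    return ok

def authorise(username, action):
    """Authorisation: an authenticated user may only do what their role permits."""
    record = USERS.get(username)
    allowed = record is not None and action in ROLE_PERMISSIONS.get(record["role"], set())
    _audit(username, action, "allowed" if allowed else "denied")
    return allowed
```

Note that `authorise` answers a different question from `login`: bob authenticates successfully yet is still denied `delete`, and both facts end up in `AUDIT_LOG` for later non-repudiation.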