Security Basics - The 3 A's

In the ever-evolving landscape of cybersecurity, safeguarding sensitive information and systems is of paramount importance. A robust security framework must be in place to protect against unauthorised access and potential threats. The foundation of such a framework is built upon the three pillars known as the 3 A’s of security: Authentication, Authorisation, and Audit.

Authentication

Authentication (sometimes referred to as AuthN) is the process of validating identity, or more to the point answering the question "Who are you?". It is the first step in accessing any resource: when you log in to a system, you are authenticating. There are various methods of authentication; here are the most common, with their strengths and weaknesses:

  • Passwords: The most common method of authentication, passwords require users to enter a secret combination of characters. However, passwords are susceptible to brute-force attacks and can be easily forgotten or compromised.
  • Biometrics: This method leverages unique physical or behavioral characteristics of individuals, such as fingerprints, facial recognition, or voice patterns. Biometrics offer a higher level of security as they are more difficult to forge.
  • Multi-factor authentication (MFA): MFA adds an extra layer of security by requiring users to provide two or more forms of authentication, such as a password and a one-time code sent to their mobile device. This significantly reduces the risk of unauthorised access.

With most web servers, if you are not authenticated the server will return an HTTP status code of 401 (Unauthorised). Despite the name, this indicates that the server does not know who you are, not that you lack permission.

Authorisation

Authorisation (sometimes referred to as AuthZ) is the process of ascertaining permissions, or more to the point answering the question "What are you allowed to do?". It is the step that follows authentication. Authorisation can be implemented through various mechanisms, such as:

  • Role-based access control (RBAC): RBAC assigns permissions based on pre-defined roles within the system. This simplifies the management of permissions and ensures consistency across different users with similar roles. For more information on RBAC, please read my Roles and Permissions post.
  • Attribute-based access control (ABAC): ABAC grants permissions based on attributes of the user, such as their department, job title, or location. This allows for more granular control over permissions and can adapt to changes in the user’s attributes.
  • Rule-based access control: This mechanism defines a set of rules that determine the permissions granted to users. The rules can be based on various factors, such as the time of day, the user’s IP address, or the sensitivity of the resource being accessed.

With most web servers, if you are authenticated but not authorised to perform an action the server will return an HTTP status code of 403 (Forbidden). This indicates that the server does know who you are, but you are not allowed to perform the requested action.

Audit

The final, and often forgotten, A in the security triad is audit. Audit involves tracking and logging user activity within the system. This information can be used for various purposes, such as:

  • Auditing: audit data can be used to review user activity and ensure compliance with security policies.
  • Intrusion detection: unusual or suspicious activity patterns can be detected by analysing audit data.
  • Troubleshooting: audit data can help in troubleshooting system issues and identifying the root cause of problems.

Audit logging is usually transparent (invisible) to the user, but in a properly secured system every action performed, including failed authentication and denied authorisation attempts, is recorded so that analysis can be performed when necessary.
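To make the three steps concrete, here is an added example (not code from the original post) of a request handler that applies them in order: it authenticates a bearer token, performs an RBAC permission check, and writes an audit record for every decision, returning 401 when the caller is unknown and 403 when the caller is known but not permitted. The session, role and permission tables are constructed sample data standing in for an identity provider and policy store.

```python
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample data (hypothetical): session tokens -> users, users -> roles,
# roles -> permissions. In a real system these come from an identity provider / policy store.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}
USER_ROLES = {"alice": {"admin"}, "bob": {"viewer"}}
ROLE_PERMISSIONS = {"admin": {"report:read", "report:delete"}, "viewer": {"report:read"}}
METHOD_PERMISSION = {"GET": "report:read", "DELETE": "report:delete"}

AUDIT_LOG: List[Dict] = []  # in-memory stand-in for an append-only audit sink


def authenticate(headers: Dict[str, str]) -> Optional[str]:
    """AuthN: 'Who are you?'. Returns the user behind a bearer token, or None if unknown."""
    value = headers.get("Authorization", "")
    if not value.startswith("Bearer "):
        return None
    return SESSIONS.get(value[len("Bearer "):])


def authorise(user: str, permission: str) -> bool:
    """AuthZ: 'What are you allowed to do?'. RBAC lookup: user -> roles -> permissions."""
    roles = USER_ROLES.get(user, set())
    return any(permission in ROLE_PERMISSIONS.get(role, set()) for role in roles)


def audit(user: Optional[str], method: str, path: str, outcome: str, status: int) -> None:
    """Audit: record every decision, denials included, so activity can be analysed later."""
    AUDIT_LOG.append({"ts": datetime.now(timezone.utc).isoformat(), "user": user or "<anonymous>",
                      "method": method, "path": path, "outcome": outcome, "status": status})


def handle_request(method: str, path: str, headers: Dict[str, str]) -> int:
    """Apply the three A's in order and return the HTTP status the server would send."""
    user = authenticate(headers)
    if user is None:  # the server does not know who you are
        audit(None, method, path, "unauthenticated", 401)
        return 401
    permission = METHOD_PERMISSION.get(method)
    if permission is None or not authorise(user, permission):  # known user, not allowed
        audit(user, method, path, "denied", 403)
        return 403
    audit(user, method, path, "allowed", 200)
    return 200


if __name__ == "__main__":
    print(handle_request("GET", "/reports/1", {}))                                        # 401
    print(handle_request("DELETE", "/reports/1", {"Authorization": "Bearer tok-bob"}))    # 403
    print(handle_request("DELETE", "/reports/1", {"Authorization": "Bearer tok-alice"}))  # 200
    for entry in AUDIT_LOG:
        print(entry)
```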

Real World Consequences

The 2017 Equifax data breach is a prime example of a security incident caused by failures in multiple areas of the 3 A’s:

  • Authentication: The initial entry point for attackers was a vulnerability in Apache Struts, a web application framework used by Equifax. This vulnerability allowed attackers to bypass authentication mechanisms and gain unauthorised access to the system.
  • Authorisation: Once inside the system, the attackers were able to exploit weak authorisation controls to access sensitive data that they should not have been authorised to view. This allowed them to move laterally within the network and escalate their privileges.
  • Audit: Equifax’s auditing and monitoring systems failed to detect the intrusion in a timely manner. This allowed the attackers to remain undetected for an extended period, exfiltrating vast amounts of personal data including names, Social Security numbers, birth dates, addresses, and driver’s license numbers.

This breach highlights the importance of all three A’s working in concert to protect sensitive data. A failure in any one of these areas can have devastating consequences.

  • Authentication failure: Allowed attackers to gain initial access to the system.
  • Authorisation failure: Enabled attackers to access sensitive data beyond their authorised scope.
  • Audit failure: Prevented timely detection and response to the breach.

This case serves as a real-world reminder that addressing all of the 3 A's as a multi-layered approach is very important and can significantly reduce the risk of a data breach. More information on the breach can be found here.

Conclusion

The 3 A’s of security - authentication, authorisation, and audit - form the backbone of a comprehensive security framework. By implementing these principles, organisations can significantly reduce the risk of unauthorised access, data breaches, and other security incidents. It is crucial to regularly review and update security measures to ensure that they remain effective against evolving threats. Remember, a strong security posture is not a one-time effort, but a continuous process that requires ongoing vigilance and adaptation.