Published with permission of the author in Blog
Security begins with the letter “A”
Authentication and authorization are the two most fundamental and commonly employed attributes of security. They sound alike, and their definitions are often confused, so let me begin by offering mine:
- Authentication is the means by which a person proves he is who he claims to be in a non-refutable manner. Authentication is also the means by which a computer system proves it is the originator of a packet, or by which an application such as a web server proves it is the legitimate agent for an e-merchant's online credit card transaction.
- Authorization is the process of determining whether an identity is entitled or allowed access to a resource or asset. Authorization typically assumes that an identity has been authenticated. An identity that is allowed access is trusted and granted access permissions, in accordance with defined policy.
Most organizations use one or more authentication methods and extend them to branch office users. Fewer organizations devote as much attention to authorization. Commonly, authenticated users at branch offices are given controlled access to individual and group accounts on local servers and on intranet servers hosted at HQ, but unrestricted access to the web and to collaborative applications such as IM and VoIP.
Assuming yours is an organization whose branch offices already have an authentication strategy in place, I recommend that you add a second security A: revisit your authorization policy for branch offices. Consider implementing egress traffic filtering. Rather than allowing access to ANY external service, begin with a DENY ALL rule, and then allow access only to the set of applications you determine are business-appropriate.
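As an added illustration of the default-deny approach (example code written for this edit, not part of the original post), the following Python models a branch egress policy as an ordered rule list with first-match semantics and a configurable default, and evaluates the same sample traffic under the "allow ANY" posture and under DENY ALL. The networks, hosts, ports and flows are constructed for the example and are assumptions, not taken from any real network:

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """An outbound connection attempt from a branch host."""
    proto: str   # "tcp" or "udp"
    dst: str     # destination IPv4 address
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: str                   # "tcp", "udp" or "any"
    dst: str                     # destination network in CIDR notation
    dport: Optional[int] = None  # None matches any destination port
    comment: str = ""

    def matches(self, flow: Flow) -> bool:
        if self.proto != "any" and self.proto != flow.proto:
            return False
        if self.dport is not None and self.dport != flow.dport:
            return False
        return ip_address(flow.dst) in ip_network(self.dst)


def evaluate(rules: List[Rule], flow: Flow, default: str = "deny") -> Tuple[str, str]:
    """First matching rule wins; if no rule matches, the chain's default policy applies.

    With default="deny" this is the DENY ALL posture: anything you forgot to
    enumerate is blocked rather than silently permitted.
    """
    for rule in rules:
        if rule.matches(flow):
            return rule.action, rule.comment
    return default, "default policy"


def decide_all(rules: List[Rule], flows: Dict[str, Flow], default: str = "deny") -> Dict[str, str]:
    """Evaluate a set of named flows and return the action taken for each."""
    return {name: evaluate(rules, flow, default)[0] for name, flow in flows.items()}


# Hypothetical branch policy. The addresses are assumptions for the example:
# 10.0.0.0/8 is the corporate WAN, 10.1.0.0/24 the HQ management network,
# 10.1.0.53 the HQ resolver, 10.1.0.80 the HQ web proxy, 10.2.0.0/16 the voice VLAN.
# Order matters: the explicit deny must precede the wider allow it carves out of.
BRANCH_EGRESS = [
    Rule("deny", "tcp", "10.1.0.0/24", 445, "no SMB into the HQ management network"),
    Rule("allow", "udp", "10.1.0.53/32", 53, "DNS via the HQ resolver only"),
    Rule("allow", "tcp", "10.0.0.0/8", 445, "file shares on HQ and branch servers"),
    Rule("allow", "tcp", "10.0.0.0/8", 443, "HQ intranet servers"),
    Rule("allow", "tcp", "10.1.0.80/32", 3128, "web access through the HQ proxy"),
    Rule("allow", "udp", "10.2.0.0/16", 5060, "VoIP signalling to the corporate PBX"),
]

# Constructed sample traffic, as it might appear in a branch firewall's log.
SAMPLE_FLOWS = {
    "dns_hq": Flow("udp", "10.1.0.53", 53),
    "dns_direct": Flow("udp", "8.8.8.8", 53),
    "smb_hq": Flow("tcp", "10.5.1.20", 445),
    "smb_mgmt": Flow("tcp", "10.1.0.5", 445),
    "smb_internet": Flow("tcp", "203.0.113.10", 445),
    "https_via_proxy": Flow("tcp", "10.1.0.80", 3128),
    "https_direct": Flow("tcp", "198.51.100.7", 443),
    "xmpp_im": Flow("tcp", "198.51.100.9", 5222),
    "voip_pbx": Flow("udp", "10.2.3.4", 5060),
}


if __name__ == "__main__":
    for posture in ("allow", "deny"):
        print(f"default {posture.upper()}:")
        for name, flow in SAMPLE_FLOWS.items():
            action, why = evaluate(BRANCH_EGRESS, flow, default=posture)
            print(f"  {name:16} {flow.proto}/{flow.dport:<5} -> {flow.dst:15} {action:5} ({why})")
```

Under the permissive posture every flow except the one explicitly denied succeeds, including direct SMB to the Internet and the IM client's direct connection. Under DENY ALL only traffic to enumerated HQ-hosted services and the HQ proxy is allowed; anything not on the list, such as DNS to an outside resolver, is blocked and shows up as a policy decision you can log and review. In a real firewall the default is the chain policy or the last rule, and the allow rules should be no wider than the business need (10.0.0.0/8 on port 445 above is deliberately generous to keep the example short).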
So far, we’ve looked at two security attributes, and both begin with the letter A. Curiously, or perhaps intentionally, many other security attributes begin with the letter A: Accounting, Accuracy, Authenticity, Availability.
Three-legged Stool (Triple-A)
Not surprisingly, security professionals took advantage of this happy circumstance and developed analogies to explain the fundamentals of security. An early and popular analogy likened the essential attributes of security to a three-legged stool, to illustrate that security, like a stool, needs more than two legs to stand on its own. Authentication server vendors, especially those who supported the RADIUS authentication protocol, chose accounting as the third leg. They coined the term Triple-A to kindle interest among service providers who were exploring alternatives to flat monthly-rate Internet access.
Today, some security professionals feel that accounting was not the best choice to complement authentication and authorization as a third leg, and replace accounting with the more general (and, in my opinion, more practical) choice of auditing: the process of monitoring and recording networking and security-related events for subsequent correlation and analysis.
Auditing is commonly implemented using event logging, and most server, storage, networking and security systems you would consider using in a branch office can log events. I encourage you to add a third leg to your security stool. Assess the extent to which logging is enabled at your branch offices. Develop a strategy for monitoring branch office activities more aggressively and for securely transmitting logs to a central repository, where they can be analyzed in the aggregate by the expert staff you are more likely to have at your main office NOC and data centers than at branch offices.
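As an added example (not from the original post) of shipping branch logs to a central repository in a way that lets the receiver detect tampering and missing batches, and of the cross-branch correlation that only the aggregate view makes possible, the Python below seals each batch with an HMAC-SHA256 tag and a per-branch sequence number, then verifies and correlates at the centre. The branch names, log lines and key are constructed for the example; a production deployment would provision a distinct key per branch out of band and carry the batches over an encrypted transport such as TLS syslog, which this example does not implement:

```python
import hashlib
import hmac
import json
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Tuple

# Key and log lines are constructed for this example. A real deployment would
# provision a distinct key per branch out of band and also encrypt the transport.
SHARED_KEY = b"example-only-key-do-not-reuse"

FAILED_LOGIN = re.compile(r"Failed password for (\S+) from (\S+)")

# Constructed syslog-style lines from two hypothetical branch offices.
BRANCH_LOGS = {
    "branch-denver": [
        "2024-05-01T08:01:12Z sshd[812]: Failed password for jsmith from 10.20.1.5",
        "2024-05-01T08:01:15Z sshd[812]: Failed password for jsmith from 10.20.1.5",
        "2024-05-01T08:02:40Z fw: DENY tcp 10.20.1.5:51234 -> 203.0.113.10:445",
    ],
    "branch-austin": [
        "2024-05-01T08:03:02Z sshd[431]: Failed password for jsmith from 10.30.2.9",
        "2024-05-01T08:03:30Z sshd[431]: Accepted password for jsmith from 10.30.2.9",
    ],
}


def _canonical(branch: str, seq: int, lines: List[str]) -> bytes:
    # Fixed serialisation so sender and receiver compute the tag over identical bytes.
    return json.dumps([branch, seq, lines], separators=(",", ":")).encode()


def seal_batch(branch: str, seq: int, lines: List[str], key: bytes = SHARED_KEY) -> Dict:
    """Branch side: attach a per-branch sequence number and an HMAC-SHA256 tag."""
    tag = hmac.new(key, _canonical(branch, seq, lines), hashlib.sha256).hexdigest()
    return {"branch": branch, "seq": seq, "lines": list(lines), "tag": tag}


def verify_batch(batch: Dict, expected_seq: int, key: bytes = SHARED_KEY) -> Optional[str]:
    """Central side: return None if the batch is acceptable, otherwise the reason it is not."""
    expected = hmac.new(key, _canonical(batch["branch"], batch["seq"], batch["lines"]),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, batch["tag"]):
        return "bad tag: contents altered or wrong key"
    if batch["seq"] != expected_seq:
        return f"sequence gap: expected {expected_seq}, got {batch['seq']}"
    return None


def ingest(batches: List[Dict], key: bytes = SHARED_KEY) -> Tuple[List[Tuple[str, str]], List[Tuple[str, int, str]]]:
    """Verify batches in arrival order, tracking the next expected sequence number per branch."""
    next_seq: Dict[str, int] = defaultdict(int)
    accepted, rejected = [], []
    for batch in batches:
        reason = verify_batch(batch, next_seq[batch["branch"]], key)
        if reason is not None:
            rejected.append((batch["branch"], batch["seq"], reason))
            continue
        next_seq[batch["branch"]] += 1
        accepted.extend((batch["branch"], line) for line in batch["lines"])
    return accepted, rejected


def failed_logins_by_user(accepted: List[Tuple[str, str]]) -> Tuple[Counter, Dict[str, List[str]]]:
    """Aggregate view: failed logins per user across every branch that reported them."""
    counts: Counter = Counter()
    seen_at: Dict[str, set] = defaultdict(set)
    for branch, line in accepted:
        m = FAILED_LOGIN.search(line)
        if m:
            counts[m.group(1)] += 1
            seen_at[m.group(1)].add(branch)
    return counts, {user: sorted(b) for user, b in seen_at.items()}


def run_demo():
    batches = [
        seal_batch("branch-denver", 0, BRANCH_LOGS["branch-denver"]),
        seal_batch("branch-austin", 0, BRANCH_LOGS["branch-austin"]),
    ]
    # A batch modified after sealing (simulated tampering in transit): the tag no longer matches.
    tampered = seal_batch("branch-denver", 1,
                          ["2024-05-01T08:05:00Z sshd[812]: Accepted password for root from 198.51.100.9"])
    tampered["lines"][0] = tampered["lines"][0].replace("root", "jsmith")
    batches.append(tampered)
    # A batch whose sequence number skips ahead: the repository still expects seq 1 from
    # this branch, so earlier batches were lost, dropped or suppressed.
    batches.append(seal_batch("branch-denver", 3,
                              ["2024-05-01T08:09:00Z fw: DENY udp 10.20.1.7:4123 -> 8.8.8.8:53"]))
    accepted, rejected = ingest(batches)
    counts, where = failed_logins_by_user(accepted)
    return accepted, rejected, counts, where


if __name__ == "__main__":
    accepted, rejected, counts, where = run_demo()
    print(f"accepted {len(accepted)} lines; rejected {len(rejected)} batches:")
    for branch, seq, reason in rejected:
        print(f"  {branch} seq {seq}: {reason}")
    for user, n in counts.items():
        print(f"  {user}: {n} failed logins across {where[user]}")
```

The tag lets the repository reject a batch whose lines were altered after the branch sealed it, and the sequence number exposes batches that never arrived, which is the case a quiet attacker who disables or filters a branch's logging produces. The correlation at the end is the payoff of centralising: each branch alone sees one or two failures for jsmith, while the aggregate shows the same account being tried from two sites within minutes.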
Are three legs sufficient? Anyone who has used a three-legged camper's stool on uneven or soft ground will attest that three-legged stools are not the steadiest seat one might design.