Principles and Identity

AAA

Authentication, Authorization, Accounting — core access control triad.

Where you will see it: Used when designing and operating access control, authentication, authorization, and identity lifecycle.

What it is

AAA stands for Authentication, Authorization, and Accounting. It is a classic security model used to control access to systems and to record what actions were taken, by whom, and when.

Key points

  • AuthN proves who you are.
  • AuthZ governs what you can do.
  • Accounting logs actions for audit.

How it works in broad strokes

  1. Authenticate the subject, usually a user or device, using credentials and sometimes additional factors.
  2. Authorize the subject by applying policy to determine what they can access and what actions they may perform.
  3. Account for activity by logging sessions, commands, and key events so access can be reviewed and investigated.
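The three steps above, carried through as an added Python example that is not part of the original page: a small in-process AAA service with a constructed user store and policy table. The user names, roles, resource names, the PBKDF2 parameters and the rule that "configure" needs a second factor on the session are all assumptions made for the example, not a description of any particular product.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

# Constructed user store for the example: salted PBKDF2 hashes and one role set per
# user. Not a real directory; the salts and passwords are illustrative only.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _user(password: str, roles: list, salt: bytes) -> dict:
    return {"salt": salt, "hash": _hash_password(password, salt), "roles": set(roles)}

USERS = {
    "alice": _user("correct-horse", ["engineer"], b"salt-alice"),
    "bob": _user("battery-staple", ["engineer", "netadmin"], b"salt-bob"),
}
_DUMMY_SALT = b"salt-dummy"
_DUMMY_HASH = _hash_password("", _DUMMY_SALT)

# Policy: role -> set of (resource, action). Admin rights live in a separate role
# rather than being implied by a successful login (normal vs privileged access).
POLICY = {
    "engineer": {("segment:dev", "connect")},
    "netadmin": {("segment:mgmt", "connect"), ("router:core1", "configure")},
}
PRIVILEGED_ACTIONS = {"configure"}  # assumed: these also need a second factor on the session

ACCOUNTING_LOG: list = []

def account(event: str, **fields) -> dict:
    """Accounting: every decision is recorded with a UTC timestamp and the identity involved."""
    record = {"ts": datetime.now(timezone.utc).isoformat(), "event": event, **fields}
    ACCOUNTING_LOG.append(record)
    return record

def authenticate(username: str, password: str, mfa_ok: bool = False):
    """AuthN: returns a session dict on success, None on failure. Both outcomes are accounted."""
    user = USERS.get(username)
    salt = user["salt"] if user else _DUMMY_SALT
    expected = user["hash"] if user else _DUMMY_HASH
    # Hash even for unknown users so response time does not reveal which names exist.
    ok = hmac.compare_digest(_hash_password(password, salt), expected) and user is not None
    account("authn", subject=username, result="success" if ok else "failure")
    if not ok:
        return None
    return {"subject": username, "session_id": secrets.token_hex(8), "mfa": mfa_ok}

def authorize(session: dict, resource: str, action: str) -> bool:
    """AuthZ: policy decision for one (resource, action), with step-up for privileged actions."""
    roles = USERS[session["subject"]]["roles"]
    allowed = any((resource, action) in POLICY.get(role, set()) for role in roles)
    reason = "policy_allow" if allowed else "no_matching_role"
    if allowed and action in PRIVILEGED_ACTIONS and not session["mfa"]:
        allowed, reason = False, "mfa_required"
    account("authz", subject=session["subject"], session_id=session["session_id"],
            resource=resource, action=action,
            result="allow" if allowed else "deny", reason=reason)
    return allowed

def events(event: str) -> list:
    """Review helper: all accounting records of one event type."""
    return [r for r in ACCOUNTING_LOG if r["event"] == event]

if __name__ == "__main__":
    s = authenticate("bob", "battery-staple")          # password only
    print(authorize(s, "segment:dev", "connect"))      # allowed by the engineer role
    print(authorize(s, "router:core1", "configure"))   # denied: privileged action, no MFA on session
    s2 = authenticate("bob", "battery-staple", mfa_ok=True)
    print(authorize(s2, "router:core1", "configure"))  # allowed
    for r in ACCOUNTING_LOG:
        print(r)
```

Each call to `authenticate` and `authorize` writes an accounting record whether it succeeded or not; the denied records are the ones a reviewer most wants to see, since a burst of `mfa_required` or `no_matching_role` denials for one subject is a useful detection signal.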

Concrete example

Network access is controlled through a central AAA service. A user authenticates to the VPN, receives authorization for specific network segments based on their role, and all session start, stop, and privileged actions are recorded for review.

Why it matters

AAA turns access into a managed process instead of an ad hoc privilege. When done well, it reduces unauthorized access, supports least privilege, and provides audit trails that are essential for incident response and compliance.

Security angle

  • Centralize AAA where possible so policy and logging are consistent across network and application layers.
  • Protect AAA infrastructure because compromise of the AAA service often means compromise of everything relying on it.
  • Ensure accounting logs are time synchronized and tamper resistant so they remain credible evidence.

Common pitfalls

  • Treating authentication as enough and skipping authorization detail, leading to overly broad access.
  • Collecting accounting logs but not reviewing or alerting on them, which turns them into shelfware.
  • Using shared accounts, which breaks accountability even if logs exist.

DEEP DIVE

Why AAA still matters in modern environments

AAA is an older model, but the idea remains central: prove who or what is requesting access, decide what they are allowed to do, and record the outcome. Cloud IAM platforms implement the same concepts even if they do not call it AAA.

The value of AAA is that it makes access policy explicit and measurable. It also makes accountability possible, which is a prerequisite for both deterrence and investigation.

Authentication, authorization, and accounting as distinct problems

Authentication answers who you are. Authorization answers what you can do. Accounting answers what you actually did. Mixing these concepts leads to weak controls, for example granting broad authorization because authentication feels strong.

Accounting is often underestimated, but it is what turns access into evidence. In network and infrastructure contexts, accounting includes session metadata, command logging, and changes to privileged configuration, all tied to an identity.

AAA protocols and where you will see them

In networking, AAA is commonly implemented with protocols like RADIUS, which is designed for authentication, authorization, and accounting use cases. You will see it around VPNs, wireless networks, and device administration.
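To make the RADIUS exchange concrete, here is an added Python example (not part of the original page and not taken from any RADIUS implementation) that builds an Access-Request, hides the User-Password as RFC 2865 section 5.2 describes, and computes and verifies the Response Authenticator from section 3. The shared secret, user name, password and packet identifier are constructed values for the example.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

def _attr(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type (1 byte), Length (1 byte, includes the header), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def parse_attrs(data: bytes) -> dict:
    """Walk the attribute list; reject lengths that would run past the buffer."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Pad to a multiple of 16 (at least 16), XOR each block with MD5(secret + previous block)."""
    pad = (-len(password)) % 16
    padded = password + b"\x00" * (pad if password else 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of the same transform; strips the null padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")

def _packet(code: int, identifier: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Header: Code, Identifier, Length of the whole packet, 16-byte Authenticator."""
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + authenticator + attrs

def build_access_request(identifier: int, secret: bytes, username: bytes, password: bytes):
    request_auth = os.urandom(16)  # fresh random Request Authenticator per request
    attrs = _attr(ATTR_USER_NAME, username)
    attrs += _attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return _packet(ACCESS_REQUEST, identifier, request_auth, attrs), request_auth

def response_authenticator(code: int, identifier: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), per RFC 2865 section 3."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_response(code: int, identifier: int, request_auth: bytes,
                   secret: bytes, attrs: bytes = b"") -> bytes:
    auth = response_authenticator(code, identifier, attrs, request_auth, secret)
    return _packet(code, identifier, auth, attrs)

def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS-side check: only a holder of the shared secret can have produced this reply."""
    if len(packet) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, identifier, packet[20:], request_auth, secret)
    return hmac.compare_digest(packet[4:20], expected)

def demo() -> dict:
    """Round trip with constructed values; the Code-altered reply models an unauthenticated change in transit."""
    secret = b"constructed-shared-secret"
    req, req_auth = build_access_request(7, secret, b"alice", b"correct-horse")
    server_sees = reveal_password(parse_attrs(req[20:])[ATTR_USER_PASSWORD], secret, req_auth)
    accept = build_response(ACCESS_ACCEPT, 7, req_auth, secret)
    altered = bytes([ACCESS_ACCEPT]) + build_response(ACCESS_REJECT, 7, req_auth, secret)[1:]
    return {
        "password_recovered": server_sees == b"correct-horse",
        "accept_verifies": verify_response(accept, req_auth, secret),
        "altered_verifies": verify_response(altered, req_auth, secret),
        "wrong_secret_verifies": verify_response(accept, req_auth, b"some-other-secret"),
    }
```

Two things the code makes visible: the shared secret is the only thing standing between a NAS and a forged Accept, which is why the page's advice to protect AAA infrastructure extends to those secrets; and the password hiding is an MD5 keystream, not modern encryption, which is why deployments usually carry RADIUS over a protected transport such as RadSec (RADIUS over TLS, RFC 6614) or IPsec rather than relying on the protocol's own obfuscation.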

In practice, the protocol is only part of the story. The real security comes from the policy database, the role model, and how consistently devices and applications enforce the decisions they receive.

Failure patterns and how attackers take advantage

A common failure is weak separation between normal and privileged access. If a user account can both authenticate and obtain admin authorization by default, then one stolen credential is enough for full takeover.

Another failure is incomplete accounting. If logs are missing, not time synchronized, or not protected from tampering, you lose the ability to reconstruct actions. Attackers know this and often target logging pipelines early.
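One way to make accounting records tamper-evident and to notice an unsynchronised clock, as an added Python example that is not part of the original page: each record is chained to the previous one with an HMAC held by the log collector, and verification checks linkage, sequence numbers, an optional out-of-band head value, and that timestamps do not run backwards. The key, the sample events and the five-second skew tolerance are assumptions made for the example.

```python
import copy
import hashlib
import hmac
import json
from datetime import datetime, timedelta

# Constructed key for the example. The design assumes the hosts producing records do
# not hold this key; only the collector that appends and verifies does.
CHAIN_KEY = b"constructed-collector-key"
GENESIS = b"\x00" * 32

def _mac(prev: bytes, seq: int, record: dict) -> str:
    """HMAC over the previous link, the sequence number and the canonical JSON record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(CHAIN_KEY, prev + seq.to_bytes(8, "big") + payload, hashlib.sha256).hexdigest()

def append(chain: list, record: dict) -> dict:
    prev = bytes.fromhex(chain[-1]["mac"]) if chain else GENESIS
    entry = {"seq": len(chain), "record": record, "mac": _mac(prev, len(chain), record)}
    chain.append(entry)
    return entry

def verify(chain: list, expected_head: str = None,
           max_backwards: timedelta = timedelta(seconds=5)) -> tuple:
    """Returns (ok, reason). Checks sequence, MAC linkage, optional head value and clock sanity."""
    prev, last_ts = GENESIS, None
    for i, entry in enumerate(chain):
        if entry["seq"] != i:
            return False, f"sequence break at position {i} (entry carries seq {entry['seq']})"
        if not hmac.compare_digest(entry["mac"], _mac(prev, i, entry["record"])):
            return False, f"mac mismatch at seq {i}"
        ts = datetime.fromisoformat(entry["record"]["ts"])
        if last_ts is not None and ts < last_ts - max_backwards:
            return False, f"timestamp runs backwards at seq {i}: unsynchronised clock?"
        last_ts, prev = ts, bytes.fromhex(entry["mac"])
    if expected_head is not None and (not chain or chain[-1]["mac"] != expected_head):
        return False, "head mismatch: records missing from the tail"
    return True, "ok"

def build_sample_chain() -> list:
    """Constructed accounting events, in the order the collector received them."""
    chain = []
    for ts, event, subject, detail in [
        ("2024-05-01T10:00:00+00:00", "authn", "alice", "vpn login success"),
        ("2024-05-01T10:00:02+00:00", "authz", "alice", "segment:dev connect allow"),
        ("2024-05-01T10:07:41+00:00", "command", "alice", "show running-config"),
        ("2024-05-01T10:30:00+00:00", "session_stop", "alice", "vpn logout"),
    ]:
        append(chain, {"ts": ts, "event": event, "subject": subject, "detail": detail})
    return chain

# Three ways a log can go wrong, modelled on copies so the original chain stays intact.
def with_edited_record(chain: list) -> list:
    c = copy.deepcopy(chain)
    c[2]["record"]["subject"] = "bob"       # body changed without the key
    return c

def with_deleted_entry(chain: list) -> list:
    c = copy.deepcopy(chain)
    del c[2]                                # the command record removed from the middle
    return c

def with_clock_regression(chain: list) -> list:
    c = copy.deepcopy(chain)                # a validly appended record with an old timestamp
    append(c, {"ts": "2024-05-01T09:00:00+00:00", "event": "authn",
               "subject": "alice", "detail": "late arrival from host with wrong clock"})
    return c

if __name__ == "__main__":
    chain = build_sample_chain()
    print(verify(chain))
    print(verify(with_edited_record(chain)))
    print(verify(with_deleted_entry(chain)))
    print(verify(chain[:-1], expected_head=chain[-1]["mac"]))
    print(verify(with_clock_regression(chain)))
```

The chain alone cannot detect removal of the most recent records, which is why `verify` also accepts a head value recorded somewhere the producing host cannot reach; the clock check catches the "not time synchronized" case the text mentions only when the regression is larger than the tolerance, so keep that tolerance close to what NTP actually delivers in the environment.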

How to build AAA you can trust

Start by identifying where access is granted today, such as WiFi, VPN, admin consoles, and critical apps. Route them through a central policy decision point where you can apply consistent authorization rules.

Then improve accounting in parallel: make sure logs are complete, searchable, and reviewed. When accounting starts producing useful detections and audit evidence, it becomes much easier to justify tightening authorization over time.