AAA Identity and Access Management Framework Model

The AAA identity and access management model is a framework which is embedded into the digital identity and access management world to manage access to assets and maintain system security. AAA stands for Authentication, Authorization, and Accounting which we will cover in depth below.

AAA identity and access management framework model to authenticate, authorize, and audit


Authentication is based on the idea that each individual user will have unique information that sets him or her apart from other users to provide proof of identity when they identify themselves. For example, you enter a guarded area and identify yourself as an employee or homeowner of the guarded area. Next, you must provide proof to authenticate the person that you claim to be. This concept along with the AAA identity and access management model will also apply to connected IoT devices.

There are primarily four types of authentication methods which use:

  1. Static passwords which remain active until they are changed or expired,
  2. One-time password (OTP) such as codes delivered thorough SMS texts or tokens used for each access session,
  3. Digital certificate, and
  4. Biometric credential.

Authentication types fall within one of the following forms:

  1. Something you know such as  a password;
  2. Something you have such as a key fob or cell phone; and
  3. Something you are such as your finger prints, voice, hand geometry, etc. also called “biometrics authentication”.

When we combine more than one of these categories, it’s called Multi-Factor Authentication (MFA) which makes it difficult for someone to authenticate as another person. For example, if a hacker steals a user’s password, he’d also have to steal the mobile phone to access the code sent by the SMS text or possess the key fob that displays the code which syncs with the rotating code inside the system being accessed. Using two passwords is not considered 2FA because both passwords fall under the category of “something you know”. It’s like placing two locks on a door at home that could be opened with the same key.

Most companies are moving toward Multi-Factor Authentication (MFA) or Two-Factor Authentication (2FA) which leverages a static password and OTP or challenge question to strengthen cybersecurity. Biometric authentication is slowly being adopted as technology becomes more cost effective and errors associated with biometric authentication are reduced. However, biometric authentication presents a different set of privacy and security issues. For example, stolen finger print data can not be replaced such as in the case of passwords and can disclose personal data to unauthorized parties.

That’s why 2FA or MFA are considered the best near-future authentication mechanism which use a combination of password, OTP, and potentially biometric such as iris, retina, or hand geometry.

According to the National Institute of Standards and Technology (NIST), using two-factor authentication which includes text messages is not a good solution because NIST believes that text messages can be intercepted, however, companies have resisted the NIST argument and continue to use 2FA with a password and a code delivered by cell phone texts.

“The industry believes that using 2FA with two authentication methods is the best option for now to improve security and justify costs in case one method is compromised” says Henry Bagdasarian.


Authorization is represented by the second A in the AAA identity and access management model which is the process of granting or denying a user access to system resources once the user has been authenticated through the username and password. The amount of information and the amount of services the user has access depend on the user’s authorization level.

After the user identifies himself and is authenticated to prove his ownership of the identity, he must pass the authorization rule to access system services, programs and data. Authorization determines what the user can access and what he can not access.

The Principle of Least Privilege requires that users, processes, programs, and devices must only be granted sufficient access necessary to perform their required functions, and nothing more. Any authorization beyond normal job functions opens the door for either accidental or malicious violations of security objectives; Confidentiality, Integrity, and Availability. This is one of the main reasons why employees must not have administrator or root access to their employer provided devices but rather have an account with limited privileges consistent with their job requirements. One of the risks of granting employees admin access to company provided devices is that when the device is infected with a virus, the malware will run with the privileges of the user.

The principle of least privilege must be applied at all times until it is time to temporarily escalate access when warranted by business requirements.


The third A in the AAA identity and access management model refers to Accounting which is the process of keeping track of a user’s activity while accessing the system resources, including the amount of time spent in the network, the services accessed while there, and the amount of data transferred during the session. Accounting data is used for trend analysis, discovering failed login attempts, data breach detection, forensics and investigations, capacity planning, billing, auditing and cost allocation.

Keeping track of users and their activities serves many purposes. For example, tracing back to events leading up to a cybersecurity incident can prove very valuable to a forensics analysis and investigation case.

Also, monitoring the activities of employees who might be somewhat disgruntled due to company events such as layoffs can help detect failed login attempts and predict what kind of malicious goal they might have.

In order to be effective in IAM accounting, generic and shared accounts must be avoided so that the actions of each individual can be accounted for.

To detect fraud and other malicious activities, companies may send employees on mandatory vacations letting the employee’s replacement to perform checks and balances on the employee who could have been hiding or covering up his actions such as log entries which could offer the company many clues about the malicious activities of their employees.

Identity and access management certifications