Our work and home lives increasingly revolve around computer systems. Computer systems are commonly joined together to form networks in the workplace and an increasing number of homes also have some form of computer network (even though in many cases the home owner does not know it) and this trend is set continue with the introduction of intelligent appliances, networked home entertainment systems and the like. However, it is well known from traditional computer networks in the workplace that unless the introduction of computer systems onto a network is extremely well controlled, the security of the resulting computer network is adversely affected.
Given the level of reliance placed on computer systems and computer networks and the sensitivity of data stored, security is an ever increasing concern. Computer systems and the data stored on them are increasingly becoming the most important assets of a business or person.
Various mechanisms and technologies have been developed to address these concerns and protect such assets. However, current mechanisms are either directed to protection at the computer system (such as password protection, biometric access systems, encryption of data etc.) or to centralised authentication within a managed network.
One framework for intelligently controlling access to computer based resources, enforcing policies, auditing usage, and providing information necessary to bill for services is called Authentication, Authorization, and Accounting (AAA). These combined processes are considered important in many enterprises for effective system management and security. The framework is typically implemented using a dedicated AAA server that acts as the gateway to network resources.
Authentication provides a way of identifying a user, typically by having the user enter a valid user name and valid password before access is granted. The process of authentication is based on each user having a unique set of credentials for gaining access. The AAA server compares a user's authentication credentials with other user credentials stored in a database. If the credentials match, the user is granted access to the network, otherwise network access is denied.
Following authentication, a user may gain authorization for doing certain tasks. After logging into a system, for instance, the user may try to issue commands. The authorization process determines whether the user has the authority to issue such commands. Authorization normally occurs within the context of authentication. Once you have authenticated a user, they may be authorized for different types of access or activity.
Accounting measures the resources a user consumes during access. This can include the amount of system time or the amount of data a user has sent and/or received during a session. Accounting is carried out by logging of session statistics and usage information and is used for authorization control, billing, trend analysis, resource utilization, and capacity planning activities.
Combinations of such measures may be employed depending on the needs of an individual or business. However, whilst a combination of measures may increase the security protecting the assets, management and maintenance of the measures also increases.
In an enterprise, current solutions for asset management rely on good behaviour from users. For instance, it is assumed that a user would not disclose their access credentials to another individual. It is also assumed that administrator privileges will not be easily obtainable and will only be granted to highly trusted individuals and/or the consequences of granting such privileges would be minimal in the protection of the asset.
These assumptions are regularly proven to be incorrect, especially where users have physical access to resources and the resources may be located and/or moved to remote locations where management staff cannot monitor them and the policies and restrictions of the AAA server do not locally apply. This is particularly the case where an enterprise has a mobile workforce. Whilst it is extremely convenient to have a laptop that can store data and possibly remotely access data stored centrally by the enterprise, the user is normally trusted to: ensure the security of the physical asset (eg. not leaving the laptop on view in a car or losing it); ensure the wellbeing of the physical asset (eg. updating antivirus software, not disabling or circumventing security functionality such as firewalls); and, ensure the security of the data (password protecting or encrypting data stored on the laptop itself and not revealing access details for remote access to the enterprise).
Very few organisations or enterprises achieve such levels of security with their assets, especially where a mobile workforce is involved and their primary role is not IT specific.