
Authentication, Authorization and Accounting

Description

  • An information security framework for managing access: verifying who a user is, deciding which data and system resources that user may use under the applicable policies, and recording the actions the user takes.

1. Authentication

  • Like most web apps and social media platforms, most systems have an authentication process (login/registration pages) to verify users before giving them access to specific data.
    • Example:
      In a startup using Microsoft 365 (OneDrive, SharePoint, etc.), Authentication ensures that only verified users can access company resources. When employees log into the company portal, they go through a login process (authentication). This might include entering their username and password, followed by a second verification step (such as a code sent via SMS or an authenticator app) as part of Multi-Factor Authentication (MFA).

    • Web App Example:
      Similar to logging into platforms like Facebook or Gmail, an employee accessing the company’s SharePoint documents must enter their credentials. Authentication ensures that the system can verify the identity of the user trying to gain access.

2. Authorization

  • Authentication on its own is not enough. Once a user has been verified, the Authorization principle defines how much authority that user has and which resources they may access within the company.
  • Example:
    • After authentication, Authorization dictates what the user can access. For instance, a project manager may have full edit and share permissions for all documents related to the company’s current projects in SharePoint. In contrast, an intern may only have read-only access to specific project documentation, limiting their ability to make changes or download sensitive files.
  • Within the Company:
    • Authorization allows the system to enforce role-based access controls (RBAC). For instance, a developer might have full access to code repositories, but they might be restricted from accessing financial records in OneDrive.

3. Accounting

  • Tracks and records who accessed which resources, when, and what they did, using system logs.

  • Example:
    • In the company, Accounting tracks and records user activity via audit logs. Whenever an employee accesses, modifies, or shares a document in SharePoint, these actions are logged. If an employee downloads or edits sensitive financial data, the system records:
      • Who accessed the document.
      • When the action occurred.
      • What changes were made.

These logs are crucial for compliance, troubleshooting, and investigating potential security incidents.

  • Tracking Example:
    Imagine an incident where sensitive client data was shared externally. By reviewing the audit logs, the IT team can trace who accessed the document, when it was shared, and whether it was done intentionally or accidentally.

Example Scenario:

A tech company uses Microsoft 365 to manage employee access to sensitive data stored in OneDrive, SharePoint, and Teams.


1. Authentication (Who are you?)

Authentication verifies the identity of users before granting them access to systems or resources. In a tech company using Microsoft 365, employees must authenticate before accessing resources like email, OneDrive, SharePoint, or Teams.

Example:
In Microsoft 365, Azure Active Directory (AAD, now called Microsoft Entra ID) is used for identity management and authentication. Employees log in using their company-provided email address and password, and multi-factor authentication (MFA) is often required as an added layer of security.

  • Step 1: An employee tries to log into their Microsoft 365 account (e.g., to access OneDrive or SharePoint).
  • Step 2: The system verifies their credentials through Azure AD, which checks their username and password.
  • Step 3: If enabled, the employee must pass MFA, such as receiving a code on their mobile device.

Why it matters: Only employees who can prove their identity can access company resources, reducing the risk of unauthorized access.


2. Authorization (What are you allowed to do?)

Authorization controls what users can do once they have authenticated. It determines what resources (files, applications) an employee can access and what actions (read, write, share) they can perform.

Example:
In Microsoft SharePoint, access permissions are set based on the employee’s role or group membership within the organization. For example:

  • Step 1: After authentication, an employee tries to access a specific folder in SharePoint that contains sensitive project data.
  • Step 2: Microsoft 365 checks their authorization level, which is determined by role-based access control (RBAC) policies.
  • Step 3: If the employee is part of the “Project Leads” group, they may have read-write access. If they are part of the “General Staff” group, they may only have read access, or they may be denied access entirely.

Why it matters: Even if an employee can log in, they shouldn’t have access to resources they don’t need. Authorization helps ensure the principle of least privilege by granting access only to what is necessary for the employee’s job.
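The group-based decision described in the three steps above, written out as an added example (this is illustrative code, not Microsoft 365's own authorization logic). The policy table, resource names and group names are constructed for the example; the key property it shows is deny-by-default: an action is allowed only if some group the authenticated user belongs to explicitly grants it.

```python
from dataclasses import dataclass, field

# Constructed policy table modelled on the SharePoint scenario in the text:
# resource -> group -> set of permitted actions. Anything not listed is denied.
POLICY = {
    "sharepoint:/projects/sensitive": {
        "Project Leads": {"read", "write"},
        "General Staff": {"read"},
    },
    "onedrive:/finance/records": {
        "Finance": {"read", "write", "share"},
    },
}


@dataclass(frozen=True)
class Principal:
    name: str
    authenticated: bool            # credentials verified by the identity provider
    mfa_passed: bool               # second factor completed
    groups: frozenset = field(default_factory=frozenset)


def authorize(principal, resource, action, policy=POLICY):
    """Return (allowed, reason). Only an explicit grant allows; everything else is denied."""
    # Authorization is only meaningful after authentication has succeeded.
    if not (principal.authenticated and principal.mfa_passed):
        return False, "not authenticated"
    grants = policy.get(resource)
    if grants is None:
        return False, "no policy for resource"
    # A user in several groups gets the union of what those groups grant.
    allowed = set()
    for group in principal.groups:
        allowed |= grants.get(group, set())
    if action in allowed:
        return True, "granted by group policy"
    return False, "no grant for action"


def effective_permissions(principal, policy=POLICY):
    """Least-privilege review aid: every action the principal can take, per resource."""
    result = {}
    for resource, grants in policy.items():
        actions = set()
        for group in principal.groups:
            actions |= grants.get(group, set())
        if actions:
            result[resource] = actions
    return result
```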


3. Accounting (What did you do?)

Accounting tracks the actions that users perform while they are accessing resources. This is critical for auditing and ensuring compliance with security policies.

Example:
In Microsoft 365, activity logs and audit trails record user actions. For example:

  • Step 1: An employee downloads sensitive documents from a SharePoint site.
  • Step 2: Microsoft 365 logs this action, capturing details such as who accessed the file, when, and from which device or location.
  • Step 3: Admins can later review these logs using Microsoft 365 Compliance Center or Azure Sentinel for audit purposes or to detect suspicious behavior (e.g., large downloads from unusual locations).

Why it matters: Accounting helps track user activity, detect suspicious behavior, and maintain records for audits and regulatory compliance. For example, if a data breach occurs, logs can help determine what data was accessed and by whom.
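The two uses of audit logs described on this page, tracing who did what to a file (the Tracking Example) and detecting suspicious behaviour such as large downloads from unusual locations (Step 3 above), as an added example. The records, field names, users, paths and company domain are all constructed for illustration and are not real Microsoft 365 audit-log output; the "unusual location" rule simply compares each event against the countries that user has been seen from earlier in the same log.

```python
from collections import defaultdict

# Constructed audit records carrying the fields the text calls out
# (who, when, what), plus size, location and sharing target.
COMPANY_DOMAIN = "example.com"  # hypothetical
AUDIT_LOG = [
    {"time": "2024-03-01T09:02", "user": "alice", "op": "FileAccessed", "file": "/Projects/Q2-Design.docx", "bytes": 0, "country": "NL"},
    {"time": "2024-03-01T09:05", "user": "alice", "op": "FileModified", "file": "/Projects/Q2-Design.docx", "bytes": 0, "country": "NL"},
    {"time": "2024-03-02T10:10", "user": "bob", "op": "FileDownloaded", "file": "/Finance/Payroll.xlsx", "bytes": 2_500_000, "country": "NL"},
    {"time": "2024-03-03T03:40", "user": "bob", "op": "FileDownloaded", "file": "/Finance/Payroll.xlsx", "bytes": 900_000_000, "country": "BR"},
    {"time": "2024-03-03T03:41", "user": "bob", "op": "SharingSet", "file": "/Finance/Payroll.xlsx", "bytes": 0, "country": "BR", "target": "someone@partner.org"},
    {"time": "2024-03-04T11:00", "user": "alice", "op": "SharingSet", "file": "/Projects/Q2-Design.docx", "bytes": 0, "country": "NL", "target": "carol@example.com"},
]


def trace_file(log, path):
    """Who did what to a file, and when, in time order (the tracking example)."""
    return [(r["time"], r["user"], r["op"]) for r in sorted(log, key=lambda r: r["time"]) if r["file"] == path]


def flag_events(log, size_threshold=100_000_000, company_domain=COMPANY_DOMAIN):
    """Return (time, user, file, reasons) for events worth an analyst's attention:
    large downloads, downloads from a country not seen before for that user,
    and shares to an address outside the company domain."""
    seen_countries = defaultdict(set)   # per-user baseline built as we read the log
    flags = []
    for r in sorted(log, key=lambda r: r["time"]):
        reasons = []
        if r["op"] == "FileDownloaded":
            if r["bytes"] >= size_threshold:
                reasons.append("large download")
            # Only flag a new location once there is a baseline to compare against.
            if seen_countries[r["user"]] and r["country"] not in seen_countries[r["user"]]:
                reasons.append("unusual location")
        if r["op"] == "SharingSet" and not r.get("target", "").endswith("@" + company_domain):
            reasons.append("external share")
        seen_countries[r["user"]].add(r["country"])
        if reasons:
            flags.append((r["time"], r["user"], r["file"], reasons))
    return flags
```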


Putting It All Together:

In this Microsoft 365 environment, the three AAA functions work together as follows:

  • Authentication (through Azure AD) ensures that only valid employees can log in to the company’s systems (OneDrive, SharePoint, etc.).
  • Authorization ensures that employees only access the data they are permitted to, based on their roles (e.g., only the HR department can view payroll files in SharePoint).
  • Accounting tracks what employees do while logged in, ensuring that admins can audit these actions and detect security breaches (e.g., logs show which employee downloaded or shared sensitive files).

Industry Example

Let’s say Company X, a software development firm, uses Microsoft 365 for collaboration and storing sensitive intellectual property (IP) like source code and design documents.

  • Authentication: When a developer logs into Microsoft Teams to collaborate with their team, they authenticate using Azure AD credentials and MFA to confirm their identity.

  • Authorization: The developer can only access project-specific Teams channels or OneDrive folders where they are part of the team. They can view the design documents but do not have permission to access the finance department’s folder in SharePoint, which is restricted to the finance team.

  • Accounting: All activity—such as viewing, downloading, or sharing files—is logged in the Microsoft 365 audit logs. The security team can track who accessed certain files and from where, ensuring full traceability of any sensitive data.

This AAA framework ensures that Company X protects sensitive IP while enabling employees to access only the resources they need to perform their work.