Security can mean many things to many people. In the world of data communications, security is concerned primarily with the protection of in-flight data (as opposed to data-at-rest) and device access. Many services are required to provide a complete security solution. The major services related to in-flight data include the following:
In many computing environments, multiple administrators are granted access to production systems for the purpose of management. Additionally, management responsibilities are sometimes divided among different teams or departments in large organizations. To facilitate shared management responsibilities in a scalable manner with minimal complexity, the concept of Role Based Access Control (RBAC) was introduced in 1992. RBAC simplifies multi-access security administration in large-scale environments. Consequently, RBAC has emerged as the preferred solution for multi-access security control. The RBAC model was standardized by ANSI INCITS in 2004 via the 359-2004 standard. The 359-2004 standard defines the RBAC reference model and provides the RBAC functional specification. The RBAC reference model is composed of five basic elements: users, roles, permissions, operations, and objects. The RBAC functional specification defines the requisite features of an RBAC implementation. In 2005, ANSI INCITS formed the Cyber Security (CS1) subcommittee to continue work on RBAC and other security initiatives. Although the reference model and functional specification defined in the 359-2004 standard are broadly applicable to many environments, various organizations outside of ANSI are working on RBAC standards for specific environments that have specialized requirements. Today, most information technology vendors support RBAC in their products. RBAC is complemented by a set of technologies called authentication, authorization, and accounting (AAA). AAA is implemented as a client/server model in which all security information is centrally stored and managed on an AAA server. The devices under management act as clients to the AAA server by relaying user credentials and access requests to it. The AAA server replies authoritatively to the managed devices, and the user is granted or denied access based on that reply.
The traditional alternative is to create, store, and manage user identification and password information on each managed device (a distributed model). The AAA model requires significantly less administration than the distributed model. AAA is also inherently more secure because the central database can be protected by physical security measures that are not practical to implement in most distributed environments. Consequently, AAA is currently deployed in most large organizations. Many AAA products are available as software-only solutions that run on every major operating system. As its name suggests, AAA provides three services. The authentication service verifies the identity of each user or device. The authorization service dynamically grants access to network and compute resources based on a preconfigured access list associated with the user's credentials. This enables granular control of who can do what, rather than granting each authenticated user full access to all resources. Authorization is handled transparently, so the user experience is not tedious. The accounting service logs actions taken by users and devices. Some AAA servers also support the syslog protocol and integrate syslog messages into the accounting log for consolidated logging. The accounting service can log various data including the user's ID, the source IP address, protocol numbers, TCP and UDP port numbers, time and date of access, the commands executed and services accessed, the result of each attempt (permitted or denied), and the location of access. The accounting service enables many applications such as customer billing, suspicious activity tracing, utilization trending, and root cause analysis.
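The RBAC reference model (users, roles, permissions as operation/object pairs) and the AAA authorization and accounting services described above, as an added example that is not from the book or from any AAA product: a small in-memory policy store where the user-to-role and permission-to-role assignments are constructed sample data, and each authorization decision writes an accounting record with the fields the text lists (user ID, source IP, command, result, time).

```python
"""Core RBAC with an AAA-style authorization check and accounting log.
Added illustration; the policy, users and addresses are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class RBAC:
    # UA: user -> roles;  PA: role -> {(operation, object)}  (core RBAC relations)
    user_roles: dict = field(default_factory=dict)
    role_perms: dict = field(default_factory=dict)
    accounting: list = field(default_factory=list)   # accounting-service records

    def assign_user(self, user, role):
        self.user_roles.setdefault(user, set()).add(role)

    def grant_permission(self, role, operation, obj):
        self.role_perms.setdefault(role, set()).add((operation, obj))

    def permissions_of(self, user):
        # Effective permissions = union over every role assigned to the user
        roles = self.user_roles.get(user, ())
        return set().union(*(self.role_perms.get(r, set()) for r in roles))

    def check_access(self, user, operation, obj, src_ip):
        """Authorization decision; every attempt is logged, permitted or denied."""
        permitted = (operation, obj) in self.permissions_of(user)
        self.accounting.append({
            "user": user, "src_ip": src_ip,
            "command": f"{operation} {obj}",
            "result": "permitted" if permitted else "denied",
            "time": datetime.now(timezone.utc).isoformat(),
        })
        return permitted


def build_demo():
    """Constructed sample policy: an admin role and a read-only operator role."""
    rbac = RBAC()
    rbac.grant_permission("admin", "write", "running-config")
    rbac.grant_permission("admin", "show", "running-config")
    rbac.grant_permission("operator", "show", "running-config")
    rbac.assign_user("alice", "admin")
    rbac.assign_user("bob", "operator")
    return rbac


if __name__ == "__main__":
    r = build_demo()
    r.check_access("alice", "write", "running-config", "192.0.2.10")  # permitted
    r.check_access("bob", "write", "running-config", "192.0.2.11")    # denied
    for record in r.accounting:
        print(record)
```

Note that a user with no role assignment (and therefore no permissions) is still logged when denied, which is what makes the accounting log useful for suspicious-activity tracing.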