DAD...AAA

admin · 2022-05-15 01:05:17 · 119 views · 18,941 characters

In addition to the CIA Triad, you need to consider a plethora of other security-related concepts and principles when designing a security policy and deploying a security solution. These include the DAD Triad, the risks of overprotection, authenticity, nonrepudiation, and AAA services.


Disclosure, Alteration, and Destruction


One interesting security concept is the opposite of the CIA Triad, which is the DAD Triad. Disclosure, alteration, and destruction make up the DAD Triad. The DAD Triad represents the failures of security protections in the CIA Triad. It may be useful to recognize what to look for when a security mechanism fails.

Disclosure occurs when sensitive or confidential material is accessed by unauthorized entities; it is a violation of confidentiality.

Alteration occurs when data is either maliciously or accidentally changed; it is a violation of integrity.

Destruction occurs when a resource is damaged or made inaccessible to authorized users (the latter is technically what we usually call denial of service (DoS)); it is a violation of availability.

Overprotection

It may also be worthwhile to know that too much security can be its own problem. Overprotecting confidentiality can result in a restriction of availability. Overprotecting integrity can result in a restriction of availability. Overproviding availability can result in a loss of confidentiality and integrity.

Authenticity

Authenticity is the security concept that data is authentic or genuine and originates from its alleged source. This is related to integrity, but it is more closely related to verifying that the data is from its claimed origin. When data has authenticity, the recipient can have a high level of confidence that the data is from whom it claims to be from and that it did not change in transit (or storage).

Nonrepudiation

Nonrepudiation ensures that the subject of an activity, or whoever caused an event, cannot deny that the event occurred. Nonrepudiation prevents a subject from claiming not to have sent a message, not to have performed an action, or not to have been the cause of an event. It is made possible through identification, authentication, authorization, accountability, and auditing. Nonrepudiation can be established using digital certificates, session identifiers, transaction logs, and numerous other transactional and access control mechanisms. A system built without proper enforcement of nonrepudiation does not provide verification that a specific entity performed a certain action. Nonrepudiation is an essential part of accountability. A suspect cannot be held accountable if they can repudiate the claim against them.
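To make the distinction between authenticity (the previous section) and nonrepudiation concrete, here is an added Go example of my own, not code from the book: an HMAC over a constructed transaction record proves origin and integrity to anyone who holds the shared key, but because the receiver holds that same key it can produce an identical tag, so a third party cannot tell which side made it; an Ed25519 signature is checked with only the public key, so the private-key holder alone could have produced it. The message text and the shared key are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed sample message standing in for a transaction record.
const sampleMessage = "transfer 100 from acct-123 to acct-456"

// hmacTag computes an HMAC-SHA256 tag over msg with a shared key.
func hmacTag(key, msg []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(msg)
	return mac.Sum(nil)
}

// VerifyHMAC gives authenticity and integrity to anyone holding the shared key.
// hmac.Equal is a constant-time comparison, so the tag cannot be guessed byte by byte.
func VerifyHMAC(key, msg, tag []byte) bool {
	return hmac.Equal(hmacTag(key, msg), tag)
}

// VerifierCanForgeHMAC shows why a shared-key MAC cannot support nonrepudiation:
// the receiver holds the same key and can mint a tag over any message it likes,
// indistinguishable from one the sender made.
func VerifierCanForgeHMAC(key []byte, forgedMessage string) bool {
	forged := []byte(forgedMessage)
	return VerifyHMAC(key, forged, hmacTag(key, forged))
}

// GenerateSigningKey creates an Ed25519 key pair. Only the private key signs;
// the public key is all a verifier (or later an auditor) needs.
func GenerateSigningKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Sign produces a signature that only the private-key holder could have made.
func Sign(priv ed25519.PrivateKey, msg []byte) []byte {
	return ed25519.Sign(priv, msg)
}

// VerifySignature checks authenticity and integrity without any secret, which is
// what lets the signer be held to the message afterwards.
func VerifySignature(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

func main() {
	sharedKey := []byte("constructed-shared-key-for-demo")
	msg := []byte(sampleMessage)
	tag := hmacTag(sharedKey, msg)
	fmt.Println("HMAC verifies:", VerifyHMAC(sharedKey, msg, tag))
	fmt.Println("HMAC rejects edit:", !VerifyHMAC(sharedKey, []byte(sampleMessage+" (edited)"), tag))
	fmt.Println("receiver can forge a valid HMAC:", VerifierCanForgeHMAC(sharedKey, "transfer 9999 ..."))

	pub, priv, err := GenerateSigningKey()
	if err != nil {
		panic(err)
	}
	sig := Sign(priv, msg)
	fmt.Println("signature verifies:", VerifySignature(pub, msg, sig))
	fmt.Println("signature rejects edit:", !VerifySignature(pub, []byte(sampleMessage+" (edited)"), sig))
	_, otherPriv, _ := GenerateSigningKey() // a second party with its own key
	fmt.Println("other key cannot impersonate:", !VerifySignature(pub, msg, Sign(otherPriv, msg)))
}
```

The HMAC path is the right tool when both ends are trusted and only an outsider must be kept from forging or altering traffic; the signature path is what a transaction log needs when the record may later have to prove to someone other than the receiver who produced it.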

AAA Services (Authentication, Authorization, Accounting/Auditing)

AAA services are a core security mechanism of all security environments. The three As in this abbreviation refer to authentication, authorization, and accounting (or sometimes auditing). However, what is not as clear is that although there are three letters in the acronym, it actually refers to five elements: identification, authentication, authorization, auditing, and accounting. These five elements represent the following processes of security:

Identification: Identification is claiming to be an identity when attempting to access a secured area or system.

Authentication: Authentication is proving that you are that claimed identity.

Authorization: Authorization is defining the permissions (i.e., allow/grant and/or deny) of resource and object access for a specific identity or subject.

Auditing: Auditing is recording a log of the events and activities related to the system and subjects.

Accounting: Accounting (aka accountability) is reviewing log files to check for compliance and violations in order to hold subjects accountable for their actions, especially violations of organizational security policy.

Although AAA is typically referenced in relation to authentication systems, it is actually a foundational concept for security. Missing any of these five elements can result in an incomplete security mechanism. The following sections discuss identification, authentication, authorization, auditing, and accountability.


Identification

A subject must perform identification to start the process of authentication, authorization, and accountability (AAA). Providing an identity can involve typing in a username; swiping a smartcard; waving a proximity device; speaking a phrase; or positioning your face, hand, or finger for a camera or scanning device. Without an identity, a system has no way to correlate an authentication factor with the subject.


Once a subject has been identified (that is, once the subject’s identity has been recognized and verified), the identity is accountable for any further actions by that subject. IT systems track activity by identities, not by the subjects themselves. A computer doesn’t know one individual from another, but it does know that your user account is different from all other user accounts. Simply claiming an identity does not imply access or authority. The identity must be proven before use. That process is authentication.


Authentication

The process of verifying whether a claimed identity is valid is authentication. Authentication requires the subject to provide additional information that corresponds to the identity they are claiming. The most common form of authentication is using a password. Authentication verifies the identity of the subject by comparing one or more factors against the database of valid identities (that is, user accounts). The capability of the subject and system to maintain the secrecy of the authentication factors for identities directly reflects the level of security of that system.

Identification and authentication are often used together as a single two-step process. Providing an identity is the first step, and providing the authentication factors is the second step. Without both, a subject cannot gain access to a system—neither element alone is useful in terms of security. In some systems, it may seem as if you are providing only one element but gaining access, such as when keying in an ID code or a PIN. However, in these cases either the identification is handled by another means, such as physical location, or authentication is assumed by your ability to access the system physically. Both identification and authentication take place, but you might not be as aware of them as when you manually type in both a name and a password. 



Each authentication technique or factor has its unique benefits and drawbacks. Thus, it is important to evaluate each mechanism in light of the environment in which it will be deployed to determine viability. We discuss authentication at length in Chapter 13, “Managing Identity and Authentication.”

Authorization

Once a subject is authenticated, access must be authorized. The process of authorization ensures that the requested activity or access to an object is possible given the rights and privileges assigned to the authenticated identity. In most cases, the system evaluates the subject, the object, and the assigned permissions related to the intended activity. If the specific action is allowed, the subject is authorized. If the specific action is not allowed, the subject is not authorized.



Keep in mind that just because a subject has been identified and authenticated does not mean they have been authorized to perform any function or access all resources within the controlled environment. Identification and authentication are all-or-nothing aspects of access control. Authorization has a wide range of variations between all or nothing for each object within the environment. A user may be able to read a file but not delete it, print a document but not alter the print queue, or log on to a system but not access any resources. Authorization is discussed in Chapter 13.

Auditing

Auditing is the programmatic means by which a subject’s actions are tracked and recorded for the purpose of holding the subject accountable for their actions while authenticated on a system, through the documentation or recording of subject activities. It is also the process by which unauthorized or abnormal activities are detected on a system. Auditing is recording activities of a subject and its objects as well as recording the activities of application and system functions. Log files provide an audit trail for re-creating the history of an event, intrusion, or system failure. Auditing is needed to detect malicious actions by subjects, attempted intrusions, and system failures and to reconstruct events, provide evidence for prosecution, and produce problem reports and analysis. Auditing is usually a native feature of operating systems and most applications and services. Thus, configuring the system to record information about specific types of events is fairly straightforward.

Notice: Monitoring is part of what is needed for audits, and audit logs are part of a monitoring system, but the two terms have different meanings. Monitoring is a type of watching or oversight, whereas auditing is a recording of the information into a record or file. It is possible to monitor without auditing, but you can’t audit without some form of monitoring.


Accountability

An organization’s security policy can be properly enforced only if accountability is maintained. In other words, you can maintain security only if subjects are held accountable for their actions. Effective accountability relies on the capability to prove a subject’s identity and track their activities. Accountability is established by linking an individual to the activities of an online identity through the security services and mechanisms of auditing, authorization, authentication, and identification. Thus, individual accountability is ultimately dependent on the strength of these processes. Without a strong authentication process, there is doubt that the person associated with a specific user account was the actual entity controlling that user account when the undesired action took place.

To have viable accountability, you must be able to support your security decisions and their implementation in a court of law. If you are unable to legally support your security efforts, then you will be unlikely to be able to hold an individual accountable for actions linked to a user account. With only a password as authentication, there is significant room for doubt. Passwords are the least secure form of authentication, with dozens of different methods available to compromise them. However, with the use of multifactor authentication, such as a password, smartcard, and fingerprint scan in combination, there is very little possibility that any other individual could have compromised the authentication process in order to impersonate the person responsible for the user account.
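The five AAA elements listed earlier and the sections from Identification through Accountability describe one procedure, so here is one added Go example of my own (not from the book) that walks a constructed request through all of them: a claimed user name is checked against a salted hash, the authenticated subject is allowed only the actions granted on each object, every decision is written to an audit trail, and a review pass reads that trail and reports which subjects crossed a violation threshold, noting whether the account's enrolled factor count makes the finding attributable to a person. The account names, passwords, the "report.txt" object and the use of plain SHA-256 in place of a purpose-built password hash are all assumptions of the example.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"time"
)

// Account is a constructed identity record: salted password hash plus the
// number of enrolled factors (1 = password only, 2+ = multifactor).
type Account struct {
	Salt, Hash []byte
	Factors    int
}

// AuditEvent is one entry of the audit trail (outcome: allowed, denied, auth-failed).
type AuditEvent struct {
	When                             time.Time
	Subject, Action, Object, Outcome string
}

// System bundles the identity database, the permission table and the audit log.
type System struct {
	Accounts    map[string]Account
	Permissions map[string]map[string][]string // subject -> object -> allowed actions
	Audit       []AuditEvent
}

func NewSystem() *System {
	return &System{Accounts: map[string]Account{}, Permissions: map[string]map[string][]string{}}
}

// hashPassword stands in for a real password hash such as bcrypt or argon2 (assumption).
func hashPassword(salt []byte, password string) []byte {
	sum := sha256.Sum256(append(append([]byte{}, salt...), password...))
	return sum[:]
}

// Register stores only a salted hash; the plaintext password is never kept.
func (s *System) Register(user, password string, factors int) {
	salt := []byte("constructed-salt-" + user) // a real system draws the salt from crypto/rand
	s.Accounts[user] = Account{Salt: salt, Hash: hashPassword(salt, password), Factors: factors}
}

// record is the auditing element: every decision, good or bad, is written down.
func (s *System) record(subject, action, object, outcome string) {
	s.Audit = append(s.Audit, AuditEvent{time.Now(), subject, action, object, outcome})
}

// Authenticate covers identification (the claimed name) and authentication (proof of
// the claim); the constant-time compare keeps the hash from being probed via timing.
func (s *System) Authenticate(claimed, password string) bool {
	acct, known := s.Accounts[claimed]
	if known && subtle.ConstantTimeCompare(acct.Hash, hashPassword(acct.Salt, password)) == 1 {
		s.record(claimed, "login", "-", "allowed")
		return true
	}
	s.record(claimed, "login", "-", "auth-failed")
	return false
}

// Authorize permits only the actions listed for that subject on that object.
func (s *System) Authorize(subject, action, object string) bool {
	for _, allowed := range s.Permissions[subject][object] {
		if allowed == action {
			s.record(subject, action, object, "allowed")
			return true
		}
	}
	s.record(subject, action, object, "denied")
	return false
}

// Review is the accountability element: it reads the audit trail, flags subjects whose
// failed or denied attempts reached the threshold, and notes whether the identity is
// strong enough (multifactor) to attribute the actions to the person behind the account.
func (s *System) Review(threshold int) map[string]string {
	failures := map[string]int{}
	for _, e := range s.Audit {
		if e.Outcome != "allowed" {
			failures[e.Subject]++
		}
	}
	findings := map[string]string{}
	for subject, n := range failures {
		if n < threshold {
			continue
		}
		if acct, ok := s.Accounts[subject]; ok && acct.Factors >= 2 {
			findings[subject] = "violation: multifactor identity, attributable"
		} else {
			findings[subject] = "violation: password-only or unknown identity, weak attribution"
		}
	}
	return findings
}

func main() {
	s := NewSystem()
	s.Register("alice", "correct horse battery", 2)
	s.Permissions["alice"] = map[string][]string{"report.txt": {"read"}}
	s.Authenticate("alice", "correct horse battery")
	s.Authorize("alice", "delete", "report.txt") // denied, and recorded
	fmt.Println(len(s.Audit), "audit events;", s.Review(1))
}
```

Note that failed logins for unknown names are recorded too: the identification step alone produces an audit entry, even though no account exists to hold responsible, which is exactly the gap the review output labels as weak attribution.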

Protection Mechanisms

Another aspect of understanding and applying security controls is the concept of protection mechanisms or protection controls. Not all security controls must have them, but many controls offer their protection through the use of these mechanisms. Some common examples of these mechanisms are defense in depth, abstraction, data hiding, and using encryption.

  • Defense in Depth

Defense in depth, also known as layering, is the use of multiple controls in a series. No one control can protect against all possible threats. Using a multilayered solution allows for numerous different controls to guard against whatever threats come to pass. When security solutions are designed in layers, a single failed control should not result in exposure of systems or data.


Using layers in a series rather than in parallel is important. Performing security restrictions in a series means performing one after the other in a linear fashion. Only through a series configuration will each attack be scanned, evaluated, or mitigated by every security control. In a series configuration, failure of a single security control does not render the entire solution ineffective. If security controls were implemented in parallel, a threat could pass through a single checkpoint that did not address its particular malicious activity.


Serial configurations are very narrow but very deep, whereas parallel configurations are very wide but very shallow. Parallel systems are useful in distributed computing applications, but parallelism is not often a useful concept in the realm of security.


Within the context of defense in depth, in addition to the terms levels, multilevel, and layers, other terms that are often used in relation to this concept are classifications, zones, realms, compartments, silos, segmentations, lattice structure, and protection rings. You will see these terms used often throughout this book. When you see them, think about the concept of defense in depth in relation to the context in which the term is used.
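As an added illustration of the series-versus-parallel point (my own Go code, not the book's): three sample layers, a network firewall, an authentication check and a content filter, are evaluated both ways. In series a request must satisfy every layer, so a content filter that has failed open is still backed by the firewall; in parallel the same failed-open filter is the single checkpoint that admits the request. The blocked address range, the payload signature and the layer behaviours are all constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Request is a constructed stand-in for something crossing a boundary:
// an inbound connection carrying a payload on behalf of a user.
type Request struct {
	SourceIP      string
	Payload       string
	Authenticated bool
}

// Control is one layer; Check returns true when the request may proceed.
type Control struct {
	Name  string
	Check func(Request) bool
}

// EvaluateInSeries passes the request through every control in order and admits
// it only if all of them pass; the first control that stops it is reported so the
// decision can be audited.
func EvaluateInSeries(controls []Control, r Request) (admitted bool, stoppedBy string) {
	for _, c := range controls {
		if !c.Check(r) {
			return false, c.Name
		}
	}
	return true, ""
}

// EvaluateInParallel models the configuration the text warns against: the request
// is admitted by whichever control accepts it, so one checkpoint that does not
// address its particular threat is enough to let it through.
func EvaluateInParallel(controls []Control, r Request) (admitted bool, admittedBy string) {
	for _, c := range controls {
		if c.Check(r) {
			return true, c.Name
		}
	}
	return false, ""
}

// Layers builds the three sample layers. With contentFilterBroken set, the content
// filter fails open (admits everything) so the effect of one failed control can be
// compared between the two configurations. The 10.66.0.0/16 block and the
// "MALWARE-TEST-MARKER" signature are constructed values.
func Layers(contentFilterBroken bool) []Control {
	return []Control{
		{"network firewall", func(r Request) bool { return !strings.HasPrefix(r.SourceIP, "10.66.") }},
		{"authentication", func(r Request) bool { return r.Authenticated }},
		{"content filter", func(r Request) bool {
			return contentFilterBroken || !strings.Contains(r.Payload, "MALWARE-TEST-MARKER")
		}},
	}
}

func main() {
	hostile := Request{SourceIP: "10.66.1.2", Payload: "MALWARE-TEST-MARKER", Authenticated: false}
	for _, broken := range []bool{false, true} {
		ok, name := EvaluateInSeries(Layers(broken), hostile)
		fmt.Printf("series   (filter broken=%v): admitted=%v stopped by %q\n", broken, ok, name)
		ok, name = EvaluateInParallel(Layers(broken), hostile)
		fmt.Printf("parallel (filter broken=%v): admitted=%v admitted by %q\n", broken, ok, name)
	}
}
```

The returned control name is the detail a defender wants in the log: in the series configuration it tells you which layer did the work, and in the parallel one it tells you which layer was the hole.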


  • Abstraction

Abstraction is used for efficiency. Similar elements are put into groups, classes, or roles that are assigned security controls, restrictions, or permissions as a collective. Abstraction simplifies security by enabling you to assign security controls to a group of objects collected by type or function. Thus, the concept of abstraction is used when classifying objects or assigning roles to subjects.


Abstraction is one of the fundamental principles behind the field known as object-oriented programming. It is the unknown environment doctrine that says that users of an object (or operating system component) don’t necessarily need to know the details of how the object works; they need to know just the proper syntax for using the object and the type of data that will be returned as a result (that is, how to send input and receive output). This is very much what’s involved in mediated access to data or services, such as when user mode applications use system calls to request administrator mode services or data (and where such requests may be granted or denied depending on the requester’s credentials and permissions) rather than obtaining direct, unmediated access.


Another way in which abstraction applies to security is the introduction of object groups, sometimes called classes, where access controls and operation rights are assigned to groups of objects rather than on a per-object basis. This approach allows security administrators to define and name groups easily (the names are often related to job roles or responsibilities) and helps make the administration of rights and privileges easier (when you add an object to a class, you confer rights and privileges rather than having to manage rights and privileges for each object separately). 

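An added Go example, not from the book, of assigning rights to object classes and subject roles rather than per object: once a role has rights on a class, classifying a new object into that class confers those rights with no new permission entry, and the rights table stays the same size however many objects are added. The "auditor" role, the "financial-report" class and the file names are assumptions of the example.

```go
package main

import "fmt"

// Registry assigns rights by role and object class instead of per subject and
// per object: subjects are members of roles, objects are members of classes,
// and a right is a (role, class, action) triple.
type Registry struct {
	roleOf  map[string]string              // subject -> role
	classOf map[string]string              // object -> class
	rights  map[string]map[string][]string // role -> class -> actions
}

func NewRegistry() *Registry {
	return &Registry{
		roleOf:  map[string]string{},
		classOf: map[string]string{},
		rights:  map[string]map[string][]string{},
	}
}

// AssignRole places a subject in a role (named after a job function).
func (r *Registry) AssignRole(subject, role string) { r.roleOf[subject] = role }

// Classify places an object in a class; rights already granted on that class
// apply to the object immediately, with no per-object entry.
func (r *Registry) Classify(object, class string) { r.classOf[object] = class }

// Grant gives a role a set of actions on every object in a class.
func (r *Registry) Grant(role, class string, actions ...string) {
	if r.rights[role] == nil {
		r.rights[role] = map[string][]string{}
	}
	r.rights[role][class] = append(r.rights[role][class], actions...)
}

// Allowed resolves subject -> role and object -> class, then checks the class-level
// rights. A subject with no role, or an object with no class, gets nothing (fail closed).
func (r *Registry) Allowed(subject, action, object string) bool {
	role, hasRole := r.roleOf[subject]
	class, hasClass := r.classOf[object]
	if !hasRole || !hasClass {
		return false
	}
	for _, a := range r.rights[role][class] {
		if a == action {
			return true
		}
	}
	return false
}

// RightCount reports how many (role, class) grants exist, to show that the table
// does not grow with the number of objects.
func (r *Registry) RightCount() int {
	n := 0
	for _, classes := range r.rights {
		n += len(classes)
	}
	return n
}

func main() {
	reg := NewRegistry()
	reg.AssignRole("alice", "auditor")
	reg.Grant("auditor", "financial-report", "read")
	reg.Classify("q1.xlsx", "financial-report")
	reg.Classify("q2.xlsx", "financial-report") // no new grant needed for the new object
	fmt.Println(reg.Allowed("alice", "read", "q2.xlsx"), reg.Allowed("alice", "delete", "q2.xlsx"), reg.RightCount())
}
```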

  • Data Hiding

Data hiding is exactly what it sounds like: preventing data from being discovered or accessed by a subject by positioning the data in a logical storage compartment that is not accessible or seen by the subject. This means the subject cannot see or access the data, not just that it is unseen. Forms of data hiding include keeping a database from being accessed by unauthorized visitors and restricting a subject at a lower classification level from accessing data at a higher classification level. Preventing an application from accessing hardware directly is also a form of data hiding. Data hiding is often a key element in security controls as well as in programming. Steganography is an example of data hiding (see Chapter 7).


Data hiding is an important characteristic in multilevel secure systems. It ensures that data existing at one level of security is not visible to processes running at different security levels. From a security perspective, data hiding relies on placing objects in security containers that are different from those that subjects occupy to hide object details from those with no need to know about them or means to access them. 



The term security through obscurity may seem relevant here. However, that concept is different. Data hiding is the act of intentionally positioning data so that it is not viewable or accessible to an unauthorized subject, whereas security through obscurity is the idea of not informing a subject about an object being present and thus hoping that the subject will not discover the object. In other words, in security through obscurity the subject could access the data if they find it. It is digital hide and seek. Security through obscurity does not actually implement any form of protection. It is instead an attempt to hope something important is not discovered by keeping knowledge of it a secret. An example of security through obscurity is when a programmer is aware of a flaw in their software code, but they release the product anyway hoping that no one discovers the issue and exploits it.
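An added Go example of my own (not the book's) that contrasts the two ideas in code: a compartmented store enforces the subject's clearance at every read and returns the same "not visible" answer whether the object is absent or above the clearance, so knowing a name does not help; an obscure store merely advertises nothing and hands the data to anyone who supplies the name. The clearance levels, object names and contents are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Level is a classification; higher values are more sensitive.
type Level int

const (
	Unclassified Level = iota
	Confidential
	Secret
)

// Object is a constructed stored item with its classification.
type Object struct {
	Level Level
	Data  string
}

// ErrNotVisible is returned both for "does not exist" and for "above your
// clearance", so the response does not reveal that the object exists.
var ErrNotVisible = errors.New("object not visible to this subject")

// CompartmentedStore implements data hiding: the store itself enforces that a
// subject can neither list nor read objects above its clearance.
type CompartmentedStore struct{ objects map[string]Object }

func NewCompartmentedStore(objects map[string]Object) *CompartmentedStore {
	return &CompartmentedStore{objects: objects}
}

// Read enforces "no read up" at the point of access, not by hiding names.
func (s *CompartmentedStore) Read(clearance Level, name string) (string, error) {
	obj, ok := s.objects[name]
	if !ok || obj.Level > clearance {
		return "", ErrNotVisible
	}
	return obj.Data, nil
}

// List shows only what the subject is cleared to see, in a stable order.
func (s *CompartmentedStore) List(clearance Level) []string {
	var names []string
	for name, obj := range s.objects {
		if obj.Level <= clearance {
			names = append(names, name)
		}
	}
	sort.Strings(names)
	return names
}

// ObscureStore is security through obscurity: nothing is advertised, but there
// is no access check, so anyone who learns or guesses a name reads the data.
type ObscureStore struct{ objects map[string]string }

func NewObscureStore(objects map[string]string) *ObscureStore {
	return &ObscureStore{objects: objects}
}

// List advertises nothing; that is the only "protection" this store has.
func (s *ObscureStore) List() []string { return nil }

// Read returns the data to whoever supplies the right name.
func (s *ObscureStore) Read(name string) (string, bool) {
	data, ok := s.objects[name]
	return data, ok
}

func main() {
	hidden := NewCompartmentedStore(map[string]Object{
		"cafeteria-menu": {Unclassified, "soup"},
		"merger-plan":    {Secret, "acquire example-corp"},
	})
	obscure := NewObscureStore(map[string]string{"backup-2019.sql": "constructed dump"})
	_, err := hidden.Read(Confidential, "merger-plan")
	fmt.Println("confidential subject reading merger-plan:", err)
	data, _ := obscure.Read("backup-2019.sql")
	fmt.Println("unlisted object read by name:", data)
}
```

The single error value is deliberate: if the compartmented store answered "no such object" for unknown names and "access denied" for real ones, a subject below the clearance could still confirm which names exist, which is a small disclosure in its own right.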


  • Encryption

Encryption is the science of hiding the meaning or intent of a communication from unintended recipients. Encryption can take many forms and should be applied to every type of electronic communication and storage. Encryption is discussed at length in Chapters 6 and 7.


Originally published on the WeChat public account 网络安全等保测评: DAD...AAA

Posted by admin on 2022-05-15 01:05:17. Please keep the link to this article when reposting (CN-SEC中文网, with thanks to the original author): DAD...AAA http://cn-sec.com/archives/1008155.html