Insight by Cloudflare

End user empowerment: Shifting the cybersecurity responsibility

After 21 years of Cybersecurity Awareness Months, maybe it’s time to reconsider the burden we place on end users.

This content was written by Steve Caimi at Cloudflare.

Love it or loathe it, Cybersecurity Awareness Month is our annual reminder that end users play a key role in cybersecurity. Often labeled “the weakest link,” users need regular training on proper cyber hygiene. The government’s own security control catalog, NIST SP 800-53, devotes the entire Awareness & Training (AT) control family to it. “Organizations provide basic and advanced levels of literacy training to system users, including measures to test the knowledge level of users,” it says. But this October, I find myself asking: Why are we still doing this?

It’s no mystery how we got here. Designed for openness, the internet is full of security flaws. It didn’t require strong passwords, so people created weak ones. It didn’t mandate multi-factor authentication, so people didn’t use it. It allowed phishing attacks to reach people, so they became victims. Software didn’t update automatically, so people used vulnerable technology. And on and on.

End user training evolved to help compensate for all kinds of security weaknesses. Then we tested people’s knowledge with unpopular campaigns like phishing simulations. After all, we warned them that cyber vigilance is their duty too. But how well has that worked out? Countless studies still point to human error as the top reason for data breaches.

After 21 years of Cybersecurity Awareness Months, maybe it’s time to reconsider the burden we place on end users. Forcing cyber responsibility on them isn’t fair, it’s ineffective, and it can even be counter productive. But there’s good news: the end of end user training might be closer than you think.

Human beings aren’t security controls

People, policy, process, and technology – cybersecurity programs depend on all of them. But the people are security architects, analysis, responders – roles with the knowledge, skills, and abilities to put the right policies, processes, and technologies in place. Not end users.

The threats we face now demand near-perfect, round-the-clock vigilance, especially as AI helps attack campaigns appear legitimate to the human eye. In the past, phishing awareness campaigns taught users about telltale signs like word misspellings, distorted images, or unexpected domains. Today’s adversaries are far more capable than that. It’s getting harder – if not impossible – for people to identify phishing attacks or fraudulent websites today. Practically everything looks both legitimate and suspicious at the same time.

Training end users and expecting action is a bit like strengthening legacy security perimeters and expecting secure internal networks. It sounds good on paper, but the real world exposes the raw truth. Fortunately, Zero Trust principles emerged to change our mindset about network security, forcing us to accept the fact that internal networks can never be trusted. We’re now protecting resources, not building bigger cyber walls.

In a similar way, Zero Trust can change our mindset about user training, forcing us to accept people as human and imperfect. We can’t expect users to be a line of defense, no matter how much we educate them. Modern security architectures aren’t perfect either, but they’re  far more effective against today’s threats – and can help reduce or eliminate the need for end user vigilance.

VPNs contribute to the cyber vigilance problem

The legacy Virtual Private Network (VPN) is a great example of an outdated security technology that puts users in a tough spot, fueling the need to compensate with more security training. Here’s why.

First, let’s be clear that VPNs are fundamentally at odds with NIST’s definition of Zero Trust:

Zero trust provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised.

(Zero Trust Architecture, NIST SP 800-207)

Three key phrases stand out:

  • Network viewed as compromised. The “assume breach” concept we discussed earlier means that your organization must act as though attackers are always on your internal networks. You can’t trust something simply because it found its way there. But that’s precisely what legacy VPNs do. After a one-time authentication, they simply drop users onto your internal network and assume they’re trusted.
  • Per-request access decisions. In a Zero Trust architecture, trust is never earned, so each and every access request must be continually re-evaluated with the latest evidence of risk. Some legacy VPNs technologies can make point-in-time device posture checks, but they typically keep sessions open until users log themselves off (or a timeout threshold is reached). So if a user clicks a link that downloads malware during their session, the VPN is none the wiser.
  • Least-privilege access. Legacy VPNs let users go wherever the network will take them, blind to actions they’re taking. Some VPNs might combine with network segmentation capabilities to limit how far they can go, but they are incapable of enforcing least-privilege access to applications and data.

There are many other reasons why VPNs are ineffective security controls, but the bottom line is clear. They’re blind to attacks that result from end user mistakes, so we train users not to make them. And hope.

ZTNA saves people from cyber mistakes

Hope is not a strategy, but Zero Trust is. And Zero Trust Network Access (ZTNA) is the modern approach to remote access, protecting people from the mistakes we know they’ll make.

With ZTNA, users never access internal networks directly. Instead, they authenticate to a cloud-based ZTNA service that, in turn, makes secure application connections on their behalf. Inside the ZTNA service are policy decision and enforcement points that constantly evaluate and re-evaluate access requests and risk posture when granting access. ZTNA simultaneously controls access to internal applications, SaaS apps, and internet sites – all from a central control plane. It’s the beginning of a modern Zero Trust architecture.

Even if threats reach end users, they’re still protected. The cloud-based ZTNA service includes a secure web gateway to allow faster connections to legitimate websites that are within policy, while stopping traffic to and from malicious sites. So even if your remote user receives a phishing email, fails to recognize the threat and clicks the link, the gateway prevents any traffic from reaching the malicious site. That means users can’t accidentally leak their credentials or any other information to a legitimate looking but fake website, because they never see it. And the website can’t deliver malware to a device it can’t reach.

Finally, the device agent on the remote user’s device plays a key role too. If your remote user receives a suspicious attachment and opens it, cyber training notwithstanding, the device can become compromised. When combined with Endpoint Detection and Response (EDR) solutions, the agent alerts the ZTNA service to the device’s elevated risk. Then the ZTNA service automatically adjusts access policy to prevent internal resources from being compromised; while allowing just enough access for the user to get the help they need to resolve the security issue.

In both of these situations, the user failed to follow their cybersecurity training. When the phishing email arrived, they failed to recognize the threat, and clicked links or opened attachments. Yet the ZTNA service saved them from their mistakes, and it protected your sensitive information too.

Cloudflare helps you modernize cybersecurity

Can we finally put an end to end user training? Okay, that may never be wise. But we should act as though our end users are human, and no human is perfect. That means modernizing security controls to protect them when human vigilance can’t.

Start this journey now by replacing outdated VPNs with ZTNA. You’ll be able to:

  • Take the critical first steps toward a Zero Trust architecture;
  • Improve and simplify experiences for remote users; and
  • Reduce your dependence on the vigilance of end users.

At Cloudflare, we help organizations of all sizes succeed with Zero Trust. Learn how Cloudflare One modernizes your network and protects your workforce with our unified cloud-native platform. And for a technical deep-dive on VPN replacement, we published a reference architecture for network and security experts responsible for planning and implementing Zero Trust architectures.

And finally, we at Cloudflare do believe in cybersecurity training for everyone. Check out our Learning Center and get the knowledge you need to Secure our World during Security Awareness Month and beyond.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Related Stories

    Getty Images/iStockphoto/TraitovCybersecurity and secure nerwork concept. Data protection, gdrp. Glowing futuristic backround with lock on digital integrated circuit.

    NDAA to give DoD components more flexibility to procure cyber products

    Read more