Security professionals don't like what they don't know. It's what makes them good at their jobs, and to a certain extent, loathe the cloud.
"I think there's some basic facts, right? They're not technical facts, actually, they're more people facts," said Atlassian CISO Adrian Ludwig. Security professionals' experience is usually shaped by a risk-averse appetite and "the idea that if you don't understand something, that's probably bad."
The cloud has agitated the steadfast on-premise security environment for two decades. And while the cloud simplifies some areas of protection, it still pains some security professionals to relinquish control. There is no more on-premise perimeter to control access, and everything is software-based.
The cloud is "about making things less in control of the person who is using the services and more in control of the people who built the services," said Ludwig.
Firewalls are caught in the middle of control and shared responsibility. Increased use of web-based applications and APIs floating between layers of on- and off-premise solutions drove the need for web application firewalls (WAF). WAFs can be network- or cloud-based, extending the limited reach of on-premise firewalls.
But the cloud cannibalized the humble — and familiar — firewall.
"We've really gone from simplicity to complexity," said Zane Lackey, co-founder at Fastly's Signal Sciences, and senior principal product technologist at Fastly. In the "simplicity world," firewalls walled off data. Now companies are built entirely cloud-native, or somewhere in between. Cloud-native companies don't require a network firewall; they don't have any data centers to wall off.
Traditional firewalls — network, WAF, next-generation — haven't changed enough for IT organizations undergoing digital transformation. Setting up a firewall entailed some "difficulty and pain," said Lackey. "But that pain was accepted, because the environments really didn't change that much."
With the cloud, applications or network infrastructures change daily. It's not the perennial update developers and security professionals put up with. "Historically WAF broke the app every time it changed," said Lackey.
While the next-generation firewall market is projected to reach $5.5 billion by 2025, the cloud is threatening its market position. If the firewall moves to the cloud, companies might stop buying expensive next-generation firewalls.
Clash of security solutions
Depending on the business, security organizations have two main responsibilities: protect the business and what it sells.
Whether a company is developing a product for internal or external purposes, security has to allow developers to work quickly. While moving fast is the M.O. of DevOps, speed is also a security practitioner's nightmare. Because the cloud facilitates DevOps' speed, if "you don't like things to move quickly, that's scary in a primal way," said Ludwig.
Moving fast almost makes products a moving target, said Ludwig. "And that's true for software too. If it changes, then any exploitation of that software is super fragile."
Today a WAF can end up standing between a team and its data, or manipulating that data, because it was originally designed for siloed security teams, said Lackey. Modern security is meant to empower DevOps, not hinder it.
If a company has a wider physical footprint, such as multiple offices or retail locations, it will require additional solutions beyond its firewalls. A company with large headquarters and a few lingering on-premise servers will likely have a subset of the overall security stack, said David Holmes, senior analyst at Forrester, while speaking at a virtual Forrester event this month. Or an SD-WAN controller might protect a company with scattered field offices or retail locations.
SD-WAN is challenging how industry treats the traditional firewall. The SD-WAN controller may not have a firewall partly because "there's convergence between the firewall market and the SD-WAN controllers," said Holmes. Firewall vendors are watching SD-WAN controllers take over security for those field offices or remote locations.
As another rival to the traditional firewall reveals itself, industry will wait for its peers to test its replacement, said Holmes. "Think about how long cloud took to get going, with all the people saying, 'Clouds [are] just somebody else's computer.'"
Companies are taking a similar wait-and-see approach to firewalls because the environments firewalls were originally designed for are vastly different today.
Pointing fingers
The cloud provides a level of segmentation firewalls need. On-premise applications are more susceptible to lateral movement in cyberattacks because segmentation is difficult.
Atlassian is almost entirely cloud-based. The company has a separate vendor for email, network, CRM, and so forth. "If one of them is compromised, lateral movement into the other is actually pretty difficult, because it requires you to make that compromise of a second service," said Ludwig.
"Even if each one of those providers is a little bit less secure, in aggregate, they're more secure because of that isolation and that separation of powers," said Ludwig.
As more breaches unravel and are traced back to misconfigured WAFs, security organizations and vendors are finding themselves in an unfamiliar standoff. Prior to the cloud, seldom would a vendor face questions if misconfigurations in software or hardware resulted in a security incident.
In the midst of last year's Capital One breach, AWS clarified that the WAF misconfiguration was not the provider's responsibility. At the time of the incident, AWS CISO Stephen Schmidt said only customers know "what they intended with resources under their control."
Shared responsibility models between CSPs and customers are "one of the least understood but most impactful" components of cloud risk management, according to a Cloud Security Alliance report. It's a new factor built into the customer-vendor relationship.
CSPs have ongoing customer relationships and near-infinite scale, so "there's actually a really interesting transition that's taking place" where companies like AWS can make a larger impact in configurations, default settings, and security behaviors, said Ludwig.
"The underlying pattern that we're seeing actually is more security is being exposed in platforms because the platform providers take responsibility for that," said Ludwig. Apple, for example, has a longstanding history of platform-based security standards and "I think the cloud is doing exactly the same thing."
For Atlassian, prior to developing cloud-based products, the company offered server or data center products. "People who were experts in securing our products were our customers, not us," said Ludwig. Since then, Atlassian has folded security more tightly into its cloud-based apps.
The security history prior to the cloud may have made some organizations more secure than CSPs. It's only now, "that distance is getting smaller and smaller and smaller," said Ludwig.