
It's time to kill your firewall

Zero trust architecture (or, alternatively, Secure Access Service Edge, SASE) is the future of enterprise security. It meets all the demands of modern organisations by providing secure, authenticated access to business applications, hosted anywhere, accessed from any device and any location. It’s the much-needed departure from the border security model that we’ve continued to kick along, in a half-broken state, for the last 15+ years.


If we’re willing to move on from the border security paradigm (and as security professionals, we must), then we also need to question and challenge some fundamental assumptions of enterprise architecture.  Most notably, firewall hardware. 


With a cloud-orchestrated and managed security policy, what value does having specific firewall hardware add? It’s potentially an uncomfortable proposition, but I argue that branch, head-office and even data centre firewalls are a vestige of border security. In SASE they offer connectivity only.

“What about SD-WAN?”, I hear you say, and I agree that availability (and performance) is a valid security concern. But ultimately, in terms of what border firewall hardware controls, this is a question of link selection only. Outside of this, it can’t influence end-to-end availability and performance.

In zero trust architecture, firewall hardware becomes an expensive router. But that won’t stop firewall hardware vendors from continuing to sell it to you. If we’re going to be serious about SASE, then it’s time to abandon firewall hardware and embrace security and performance within the cloud.


© 2024 Progress Cybersecurity.
All rights reserved.