On-premises Firewalls or SASE Cloud Security – what Customers need to consider

SASE

On-premises Firewalls or SASE Cloud Security – what Customers need to consider

On-premises Firewalls or SASE Cloud Security – what Customers need to consider

Customers, in the midst of planning to upgrade their security infrastructure, will be drawn to competing architectures from MSPs and other providers – do I stay with on-premises security or do I start my SASE journey and move to a Cloud Security architecture.

There are a number of factors to consider, and a lot of those considerations are driven by how much of their apps and IT workloads are in, or moving to, the cloud. Here are 3 key considerations:

  • Where do your Apps/IT Workloads live? – On-premises firewalls are ideal for a world where everyone comes to an office and all apps/workloads are sitting in either a DC, Head Office or a branch site. Remote workers can access via VPN. However, that world is rapidly fading, and many companies now have most, if not, all their apps/IT clouds as a SaaS or sitting Azure/AWS. As apps/workloads move to a cloud in an on-premises architecture additional “bolt on” point solutions (e.g. Cloud Access Security Broker), often from a 3rd party provider. Cloud Security is designed and built for the cloud – there is no need for 3rd party products to provide security. The best SASE vendors also have a Cloud Security architecture that does away with the need for on-premises security in most situations if there are some apps/IT workloads left on-premises. For example, if a customer chooses to keep hosting a public facing, internet-based payments system for B2C and B2B, then on-premises firewalls will be required at that site to inspect traffic. This would best be described as a hybrid solution for a hybrid world.
  • Scalability – Cloud Security is easily scalable by purchasing additional capacity as it is by license subscription whereas an on-premises firewall architecture requires a hardware purchase, some network (re) design and a deployment plan including change management. Cloud Security is thus the lower cost option.
  • Operations – the Cloud technology vendor manages and implements updates to virus threats, etc. As part of the Cloud Security subscription. The customer, or its MSP, needs to continually do virus threat updating, along with software & firmware updating, where on-premises firewalls are concerned. Cloud Security is thus the lower cost option. It is also the better option from a security perspective as, where customers are required to do this updating, it gets neglected, over time, as customers often have a loss of their skill base and are also often cut preventative maintenance under cost pressure

On these 3 considerations, Cloud Security offers a superior outcome to on-premises firewalls, however there are some caveats:

  • As discussed, even if Cloud Security is chosen, on-premises firewalls may still be required at a site hosting a public facing platform like a payments system.
  • Whilst Cloud Security does offer superior scalability at a lower cost and lower cost operations but with an improved security posture it does generally come with a higher, up-front price tag than on-premises firewall architecture. Customers should carefully assess the on-going savings (and improved security posture) versus high up-front cost of Cloud Security and attempt to quantify the amount of on-going savings to be realised.

Ultimately, nearly all customers will move to incorporate Cloud Security in their architecture as more and more of their apps/IT workloads move to the cloud.

Learn more about Superloop’s SASE solution with Palo Alto Networks.