The Network Firewall’s Role in a Cloud-First Zero Trust World
- May 18
- 3 min read

Today’s security landscape looks very different from the one traditional firewalls were originally built for.
Users are no longer always in the office. Devices move between networks. Applications are delivered through SaaS. Workloads run in public cloud platforms. Many business systems are now accessed directly over the internet rather than through a private corporate network.
In this world, the firewall is no longer the natural centre of gravity for security.
That does not mean firewalls are obsolete. It means their role needs to be considered more deliberately, especially as security risks continue to evolve and demand more resources.
Security Has Moved Beyond the Perimeter
For many organisations, security is no longer delivered by a single control (the firewall) at the edge of the network. This shift has been driven partly by natural technology evolution, but also by the adoption of Zero Trust principles.
Zero Trust is a security approach based on the principle of “never trust, always verify.” It does not mean that nothing is trusted. It means trust is not assumed simply because a user, device, or workload is connected to a particular network.
Access should be explicitly verified, limited to what is required, and continuously evaluated based on signals such as identity, device health, location, behaviour, sensitivity of the resource, and risk.
For this reason, Zero Trust Architecture spans multiple domains, including identity, endpoints, data, applications, network, and infrastructure. In this model, the network remains important, but it is no longer the only or primary control point.
Instead, protection is spread across multiple layers. For example, access to a SaaS application may be better controlled through phishing-resistant authentication, conditional access, endpoint compliance, application permissions, and data protection policies than through an on-premises firewall.
This is the key shift: many outcomes once associated with firewalls can now be delivered closer to the user, device, application, or data.
For cloud-first organisations, this matters because many of these controls may already exist. If they do, a full firewall platform may add unnecessary cost and complexity without reducing enough additional risk.
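To make the "never trust, always verify" decision concrete, here is an added example (not code from the original post) of a minimal access-policy evaluator. It assumes constructed signal names, resource classifications and policy thresholds; a real identity provider's conditional access engine exposes different fields. The point it demonstrates is the one the text makes: the decision depends on identity strength, device posture, resource sensitivity and risk, and being on the corporate network grants nothing on its own. A perimeter-only decision function is included for contrast.

```python
"""Added example: a minimal Zero Trust access-policy evaluator.

All names, signal values and thresholds below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Request:
    user: str
    mfa_method: str           # constructed values: "fido2", "certificate", "totp", "sms", "none"
    device_compliant: bool    # posture as reported by endpoint management
    on_corporate_network: bool
    risk_score: int           # 0 (low) .. 100 (high), as an identity provider might report
    resource: str


# Authentication methods treated as phishing-resistant (constructed set).
PHISHING_RESISTANT = {"fido2", "certificate"}

# Sensitivity classification of resources (constructed); unknown resources are denied.
RESOURCE_SENSITIVITY = {
    "wiki": "low",
    "crm": "medium",
    "payroll": "high",
}

# Policy per sensitivity tier: stronger requirements as sensitivity rises (constructed).
POLICY = {
    "low":    {"phishing_resistant": False, "require_compliant": False, "max_risk": 70},
    "medium": {"phishing_resistant": False, "require_compliant": True,  "max_risk": 50},
    "high":   {"phishing_resistant": True,  "require_compliant": True,  "max_risk": 30},
}


def perimeter_only(req: Request) -> str:
    """The implicit-trust model the text contrasts against: network location is the control."""
    return "allow" if req.on_corporate_network else "deny"


def evaluate(req: Request) -> Tuple[str, List[str]]:
    """Zero Trust decision: returns ('allow' | 'deny', reasons).

    Every tier requires MFA. Network location is deliberately not consulted.
    """
    sensitivity = RESOURCE_SENSITIVITY.get(req.resource)
    if sensitivity is None:
        return "deny", ["unknown resource"]   # default deny for unclassified resources
    policy = POLICY[sensitivity]
    reasons: List[str] = []
    if req.mfa_method == "none":
        reasons.append("mfa required")
    if policy["phishing_resistant"] and req.mfa_method not in PHISHING_RESISTANT:
        reasons.append("phishing-resistant mfa required")
    if policy["require_compliant"] and not req.device_compliant:
        reasons.append("compliant device required")
    if req.risk_score > policy["max_risk"]:
        reasons.append(f"risk {req.risk_score} exceeds {policy['max_risk']}")
    return ("deny", reasons) if reasons else ("allow", [])


if __name__ == "__main__":
    # Constructed requests: the second is on the LAN yet fails the Zero Trust check.
    samples = [
        Request("alice", "fido2", True, False, 10, "payroll"),
        Request("bob", "totp", False, True, 10, "payroll"),
        Request("carol", "none", True, True, 5, "wiki"),
    ]
    for r in samples:
        print(f"{r.user:6} {r.resource:8} perimeter={perimeter_only(r):5} zero_trust={evaluate(r)}")
```

The contrast worth noticing is the second request: a perimeter model allows it because the device sits on the corporate network, while the Zero Trust evaluation denies it for lacking phishing-resistant MFA and device compliance. That is the sense in which the controls the text lists replace, rather than merely supplement, an edge firewall for SaaS access.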
The Cloud-First Network
The local network still has an important role, but in many cloud-first environments that role is more focused.
Instead of being the main access gate for everything, the on-premises network may only need to provide essential foundations such as:
- Basic connectivity and traffic flows to the internet
- Segmentation and access control between local devices
- Connectivity to cloud-delivered security services
For such cloud-only or cloud-first organisations, many traditional firewall outcomes are available from cloud-based solutions across the technology domains. In that case, a simpler and cost-effective network gateway device with essential security features may be the best approach.
This does not remove security. It avoids duplicating controls that may be more effectively delivered closer to the point of access or risk. It can also reduce the cost associated with full firewall platforms, allowing budget to be invested in controls that may provide greater value against modern risks.
When a Firewall Still Makes Sense
Firewalls remain highly relevant where stronger boundary enforcement is needed.
They are still often the right choice for organisations with on-premises systems, complex networks, strict compliance requirements, or higher-risk environments.
Examples include environments with:
- Internal servers
- Hosted applications
- Inbound services
- Site-to-site connectivity
- OT or industrial networks
- Legacy devices that cannot be protected effectively at the host level
- Strict logging, inspection, or compliance requirements
In these environments, a basic gateway is unlikely to be enough. A dedicated firewall platform can still provide important security value through capabilities such as traffic inspection, filtering, segmentation, threat prevention, and logging.
Ask the Better Question
As with all security design, the process should start with the environment and the risk, not the assumption that a particular technology is always required.
Useful questions include:
- What assets are we protecting?
- What risks are most relevant to our environment?
- What controls do we already have?
- Where are our current gaps?
- What resources and budget are available?
- Which investment will reduce the most risk?
A simple starting point is to ask: how much of your business can operate outside of your private network?
In many modern environments, the answer may be more than expected. When most users, applications, and data are already operating outside the traditional network perimeter, the decision point for a firewall becomes clearer.
Key Takeaway
Modern cloud-first organisations do not always need to default to a traditional on-premises firewall.
Where there are more pressing risks in cloud applications, identities, endpoints, and data, the better investment may be to strengthen those areas rather than duplicate capability at the network edge.
However, for organisations with complex on-premises environments, compliance requirements, or higher security needs, the firewall remains an important and often necessary control.
In a cloud-first Zero Trust world, the firewall is not disappearing. It is becoming a more deliberate architectural choice based on need, risk, cost, and value.