"'Then they think, hmmm, maybe the Cloud isn't quite as bad as I thought it was.' It's that kind of logic, and I've had the same conversation with lawyers and accountants. I'm not saying security in the Cloud's perfect, but just go and have a look at what you've got today on premise."
Butler said public Cloud has already made port-and-protocol firewalls obsolete, meaning it's NGFW or nothing.
"It's an imperative to the Cloud. Amazon's not going to tell you what port and protocols it uses. I mean they might to some extent, but you're not going to go down to a low level of detail providing your policy, and how that's going to go into your old style firewall. What you need for the Cloud is a firewall that has applications and users. So if you move into the Cloud it's actually almost imperative that you should be looking into some sort of next generation firewall to help you," he said.
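To make Butler's point concrete, the following is an added illustration (not code from the article or from any vendor named in it) of why a port-and-protocol policy loses its meaning in the Cloud. Nearly every cloud-hosted application, good or bad, rides TCP/443, so a port rule that allows 443 allows all of them; a policy keyed on the identified application and the user's group can still discriminate. The flows, user groups, application names and rule tables are all constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    """One connection as a firewall would see it.
    `app` stands in for the application name an NGFW assigns after inspection
    (assumed label, not a real product's identifier)."""
    user: str
    app: str
    dst_port: int
    proto: str

DEFAULT_ACTION = "deny"

# Old-style policy: (protocol, destination port, action). Typical "web out" rules.
PORT_RULES = [
    ("tcp", 443, "allow"),
    ("tcp", 80, "allow"),
]

def port_policy(flow: Flow) -> str:
    """First-match evaluation of a port/protocol rule set."""
    for proto, port, action in PORT_RULES:
        if flow.proto == proto and flow.dst_port == port:
            return action
    return DEFAULT_ACTION

# Constructed directory lookup: user -> group (what an NGFW would pull from
# an identity source such as a directory service).
USER_GROUPS = {"alice": "finance", "bob": "engineering", "guest": "guest"}

# NGFW-style policy: (user groups, applications, action). "*" matches any group.
APP_RULES = [
    ({"finance"}, {"saas-accounting"}, "allow"),
    ({"finance", "engineering"}, {"web-browsing"}, "allow"),
    ({"*"}, {"consumer-file-sharing"}, "deny"),
]

def app_policy(flow: Flow) -> str:
    """First-match evaluation keyed on identified application and user group."""
    group = USER_GROUPS.get(flow.user, "unknown")
    for groups, apps, action in APP_RULES:
        if ("*" in groups or group in groups) and flow.app in apps:
            return action
    return DEFAULT_ACTION

def compare(flows):
    """Return (user, app, port_decision, app_decision) for each flow so the
    over-permitting of the port policy is visible side by side."""
    return [(f.user, f.app, port_policy(f), app_policy(f)) for f in flows]

# Constructed sample traffic: everything is HTTPS, as it is in the Cloud.
SAMPLE_FLOWS = [
    Flow("alice", "saas-accounting", 443, "tcp"),       # legitimate finance use
    Flow("bob", "consumer-file-sharing", 443, "tcp"),   # data-exfil risk on 443
    Flow("guest", "web-browsing", 443, "tcp"),          # unknown group, same port
]

if __name__ == "__main__":
    for user, app, by_port, by_app in compare(SAMPLE_FLOWS):
        print(f"{user:6} {app:22} port-policy={by_port:5} app-policy={by_app}")
```

Running it shows the port policy allowing all three flows because they share port 443, while the application/user policy allows only the finance user's accounting traffic. The point for a migration is the one Butler makes: the port rule cannot be "translated" into the new model, because it never encoded which applications or users it was meant to permit.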
Too many alarms
Five years ago, when NGFWs first started appearing, many of the pioneers in this field pretty much assumed that they had 'the magic wand', and that everyone would immediately throw out everything they had and buy the new toy. It didn't happen. Butler believes it's because NGFWs are perceived as difficult to manage.
"It's more that it's difficult to transition from this really complex old way of thinking around ports and protocols, how does that map in? Because it doesn't, it doesn't map in at all. You've got to actually go and talk to the business and say 'well, let's work out what applications we want, what users to access'," he said.
"A lot of the people were scared of that conversation so they just said: 'No, I'm not going to go next gen, I'm going to stick with my port and protocol because I can migrate the policy across quite easily'."
Ettridge agreed: NGFW take-up has been stifled by timidity in the industry, but also by the extra expertise and monitoring time it demands.
"Traditionally, firewalls were managed as network infrastructure. As long as it was switched on and things were passing through the firewall, it was working and doing its job. If you could see that, and you could see that you were blocking things that shouldn't go through it, then that was good enough," he said.
"But as you start to throw in more advanced technologies that do require a bit more complexity in terms of your skill sets and expertise - intrusion management, for example - you need to update that all the time. You need to tune that, and you need to monitor it, and you need to make sure that you can respond to a threat once you've actually applied those policies."