Even a Next Generation Firewall (NGFW) will not save your network if the fundamental architecture keeps the firewall from ever seeing the traffic it is supposed to inspect.
Asaf Cidon posted the following at InformationWeek DARKReading:
A firewall can only protect machines and users whose traffic passes through it, which is to say those behind it.
So, as Asaf rightly points out, when the user's data lives in the cloud (which is not behind the firewall) and is accessed from outside the firewall, there is no way for the firewall to protect that user: neither the user nor the data is behind it.
For example, Salesforce is a cloud app, accessed remotely by sales personnel from client sites. A mobile device that is not on the internal network gets no protection from the internal firewall, so for this traffic the firewall is useless. If the user picks up malware somehow, NGFW technologies cannot help defend the mobile device.
Here is the Qualys view of the Perimeter
Image from Qualys and an older post – http://oversitesentry.com/set-up-proper-internet-security/
There are ways to protect data in cloud applications. One is a cloud web security gateway, such as those from BlueCoat, Websense, or Zscaler.
BlueCoat's product can be an appliance on your network or a cloud-hosted service, which gives the mobile user some protection even when off the internal network: https://www.bluecoat.com/products/web-security-service
Websense Cloud Web Security Gateway: http://www.websense.com/content/cloud-web-security-gateway-features.aspx
Zscaler Security as a Service platform: https://www.zscaler.com/product-cloud-security/advanced-security-analytics.php
Here you can see all the web gateway companies:
So the right choice depends on your users and the applications your network relies on. The other solution is to have everyone connect to the office network over VPN first, before reaching the Internet, so that all of their traffic passes through the firewall. For this to work the VPN architecture has to be set up correctly: the tunnel must carry the client's default route (a full tunnel). If the client is allowed to send Internet traffic directly (split tunneling), cloud traffic bypasses the firewall all over again.
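As an added example (not from the original post), here is a quick check for the "set up the VPN correctly" point. It assumes WireGuard client configs, which the post does not name, and the configs it writes are constructed samples with placeholder keys. A client is only behind the firewall for its Internet traffic when the tunnel carries the default route for both IPv4 and IPv6; a config that tunnels only 0.0.0.0/0 still lets IPv6 traffic to a cloud app leave the device directly.

```shell
#!/bin/sh
# Added example, not from the original post. Classifies a WireGuard client
# config (WireGuard is an assumption; the post only says "VPN") as:
#   full    - 0.0.0.0/0 and ::/0 are tunnelled, so Internet traffic is
#             forced through the office firewall
#   v6-leak - only 0.0.0.0/0 is tunnelled; IPv6 traffic to cloud apps still
#             leaves the device directly
#   split   - only office subnets are tunnelled; cloud traffic bypasses the
#             firewall entirely
tunnel_mode() {
    v4=0; v6=0
    # Every AllowedIPs entry, comma-separated; split into one CIDR per token
    for cidr in $(grep -i '^[[:space:]]*AllowedIPs' "$1" | cut -d= -f2- | tr ',' ' '); do
        case "$cidr" in
            0.0.0.0/0) v4=1 ;;
            ::/0)      v6=1 ;;
        esac
    done
    if [ "$v4" -eq 1 ] && [ "$v6" -eq 1 ]; then
        echo full
    elif [ "$v4" -eq 1 ]; then
        echo v6-leak
    else
        echo split
    fi
}

# Constructed sample configs (placeholder keys, not real WireGuard keys).
WG_DIR=$(mktemp -d)
trap 'rm -rf "$WG_DIR"' EXIT

# Split tunnel: only the office networks are routed through the VPN.
cat > "$WG_DIR/split.conf" <<'EOF'
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER
Address = 10.8.0.2/24
DNS = 10.0.0.53

[Peer]
PublicKey = OFFICE_GATEWAY_PUBLIC_KEY_PLACEHOLDER
Endpoint = vpn.example.com:51820
AllowedIPs = 10.0.0.0/8, 192.168.50.0/24
EOF

# IPv4-only default route: looks like a full tunnel but leaks IPv6.
sed 's#^AllowedIPs.*#AllowedIPs = 0.0.0.0/0#' "$WG_DIR/split.conf" > "$WG_DIR/v4only.conf"

# Full tunnel: everything, v4 and v6, goes through the office gateway.
sed 's#^AllowedIPs.*#AllowedIPs = 0.0.0.0/0, ::/0#' "$WG_DIR/split.conf" > "$WG_DIR/full.conf"

for f in split v4only full; do
    printf '%-8s %s\n' "$f" "$(tunnel_mode "$WG_DIR/$f.conf")"
done
```

On a real client, run `tunnel_mode /etc/wireguard/wg0.conf` (or whatever the config path is); any result other than `full` means the office firewall is not in the path for that device's Internet and cloud traffic.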
Although, as ACKlost tweeted in response to my tweet about this blog post:
True, backhauling every user's Internet traffic through the company proxy could cause problems. So the web gateway may be the better solution. (updated June 22)