Hybrid cloud has fundamentally changed how systems are built—but how we secure them hasn’t evolved at the same pace. The illusion that a firewall can “secure the edge” is still baked into most architectures, even though there’s no meaningful edge anymore.
Workloads are scattered across cloud regions, on-prem nodes, containers, ephemeral environments, and shared services. Let’s stop pretending packet filtering is enough. When a developer pushes a change that exposes an internal API to the public internet, it’s not a firewall issue; it’s a code review failure.
When a CI job accidentally logs a plaintext secret, your VPC-level rules don’t stop credential abuse. Hybrid cloud traffic isn’t just ingress from the public web. The riskiest paths are the ones inside: service-to-service, region-to-region, pipeline-to-infra.
Infrastructure Is Code—Your Security Policy Should Be Too
If your firewalls aren’t defined in code, they’re not secure. Most breaches come from drift, not from complex exploits. A Terraform module opens a port; a developer hardcodes a CIDR block; an engineer hot-patches a firewall rule in the cloud console “just to test something…” and it never gets reverted.
Modern cloud environments require firewall policies to be written, versioned, and enforced like any other part of your system. That means policies live in Git. They’re peer-reviewed and tested, and changes are gated in the same CI/CD pipelines that deploy your infrastructure.
You need automation to detect and block unsafe changes before they hit production, not runtime alerts after the fact. After all, infrastructure-as-code without policy-as-code is just asking for silent failure.
Secrets Are the New Ingress
Here’s the unspoken truth: most attackers don’t care about open ports. Rather, they care about keys. If you leak a token to GitHub or push a plaintext credential to your logs, your firewalls don’t matter, as you’ve already granted access from the inside.
Traditional firewalls are useless at this point as they don’t know what secrets are in use. They don’t monitor Git, watch CI/CD logs, or stop developers from accidentally committing an .env file.
You need code-aware secret detection that’s continuous and integrated. That means secret scanning in every PR, blocking pushes with high-confidence exposures and flagging leaked secrets the moment they show up in build logs or container environments. When your runtime firewall sees outbound S3 traffic from a compromised service, it’s too late.
Visibility Without Context Is Useless
You might have dashboards and logs. But if you can’t tie runtime behavior to code changes, you don’t have visibility—you have noise. Without traceability from runtime to repo, you’re guessing. Effective attack surface management requires visibility across the entire software development lifecycle (SDLC), including proactive secrets detection, monitoring of build artifacts, and continuous verification.
Security teams need observability that works like Git blame: show me the line of code, the commit, the author, and the deployment that introduced this behavior. That means tight integration between Git, CI/CD, policy engines, and runtime telemetry.
It also means ditching firewall consoles that exist outside the dev loop. If a rule changes, it should be obvious who changed it and why—not raising questions like “Was this an emergency fix or a legit deploy?”
If Your Firewall Doesn’t Speak Git, It’s Not Helping
The baseline is that your firewall configuration must be Git-backed and testable. Otherwise, you’ve got no confidence in what’s deployed. And let’s be clear: Manual tickets should no longer manage firewalls. If a dev deploys a new service, the firewall rule should be part of the deployment. A policy change affecting service access should be reviewed like code. There should be no out-of-band hotfixes and no mystery ACLs.
Firewalls need to evolve into programmable services and support identity-based rules, dynamic traffic flows, and automation-driven updates. IPs are dead, and identity and intent are what matter. And those only come from tight feedback loops with the codebase and deploy pipeline.
Security Has to Be Inline, Not Reactive
Most organizations still treat security like an external reviewer, which is a fatal delay. When infrastructure is defined and deployed in seconds, anything less than inline policy enforcement is a liability.
Security checks need to be embedded at the point of change. Developers should get instant feedback if their change exposes a sensitive route, violates a trust boundary, or introduces a risk. Additionally, CI/CD should block deploys that fail those checks, with no exceptions.
For example, here’s what a secure hybrid cloud stack might look like:
- Policy as code: Git-backed, versioned, tested, enforced.
- Secret scanning: Every commit, every PR, every log.
- Automated/agentic pen testing: Continuous testing of code, infrastructure, and deployed agents.
- Code-integrated enforcement: CI/CD gates, not runtime alerts.
- Runtime visibility with code traceability: Git-to-prod linkage for all behavior.
- Firewalls as APIs: Programmable, identity-aware, and cloud-native.
Moving Forward: What Should You Do About It?
Hybrid cloud security isn’t a tooling problem. It’s a systems design problem. Firewalls aren’t enough. Dashboards aren’t enough. Best practices aren’t enough. If your security isn’t integrated into your development cycle, versioned alongside your infrastructure, and enforced by automation — you don’t have security. You have a delay.
The gap and fix are the same: code. You can start there—or keep getting breached by bad YAML and leaked tokens.
___
Paul Barbosa leads the Global Cloud Security Business Unit at Check Point, overseeing Sales, R&D, Marketing, Customer Success, and Engineering. With over 23 years in cybersecurity and communications, Paul brings deep expertise across enterprise, federal, and commercial sectors. A former U.S. Marine and security architect, he’s held leadership roles at Skyhigh Security, Cisco, and Cloudflare. His leadership mantra, “Brilliant in the Basics,” reflects his commitment to operational excellence and tactical precision.
Join our LinkedIn group Information Security Community!
