A Closer Look at State and Local Government Cybersecurity Priorities

In my previous column, I offered some thoughts as to how the State CIO Top Ten Policy and Technology Priorities for 2023 relate to developing, delivering, and securing the applications and APIs that help make state and local governments run. In this piece, I'd like to take a closer look at three of those priorities — cybersecurity and risk management, legacy modernization, and consolidation/optimization — and how they affect security policy.

Cybersecurity and Risk Management

Citizen demands have caused many state and local governments to become essentially technology companies. People expect their state and local governments to shift with them online — offering more services virtually and providing those services in a timely manner. This has necessitated that state and local governments move some services to cloud environments to be more responsive to their citizens.

This has created a large amount of complexity. Many state and local governments are now managing their legacy on-premises environment, as well as multiple cloud environments. This hybrid, multicloud environment presents a number of challenges for cybersecurity and risk management.

The increased complexity of hybrid and multicloud environments creates the potential to introduce vulnerabilities. More complexity means more potential for oversight and human error. It also means that vulnerability management efforts will need to be expanded and performed diligently to ensure that all applications and APIs are included within them.

This highlights another challenge — that of asset management and discovery. State and local governments can only secure and protect APIs that they are aware of. APIs often come online or are modified unbeknownst to the security team (for a number of different reasons). In fact, the number of APIs that are unknown and uninventoried can vastly exceed the number of known and inventoried APIs. This highlights the importance of API security as part of the overall cybersecurity and risk management efforts.

Visibility for security monitoring and compliance purposes is another challenge that hybrid and multicloud environments present for state and local governments. Visibility across cloud environments is not guaranteed to be as pervasive and readily available as it is across an on-premises environment. This requires state and local governments to make a conscious effort to ensure that visibility exists, and also to leverage that visibility to properly monitor all environments for compliance problems, security incidents, and other issues.

Legacy Modernization

Legacy modernization is something that lots of state and local governments are working through. Like many enterprises, state and local governments have migrated, or are in the process of migrating, some applications to the cloud or multiple cloud environments. Not all applications are being migrated, though — some are being deliberately left on-premises, and some have even been repatriated from the cloud back to on-premises.

All of these factors combine to create complex hybrid and multicloud environments for many state and local governments. These complex environments create many challenges that require a proper cloud strategy to address. State and local governments need to remain focused on understanding how to create an environment that makes developing, delivering, and maintaining security applications and APIs less complex and more achievable. This requires proper cybersecurity and risk management, as discussed above, alongside consolidation/optimization efforts.

Consolidation/Optimization

Increased complexity serves the interests of no one but attackers. Simplifying and optimizing the management, operations, maintenance, and security of hybrid and multicloud environments is a must. Why?

Back when environments were entirely on-premises or in private data centers, state and local governments understood how to manage, operate, maintain, and secure those environments. They had technology stacks designed for each of these functions and dedicated teams tasked with running and leveraging those technology stacks. This "utopia" was short-lived, unfortunately.

As many state and local governments find themselves with complex hybrid and multicloud environments, they have to replicate each of those technology stacks in each and every environment. Those who enjoy algorithms will notice that this is an N-squared problem. This has resulted in state and local governments needing multiple teams dedicated to simply keeping these technology stacks running, never mind leveraging them as required. This simply does not scale and begs for a better approach.

In addition to these infrastructure challenges, complexity is the enemy of security. Complexity impedes the universal and consistent application of security policy. This is a considerable obstacle to adequately securing state and local government environments. In addition, complexity introduces the potential for human error and oversight. It is too easy for security team members to overlook something that can later result in security and/or compliance issues.

The infrastructure and security challenges point toward a need to consolidate and centralize management of hybrid and multicloud environments. Creating such a centralized control center would facilitate efficient and effective management of complex infrastructure. It also would provide the ability to properly secure that complex infrastructure. Both results are important for state and local governments.

State and local governments are not islands in time that can avoid the evolving expectations of their citizens. These expectations necessitate a complex infrastructure consisting of hybrid and multicloud environments that presents management and security challenges. With the proper strategy to address these challenges, state and local governments can address their citizens' needs without sacrificing security.