In a previous article I discussed how the 2023 edition of the National Association of State Chief Information Officers (NASCIO) top 10 priorities highlighted the importance of securing applications and APIs in complex environments. Now NASCIO has published its “State CIO’s top ten policy and technology priorities for 2024,” and while some things remain the same, there are a few notable changes:
- Identity and access management and cloud services have dropped from numbers five and six respectively to numbers eight and nine (though perhaps not for the reasons you might think).
- Cybersecurity and risk management remains the top priority, but digital government/digital services now shares first place with it.
- Artificial intelligence (AI), which didn’t even make last year’s top 10, is now priority number three.
- Legacy modernization remained the fourth priority.

Let’s roll up our sleeves and delve a little deeper into these changes. I will look at them with an eye towards API security in particular.
Identity and access management and cloud services drop: but why?
Identity and access management (IAM) and cloud services have dropped three rungs in terms of priority, from numbers five and six in 2023 to numbers eight and nine respectively in 2024. This may not be because the technologies are suddenly less important, but because they may simply have become more deeply integrated into today’s environment.
It seems to me that they form a vital part of the two priorities tied for first place, cybersecurity and risk management and digital government/digital services, as well as of legacy modernization.
In other words, state and local governments may have already done significant work on the IAM and cloud services they rely on to meet the highest priorities on this list. If that were the case, the change in priorities this year would be absolutely logical.
Cybersecurity and risk management joined at the top by digital government/digital services
Infrastructures have become significantly more complex and distributed over time. Many companies are adding more cloud environments, which brings additional complexity.
At the same time, increasingly digitally savvy voters expect more from the state and local governments that serve them. Unfortunately, the force that drives governments to deliver cutting-edge digital capabilities is the same force that can introduce additional risks: the need for speed.
Digital government/digital services create the need for distributed cloud capability to simplify complexity and manage and secure digital assets. In this environment of increasing complexity and demand, attacks against applications have continued to increase, as have attacks against APIs. Attackers have realized that the pressure to innovate and better serve citizens has created an API-driven world. It is not surprising that attackers are trying to take advantage of this.
Addressing citizen expectations as quickly as expected means that, in some cases, applications and APIs may not be adequately developed, managed, inventoried and protected. While there are several ways to address this risk, the ability to create and enforce security policies consistently across development, deployment, and operation is one of the primary methods. The same goes for the ability to discover and secure APIs.
Artificial intelligence makes a strong debut
If you haven’t heard a lot of buzz about artificial intelligence (AI) lately, you might be living under a rock. In all seriousness, despite the hype, AI has some real applications – and consequences – for state and local governments.
On the attacker side, AI makes the threat landscape a little broader by introducing new and innovative ways in which cybercriminals can increase both the sophistication of their attacks and the speed with which they develop them. Defensively, AI offers opportunities to improve and increase detection and mitigation capabilities.
One thing is certain: artificial intelligence is a technology that, to be used successfully, must be applied to specific problems. This requires state and local governments to have an AI strategy that helps them explore how best to defend against AI-based or AI-enhanced attacks, as well as how to leverage AI internally to address specific security issues or better mitigate risks.
Legacy modernization remains a concern
State and local governments continue to strategically migrate applications and APIs to optimal environments. Of course, what the optimal environment is can vary. Sometimes, migration can happen from on-premises to public cloud. In other cases, it might move from on-premises to the private cloud/data center. In some cases, the migration may even happen back to on-premises from the public cloud.
Regardless of which applications and APIs target which environments, legacy modernization is well underway. The resulting mix of environments will need to be adequately managed and protected, regardless of its complexity. That said, it makes sense that legacy modernization remains a top priority this year.
Why applications and APIs are central
Topics of interest and priorities change from year to year in many sectors, and state and local government is no exception. One thing that remains constant, however, is that top priorities must cover application and API security.
Governments must be prepared to address the complexity, as well as management and security responsibilities, that come with the modern infrastructure needed to support such applications and APIs. The NASCIO top 10 certainly captures that.