Making the Transition From Networks to Identity
What still surprises me is how often organizations acknowledge this shift in theory but continue to operate as if the old model still applies. I’ve been in conversations where everyone agrees that perimeter-based security no longer works — and then immediately they ask for solutions designed around VPNs, “inside” users and network zones.
The fundamental question is no longer where someone is connecting from. It’s who they are, and how confident we are in that answer.
Before we talk about access levels, applications or data, identity must be established with confidence. Once that identity is verified, trust is not binary. Being authenticated does not mean unlimited access. Identity should follow users — employees, contractors, citizens and even nonhuman accounts — across every system, defining exactly what they are allowed to do and nothing more.
That principle is central to zero trust, but it doesn’t require a wholesale infrastructure overhaul to begin applying it. Many governments already own platforms that support identity-centric controls. The challenge is enabling them consistently and accepting the process changes that come with that shift.
Establishing One Identity for Citizens and Protecting It Well
Citizen-facing services are where identity strategy becomes most visible — and most consequential. Too often, residents are forced to manage multiple logins for tax systems, health services, motor vehicles or local programs. Each additional credential weakens security and erodes trust.
Citizens expect and deserve a single, well-protected digital identity.
But providing one login isn’t enough; it must also be strongly protected and consistently enforced. When users juggle multiple credentials, they naturally become less careful; when identity truly matters, behavior improves, and so does security.
Single sign-on and federation are already common at the state level, but adoption often varies by agency or program. Stronger top-down mandates can help ensure that identity isn’t optional or unevenly applied, but foundational to every digital service.
Maintaining Consistent MFA Protections
Many organizations point to multifactor authentication as evidence of maturity, and to be clear, MFA is essential. But it’s no longer a differentiator — it’s a baseline.
Threat actors have evolved, and defenses must evolve with them. Passwordless authentication, implemented thoughtfully and pragmatically, significantly reduces risk while improving user experience. Most citizens already rely on password managers, which can serve as a natural transition point toward stronger authentication models.
This doesn’t require an all-or-nothing approach. Governments can phase improvements, document where they’re headed and give agencies time to prepare. Progress matters more than perfection.
Assuming Identity Is Only About People
One of the fastest-growing identity challenges involves service accounts, bots and artificial intelligence agents. These nonhuman identities often have broad access — sometimes more than they should — simply because they aren’t treated with the same rigor as users.
That’s a mistake.
Bots and agents should be governed by enforceable policies, not just assumed behavior. If an AI system can see sensitive data, it may disclose it, intentionally or not. Permissions must be constrained, logged and verified, just like for any human account.
It’s equally important to log what shouldn’t happen — and confirm that it doesn’t happen again. Detection without enforcement is not protection.
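The principle above, a deny-by-default enforcement point that records refused actions and surfaces identities that keep retrying them, as an added illustration in Python (not code from the article or any product it mentions); the agent, user and resource names are constructed, and the PolicyEnforcer class is a hypothetical stand-in for whatever policy engine an agency already owns.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Decision:
    principal: str
    action: str
    resource: str
    allowed: bool


@dataclass
class PolicyEnforcer:
    """Deny-by-default gate: a principal may act only on explicitly granted (action, resource) pairs."""
    grants: dict                                   # principal -> set of (action, resource)
    audit_log: list = field(default_factory=list)  # every decision, allowed or denied

    def authorize(self, principal: str, action: str, resource: str) -> bool:
        allowed = (action, resource) in self.grants.get(principal, set())
        # Refusals are logged too, so "what shouldn't happen" is visible, not just what did.
        self.audit_log.append(Decision(principal, action, resource, allowed))
        return allowed

    def repeat_denials(self, threshold: int = 2) -> dict:
        """Identities that keep attempting the same refused action: a denial that has not 'stuck'."""
        counts = Counter((d.principal, d.action, d.resource)
                         for d in self.audit_log if not d.allowed)
        return {key: n for key, n in counts.items() if n >= threshold}


def run_demo() -> PolicyEnforcer:
    # Constructed sample: an AI summarizer agent scoped to one public dataset, and one human user.
    pep = PolicyEnforcer(grants={
        "svc-summarizer-agent": {("read", "tickets/public")},
        "alice@agency.example": {("read", "tickets/public"), ("read", "citizens/pii")},
    })
    pep.authorize("svc-summarizer-agent", "read", "tickets/public")  # allowed: within scope
    pep.authorize("svc-summarizer-agent", "read", "citizens/pii")    # denied: out of scope
    pep.authorize("svc-summarizer-agent", "read", "citizens/pii")    # denied again: flagged below
    pep.authorize("unknown-bot", "write", "tickets/public")          # denied: no grants at all
    pep.authorize("alice@agency.example", "read", "citizens/pii")    # allowed: human with a grant
    return pep


if __name__ == "__main__":
    demo = run_demo()
    for d in demo.audit_log:
        print(f"{'ALLOW' if d.allowed else 'DENY '} {d.principal} {d.action} {d.resource}")
    print("repeat denials:", demo.repeat_denials())
```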
Enforcing Consistent Action Through Policy
Technology alone won’t solve identity challenges. Policy turns intent into action.
When identity-first principles are embedded into security standards, procurement requirements and system upgrades, they become repeatable and scalable. Vendors already support these capabilities — though sometimes behind premium licenses, which is why it’s critical to define security expectations up front during acquisition, not after deployment.
Identity requirements should apply everywhere: cloud, on-premises, modern platforms and legacy systems alike. Attackers look for the one system that isn’t fully integrated, and they’re patient enough to wait.
Security doesn’t need to be flawless to be effective. It just needs to be harder than the alternative.
There’s a false belief that if an organization can’t implement best-in-class security immediately, it’s better to do nothing. In reality, incremental improvements dramatically reduce risk. Cybercriminals are economical in their actions — they look for unlocked doors, not Fort Knox.
State and local governments don’t need revolutions. They need disciplined progress, and a willingness to do the unglamorous work that strengthens identity, one policy and one system at a time.
