In what could serve as a model for other state and local governments, Colorado has found a way to secure its cloud-based email in a manner that should meet even the most stringent digital security standards.
Colorado partnered with Zix Corp. to develop a tool that gives additional layers of email encryption and authentication for state law enforcement personnel and other highly sensitive data users. Officials believe the enhanced technology meets the FBI’s Criminal Justice Information Services (CJIS) data requirements and the privacy standard set forth by the Health Insurance Portability and Accountability Act (HIPAA) regarding protected health information.
Online since last October when the state moved its employees to Gmail, the system operates fairly seamlessly for users. When Colorado employees start up their systems, they access their Gmail through the Google Chrome browser. But when those workers who need extra encryption log in, a separate tab opens automatically in Chrome to a Web portal from ZixCorp. That portal requires an additional login and password as another authentication step to send and receive email with sensitive data.
The only time the email on the Zix portal is readable is when the user is composing or reading a message. ZixCorp fully encrypts the data and makes email contents completely unreadable in any of the user’s Zix email account folders.
If an encrypted message is sent to Colorado employees through the ZixCorp system, they receive a notification in their regular Gmail that they have sensitive data mail. Those employees who already have a ZixCorp account can toggle over to the portal and log in to read their mail, while users without the additional mailbox need to create an account with ZixCorp in order to access the information.
Jonathan Trull, Colorado’s chief information security officer, said that despite the additional steps, he’s very confident with the security already built into Google Apps and Google Apps for Government. The former was the first cloud productivity suite to receive FISMA — Federal Information Security Management Act — certification from the U.S. government.
But Trull felt the extra layer of protection and authentication helped further address CJIS-specific security needs.
“Zix has the capacity to meet some of the more process-oriented requirements,” Trull explained. “For example, their people were willing to undergo a separate background check, and their fingerprints are submitted on file with our local law enforcement agency. It just allows us to have a little more control.”
Nigel Johnson, vice president of business development and product management for Zix Corp., said the company doesn’t have a name for the tool yet, but based it off Zix Corp.’s Google Message Encryption (GME) solution. That application takes the mail with sensitive information and encrypts it from the edge of the Google network to the end user. Encrypting the mail while it resides inside the email account folders was the primary alteration the company made to meet Colorado's needs.
Johnson added that this was the first time ZixCorp has gone to this extreme level of encryption control for a customer. But now that they’ve done it, they can reproduce it for any future project.
Google Apps for Government has been successfully rolled out in cities, states and federal agencies since its debut in 2010. In addition to Colorado, Utah and Wyoming both use Google's cloud productivity suite, as do the cities of Pittsburgh, Orlando, Los Angeles, Des Moines and St. Louis. A number of federal government agencies, including the General Services Administration, are also customers.
But not every user has been satisfied with Google's email security.
In late 2011, the Los Angeles City Council axed plans to add police and other criminal justice employees on the Google email system, believing the FBI’s CJIS requirements for data storage and security were not fully met by Google’s cloud technology.
The Los Angeles Police Department and others in the city that need heightened security instead were left on the city’s in-house Novell GroupWise email system. The Los Angeles Times reported in December 2011 that Google will pay $350,000 per year for those employees to stay on the Novell system.
The city had signed a $7.2 million contract with systems integrator CSC in 2009 to move all 30,000 city employee email accounts to Gmail. The email security issues Los Angeles had with Gmail were revealed publicly in October 2011, when Santa Monica, Calif.-based Consumer Watchdog released on its website a letter from then-Los Angeles CTO Randi Levin to CSC. In the letter, Levin formally requested a refund on seat licenses and migration costs associated with moving its law enforcement and criminal justice personnel to Gmail.
Levin resigned from her position in July 2012, and colleagues close to Levin – a former vice president of NBC Universal -- indicated to Government Technology at the time that the Gmail project may have been a factor in her decision to leave.
When contacted by Government Technology about Colorado's Gmail deployment seeking comment on email security, a Google spokesman said the company is committed to keeping its customers' information secure. The spokesperson added that resellers like ZixCorp are among 6,000 partners of Google that provide additional support to meet individual needs, including enhanced security.
The Colorado project wasn't just an email migration. The state also consolidated disparate email systems, accomplishing everything in roughly three months. Approximately 26,000 state employees were moved to Gmail.
Kristin Russell, Colorado's secretary of technology and CIO, said the implementation was “very rapid” and felt it was best to employ a “light switch” approach where everyone is online with the new system at the same time, instead of moving each agency one by one at different times.
“One of the reasons why we chose to take that course of action was the fact that we knew at the end of the day, it really wasn't as much about the technology as it was about the change management of the users,” Russell said.
The state opted to move to the cloud for its email because its old system was deemed unreliable and too costly to maintain. Russell added that they felt moving to Google would increase information security for the state and the tools Google supplied would increase employee productivity.
Russell explained that whenever she mentions the state getting increased security by moving to the cloud, some people raise an eyebrow at how putting information up in the cloud is safer. But she said that early on in the process, Trull signed a nondisclosure agreement with Google and learned how their security was integrated into Gmail and Google Apps for Government.
What Trull learned helped convince Colorado on the general security abilities of Google's productivity suite. According to Russell, Google's database sharding – which is a partitioning scheme for large databases where none of the nodes in the system share memory or data storage – spreads data in hundreds of 64-bit randomly generated chunks across thousands of servers in three or four data centers within the U.S.
“A single email or document doesn't exist as a whole anywhere, nor is it associated with the person that sent it,” Russell said. “And then once it's put on disk, those disks are also encrypted. So even if somebody … broke into Google's data center and stole a disk, they'd only see one chunk of that data and even that chunk is encrypted.”
Although Colorado employees have only been on the cloud-based email system for a few months, both Trull and Russell said most users have transitioned to Gmail well. While more than 2,000 help desk tickets were opened during the first week of the Google email system deployment, that number was significantly down by the end of 2012.
Russell added that most of the tickets the state's help desk received dealt with issues related to user training and general comfort using a new system.
Trull said that while the learning curve is the hardest thing to overcome in a system migration, he hasn't heard any complaints or issues regarding security compliance. He also revealed that the state just went through a Social Security Administration audit and passed it with flying colors with no recommendations regarding security.
Moving forward, Russell explained that the state plans to hire a service delivery manager specifically for the Google system. The person will evaluate the overall performance of Gmail for the state and will also be charged with identifying other ways Colorado can partner with Google in the future.
From a cost-savings perspective, when the announcement was made in March 2012 that Colorado was moving to Google for email and calendar services, the state originally estimated it would save approximately $2 million per year.
But when asked for an update to that savings number, Russell said that while the original figure was established from a forecasting standpoint, there were fluctuations in cost that weren't accounted for initially. As a result, the state is no longer reporting a specific number.
Russell explained that the additional level of security and encryption provided by ZixCorp has a cost assigned to it on a per-mailbox basis. So prior to the move to Gmail, estimates were made based on the general number of mailboxes that might need the extra encryption. But that number dramatically increased, adding to the overall cost.
For example, one Colorado agency was only planning to encrypt 900 users, but bumped it to 4,000 during the project. So a static savings figure is difficult for Russell to pinpoint with concrete certainty.
“We feel very confident that there will be future cost savings and cost avoidance opportunities,” she said. “A lot of our original projections … just had to do with email. It didn't account for a lot of the other costs we'll be avoiding down the road, should the state move to, for example, Google Docs, or Google Apps in general off Microsoft Office.”