In what could serve as a model for other state and local governments, Colorado has found a way to secure its cloud-based email in a manner that should meet even the most stringent digital security standards.

Colorado partnered with Zix Corp. to develop a tool that gives additional layers of email encryption and authentication for state law enforcement personnel and other highly sensitive data users. Officials believe the enhanced technology meets the FBI’s Criminal Justice Information Services (CJIS) data requirements and the privacy standard set forth by the Health Insurance Portability and Accountability Act (HIPAA) regarding protected health information.

Online since last October when the state moved its employees to Gmail, the system operates fairly seamlessly for users. When Colorado employees start up their systems, they access their Gmail through the Google Chrome browser. But when those workers who need extra encryption log in, a separate tab opens automatically in Chrome to a Web portal from ZixCorp. That portal requires an additional login and password as another authentication step to send and receive email with sensitive data.

The only time the email on the Zix portal is readable is when the user is composing or reading a message. ZixCorp fully encrypts the data and makes email contents completely unreadable in any of the user’s Zix email account folders.

If an encrypted message is sent to Colorado employees through the ZixCorp system, they receive a notification in their regular Gmail that they have sensitive data mail. Those employees who already have a ZixCorp account can toggle over to the portal and log in to read their mail, while users without the additional mailbox need to create an account with ZixCorp in order to access the information.

Jonathan Trull, Colorado’s chief information security officer, said that despite the additional steps, he’s very confident with the security already built into Google Apps and Google Apps for Government. The former was the first cloud productivity suite to receive FISMA — Federal Information Security Management Act — certification from the U.S. government.

But Trull felt the extra layer of protection and authentication helped further address CJIS-specific security needs.

“Zix has the capacity to meet some of the more process-oriented requirements,” Trull explained. “For example, their people were willing to undergo a separate background check, and their fingerprints are submitted on file with our local law enforcement agency. It just allows us to have a little more control.”

Nigel Johnson, vice president of business development and product management for Zix Corp., said the company doesn’t have a name for the tool yet, but based it off Zix Corp.’s Google Message Encryption (GME) solution. That application takes the mail with sensitive information and encrypts it from the edge of the Google network to the end user. Encrypting the mail while it resides inside the email account folders was the primary alteration the company made to meet Colorado's needs.

Johnson added that this was the first time ZixCorp has gone to this extreme level of encryption control for a customer. But now that they’ve done it, they can reproduce it for any future project.

Security Questions

Google Apps for Government has been successfully rolled out in cities, states and federal agencies since its debut in 2010. In addition to Colorado, Utah and Wyoming both use Google's cloud productivity suite, as do the cities of Pittsburgh, Orlando, Los Angeles, Des Moines and St. Louis. A number of federal government agencies, including the General Services Administration, are also customers.

But not every user has been satisfied with Google's email security.

In late 2011, the Los Angeles City Council axed plans to add police and other criminal justice employees on the Google email system, believing the FBI’s CJIS requirements for data storage and security were not fully met by Google’s cloud technology.

The Los Angeles Police Department and others in the city that need heightened security instead were left on the city’s in-house Novell GroupWise email system. The Los Angeles Times reported in December 2011 that Google will pay $350,000 per year for those employees to stay on the Novell system.

The city had signed a $7.2 million contract with systems integrator CSC in 2009 to move all 30,000 city employee email accounts to Gmail. The email security issues Los Angeles had with Gmail were revealed publicly in October 2011, when Santa Monica, Calif.-based Consumer Watchdog released on its website a letter from then-Los Angeles CTO Randi Levin to CSC. In the letter, Levin formally requested a refund on seat licenses and migration costs associated with moving its law enforcement and criminal justice personnel to Gmail.

Levin resigned from her position in July 2012, and colleagues close to Levin – a former vice president of NBC Universal -- indicated to Government Technology at the time that the Gmail project may have been a factor in her decision to leave.

Brian Heaton  |  Senior Writer

Brian Heaton is a senior writer for Government Technology. He primarily covers technology legislation and IT policy issues. Brian started his journalism career in 1999, covering sports and fitness for two trade publications based in Long Island, N.Y. He's also a member of the Professional Bowlers Association, and competes in regional tournaments throughout Northern California and Nevada.