When Government Technology sought comment on email security in Colorado's Gmail deployment, a Google spokesman said the company is committed to keeping its customers' information secure. The spokesperson added that resellers like ZixCorp are among 6,000 partners of Google that provide additional support to meet individual needs, including enhanced security.
The Colorado project wasn't just an email migration. The state also consolidated disparate email systems, accomplishing everything in roughly three months. Approximately 26,000 state employees were moved to Gmail.
Kristin Russell, Colorado's secretary of technology and CIO, said the implementation was “very rapid” and felt it was best to employ a “light switch” approach where everyone is online with the new system at the same time, instead of moving each agency one by one at different times.
“One of the reasons why we chose to take that course of action was the fact that we knew at the end of the day, it really wasn't as much about the technology as it was about the change management of the users,” Russell said.
The state opted to move to the cloud for its email because its old system was deemed unreliable and too costly to maintain. Russell added that they felt moving to Google would increase information security for the state and the tools Google supplied would increase employee productivity.
Russell explained that whenever she mentions the state getting increased security by moving to the cloud, some people raise an eyebrow at the idea that putting information in the cloud is safer. But she said that early on in the process, Trull signed a nondisclosure agreement with Google and learned how its security was integrated into Gmail and Google Apps for Government.
What Trull learned helped convince Colorado of the general security capabilities of Google's productivity suite. According to Russell, Google's database sharding – which is a partitioning scheme for large databases where none of the nodes in the system share memory or data storage – spreads data in hundreds of 64-bit randomly generated chunks across thousands of servers in three or four data centers within the U.S.
“A single email or document doesn't exist as a whole anywhere, nor is it associated with the person that sent it,” Russell said. “And then once it's put on disk, those disks are also encrypted. So even if somebody … broke into Google's data center and stole a disk, they'd only see one chunk of that data and even that chunk is encrypted.”
Although Colorado employees have only been on the cloud-based email system for a few months, both Trull and Russell said most users have transitioned to Gmail well. While more than 2,000 help desk tickets were opened during the first week of the Google email system deployment, that number was significantly down by the end of 2012.
Russell added that most of the tickets the state's help desk received dealt with issues related to user training and general comfort using a new system.
Trull said that while the learning curve is the hardest thing to overcome in a system migration, he hasn't heard any complaints or issues regarding security compliance. He also revealed that the state just went through a Social Security Administration audit and passed it with flying colors with no recommendations regarding security.
Moving forward, Russell explained that the state plans to hire a service delivery manager specifically for the Google system. The person will evaluate the overall performance of Gmail for the state and will also be charged with identifying other ways Colorado can partner with Google in the future.
From a cost-savings perspective, when the announcement was made in March 2012 that Colorado was moving to Google for email and calendar services, the state originally estimated it would save approximately $2 million per year.
But when asked for an update to that savings number, Russell said that while the original figure was established from a forecasting standpoint, there were fluctuations in cost that weren't accounted for initially. As a result, the state is no longer reporting a specific number.
Russell explained that the additional level of security and encryption provided by ZixCorp has a cost assigned to it on a per-mailbox basis. So prior to the move to Gmail, estimates were made based on the general number of mailboxes that might need the extra encryption. But that number dramatically increased, adding to the overall cost.
For example, one Colorado agency was only planning to encrypt 900 users, but bumped it to 4,000 during the project. So a static savings figure is difficult for Russell to pinpoint with concrete certainty.
“We feel very confident that there will be future cost savings and cost avoidance opportunities,” she said. “A lot of our original projections … just had to do with email. It didn't account for a lot of the other costs we'll be avoiding down the road, should the state move to, for example, Google Docs, or Google Apps in general off Microsoft Office.”