Client-side encryption enables Gmail for state users
- By Stephanie Kanowitz
- Dec 09, 2016
Maryland has moved more state employees’ email to Google Cloud after adding a platform that secures sensitive data in the cloud while leaving data ownership squarely in control of the users.
The email migration project that started with just 500 state government users has expanded to 15,000, mainly in the law enforcement and health fields, using a platform from data privacy provider Virtru. The system, which is built on the company’s Trusted Data Format, an open standard that uses client-side 256-bit encryption to protect data throughout its life span wherever it goes.
“It both ensures that [users] can put their most sensitive content into any ecosystem and that they can maintain control of that data after they share it,” said John Ackerly, CEO and cofounder of Virtru.
To use Virtru Pro – there’s also a basic version – the state installed the app from the Google Apps Marketplace and synced its user groups and distribution lists with the company’s encryption server. Then, Maryland added the service to its existing Gmail accounts. This forces encryption of every email based on the state’s data loss prevention policies.
“Typical encryption is incredibly difficult to set up,” Ackerly said. “You have to often install a big on-premise server and it takes months to do and it’s very painful for the recipient…. We take out that friction, both from an install perspective for the state and [for the] employee and recipient perspective.”
Before implementing Virtru, more than 10,000 workers had to use on-premise systems for email to comply with regulations set by the Health Insurance Portability and Accountability Act and Criminal Justice Information Services.
For example, employees of the Maryland Department of Public Safety and Correctional Services (DPSCS) needed data to be encrypted before their systems moved to the cloud to comply with CJIS. Because Virtru encrypts email messages before they leave end users’ devices, mail hosts have access only to encrypted content, making the department compliant.
Now, those workers can use desktop or mobile devices to share sensitive information via email while they maintain control of the data, including revoking access, setting expiration dates for the email and controlling forwarding.
“The state of Maryland has achieved great collaboration and cost efficiency with Google Cloud, and Virtru allows us to extend these benefits to all of our agencies,” said Susan Lyon, manager of Maryland's Google Cloud team, in a statement. “By enabling CJIS compliance for DPSCS employees, Virtru gave us a path toward a complete cloud migration. Now we’re using it to meet CJIS and HIPAA requirements and protect the privacy of our citizens statewide.”
Stephanie Kanowitz is a freelance writer based in northern Virginia.