How Utah secures shared data
Connecting state and local government leaders
To combat the rising number of cyberattacks, Utah’s Department of Technology Services is encrypting the data it shares internally and externally with other agencies and private entities.
DTS contracted with Virtru, an encryption company, about five years ago to shore up its enterprise cloud-based email system after finding the administrative tools in its previous solution to be problematic.
“You’re somewhat spoiled when you have an on-prem system because you’re in full control of everything, and being able to deal with the encryption and handle issues as they come through,” said Corona Ngatuvai, enterprise architect at DTS.
With the previous system, using an outside vendor for encryption made administrative changes harder because “you have to go through the vendor,” he said. That vendor in turn had to go through its own third-party encryption provider, which had to authorize a direct discussion, implement the change and then adjust it based on feedback. “It became too cumbersome to manage encryption when there was a middle man,” Ngatuvai said.
Virtru works with DTS’ existing email system, automating the encryption. All users must do is toggle it on or off, depending on the contents of a message. To use it on a mobile device, state workers use an app to encrypt and decrypt messages.
Utah’s 26 agencies have different needs for encryption, Ngatuvai said. “Certain agencies in the state require all messages to be encrypted, so we put a couple of email gateways in place to say if there are any email communications going from this group to any other party in the state or externally, it has to be encrypted,” he said. Other agencies tried that and found it problematic. “If I forget that it’s being encrypted and I just want to order a pizza, I send an email off and the pizza guy is like, ‘What is this?’”
To adjust for that, users can set a default for the percentage of their emails that must be encrypted -- or they can just turn it on or off.
Ngatuvai said the state has two main use cases for encryption: “Back in the day when you had an email system that’s on-prem, you had the ability to retract an email,” he said. “In a cloud environment, no way.” With data-centric encryption, however, the sender keeps control of the key that protects a message and can revoke access to it, which renders an accidentally sent message unreadable even though it has already been delivered.
Similarly, encryption does not stop someone from forwarding sensitive content, but it keeps that content readable only by the intended recipients, so a forwarded copy is useless to anyone else.
“Now that everybody’s comfortable” with encrypted email, DTS has started talking about expanding the service to other datasets, such as documents created as part of collaborative projects or archived data, Ngatuvai said.
Data-centric security works, said John Ackerly, who founded Virtru with his brother, Will Ackerly, a former National Security Agency architect who developed the Trusted Data Format, encryption tech still used within the DOD. Virtru’s encryption can be integrated into specific workflows such as email, file sharing and internet of things. It’s important for information stored in cloud networks but also for organizations such as state agencies that need to share sensitive data, such as criminal justice, health or payment information.
“They also need to collaborate with thousands of external organizations, so we enable states to embrace the cloud, move sensitive data into these cloud systems and then share data with third parties while always maintaining control over that content,” John Ackerly said.
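The retract and anti-forwarding controls described above come from the key-access model, not from the cipher itself: the ciphertext travels with the message, while the key is released per request by a service the sender still controls. The Go program below is an added illustration of that model written for this article; it is not Virtru's code and not the Trusted Data Format, whose actual wire format is not described on this page. The message IDs, addresses, in-memory key store and the sample message text are assumptions made up for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what actually travels inside the e-mail: ciphertext plus the
// identifiers a recipient's client needs to ask the key service for the
// content key. It deliberately carries no key material.
type Envelope struct {
	ID         string
	Nonce      []byte
	Ciphertext []byte
}

type keyRecord struct {
	key        []byte
	recipients map[string]bool
	revoked    bool
}

// KeyService stands in for the key-access server of a data-centric encryption
// product. Here it is an in-memory map (an assumption for the example); in a
// real deployment it is a separate, authenticated service.
type KeyService struct {
	records map[string]*keyRecord
}

func NewKeyService() *KeyService {
	return &KeyService{records: map[string]*keyRecord{}}
}

// ErrDenied is returned when the key service refuses to release a key.
var ErrDenied = errors.New("key access denied")

// Protect encrypts plaintext under a fresh per-message AES-256-GCM key, registers
// that key with its recipient list, and returns a key-free envelope.
func (ks *KeyService) Protect(id, plaintext string, recipients ...string) (*Envelope, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// The message ID is bound as associated data so an envelope cannot be
	// re-labelled to borrow another message's key.
	ct := gcm.Seal(nil, nonce, []byte(plaintext), []byte(id))
	rec := &keyRecord{key: key, recipients: map[string]bool{}}
	for _, r := range recipients {
		rec.recipients[r] = true
	}
	ks.records[id] = rec
	return &Envelope{ID: id, Nonce: nonce, Ciphertext: ct}, nil
}

// Revoke is the "retract" operation: the already-delivered ciphertext is
// untouched, but the key service stops releasing its key to anyone.
func (ks *KeyService) Revoke(id string) {
	if rec, ok := ks.records[id]; ok {
		rec.revoked = true
	}
}

// Open is what a recipient's client does: request the key for this envelope as
// the named requester, and decrypt locally if the service releases it. A
// forwarded copy fails here because the forwardee is not on the recipient list.
func (ks *KeyService) Open(env *Envelope, requester string) (string, error) {
	rec, ok := ks.records[env.ID]
	if !ok || rec.revoked || !rec.recipients[requester] {
		return "", ErrDenied
	}
	block, err := aes.NewCipher(rec.key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(env.ID))
	if err != nil {
		return "", err // tampered ciphertext or mismatched ID
	}
	return string(pt), nil
}

func main() {
	ks := NewKeyService()
	// Constructed sample message and addresses.
	env, err := ks.Protect("msg-1001", "Case file 42: record attached", "clerk@agency.example")
	if err != nil {
		panic(err)
	}
	fmt.Println(ks.Open(env, "clerk@agency.example")) // intended recipient reads it
	fmt.Println(ks.Open(env, "pizza@shop.example"))   // forwarded copy: key access denied
	ks.Revoke("msg-1001")
	fmt.Println(ks.Open(env, "clerk@agency.example")) // retracted: key access denied
}
```

The point to notice is that neither the forwardee nor the original recipient after revocation ever touches the key, so the same delivered ciphertext goes from readable to unreadable without the sender recalling anything from the mailbox. Tampering with the ciphertext is caught separately by GCM's authentication tag.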
Maryland began using Virtru in 2015 to shore up its use of Google tools such as Gmail and Google Drive. The state embeds the platform in automated workflows beyond email, such as file sharing, because sensitive data leaves through many endpoints.
In Utah, an ongoing challenge is keeping encryption seamless for users. For example, one system requires them to log in with two-factor authentication, and if they are using a new device it asks for additional security information. That step-up is a safeguard against an attacker who has acquired someone’s credentials, but it runs in the background and is triggered only when necessary.
Adapting to encryption takes some cultural change. To smooth the process, Ngatuvai recommends making workers aware of what’s happening and how it will keep them safe.
“When you think about Buckingham Palace and those guards with the fuzzy hats, you can show that picture and automatically people have some idea of what you’re talking about and where,” he said. “I think that’s what we wanted to accomplish here with our encryption and our use of it: ‘When you see this icon on your desktop, it’s secure.’”
Editor's note: This article was corrected May 28 to say that the Trusted Data Format is still used within the DOD, not the CIA.