Utah’s Department of Technology Services is encrypting the data it shares internally and externally with other agencies and private entities to combat the rising number of cyberattacks. DTS contracted with Virtru, an encryption company, about five years ago to shore up its enterprise cloud-based email system after finding the administrative tools in its previous solution to be problematic.
Using an outside vendor for encryption makes it harder to perform administrative functions. The vendor had to communicate with its third-party encryption group, which had to authorise a direct discussion, implement the change and then tweak it based on feedback. Managing encryption through a middleman became cumbersome.
Virtru works with DTS’ existing email system, automating the encryption. All users have to do is toggle it on or off, depending on the contents of a message. To use it on a mobile device, state workers use an app to encrypt and decrypt messages.
Utah’s 26 agencies have different needs for encryption. Certain agencies in the state require all messages to be encrypted, so they put a couple of email gateways in place that enforce a rule: any email going from this group to any other party, in the state or externally, has to be encrypted. Other agencies tried that and found it problematic.
To adjust for that, users can set a default for the percentage of their emails that must be encrypted, or they can just turn it on or off. To ensure that someone doesn’t forward sensitive content, encryption makes the information readable only by the intended recipients.
After everyone is comfortable with encrypted email, DTS starts talking about expanding the service to other datasets, such as documents created as part of collaborative projects or archived data. Virtru’s encryption can be integrated into specific workflows such as email, file sharing and the internet of things. Encryption is important not only for information stored in cloud networks but also for organisations such as state agencies that need to share sensitive data, such as criminal justice, health or payment information.
They also aim to collaborate with thousands of external organisations, so the states need to embrace the cloud, move sensitive data into these cloud systems and then share data with third parties while always maintaining control over that content.
In Utah, an ongoing challenge is ensuring that encryption is seamless for users. For example, one system requires them to log in with two-factor authentication, but if they are using a new device, it asks for additional security information. It is a safeguard against bad actors acquiring someone’s credentials, but it happens in the background and is triggered only when necessary. Adapting to encryption takes some cultural change. Workers need to be aware of what is happening to smooth the transition process.
According to the recommendations of the National Institute of Standards and Technology (NIST), many threats against end-user devices could cause information stored on the devices to be accessed by unauthorised parties. To prevent such disclosures of information, particularly sensitive data, the information needs to be secured.
Securing other components of end-user devices, such as operating systems, is also necessary, but in many cases, additional measures are needed to secure the stored information. The primary security controls for restricting access to sensitive information stored on end-user devices are encryption and authentication. Encryption can be applied granularly, such as to an individual file containing sensitive information, or broadly, such as encrypting all stored data.
The appropriate encryption solution for a particular situation depends primarily upon the type of storage, the amount of information that needs to be protected, the environments where the storage will be located, and the threats that need to be mitigated. When selecting a solution type, organisations should consider the range of solutions that meet the organisation’s security requirements, and not just the solution type that is most commonly used.