
"Building Guardrails" — How Georgia Technology Authority Created a Blueprint for Statewide Data Protection

Georgia Technology Authority

The Georgia Technology Authority (GTA) serves as the central IT and cybersecurity organization for Georgia state government, providing shared technology services, enterprise governance, and strategic leadership across agencies. With a mission to provide technology leadership for sound IT enterprise management, GTA's vision centers on a transparent, integrated enterprise where technology decisions are made with the citizen in mind.

As the cybersecurity backbone for state operations, GTA handles some of the most sensitive data imaginable: criminal justice information, tax records, legal contracts, procurement documents, and personally identifiable information for millions of Georgia residents. When it became clear that staff were inadvertently creating security gaps while simply trying to do their jobs, GTA leadership knew they needed to establish what they call "encryption guardrails": automated protections that would secure data leaving the organization without creating friction for employees.

After a comprehensive evaluation of secure file sharing and email encryption solutions, GTA selected Virtru's end-to-end encryption platform with Private Keystore, positioning the state to become a leading example of zero-trust data protection in government.

  • A zero-trust foundation for the entire state: GTA deployed Virtru Email Encryption and Secure Share with Virtru Private Keystore, creating a replicable model that other Georgia agencies can leverage through GTA's existing contract.
  • Automated security that doesn't slow down government: Integration with Microsoft 365, OneDrive, Teams, SharePoint, Outlook, and Okta SSO enables persistent encryption, automated policies, and granular access controls without disrupting workflows.
  • True data sovereignty: Virtru Private Keystore ensures encryption keys remain under state control with zero access by Microsoft, Google, or Virtru, which is critical for CJIS, FedRAMP, HIPAA, IRS Pub 1075, and GovRAMP compliance.
  • From honor system to audit trail: The ability to track, revoke, set expiration dates, and disable forwarding or downloads transforms data governance from hope to certainty.

The Challenge: When Good Intentions Create Security Gaps

GTA's challenge wasn't a lack of security tools — it was a fundamental gap in controlling data after it left their environment.

The core issue was simple: no unified data classification, which made it impossible to effectively enforce encryption policies. Without a consistent framework for identifying what needed protection, staff made individual judgment calls. Microsoft Purview existed, but employees rarely proactively chose to use it. 

Once a file was shared with a contractor or sent to another agency, all control disappeared. No ability to revoke access. No audit trail. No expiration dates or forwarding restrictions. No External Digital Rights Management (EDRM) on sensitive data leaving the state. GTA had no ability to automate encryption and EDRM for objects being shared outside of their AWS Object store. The state was operating on an honor system for securing shared data.

The workarounds created additional exposure. Staff would chop up large files and zip them to bypass email size limits. Sensitive documents ended up in individual Dropbox accounts. Teams accidentally exposed entire folder structures through OneDrive and Teams links. There was no central tool to disable forwarding and no automated policies to catch PII or criminal justice data being sent unprotected.

Business email compromise compounded the risk. If an attacker gained access to an employee's account, GTA had no way to revoke access to already-shared sensitive communications.

The departments handling the most sensitive information — HR, Finance, Legal, Procurement — were particularly exposed, routinely sharing contracts, PII, and investigation files externally with limited post-sharing protection.

GTA needed comprehensive encryption "guardrails" that would work across their Microsoft 365 environment, protect data at the object level, maintain control after sharing, and critically, keep encryption keys under state control rather than with Microsoft or other third parties. The solution needed to meet CJIS, FedRAMP, HIPAA, and IRS Publication 1075 requirements while remaining user-friendly enough for non-technical staff to actually adopt.

Why Traditional Solutions Fell Short

GTA's evaluation examined the full landscape of file-sharing and secure communication solutions. They considered existing tools like Microsoft OneDrive, Dropbox, SharePoint, and Teams portal, but found them insufficient for secure external sharing. Other options included Secure FTP, legacy secure mail systems, NTT, Barracuda, and Symantec. Microsoft Outlook's native encryption was available but perceived as too convoluted for widespread staff adoption.

None of them solved the core problem.

Traditional SFTP tools like MOVEit worked for specific use cases but created friction. Solutions like Egress, KiteWorks, Accellion, and Box offered file-sharing capabilities, but they all shared a fundamental limitation: data was encrypted on their platforms, but the providers themselves had access to unencrypted files. For a state government handling criminal justice data, tax information, and confidential investigations, this violated the data sovereignty principle GTA wanted to establish.


The Virtru Private Keystore capability addressed GTA's most fundamental requirement: true zero trust. By hosting encryption keys on their own infrastructure, GTA ensured that Microsoft, Google, and even Virtru itself had zero access to state data, essential for compliance with CJIS, FedRAMP, HIPAA, and IRS Publication 1075.

Rather than replacing GTA's Microsoft 365 environment, Virtru enhanced it, integrating seamlessly with Outlook, OneDrive, Teams, and SharePoint. Staff wouldn't need to learn new systems. 

The Deployment: Building Guardrails Across Government Operations

GTA approached deployment with the understanding that this wasn't just a technology implementation; it was establishing a new standard for how the Georgia government handles sensitive data. The rollout needed not only to work for GTA staff but also to create a replicable model for other state agencies.

The technical integration centered on GTA's Microsoft 365 environment. Virtru's email encryption deployed directly into Outlook, giving staff one-click encryption for messages and attachments. Secure Share integrated with OneDrive, Teams, and SharePoint, enabling encrypted file sharing without forcing employees to change where they stored documents. 

The Private Keystore implementation was more complex but strategically essential. By hosting encryption keys on GTA's own infrastructure rather than in Virtru's cloud, the state achieved its desired goal of data sovereignty. This architecture meant that even if Microsoft, Google, or Virtru were compelled by legal process to provide access to encrypted data, they literally couldn't — the keys existed only within GTA's control.

The emphasis throughout was on minimizing workflow disruption. Staff could continue using the same Microsoft applications they'd always used. The interface was intuitive enough for non-technical employees. Recipients on the other end — contractors, other agencies, citizens — could access encrypted content through a web browser or mobile device without creating accounts or remembering yet another password.

Building a Blueprint for Government Data Security

GTA's Virtru deployment establishes a comprehensive approach to data protection that other state agencies — and other states — can learn from.

By creating encryption guardrails rather than relying on staff to remember security protocols, GTA has made secure data sharing the default rather than the exception. By deploying Private Keystore, they've demonstrated that government can maintain data sovereignty while embracing cloud productivity tools. By integrating with existing Microsoft infrastructure rather than requiring wholesale replacement, they've shown that enterprise security doesn't require abandoning existing investments.

As GTA expands Virtru across additional Georgia agencies, the state is building a consistent security posture where sensitive data — whether HR records, legal documents, procurement contracts, or criminal justice information — receives the same persistent protection regardless of which department handles it.

For a state government organization whose vision centers on making technology decisions with citizens in mind, Virtru enables GTA to protect constituent data with the same rigor that citizens expect and regulations demand. The honor system has been replaced with cryptographic certainty. Workarounds that created security gaps have been replaced with tools that make secure sharing easier than insecure sharing.

Georgia isn't just protecting data. They're setting the standard for how state government should handle the sensitive information citizens entrust to them.