Terminology
Transfer General (TG) is a data management service that utilizes cryptography to enable data owners to securely distribute, archive, and transfer highly-sensitive data from any location, including data centers and the cloud. Transfer General consists of two components - Transfer General Main (TGM) and Transfer General Remote (TGR). The TGM is deployed next to the source of the data within a data center or in the cloud and the TGR is deployed at the destination site. One TGM can handle multiple TGR’s.
TG consists of two main components - Transfer General Main (TGM) and Transfer General Remote (TGR). The TGM is deployed next to the source of the data within a data center or in the cloud and is responsible for encrypting data-at-rest using AES encryption. The TGR is deployed at the destination site, typically within a partner's network in the DMZ. The TGR acts as a recipient of data that is being shared by the data owner. Multiple TGRs can be managed by a single TGM.
There are several actors involved in a TG setup, including:
- TG Administrator - responsible for managing and maintaining the TG infrastructure, including TGMs and TGRs.
- Uploader - the data owner who uploads data to be shared via TG.
- Downloader - both the TGM and TGR can make use of this user to download data for processing or storage.
- Key Locker - TG uses its own key lockers to manage data encryption keys, which are used to encrypt data during transit and storage. These keys are protected using advanced encryption algorithms and best practices, and are managed securely to prevent unauthorized access.
- Google Cloud Storage Bucket - data can be stored in Google Cloud Storage buckets for additional backup and redundancy.
Overall, TG is a secure and cost-effective solution for sharing sensitive data, allowing data owners to distribute, archive, and transfer their data without the need for expensive VPNs or other traditional solutions. TG's use of cryptography and advanced security measures ensure that data is kept safe and secure throughout the data management process.
| Transfer General Main (TGM) | A Transfer General Main (TGM) is a component of the Transfer General (TG) data management service that is deployed next to the source of highly sensitive data, such as a file server deployed within a data center or in the cloud. The TGM is responsible for receiving and securely encrypting the data using cryptography techniques before storing it on disk. Once the data is ingested, the TGM can upload the encrypted data into a Google Cloud Storage bucket or directly transfer it to a Transfer General Remote (TGR) component located at the destination site. The TGM can handle multiple TGRs and allows data owners to securely distribute, archive, and transfer highly-sensitive data from any location, while minimizing costs. |
| Transfer General Remote (TGR) | A Transfer General Receiver (TGR) is a component of the Transfer General (TG) data management service that receives and stores data that has been ingested and encrypted by a Transfer General Main (TGM) component. The TGR provides a secure and scalable way to store and share data, and it can be mapped to one or more TGMs, depending on the data management needs of the organization. The TGR can receive data either directly from a TGM or from a Google Cloud storage bucket where the encrypted data is stored. It does not encrypt data itself, but can decrypt data that it receives, using the encryption keys managed by the data owner. The TGR also provides access controls and permissions, allowing authorized users to download and use the decrypted data. |
| Security Officer | An authorized entity that manages Data Administrators. |
| SMK | The SMK stands for Security Officer's Master Key, which is a passphrase generated during the initial installation of Transfer General. The Security Officer is the person responsible for managing the TGM administrator and has access to the SMK. |
| Data Administrator | An authorized entity who is trusted with the management of sensitive data sets. Usually the TGM admin will play this role. |
| DMK | The DMK is a passphrase used to encrypt/decrypt the actual data encryption key used to encrypt and decrypt the data stored in the TGM. The DMK is usually known only to the TGM administrator and is used to access and manage the encrypted data. |
| uploader | The "uploader" is a user who has been assigned the role to upload data to the Transfer General Main (TGM) system, typically through SFTP/SCP protocols. |
| downloader | The "downloader" is a user who has been assigned the role to download backed up data to the Transfer General Main (TGM) system from a Google Cloud storage bucket. |
| TGM admin | The TGM admin is responsible for managing the TGM and all TGRs under its control, managing the vault, uploading data into Google Cloud Storage bucket or sending the data directly to a TGR, and revoking access to data stored within a TGR. The TGM admin is also responsible for rotating the DMK to ensure the security of the data encryption keys. |
| Data Owner | The data owner is typically the person or entity that has legal ownership or custodianship of the data, and is ultimately responsible for its proper use and management throughout its lifecycle. |
| Partner | A partner refers to an entity or organization with whom the data owner wishes to share data. |
| Google Cloud Storage | A Google Cloud storage bucket is a cloud-based object storage solution offered by Google Cloud Platform that allows users to store and access data objects. In the context of TG, a Google Cloud storage bucket is used as a storage location for encrypted data uploaded by the TGM, which can then be accessed and distributed as needed through the use of TGRs. |
| Direct Transfer | Direct Transfer refers to the direct transfer of encrypted data from a TGM to a TGR without the use of a Google Cloud Storage bucket as an intermediary. |