NIST logo
*
Bookmark and Share

****WORKING DOCUMENT****

3.4      Copy Data Objects Into A Cloud

Actors: cloud-subscriber, cloud-provider, transport-agent.

Goals: Cloud-subscriber initiates a copy of data objects from the cloud-subscriber's system to a cloud-provider's system. Optionally, protect transferred objects from disclosure.

Assumptions: Assumes the Use Case "Open an Account" for cloud-subscriber on cloud-provider's system.  The cloud-subscriber has modify access to a named data object container on the cloud-provider's system.

Success Scenario 1 (cloud-subscriber-to-network copy, IaaS, PaaS, SaaS): The cloud-subscriber determines a local file for copying to the cloud-provider's system.  The cloud-subscriber issues a command to the cloud-provider's system to copy the object to a container on the cloud-provider's system.  The command may perform both the object creation and the data transfer, or the data transfer may be performed with subsequent commands.  The command specifies the location of the local file, the data encoding of the local file, and the name of the new object within the container.  If the cloud-subscriber requests protection from disclosure, cryptography is used to protect the objects in transit. The command returns the success status of the operation from the cloud-provider's system to the cloud-subscriber. The cloud-provider charges the cloud-subscriber for the transfer according to the terms of the SLA, and begins accruing storage charges.

Failure Conditions 1: (1) partial writes and concurrent accesses; (2) size limitations, i.e., the local file will not fit into the container; (3) network fails repeatedly during transfer; (4) security breaches resulting in stolen data are discovered by cloud-provider; (5) data loss during transfer; (6) data errors during transfer; (7) cloud-provider's system fails to notify the cloud-subscriber the successful data object transfer to container.

Failure Handling 1:  For (1), (3), (5), (6), cloud-subscriber retries request; For (4) cloud-provider sends a notice of unauthorized disclosure to the cloud-subscriber; For (2), cloud-subscriber contacts cloud-provider for larger container; For (7), See Use Case "Close Account" on failure handling related to notifications from cloud-provider to cloud-subscriber.

Additional Assumptions: Data in transit is protected by one of two methods: 1) the cloud-subscriber encrypts data prior to copying it onto the disk drive and also informs the cloud-provider of the decryption key via a secure connection and the cloud-provider then decrypts the data before copying it into a new object, 2) the cloud-subscriber encrypts the data prior to copying it onto the disk drive and then, later, performs the decryption using processing resources of the cloud.  The cloud-provider will provide disk drives to cloud-subscriber or will accept cloud-subscriber-provided disk drives.

Success Scenario 2 (cloud-subscriber-to-transport-agent copy, IaaS, PaaS, SaaS):  The cloud-subscriber prepares a local file for copying to the cloud-provider's system. The cloud-subscriber accesses the cloud-provider's documentation and determines the characteristics of disk drives that the cloud-provider accepts for data import.  The cloud-subscriber uses a cloud-provider-compatible disk and connects the disk drive to the cloud-subscriber's computer system and performs a local copy of the local file onto the disk drive, along with a manifest specifying the encoding of the file, the container in which the file should be placed at the cloud-provider, access control metadata about the file, and the file's intended name.  The cloud-subscriber uses a transport-agent to deliver the disk drive to the cloud-provider.  On receipt of the disk drive, the cloud-provider connects the disk drive to the cloud-provider's system and performs a local copy of the data into the container specified by the cloud-subscriber, and either retains or returns the disk drive according how the drive was provisioned.  If the drive is to be re-used by the cloud-provider, the cloud-provider erases all cloud-subscriber data on the disk using a suitable mechanism (see Use Case: "Erase Data Objects In a Cloud"), sends an attestation to the cloud-subscriber that the erase operations have been performed, and charges the cloud-subscriber if they requested special erase operations.

Failure Conditions 2: (1) cloud-subscriber sends inappropriate disk that fails to satisfy the requirements of the cloud-provider; (2) data object is in format not supported by cloud-provider; (3) transport-agent loses disk

Failure Handling 2: For (1) cloud-provider returns disk to cloud-subscriber; For (2) cloud-provider returns disk to cloud-subscriber and sends message to cloud-subscriber requesting data is resent in proper file encoding format; (3) transport-agent notifies cloud-subscriber of loss.

Requirements File:

Credit:  This scenario is inspired by the Amazon S3 system.