
****WORKING DOCUMENT****

3.5      Copy Data Objects Out of a Cloud

Actors: unidentified-user, cloud-subscriber, cloud-provider, transport-agent.

Goals: Cloud-subscriber initiates a copy of data objects from a cloud-provider's system to a cloud-subscriber's system. Optionally, protect transferred objects from disclosure.

Assumptions:  The cloud-subscriber has "read" access to the objects and "traverse" access to object containers.

Success Scenario 1 (network-to-cloud-subscriber copy, IaaS, PaaS, SaaS): A cloud-subscriber prepares a local directory to receive a new file obtained from the cloud-provider's system.  The cloud-subscriber issues a command to the cloud-provider's system to retrieve an existing object.  The object resides in a container that itself resides on the cloud-provider's system, and the cloud-subscriber has "read" (or equivalent) access to the object as well as "traverse" (or equivalent) access to the container (and any containing containers).  The cloud-provider authenticates the cloud-subscriber's identity using credentials (e.g., by verifying a signature generated using a private key held by the cloud-subscriber) that have been previously established, e.g., at account setup.  The command specifies the unique identifier of the object to be copied, the location on the cloud-subscriber's system that will receive the object (which is called a file on the cloud-subscriber's system), and the data encoding of the object (e.g., ASCII, GIF, ZIP).  Either as part of the command or via a separate command, the cloud-provider generates a checksum value that can be used later to check that object contents were not altered in transit.  The checksum detects corruption and truncation; it detects deliberate alteration only if the checksum itself is conveyed over the authenticated command channel, since an attacker able to alter the transfer could otherwise alter the checksum as well.  Optionally, the command specifies that the object's content should be protected from disclosure during transit (e.g., by encrypting the transfer).  The command returns the success status of the operation after the object has been copied.  The cloud-provider charges the cloud-subscriber that owns the object for the data transferred according to the terms of service.  Optionally, the cloud-provider charges the cloud-subscriber that made the request (if different from the owning cloud-subscriber).

Failure Conditions 1:  (1) the object is corrupted in transit, or only part of it is received; (2) the object is disclosed in transit even though disclosure protection was requested; (3) the object is made inaccessible (e.g., moved, or "read" access removed by the object's owner) before the copy operation can begin (race condition).

Failure Handling 1:  For (1), the cloud-subscriber discards the received data and retries the operation; for (2), the cloud-provider sends the cloud-subscriber a notice of unauthorized disclosure; for (3), the cloud-subscriber could retry the operation if the object has moved, but must contact the object's owner if access has been revoked.

Success Scenario 2 (network-to-unidentified-user copy, IaaS, PaaS, SaaS): An unidentified-user prepares a local directory to receive a new file obtained from the cloud-provider's system.  The unidentified-user issues a command to the cloud-provider's system to retrieve an existing object.  The object resides in a container that itself resides on the cloud-provider's system, and the unidentified-user has "read" (or equivalent) access to the object as well as "traverse" (or equivalent) access to the container (and any containing containers).  The cloud-provider determines that the command originated from an unauthenticated entity (i.e., an unidentified-user).  The unidentified-user will have only the access rights that the cloud-provider offers to all unidentified-users.  The command specifies the unique identifier of the object to be copied, the location on the unidentified-user's system that will receive the object (which is called a file on the unidentified-user's system), and the data encoding of the object (e.g., ASCII, GIF, ZIP).  Either as part of the command or via a separate command, the cloud-provider generates a checksum value that can be used later to check that object contents were not altered in transit.  The command returns the success status of the operation after the object has been copied.  The cloud-provider charges the cloud-subscriber that owns the object for the data transferred according to the terms of service; an owner who grants "read" access to unidentified-users therefore accepts the transfer cost of anonymous downloads.

Failure Conditions 2:  (1) the object is corrupted in transit, or only part of it is received; (2) the object is made inaccessible (e.g., moved, or "read" access removed by the object's owner) before the copy operation can begin (race condition).

Failure Handling 2:  For (1), the unidentified-user discards the received data and retries the operation; for (2), the unidentified-user could retry the operation if the object has moved, but must contact the object's owner if access has been revoked.
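The network copy of Success Scenarios 1 and 2 shares one integrity check: compare the received length and checksum against the values the cloud-provider supplied, and retry on mismatch (Failure Condition (1) in both scenarios).  The following Python script is an added example, not code from the NIST document or from any cloud-provider.  It assumes SHA-256 as the checksum, a hypothetical provider object with separate `checksum` and `retrieve` commands, and a constructed sample object; the provider stand-in deliberately returns truncated and bit-flipped copies first so that the retry path is exercised.

```python
import hashlib
from pathlib import Path

# Constructed sample object held by the cloud-provider (not from the document).
OBJECT_ID = "reports/2013-q1.zip"
OBJECT_BYTES = bytes(range(256)) * 64          # 16 KiB of deterministic content
OBJECT_SHA256 = hashlib.sha256(OBJECT_BYTES).hexdigest()


class CopyError(Exception):
    """Base class for copy-out failures."""


class NotAccessible(CopyError):
    """Failure condition (3): object moved or "read" access revoked."""


class IntegrityError(CopyError):
    """Failure condition (1) persisted across all retries."""


class UnreliableProvider:
    """Hypothetical stand-in for the cloud-provider's retrieve command.

    The first `bad_responses` retrievals are delivered either truncated
    (partial receipt) or with one flipped bit (corruption in transit);
    later ones return the object intact.
    """

    def __init__(self, bad_responses, accessible=True):
        self.bad_responses = bad_responses
        self.accessible = accessible
        self.calls = 0

    def checksum(self, object_id):
        """Separate command returning (length, sha256 hex) for the object.
        In practice this answer must come over the authenticated command
        channel; otherwise whoever can alter the transfer can alter it too."""
        if object_id != OBJECT_ID or not self.accessible:
            raise NotAccessible(object_id)
        return len(OBJECT_BYTES), OBJECT_SHA256

    def retrieve(self, object_id):
        if object_id != OBJECT_ID or not self.accessible:
            raise NotAccessible(object_id)
        self.calls += 1
        if self.calls > self.bad_responses:
            return OBJECT_BYTES
        if self.calls % 2:                      # odd attempts: truncated copy
            return OBJECT_BYTES[: len(OBJECT_BYTES) // 2]
        damaged = bytearray(OBJECT_BYTES)       # even attempts: one bit flipped
        damaged[1000] ^= 0x01
        return bytes(damaged)


def copy_out(provider, object_id, dest_dir=None, max_attempts=3):
    """Copy one object out, verifying length and checksum before accepting it.

    Returns (data, attempts_used). The object is written into `dest_dir`
    only after verification, so a truncated or corrupted transfer never
    lands on disk under its final name. Raises IntegrityError when every
    attempt fails and NotAccessible when the object cannot be read at all.
    """
    expected_len, expected_sum = provider.checksum(object_id)
    for attempt in range(1, max_attempts + 1):
        data = provider.retrieve(object_id)
        if len(data) != expected_len:                          # partial receipt
            continue
        if hashlib.sha256(data).hexdigest() != expected_sum:   # altered in transit
            continue
        if dest_dir is not None:
            Path(dest_dir).joinpath(Path(object_id).name).write_bytes(data)
        return data, attempt
    raise IntegrityError(f"{object_id}: no intact copy after {max_attempts} attempts")


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as local_dir:
        data, used = copy_out(UnreliableProvider(bad_responses=2), OBJECT_ID, local_dir)
        print(f"verified {len(data)} bytes after {used} attempt(s) into {local_dir}")
```

The length check comes first because a truncated transfer is the common case and is cheaper to detect than a full hash; both checks must pass before the file is written, which is what keeps Failure Condition (1) from leaving a half-copied file in the prepared directory.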

Success Scenario 3 (physical-to-cloud-subscriber, IaaS, PaaS, SaaS):  A cloud-subscriber accesses the cloud-provider's documentation and determines the characteristics of disk drives that the cloud-provider accepts for data export.  The cloud-provider may provide disk drives to cloud-subscribers or may accept cloud-subscriber-provided disk drives.  The cloud-subscriber obtains a cloud-provider-compatible disk.  The cloud-subscriber writes a manifest onto the disk drive that specifies the location of the objects in the cloud to be copied onto the disk drive, and whether the objects should be encrypted prior to shipping to protect their confidentiality.  If the cloud-provider is providing the disk drive, this information may be sent over the network instead.  If the cloud-subscriber is providing the disk drive, the cloud-subscriber uses a transport-agent to deliver the disk drive to the cloud-provider.  Once the cloud-provider has the disk drive, either by receipt from the transport-agent or by procurement, the cloud-provider connects the disk to the cloud system, computes checksums on the data objects to be transferred, optionally encrypts the data objects to be transferred, performs a local copy of the specified data objects onto the disk drive, and uses a transport-agent to send the disk drive to the cloud-subscriber.  The cloud-provider conveys the checksums and the key material for decrypting the contents using a different channel that is itself protected using the cloud-subscriber's credentials (e.g., a public key known to the cloud-provider), so that the key material never travels with the disk it protects.  The cloud-subscriber takes steps to safeguard the key material from loss (e.g., backup on stable storage).  On receipt of the disk drive, the cloud-subscriber connects the disk drive to the cloud-subscriber's computer system and performs a local copy of the data objects to the cloud-subscriber's computer system.  If encryption was requested, the cloud-subscriber decrypts the objects using the key material indicated by the cloud-provider.  The cloud-subscriber validates the checksums on the decrypted objects.  Depending on the provisioning of the disk drive, the cloud-subscriber may return it to the cloud-provider.

Failure Conditions 3: (1) a cloud-subscriber-provided disk is lost before arriving at the cloud-provider or is defective; (2) the disk is lost or damaged in transit from the cloud-provider to the cloud-subscriber; (3) data objects on the disk received by the cloud-subscriber are corrupted; (4) the key material and/or checksum information is lost before it can be received by the cloud-subscriber.

Failure Handling 3:  For (1) and (2), procure a new disk and retry; if the disk lost in (2) carried objects that were not encrypted, the loss is also a disclosure of their contents, which is the case that requesting encryption in the manifest is intended to cover.  For (3), retry the export for the affected objects.  For (4), request that the cloud-provider resend the checksums and key material over the protected channel; the disk itself need not be reshipped.
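The disk export of Success Scenario 3 and its Failure Handling, as an added example that is not code from the NIST document or from any cloud-provider.  The script below models both sides: the cloud-provider checksums each object before encrypting it and copies the result onto the "disk", while the checksums and key material go into a separate structure standing in for the channel protected by the cloud-subscriber's credentials (that channel's own protection is not modelled); the cloud-subscriber then decrypts and validates, reporting corrupted objects (Failure Condition (3)) and missing checksums or key material (Failure Condition (4)) per object.  The JSON manifest format, SHA-256 as the checksum, and the toy HMAC-based stream cipher are assumptions of this example; a real export would use an authenticated cipher such as AES-GCM.

```python
import hashlib
import hmac
import json
import os

# Constructed sample objects on the cloud-provider side (not from the document).
PROVIDER_STORE = {
    "archive/2012/access.log": b"10.0.0.5 GET /index.html 200\n" * 40,
    "archive/2012/customers.csv": b"id,name\n1,alice\n2,bob\n",
}

NONCE_LEN = 16


class KeyMaterialLost(Exception):
    """Failure condition (4): encrypted disk arrived but no key material did."""


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def keystream_xor(key, nonce, data):
    """Toy stream cipher, used only so this example runs on the standard library.
    Keystream block i = HMAC-SHA256(key, nonce || i); XOR is its own inverse, so
    the same call encrypts and decrypts. It provides no authentication, which a
    real export cipher (e.g., AES-GCM) would."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def write_manifest(object_ids, encrypt):
    """Manifest the cloud-subscriber writes onto the disk (format assumed here)."""
    return json.dumps({"objects": list(object_ids), "encrypt": bool(encrypt)})


def provider_export(store, manifest_json, rng=os.urandom):
    """Cloud-provider side: checksum each object, optionally encrypt, copy to disk.

    Returns (disk, out_of_band). `disk` models the drive handed to the
    transport-agent; `out_of_band` models the checksums and key material
    sent on the separate, credential-protected channel.
    """
    manifest = json.loads(manifest_json)
    key = rng(32) if manifest["encrypt"] else None
    disk, checksums = {}, {}
    for oid in manifest["objects"]:
        data = store[oid]
        checksums[oid] = sha256(data)           # checksum over the plaintext
        if key is not None:
            nonce = rng(NONCE_LEN)              # fresh nonce per object
            data = nonce + keystream_xor(key, nonce, data)
        disk[oid] = data
    out_of_band = {
        "encrypted": key is not None,
        "key": key.hex() if key is not None else None,
        "checksums": checksums,
    }
    return disk, out_of_band


def subscriber_import(disk, out_of_band):
    """Cloud-subscriber side: decrypt if needed, then validate every checksum.

    Returns {"ok": {oid: plaintext}, "corrupted": [...], "missing_checksum": [...]}
    so that failure conditions (3) and (4) are reported per object rather
    than aborting the whole import. Raises KeyMaterialLost when the disk is
    encrypted but the key never arrived.
    """
    if out_of_band["encrypted"] and not out_of_band.get("key"):
        raise KeyMaterialLost("disk is encrypted but no key material was received")
    key = bytes.fromhex(out_of_band["key"]) if out_of_band["encrypted"] else None
    result = {"ok": {}, "corrupted": [], "missing_checksum": []}
    for oid, blob in disk.items():
        expected = out_of_band["checksums"].get(oid)
        if expected is None:
            result["missing_checksum"].append(oid)
            continue
        data = keystream_xor(key, blob[:NONCE_LEN], blob[NONCE_LEN:]) if key else blob
        if not hmac.compare_digest(sha256(data), expected):
            result["corrupted"].append(oid)
            continue
        result["ok"][oid] = data
    return result
```

Because the checksum is taken over the plaintext before encryption, the cloud-subscriber validates it after decryption, in the order the scenario gives; a key that was lost is therefore distinguishable from a disk that was damaged, since the former is caught before any checksum is compared.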

Requirements File:  NA

Credit: The idea of charging the owning cloud-subscriber or the requesting cloud-subscriber is from Amazon.  The idea of using a disk for bulk transfer is inspired by Amazon.