****WORKING DOCUMENT****
3.6 Erase Data Objects In a Cloud
Actors: unidentified-user, cloud-subscriber, cloud-provider.
Goals: Erase a data object on behalf of a cloud-subscriber or unidentified-user.
Assumptions: One or more data objects already exist in a cloud-provider's system. A request to erase a data object includes the unique identifiers of the objects to delete, date and time when the deletion should occur, and the means that the cloud-provider should employ to perform the deletion operation (e.g., simply returning the space for use by others, zero-filling the object prior to return, n-pass overwriting of the object with random data). There is no redundant data storage by cloud-provider or redundant copies are deleted together.
Success Scenario 1 (erase, IaaS, PaaS, SaaS): A cloud-subscriber (or unidentified-user if they have been granted access to a container/object) sends a delete-objects request to the cloud-provider's system. At the requested deletion time, the cloud-provider disables all new attempts to access the object. The cloud-provider continues to perform in-process data transfers for the object. When all current data transfers have completed or timed out, the cloud-provider performs the requested deletion operation on the media that stored the object, charges the cloud-subscriber for the service, and then sends back to the cloud-subscriber a time-stamped, signed message attesting to the steps that have been taken to delete the object within an agreed to period of time after deletion.
Failure Conditions: (1) the object is moved or renamed before the deletion operation is attempted (race condition); (2) cloud-provider erases an incorrect data object; (3) an unauthorized user accesses a cloud-provider's account management web page and impersonates the real cloud-subscriber and requests the data deletion which then occurs; (4) access to the object is disabled before date and time requested by cloud-subscriber; (5) cloud-provider fails to notify the cloud-subscriber that the object is erased; (6) erasure of the object is not performed completely or at all by cloud-provider.
Failure Handling: For (1) the cloud-provider should receive an error message from the attempted erasure and should retry; For (2) the cloud-subscriber should notify the cloud-provider and the cloud-provider should undo deletion on wrong data and perform deletion on the correct data object; For (3) the cloud-subscriber should notify the cloud-provider and the cloud-provider should undo the deletion; For (4) the cloud-subscriber must contact the cloud-provider to undo erasure; For (5) the cloud-subscriber must query the cloud-provider to ask if the deletion did occur – if not, the cloud-provider must retry the delete operation immediately; For (6) the cloud-subscriber must contact the cloud-provider and the cloud-provider must delete immediately or reattempt deletion.
Requirements File:
Credit: TBD