This page is no longer being updated and the information may be out of date.

3.6 Erase Data Objects in a Cloud

****WORKING DOCUMENT****

Actors:  unidentified-user, cloud-subscriber, cloud-provider.

Goals:  Erase a data object on behalf of a cloud-subscriber or unidentified-user.

Assumptions:  One or more data objects already exist in the cloud-provider's system.  A request to erase a data object includes the unique identifiers of the objects to delete, the date and time at which the deletion should occur, and the means the cloud-provider should employ to perform the deletion (e.g., simply returning the space for use by others, zero-filling the object before returning its space, or n-pass overwriting of the object with random data).  Either the cloud-provider keeps no redundant copies of the object, or all redundant copies are deleted together.

Success Scenario 1 (erase, IaaS, PaaS, SaaS):  A cloud-subscriber (or an unidentified-user who has been granted access to the container/object) sends a delete-objects request to the cloud-provider's system.  At the requested deletion time, the cloud-provider disables all new attempts to access the object but continues to perform in-process data transfers for it.  When all current data transfers have completed or timed out, the cloud-provider performs the requested deletion operation on the media that stored the object and charges the cloud-subscriber for the service.  Within an agreed-to period after the deletion, the cloud-provider sends the cloud-subscriber a time-stamped, signed message attesting to the steps that were taken to delete the object.

Failure Conditions:  (1) the object is moved or renamed before the deletion operation is attempted (race condition); (2) the cloud-provider erases an incorrect data object; (3) an unauthorized user accesses the cloud-provider's account management web page, impersonates the real cloud-subscriber, and requests the data deletion, which then occurs; (4) access to the object is disabled before the date and time requested by the cloud-subscriber; (5) the cloud-provider fails to notify the cloud-subscriber that the object has been erased; (6) the cloud-provider does not perform the erasure completely, or at all.

Failure Handling:  For (1), the cloud-provider should receive an error from the attempted erasure and should retry.  For (2), the cloud-subscriber should notify the cloud-provider, and the cloud-provider should undo the deletion of the wrong data and perform the deletion on the correct data object.  For (3), the cloud-subscriber should notify the cloud-provider, and the cloud-provider should undo the deletion.  For (4), the cloud-subscriber must contact the cloud-provider to undo the erasure.  For (5), the cloud-subscriber must query the cloud-provider to ask whether the deletion occurred; if it did not, the cloud-provider must retry the delete operation immediately.  For (6), the cloud-subscriber must contact the cloud-provider, and the cloud-provider must delete immediately or reattempt the deletion.  Note that undoing a deletion, as (2), (3) and (4) require, is possible only while the media has not yet been sanitized (for example, while the object is disabled but the operation is still pending, or while a recoverable copy exists); once an object has been zero-filled or overwritten, its data cannot be restored, so the authenticity of a delete request must be established before that point.
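The success scenario and the handling of failure conditions (1) and (4) can be exercised end to end in a small simulation.  The following Python is an added example and is not part of the NIST use case: it models a cloud-provider that accepts scheduled erase requests naming one of the three deletion means, refuses new access only once the requested time arrives, drains in-process transfers before sanitizing the media, and returns a time-stamped attestation of the steps taken.  An HMAC over the attestation stands in for the provider's signature (an assumption made so the example runs with the standard library alone; a real provider would sign with a private key so that the subscriber cannot forge receipts).  Object names, times and payloads are constructed.

```python
import hashlib
import hmac
import json
import secrets
from types import SimpleNamespace

METHODS = ("release", "zero_fill", "random_overwrite")  # the three means named in the use case

class CloudProvider:
    """Toy provider: an object store plus a queue of scheduled erase requests."""

    def __init__(self, signing_key):
        self._key = signing_key  # assumption: an HMAC key stands in for the provider's signing key
        self.objects = {}        # object id -> stored object (data, access_disabled, inflight_transfers)
        self.pending = {}        # object id -> erase request
        self.errors = []         # errors raised by attempted erasures

    def put(self, oid, data):
        self.objects[oid] = SimpleNamespace(data=bytearray(data), access_disabled=False, inflight_transfers=0)

    def begin_transfer(self, oid):
        """Start a data transfer; returns False once access is disabled pending erasure."""
        obj = self.objects[oid]
        if obj.access_disabled:
            return False
        obj.inflight_transfers += 1
        return True

    def end_transfer(self, oid):
        self.objects[oid].inflight_transfers -= 1

    def request_erase(self, oid, delete_at, method, passes=1):
        if oid not in self.objects:
            raise KeyError(oid)
        if method not in METHODS:
            raise ValueError(method)
        self.pending[oid] = {"delete_at": delete_at, "method": method, "passes": passes}

    def tick(self, now):
        """Advance the scheduler to `now`; return signed attestations for completed erasures."""
        receipts = []
        for oid, req in list(self.pending.items()):
            if now < req["delete_at"]:
                continue  # (4): access stays enabled until the requested date and time
            obj = self.objects.get(oid)
            if obj is None:
                # (1): object moved or renamed before erasure; log the error and retry next tick
                self.errors.append(f"{oid}: not found at erase time, will retry")
                continue
            obj.access_disabled = True  # refuse new access attempts from now on
            if obj.inflight_transfers > 0:
                continue  # in-process transfers finish first; revisit on the next tick
            digest = self._sanitize(obj, req["method"], req["passes"])
            del self.objects[oid], self.pending[oid]
            receipts.append(self._attest(oid, req, now, digest))
        return receipts

    def _sanitize(self, obj, method, passes):
        if method == "zero_fill":
            obj.data[:] = bytes(len(obj.data))
        elif method == "random_overwrite":
            for _ in range(passes):
                obj.data[:] = secrets.token_bytes(len(obj.data))
        # "release" only returns the space; the bytes are left in place
        return hashlib.sha256(obj.data).hexdigest()

    def _attest(self, oid, req, now, digest):
        payload = json.dumps({"object_id": oid, "method": req["method"], "passes": req["passes"],
                              "completed_at": now, "media_digest": digest}, sort_keys=True)
        sig = hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()
        return {"payload": payload, "sig": sig}

def verify_attestation(key, receipt):
    expected = hmac.new(key, receipt["payload"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, receipt["sig"])

def run_scenario():
    """Success Scenario 1 plus failure condition (1), on constructed sample objects."""
    key = secrets.token_bytes(32)
    cp = CloudProvider(key)
    cp.put("obj-1", b"constructed sample payload")
    cp.put("obj-2", b"second constructed object")
    cp.begin_transfer("obj-1")  # a download already in progress
    cp.request_erase("obj-1", delete_at=100, method="random_overwrite", passes=3)
    cp.request_erase("obj-2", delete_at=100, method="zero_fill")
    cp.objects["obj-2-renamed"] = cp.objects.pop("obj-2")  # (1): renamed before erase time
    out = {"early_receipts": cp.tick(now=50)}  # before delete_at: nothing happens
    out["access_ok_before_time"] = not cp.objects["obj-1"].access_disabled
    out["due_receipts"] = cp.tick(now=100)  # due: access disabled, transfer still draining
    out["new_access_refused"] = not cp.begin_transfer("obj-1")
    out["rename_error_logged"] = any(e.startswith("obj-2:") for e in cp.errors)
    out["rename_still_pending"] = "obj-2" in cp.pending
    cp.end_transfer("obj-1")  # the in-process transfer completes
    receipt = cp.tick(now=101)[0]
    out["object_gone"] = "obj-1" not in cp.objects and "obj-1" not in cp.pending
    out["receipt_valid"] = verify_attestation(key, receipt)
    forged = dict(receipt, payload=receipt["payload"].replace('"passes": 3', '"passes": 1'))
    out["forgery_detected"] = not verify_attestation(key, forged)
    return out
```

`run_scenario()` walks one object through the success path and a second through failure condition (1): the renamed object is reported as an error and its request stays pending for retry, as the failure handling above prescribes, while the first object is not disabled until its requested time, keeps serving its in-process transfer, and is overwritten only after that transfer ends.  The forgery check at the end shows why the attestation must be signed: a receipt that claims a different number of overwrite passes fails verification.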

Requirements File:

Credit: TBD

Created November 1, 2010, Updated August 12, 2025