CAPEC-546

Detailed Abstraction Level
Meta — Very abstract, high-level category
Standard — Specific enough to understand
Detailed — Tied to specific technique
Draft MITRE CAPEC Status
Stable — Fully reviewed and complete
Draft — Under development
Incomplete — Partially defined
Deprecated — No longer recommended
Obsolete — Replaced by another CAPEC
Likelihood: Low Severity: Medium
Incomplete Data Deletion in a Multi-Tenant Environment

Description

An adversary obtains unauthorized information due to insecure or incomplete data deletion in a multi-tenant environment. If a cloud provider fails to completely delete storage and data from former cloud tenants' systems/resources, once these resources are allocated to new, potentially malicious tenants, the latter can probe the provided resources for sensitive information still there.

Prerequisites

The cloud provider must not assuredly delete part or all of the sensitive data for which they are responsible.The adversary must have the ability to interact with the system.

Mitigations

Cloud providers should completely delete data to render it irrecoverable and inaccessible from any layer and component of infrastructure resources.

Deletion of data should be completed promptly when requested.

Skills Required

[Low] The adversary requires the ability to traverse directory structure.