I'm currently researching cloud storage solutions and I came across Ceph which looks quite interesting. I need it for a project where customers can store data that needs to be processed by a piece of software. Potentially that data contains sensitive information, which brings me to my actual question: if a customer or an automated system removes data from the Ceph cluster, do I have to take further steps to ensure a DoD compliant removal?
Assessing Department of Defence compliance without listing a standard or security level of the information leads to a lot of guess-work and assumptions on the answerers part.
The aforementioned being said, the definitive answer is yes, you will have to take additional steps to adhere to any applicable data erasure standards. Ceph does not provide any automated sanitizing processes to remove data from disks, however, the general practice for decommissioning disks that may have held sensitive information includes strict chain-of-custody, degaussing and destruction procedures. Typical government standards also call for verification of data sanitation and usually exclude the sanitizing system from performing the verification
Generally, overwrite procedures (such as the superseded DoD 5220.22-M standard) are no longer considered sufficient to mitigate possible recovery tactics, and only layered defences including the final destruction of the disk have been demonstrated to be effective.
Additionally, Ceph is generally not considered a "cloud storage solution" as it is not typically used on top of a cloud platform, but rather is used to provide distributed storage leveraged in some on-premise solution. Using Ceph on top of something like AWS's Elastic Block Storage or GCP's Persistent Disk is not advisable.