Towards a New Paradigm for Privacy and Security in Cloud Services

The market for cloud computing can be considered as the major growth area in ICT. However, big companies and public authorities are reluctant to entrust their most sensitive data to external parties for storage and processing. The reason for their hesitation is clear: There exist no satisfactory approaches to adequately protect the data during its lifetime in the cloud. The EU Project Prismacloud (Horizon 2020 programme; duration 2/2015-7/2018) addresses these challenges and yields a portfolio of novel technologies to build security enabled cloud services, guaranteeing the required security with the strongest notion possible, namely by means of cryptography. We present a new approach towards a next generation of security and privacy enabled services to be deployed in only partially trusted cloud infrastructures.

💡 Research Summary

The paper presents the EU Horizon 2020 project Prismacloud, which aims to overcome the fundamental trust problem that hampers the adoption of cloud services for highly sensitive data. Traditional security mechanisms—service‑level agreements, audits, or monitoring—are insufficient because they rely on the cloud provider being trustworthy and cannot protect against insider threats, legal compulsion, or sophisticated cyber‑attacks. Prismacloud’s vision is to embed the strongest possible security, based on cryptography, directly into cloud services, thereby achieving “security by design” even when the underlying infrastructure is only partially trusted.

The project’s core technical contributions are organized around six innovation pillars. First, it develops verifiable computing techniques that allow users to outsource computations to one or more untrusted processing units while efficiently proving the correctness of the results. This is achieved by combining general‑purpose zero‑knowledge proofs, homomorphic signatures, and more lightweight, class‑specific schemes such as redactable signatures. Second, it introduces cryptographic mechanisms for certifying the integrity of virtualized cloud infrastructures. By modeling the cloud topology as a graph and employing graph signatures together with a formal verification framework (VALID), Prismacloud can provide zero‑knowledge proofs of high‑level security properties such as tenant isolation without revealing any confidential configuration details.

Third, the project tackles user privacy through advanced attribute‑based anonymous credential (ABC) systems and group‑signature variants. Building on well‑known schemes like Idemix and U‑Prove, Prismacloud enhances their efficiency and integrates them into cloud service authentication, authorization, and privacy‑preserving billing, ensuring that users disclose only the minimal attributes required for a transaction. Fourth, it advances big‑data anonymization by designing scalable algorithms that approach optimal k‑anonymity while preserving data utility, addressing the NP‑hard nature of the problem with parallelizable heuristics.

Fifth, Prismacloud proposes a distributed multi‑cloud storage architecture that employs proactive secret sharing and dynamic data update techniques. Data is split across several providers, mitigating vendor lock‑in, improving availability, and maintaining long‑term privacy guarantees. Finally, the project complements these cryptographic advances with work on secure user interfaces, service composition, hardware‑software co‑design, security certification, and impact analysis from an end‑user perspective.

To validate the approach, three realistic use‑cases—smart city, e‑government, and e‑health—are fully implemented and evaluated, covering functional security, usability, legal compliance, and governance aspects. The results are intended to feed into European standards and to strengthen the EU’s digital agenda by removing a major barrier to cloud adoption in high‑security domains, fostering innovation, and enhancing the competitiveness of European industry and research.