Review of the Main Security Threats and Challenges in Free-Access Public Cloud Storage Servers

  • Alejandro Sanchez-Gomez
  • Jesus Diaz
  • Luis Hernandez-Encinas
  • David ArroyoEmail author


The twenty-first century belongs to the world of computing, specially as a result of the so-called cloud computing. This technology enables ubiquitous information management and thus people can access all their data from any place and at any time. In this landscape, the emergence of cloud storage has had an important role in the last 5 years. Nowadays, several free-access public cloud storage services make it possible for users to have a free backup of their assets and to manage and share them, representing a low-cost opportunity for Small and Medium Enterprises (SMEs). However, the adoption of cloud storage involves data outsourcing, so a user does not have the guarantee about the way her data will be processed and protected. Therefore, it seems necessary to endow public cloud storage with a set of means to protect users’ confidentiality and privacy, to assess data integrity and to guarantee a proper backup of information assets. Along this paper, we discuss the main challenges to achieve such a goal, underlining the set of functionalities already implemented in the most popular public cloud storage services.



This work was supported by Comunidad de Madrid (Spain) under the project S2013/ICE-3095-CM (CIBERDINE).


  1. 1.
    Abdalla, M., Fouque, P. A., & Pointcheval, D. (2005). Password-based authenticated key exchange in the three-party setting. In Public key cryptography-PKC 2005 (pp. 65–84). Berlin: Springer.CrossRefGoogle Scholar
  2. 2.
    Alphr. How secure are Dropbox, Microsoft OneDrive, Google Drive and Apple iCloud? [Online]. Available from: Accessed December 29, 2015.
  3. 3.
    Archer, D. W., Bogdanov, D., Pinkas, B., & Pullonen, P. (2015). Maturity and performance of programmable secure computation. Technical Report, IACR Cryptology ePrint Archive.Google Scholar
  4. 4.
    Armknecht, F., Bohli, J. M., Karame, G. O., & Youssef, F. (2015). Transparent data deduplication in the cloud. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (pp. 886–900). New York: ACM.Google Scholar
  5. 5.
    Arroyo, D., Diaz, J., & Gayoso, V. (2015). On the difficult tradeoff between security and privacy: Challenges for the management of digital identities (pp. 455–462). Cham: Springer International Publishing.Google Scholar
  6. 6.
    Arroyo, D., Diaz, J., & Rodriguez, F. B. (2015). Non-conventional digital signatures and their implementations - a review. In CISIS’15 (pp. 425–435). Berlin: SpringerGoogle Scholar
  7. 7.
    Bansal, C., Bhargavan, K., Delignat-Lavaud, A., & Maffeis, S. (2014). Discovering concrete attacks on website authorization by formal analysis. Journal of Computer Security, 22(4), 601–657.CrossRefzbMATHGoogle Scholar
  8. 8.
    Becker, G. (2008). Merkle signature schemes, Merkle trees and their cryptanalysis. Ruhr-Universität Bochum.Google Scholar
  9. 9.
    Bellare, M., Keelveedhi, S., & Ristenpart, T. (2013). Message-locked encryption and secure deduplication. In Annual International Conference on the Theory and Applications of Cryptographic Techniques (pp. 296–312). New York: Springer.Google Scholar
  10. 10.
    Best Backups. 7 cloud storage managers for multiple cloud storage services - Best [Online]. Available from: Accessed March 26, 2016.
  11. 11.
    Bogdanov, D., Laur, S., & Willemson, J. (2008). Sharemind: A framework for fast privacy-preserving computations. In Computer Security-ESORICS 2008 (pp. 192–206). New York: Springer.CrossRefGoogle Scholar
  12. 12.
    Bowers, K. D., van Dijk, M., Juels, A., Oprea, A., & Rivest, R. L. (2011). How to tell if your cloud files are vulnerable to drive crashes. In Proceedings of the 18th ACM Conference on Computer and Communications Security (pp. 501–514). New York: ACM.Google Scholar
  13. 13.
    Boyd, C. (2013). Cryptography in the cloud: Advances and challenges. Journal of Information and Communication Convergence Engineering 11(1), 17–23.CrossRefGoogle Scholar
  14. 14.
    Butler, B. Researchers steal secret RSA encryption keys in Amazon’s cloud [Online]. Available from: Accessed November 22, 2015.
  15. 15.
    Cavoukian, A., & Dixon, M. (2013). Privacy and security by design: An enterprise architecture approach. Ontario: Information and Privacy Commissioner.Google Scholar
  16. 16.
    Cryptosense. Cryptosense automated analysis for cryptographic systems [Online]. Available from: Accessed November 22, 2015.
  17. 17.
    Diaz, J., Arroyo, D., & Rodriguez, F. B. (2014). A formal methodology for integral security design and verification of network protocols. Journal of Systems and Software, 89, 87–98.CrossRefGoogle Scholar
  18. 18.
    Dmitrienko, A., Liebchen, C., Rossow, C., & Sadeghi, A. R. (2014). Security analysis of mobile two-factor authentication schemes. Intel®; Technology Journal, 18(4), 138–161.Google Scholar
  19. 19.
    Escobar, S., Meadows, C., & Meseguer, J. (2009). Maude-NPA: Cryptographic protocol analysis modulo equational properties. In Foundations of security analysis and design V (pp. 1–50). Berlin: Springer.Google Scholar
  20. 20.
    Escobar, S., Meadows, C., & Meseguer, J. (2012). The Maude-NRL protocol analyzer (Maude-NPA) [Online]. Available from: Accessed October 9, 2016.
  21. 21.
    European Commission. European Commission launches EU-U.S. Privacy shield: stronger protection for transatlantic data flows [Online]. Available from: Accessed September 12, 2016.
  22. 22.
    Fernandez, E. B., Monge, R., & Hashizume, K. (2015). Building a security reference architecture for cloud systems. Requirements Engineering, 21, 1–25.Google Scholar
  23. 23.
    Fett, D., Küsters, R., & Schmitz, G. (2016). A comprehensive formal security analysis of OAuth 2.0 (pp. 1–75).
  24. 24.
    Ford, W., & Kaliski, B. S., Jr. (2000). Server-assisted generation of a strong secret from a password. In IEEE 9th International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises, 2000. (WET ICE 2000). Proceedings (pp. 176–180).Google Scholar
  25. 25.
    González-Manzano, L., & Orfila, A. (2015). An efficient confidentiality-preserving proof of ownership for deduplication. Journal of Network and Computer Applications, 50, 49–59.CrossRefGoogle Scholar
  26. 26.
    Gordon, W. Two-factor authentication: The big list of everywhere you should enable it right now [Online]. Available from: Accessed December 31, 2015.
  27. 27.
    Grassi, P. A., Fenton, J. L., Newton, E. M., Perlner, R. A., Regenscheid, A. R., Burr, W. E., Richer, J. P., Lefkovitz, N. B., Choong, J. M. D. Y. Y., Mary, K. K. G., & Theofanos, F. (2016). Digital authentication guideline; authentication and lifecycle management. Technical Report Draft NIST SP 800-63B, National Institute of Standards and Technology.Google Scholar
  28. 28.
    Hankerson, D., Menezes, A. J., & Vanstone, S. (2004). Guide to elliptic curve cryptography. New York, NY: Springer.zbMATHGoogle Scholar
  29. 29.
    Happe, A. Git with transparent encryption [Online]. Available from: Accessed August 16, 2016.
  30. 30.
    Imperva. Man in the cloud attacks [Online] Accessed December 27, 2016.
  31. 31.
    Jansma, N., & Arrendondo, B. (2004). Performance comparison of elliptic curve and RSA digital signatures. Technical Report, University of Michigan College of Engineering (pp. 1–20).Google Scholar
  32. 32.
    Juels, A., & Kaliski, B. S., Jr. (2007). PORs: Proofs of retrievability for large files. In Proceedings of the 14th ACM Conference on Computer and Communications Security (pp. 584–597).Google Scholar
  33. 33.
    Kandias, M., Virvilis, N., & Gritzalis, D. (2011). The insider threat in cloud computing. In International Workshop on Critical Information Infrastructures Security (pp. 93–103). New York: Springer.Google Scholar
  34. 34.
    Karat, C. M., Brodie, C., & Karat, J. (2005). Usability design and evaluation for privacy and security solutions. In L. F. Cranor & S. Garfinkel (Eds.), Security and usability (pp. 47–74). O’Reilly Media, Inc.Google Scholar
  35. 35.
    Li, J., Chen, X., Xhafa, F., & Barolli, L. (2014). Secure deduplication storage systems with keyword search. In Proceedings of 2014 IEEE 28th International Conference on Advanced Information Networking and Applications (AINA’14) (pp. 971–977).Google Scholar
  36. 36.
    Li, W., & Mitchell, C. J. (2014). Security issues in OAuth 2.0 SSO implementations. In Information Security - 17th International Conference, ISC 2014, Proceedings, Hong Kong, China, October 12–14, 2014 (pp. 529–541).Google Scholar
  37. 37.
    Mainka, C., Mladenov, V., Feldmann, F., Krautwald, J., & Schwenk, J. (2014). Your software at my service: Security analysis of SaaS single sign-on solutions in the cloud. In Proceedings of the 6th Edition of the ACM Workshop on Cloud Computing Security (pp. 93–104). New York: ACM.Google Scholar
  38. 38.
    Meadows, C. (2015). Emerging issues and trends in formal methods in cryptographic protocol analysis: Twelve years later. In Logic, rewriting, and concurrency (pp. 475–492). New York: Springer.CrossRefGoogle Scholar
  39. 39.
    Pasquier, T., Singh, J., Bacon, J., & Eyers, D. (2016). Information flow audit for PaaS clouds. In International Conference on Cloud Engineering (IC2E). New York: IEEE.Google Scholar
  40. 40.
    Pulls, T., & Slamanig, D. (2015). On the feasibility of (practical) commercial anonymous cloud storage. Transactions on Data Privacy, 8(2), 89–111.Google Scholar
  41. 41.
    Puzio, P., Molva, R., Onen, M., & Loureiro, S. (2013). ClouDedup: secure deduplication with encrypted data for cloud storage. In Proceedings of 2013 IEEE 5th International Conference on Cloud Computing Technology and Science (CloudCom’13) (pp. 363–370).Google Scholar
  42. 42.
    Puzio, P., Molva, R. Önen, M., & Loureiro, S. (2016). PerfectDedup: Secure data deduplication. In J. Garcia-Alfaro, G. Navarro-Arribas, A. Aldini, F. Martinelli, N. Suri (Eds.), Data Privacy Management, and Security Assurance: 10th International Workshop, DPM 2015, and 4th International Workshop QASA 2015, Vienna, Austria, September 21–22, 2015 (pp. 150–166). Cham: Springer International Publishing. doi:10.1007/978-3-319-29883-2_10, ISBN:978-3-319-29883-2,
  43. 43.
    Rabotka, V., & Mannan, M. (2016). An evaluation of recent secure deduplication proposals. Journal of Information Security and Applications, 27, 3–18.CrossRefGoogle Scholar
  44. 44.
    Radke, K., Boyd, C., Nieto, J. G., & Bartlett, H. (2014). CHURNs: Freshness assurance for humans. The Computer Journal, 58, 2404–2425. p. bxu073.Google Scholar
  45. 45.
    Radke, K., Boyd, C., Nieto, J. G., & Brereton, M. (2011). Ceremony analysis: Strengths and weaknesses. In Future challenges in security and privacy for academia and industry (pp. 104–115). Berlin: Springer.CrossRefGoogle Scholar
  46. 46.
    Rahumed, A., Chen, H. C. H., Tang, Y., Lee, P. P. C., & Lui, J. C. S. (2011). A secure cloud backup system with assured deletion and version control. In Proceedings of the International Conference on Parallel Processing Workshops (pp. 160–167).Google Scholar
  47. 47.
    Ransome, J., & Misra, A. (2013). Core software security: Security at the source. Boca Raton: CRC Press.Google Scholar
  48. 48.
    Razavi, K., Gras, B., Bosman, E., Preneel, B., Giuffrida, C., & Bos, H. (2016). Flip Feng Shui: hammering a needle in the software stack. In Proceedings of the 25th USENIX Security Symposium.Google Scholar
  49. 49.
    Renaud, K., Volkamer, M., & Renkema-Padmos, A. (2014). Why doesn’t Jane protect her privacy? In Privacy enhancing technologies (pp. 244–262). New York: Springer.Google Scholar
  50. 50.
    Rifà-Pous, H., & Herrera-Joancomartí, J. (2011). Computational and energy costs of cryptographic algorithms on handheld devices. Future Internet, 3(1), 31–48.CrossRefGoogle Scholar
  51. 51.
    Rusbridger, A. (2013). The Snowden leaks and the public.Google Scholar
  52. 52.
    Ruvalcaba, C., & Langin, C. (2009). Four attacks on OAuth - How to secure your OAuth implementation. System, 1, 19. Scholar
  53. 53.
    Samarati, P., & di Vimercati, S. (2016). Cloud security: Issues and concerns. In Encyclopedia on cloud computing. New York: Wiley.Google Scholar
  54. 54.
    Shirey, R. G., Hopkinson, K. M., Stewart, K. E., Hodson, D. D., & Borghetti, B. J. (2015). Analysis of implementations to secure Git for use as an encrypted distributed version control system. In 2015 48th Hawaii International Conference on System Sciences (HICSS) (pp. 5310–5319). New York: IEEE.CrossRefGoogle Scholar
  55. 55.
    Shostack, A. (2014). Threat modeling: Designing for security. New York: Wiley.Google Scholar
  56. 56.
    Srinivasan, S. (2014). Security, trust, and regulatory aspects of cloud computing in business environments. In IGI Global.Google Scholar
  57. 57.
    Strandburg, K. (2014). Monitoring, datafication and consent: Legal approaches to privacy in a big data context. In J. Lane, V. Stodden, S. Bender, & H. Nissenbaum (Eds.), Privacy, big data, and the public good: Frameworks for engagement. Cambridge: Cambridge University Press.Google Scholar
  58. 58.
    Torres-Arias, S., Ammula, A. K., Curtmola, R., & Cappos, J. (2016) On omitting commits and committing omissions: Preventing Git metadata tampering that (re)introduces software vulnerabilities. In 25th USENIX Security Symposium, USENIX Security 16, Austin, TX, USA, August 10–12, 2016 (pp. 379–395).Google Scholar
  59. 59.
    Tysowski, P. K. (2013). Highly scalable and secure mobile applications in cloud computing systems. Ph.D. thesis, University of Waterloo.Google Scholar
  60. 60.
    Whitten, A., & Tygar, J. D. (1999). Why Johnny can’t encrypt: A usability evaluation of PGP 5.0. In Usenix Security (Vol. 1999).Google Scholar
  61. 61.
    Wilcox-O’Hearn, Z. (2008). Drew Perttula and attacks on convergent encryption [Online]. Available from: Accessed December 9, 2016.
  62. 62.
    Wu, T. D., et al. (1998). The secure remote password protocol. In NDSS (Vol. 98, pp. 97–111).Google Scholar
  63. 63.
    Xue, K., & Hong, P. (2014). A dynamic secure group sharing framework in public cloud computing. IEEE Transactions on Cloud Computing, 2(4), 459–470.CrossRefGoogle Scholar
  64. 64.
    Yang, G., Yu, J., Shen, W., Su, Q., Fu, Z., & Hao, R. (2016). Enabling public auditing for shared data in cloud storage supporting identity privacy and traceability. Journal of Systems and Software, 113, 130–139.CrossRefGoogle Scholar
  65. 65.
    Yeo, H. S., Phang, X. S., Lee, H. J., & Lim, H. (2014). Leveraging client-side storage techniques for enhanced use of multiple consumer cloud storage services on resource-constrained mobile devices. Journal of Network and Computer Applications, 43, 142–156.CrossRefGoogle Scholar

Copyright information

© Springer International Publishing AG 2018

Authors and Affiliations

  • Alejandro Sanchez-Gomez
    • 1
  • Jesus Diaz
    • 2
  • Luis Hernandez-Encinas
    • 3
  • David Arroyo
    • 1
    Email author
  1. 1.Departamento de Ingeniería Informática, Escuela Politécnica SuperiorUniversidad Autónoma de MadridMadridSpain
  2. 2.BEEVAMadridSpain
  3. 3.Institute of Physical and Information Technologies (ITEFI)Spanish National Research Council (CSIC)MadridSpain

Personalised recommendations