Please wait a minute...
Tsinghua Science and Technology  2019, Vol. 24 Issue (06): 738-749    doi: 10.26599/TST.2018.9010127
Cloud Storage Security Assessment Through Equilibrium Analysis
Yuzhao Wu, Yongqiang Lyu, Yuanchun Shi*
∙ Yuzhao Wu are with the Institute for Interdisciplinary Information Sciences, Tsinghua University, Beijing 100084, China. E-mail:
∙ Yongqiang Lyu are with the Research Institute of Information Technology & TNList, Tsinghua University, Beijing 100084, China. E-mail:
∙ Yuanchun Shi are with the State Key Laboratory of Intelligent Technology and Systems, Tsinghua University, Beijing 100084, China.
Download: PDF (1314 KB)      HTML
Export: BibTeX | EndNote (RIS)      


With ever greater amounts of data stored in cloud servers, data security and privacy issues have become increasingly important. Public cloud storage providers are semi-trustworthy because they may not have adequate security mechanisms to protect user data from being stolen or misused. Therefore, it is crucial for cloud users to evaluate the security of cloud storage providers. However, existing security assessment methods mainly focus on external security risks without considering the trustworthiness of cloud providers. In addition, the widely used third-party mediators are assumed to be trusted and we are not aware of any work that considers the security of these mediators. This study fills these gaps by assessing the security of public cloud storage providers and third-party mediators through equilibrium analysis. More specifically, we conduct evaluations on a series of game models between public cloud storage providers and users to thoroughly analyze the security of different service scenarios. Using our proposed security assessment, users can determine the risk of whether their privacy data is likely to be hacked by the cloud service providers; the cloud service providers can also decide on strategies to make their services more trustworthy. An experimental study of 32 users verified our method and indicated its potential for real service improvement.

Key wordscloud storage security      security assessment      equilibrium analysis     
Received: 05 July 2018      Published: 20 June 2019
Corresponding Authors: Yuanchun Shi   
About author:

Yuanchun Shi received the BS, MS, and PhD degrees in computer science from Tsinghua University, Beijing, China in 1989, 1993, and 1999, respectively. She is a Changjiang Distinguished Professor with the Department of Computer Science, Tsinghua University. She was a Senior Visiting Scholar with MIT AI Lab during 2001-2002. She has authored and co-authored more than one hundred papers in International Journal of Human-Computer Studies, IEEE Transactions on Parallel and Distributed Systems, IEEE Transactions on Knowledge and Data Engineering, ACM Transactions on Computer-Human Interaction, ACM Multimedia, ACM User Interface Software and Technology, etc. Her research interests include human-computer interaction, pervasive computing, and multimedia communication. Dr. Shi had chaired several conferences including ACM Ubicomp2011. She serves as the Area Editor of Pervasive and Mobile Computing (Elsevier), an editor of the Interacting With Computer (Oxford University Press), and the Vice Editor-in-Chief of the Communications of China Computer Federation.

Cite this article:

Yuzhao Wu, Yongqiang Lyu, Yuanchun Shi. Cloud Storage Security Assessment Through Equilibrium Analysis. Tsinghua Science and Technology, 2019, 24(06): 738-749.

URL:     OR

Fig. 1 A cloud security risk assessment framework from Ref. [1].
Do not steal users’ dataSteal user’s data
Use the cloud(Bi,Bc)(Bi,Bc)
Do not use the cloud(0, 0)(0, 0)
Table 1 Standard form of the game between user and cloud.
Fig. 2 Third-party security service platform framework.
Fig. 3 Respondents’ selection for their data value in cloud storage classified by their identity.
Fig. 4 Respondents’ thoughts on cloud providers obtaining their data classified by their selection on data value.
Fig. 5 Did respondents upload private or confidential data in cloud storage?
Fig. 6 Respondents’ selection on third-party secure service classified by their selection on data value.
[1]   Reed A., Rezek C., Simmonds P., eds., Security guidance for critical areas of focus in cloud computing v3.0, , 2011.
[2]   Cuschieri D., Cloud encryption and key management considerations, Tech. report, RHUL–MA–2014–9, University of London, Royal Holloway, UK, 2014.
[3]   International Organization for Standardization, ISO 31000, Risk Management: Principles and Guidelines. 2009.
[4]   Fitó J. O., Mácias M., and Guitart J., Toward business driven risk management for cloud computing, in 2010 International Conference on Network and Service Management (CNSM), 2010, pp. 238-241.
[5]   Furuncu E. and Sogukpinar I., Scalable risk assessment method for cloud computing using game theory (CCRAM), Computer Standards & Interfaces, vol. 38, pp. 44-50, 2015.
[6]   Wazir U., Khan F. G., Shah S., Service level agreement in cloud computing: A survey, International Journal of Computer Science and Information Security, vol. 14, no. 6, p. 324, 2016.
[7]   Li J., Li J.W., and Chen X. F., Identity-based encryption with outsourced revocation in cloud computing, IEEE Transactions on Computers, vol. 64, no. 2, pp. 425-437, 2015.
[8]   Yi X., Rao F. Y., and Bertino E., Privacy-preserving association rule mining in cloud computing, in Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security, 2015, pp. 439-450.
[9]   Yong Y., Au M. H., and Ateniese G., Identity-based remote data integrity checking with perfect data privacy preserving for cloud storage, IEEE Transactions on Information Forensics and Security, vol. 12, no. 4, pp. 767-778, 2017.
[10]   Narwal P., Kumar D., and Sharma M., A review of game-theoretic approaches for secure virtual machine resource allocation in cloud, in Proceedings of the Second International Conference on Information and Communication Technology for Competitive Strategies, 2016.
[11]   Manshaei M. H., Zhu Q. Y., and Alpcan T., Game theory meets network security and privacy, ACM Computing Surveys (CSUR), vol. 45, no. 3, p. 25, 2013.
[12]   Anderson R. and Moore T., The economics of information security, Science, vol. 314, no. 5799, pp. 610-613, 2006.
[13]   Camp L. J. and Lewis S., eds., Economics of Information Security. New York, NY, USA: Kluwer, 2006.
[14]   B?hme R. and Schwartz G., Modeling cyber-insurance: Towards a unifying framework, presented at Workshop on the Economics of Information Security (WEIS), Cambridge, MI, USA, 2010.
[15]   Grossklags J., Christin N., and Chuang J., Secure or insure?: A game-theoretic analysis of information security games, in Proceedings of the 17th International Conference on World Wide Web, 2008, pp. 209-218.
[16]   Grosslags J. and Johnson B., Uncertainty in the weakestlink security game, in Game Theory for Networks, 2009. GameNets’ 09. International Conference on, 2009, pp. 673-682.
[17]   Lou J. and Vorobeychik Y., Equilibrium analysis of multi-defender security games, in Proceedings of the Twenty-Fourth International Joint Conference on Artifical Intelligence (IJCAI), 2015, pp. 596-602.
[18]   Ardagna D., Panicucci B., and Passacantando M., A game theoretic formulation of the service provisioning problem in cloud systems, in Proceedings of the 20th International Conference on World Wide Web, 2011, pp. 177-186.
[19]   Bertino E. and Ferrari E., Secure and selective dissemination of XML documents, ACM Transactions on Information and System Security (TISSEC), vol. 5, no. 3, pp. 290-331, 2002.
[20]   Gerome M. and Dan S., Controlling access to published data using cryptography, in Proceedings of the 29th International Conference on Very Large Data-bases, 2003, pp. 898-909.
[21]   Di Vimercati S. D., De Capitani S., and Foresti S., Overencryption: Management of access control evolution on outsourced data, in Proceedings of the 33rd International Conference on Very Large Data-bases, 2007, pp. 123-134.
[22]   Goyal V., Pandey O., and Sahai A., Attribute-based encryption for fine-grained access control of encrypted data, in Proceedings of the 13th ACM Conference on Computer and Communications Security, 2006, pp. 89-98.
[23]   Shamir A., Identity-based cryptosystems and signature schemes, in Workshop on the Theory and Application of Cryptographic Techniques, 1984, pp. 47-53.
[24]   Wang G. J., Liu Q., and Wu J., Hierarchical attribute-based encryption for fine-grained access control in cloud storage services, in Proceedings of the 17th ACM Conference on Computer and Communications Security, 2010, pp. 735-737.
[25]   Nabeel M., Shang N., Zage J., and Bertino E., Mask: A system for privacy-preserving policy-based access to published content, in Proceedings of the 2010 ACM SIGMOD International Conference on Management of Data, 2010, pp. 1239-1242.
[26]   Nabeel M., Shang N., and Bertino E., Privacy preserving policy-based content sharing in public clouds, IEEE Transactions on Knowledge and Data Engineering, vol. 25, no. 11, pp. 2602-2614, 2013.
[27]   Nabeel M. and Bertino E., Privacy preserving delegated access control in public clouds, IEEE Transactions on Knowledge and Data Engineering, vol. 26, no. 9, pp. 2268-2280, 2014.
[28]   Sharma N. K. and Joshi A., Representing attribute based access control policies in owl, in 2016 IEEE Tenth International Conference on Semantic Computing(ICSC), 2016, pp. 333-336.
[29]   Sangroya A., Kumar S., Dhok J., and Varma V., Towards analyzing data security risks in cloud computing environments, in International Conference on Information Systems, Technology and Management, 2010, pp. 255-265.
[30]   Kaliski Jr B. S. and Pauley W., Toward Risk assessment as a service in cloud environments, in HotCloud’10 Proceedings of the 2nd USENIX Conference on Hot Topics in Cloud Computing, 2010, p. 13.
[31]   Theharidou M., Tsalis N., and gritzalis D., In cloud we trust: Risk-assessment-as-a-service, in IFIP International Conference on Trust Management, 2013, pp. 100-110.
[32]   Drissi S., Houmani H., and Medromi H., Survey: Risk assessment for cloud computing, International Journal of Advanced Computer Science and Applications, vol. 412, 2013.
[33]   Ismail Z., Kiennert C., Leneutre J., and Chen L., Auditing a cloud provider’s compliance with data backup requirements: A game theoretical analysis, IEEE Transactions on Information Forensics and Security, vol. 11, no. 8, pp. 1685-1699, 2016.
No related articles found!