Cloud Computing includes established technologies that potentially reduce costs and increase flexibility. An important part of the cloud is the provisioning of infrastructure (Infrastructure-as-a-Service (IaaS)), in particular for storing large amounts of data. However, this is bedeviled by various risks such as unauthorized access to storage resources or dependence on specific service providers. These issues can be mitigated by software systems. 

Current State

The initial CloudRAID prototype has been successfully developed and handed over to the Bundesdruckerei, our project partner.  Bundesdruckerei has developed a commercial, enterprise solution called BDrive based on our prototype. The concepts remain largely the same, however several advanced features are included in BDrive. We are still actively researching on the approaches for improving the CloudRAID concepts based on feedback from the customers and contemporary trends.


Core requirements for reliable cloud storage include security, integrity and availability, these attributes are imperative for transparent and unhindered access to cloud storage resources. CloudRAID is a system developed at the HPI, it provides the above mentioned features and enhances the overall security of cloud storage.

Reference Architecture

The CloudRAID adopts an architecture consisting of a central server and several client applications for desktop PCs, mobile devices and web browsers. The server manages user authentication and the security of metadata in a manner that prevents service providers from intruding into users private information.


Application of RAID concepts to cloud storage

File upload to cloud storage follows three steps: 

  • File is encrypted with symmetric encryption,  the cryptographic hash value is used as the key.
  • A RAID algorithm is applied on the file in order to calculate the parity chunks, which are seperated from the data chunks.
  • The resulting chunks are thereafter distributed to different cloud storage repositories.



File recovery is the reverse of the uploading procedure:

  • A subset of the parity chunks as configured in the original RAID algorithm is required to reconstruct the initial data. This has to be downloaded alongside the available data chunks.
  • The reverse of the RAID algorithm is applied to recover the data, which is still encrypted.
  • The recovered file is then decrypted, note that the symmetric key used for decryption is only known to the user.





Data Security

Each storage vendor is in possession of only a fragment of a file owing to the capacity of the RAID algorithm to seperate a file into multiple chunks, which can be easily reconstructed from a subset of these chunks. Accordingly, an attacker wishing to acquire a file stored in the cloud will have the challenge of getting all the chunks. Moreso, since all chunks are encrypted, there is an additional requirement of obtaining corresponding symmetric keys before successfully accessing data.

Data Availability

Current providers cannot assure users of constant availability of files in their possession. The CloudRAID overcomes this challenge by storing individual chunks at seperate cloud storage repositories thereby defying sole reliance on specific providers. The system also provides users the flexibility of configuring several parameters such as low costs, high bandwidth speed and performance. These factors can be combined to various ways to suit client requirements.


Threat Detection and Security Analytics

Consuming cloud services often enlarges a system's attack surface and introduces loss of control . Therefore, threat detection and security analytics capabilities are implemented to detect security threats and anomalies in CloudRAID's cloud resources. Similarly, intelligent systems are deployed to monitor and detect user-centric threats. These capabilities provide security visibility into the overall systems and narrow the gap between on-premise systems and cloud based infrastructure. Details of the described techniques are available on this page.

Advanced Access Control Mechanisms 

 Access control is also another challenge that needs to be solved by cloud storage services to ensure that only the authorized users can access the files stored in the cloud. We leverage attribute-based encryption to provide fine grained access control in enterprise environments, while ensuring scalable key management and scalability. Other additional features are location-based access control and multi-cloud resource management. Please take a look here for detailed information.



  • Prof. Dr. Christoph Meinel (Project Manager)
  • Philipp Berger
  • Kennedy Torkura
  • Hendrik Graupner
  • Muhammad Sukmana 

Project Partner