Cloud services have flourished in recent years and have greatly changed how people use the Internet. Many software vendors draw on the resources the cloud provides to deliver better service quality and content to their users. Among the many kinds of application services, data query functions often hold an important place. However, if no particular privacy-protection measures are taken during a query, users in most cases do not realize that the content of their queries has already disclosed private information to the service provider or to interested parties: what the user is concerned about, important personal data, the contents of important files. If someone with intent obtains such information, they may use it to act against the user in unexpected or even unlawful ways. Protecting user privacy and running query-based search functions in the cloud therefore seem, in purpose and in requirements, somewhat at odds.
From the user's point of view, query scenarios fall mainly into two kinds. In the first, the data set being queried is readable by the service provider, as a search engine's crawled data is to the search engine; in the second, it is not directly readable, as a user's data stored in encrypted form is to a cloud storage service. To protect user privacy in the former case, the query must be hidden and the query results must not easily reveal what the user asked for; in the latter case, besides protecting the query, the user must also supply an index structure that the cloud service provider can search and maintain.
For the first scenario, our research proposes a framework for building cloud-based security services with user privacy protection. When an end-user device has limited resources, the security vendor provides basic security analysis on the device and, in addition, uses a query-based approach to bring in the continually improving intelligence held by the cloud security service, helping the user defend effectively against network attacks. With the cloud's abundant hardware resources and the vendor's expert analysis, cloud-based security services can offer more complete protection than traditional host-based security monitoring. The framework covers an architecture for building cloud services and includes a private signature filtering technique for protecting user privacy. The security monitoring signatures held by the framework can be matched against queries from end-user devices that are composed of keywords and numeric value ranges. Within the framework, a trusted cloud middle layer can also perform part of the security monitoring computation the end-user device needs, reducing the device's resource consumption. We implemented prototype systems for cloud-based network intrusion detection and cloud-based malicious URL detection to confirm the effectiveness of the framework. The experimental results show that, in a realistic cloud security service deployment, the framework does ensure user privacy with acceptable performance.
On the other hand, the convenience and data durability that cloud storage services offer the general public have made them ever more popular. Users need only place their data in the space provided by a cloud storage provider to access it from any device, at any time and place, over the Internet. From a data security standpoint, personal data kept in the cloud must be encrypted to keep sensitive data from leaking to untrusted third parties. Yet as the amount of data kept in the cloud grows, quickly and securely finding where one's encrypted data is stored becomes very difficult.
For the second scenario, we therefore take cloud storage services as the example and propose a framework that supports search over encrypted content, letting users quickly and securely locate data stored in their cloud space. At the core of the framework is a novel index structure, the bloom filter encrypted search tree (BFEST), which supports phrase keyword search. Because encryption is performed on the client side and the cloud service provider does not know the actual keys, both the retrieved data and the search content are effectively protected. To confirm that the research results meet expectations, we implemented a prototype of the design on the hicloud S3 cloud storage service. The experimental results show that this framework, likewise with acceptable performance, provides privacy-preserving query capability over encrypted data stored in the cloud.
Cloud services have become popular in recent years and have profoundly changed how people use the Internet. Many software vendors also use cloud resources to deliver better services to their users. In most cloud services the data query mechanism plays an important role. During a query, however, what the user is interested in, or even the user's private data, is exposed to inspection, and it should not be disclosed to an untrusted entity such as the cloud service provider. Preserving end-user privacy while letting the query mechanism run in the cloud therefore seem to be contradictory goals.
From the user's point of view there are two kinds of query scenario. In the first, the service provider holds a dataset it can read, as a search engine holds its crawled data. In the second, the service provider holds user data that is encrypted. To protect user privacy in the former scenario, both the query and its result must be hidden from the provider. In the latter, because the provider cannot read the user's data, the user must supply a secure index structure that the provider can search.
For the first scenario we present a framework for building privacy-preserving cloud-based security services. For resource-constrained end-user devices, security vendors not only provide fundamental security-analysis functions on the device but also integrate cloud-based security services, whose security intelligence is continually improved, to help protect against attacks. With abundant hardware and strong support from security professionals, cloud-based security services can provide better protection than traditional host-based solutions. The framework consists of an architecture for building cloud-based security services and a technique, called private signature filtering, for preserving end-user privacy. It supports security monitoring signatures that are matched against end-user device queries expressed as conjunctions of keywords and numeric value ranges.
The framework also allows a trusted middle layer to perform part of the security monitoring computation on behalf of the end-user device, reducing the computational load on the device. We implemented prototype systems for a cloud-based network intrusion detection service and a cloud-based malicious URL detection service to verify the effectiveness of the design. The experimental results show that the framework ensures end-user privacy with acceptable performance overhead in a practical cloud-based security service setting.
On the other hand, with the growing popularity of cloud storage services (CSS), users can simply store their data in the cloud provided by a CSS and access it from any device over the Internet, anytime and anywhere. For security, the accumulation of private data in the cloud requires encryption to prevent leakage of sensitive information to untrusted third parties. As the amount of data kept in cloud storage grows, however, encryption makes it difficult or even impossible to locate the data of interest efficiently and securely. For the second scenario we therefore also present a framework that lets a CSS support queries in encrypted form, so that data in cloud storage can be located efficiently and securely. At the core of the framework is a novel indexing structure, the bloom filter encrypted search tree (BFEST), which supports queries in the form of phrase keywords. Client-side encryption under secret keys unknown to the cloud service provider protects both the queries and the retrieved data. We implemented a prototype by extending the hicloud S3 CSS with the proposed framework. The experimental results indicate that the framework ensures query privacy for encrypted data with acceptable performance overhead in a practical setting.
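As an added illustration of the second scenario (example code written for this page, not the thesis's BFEST, whose internal design the abstract does not describe), the following Python block shows the general mechanism such an index rests on: a per-document Bloom filter built over keyed tokens. The client derives tokens with a secret key, uploads only the filters, and later sends trapdoors for a phrase; the server tests the trapdoors against the filters without being able to invert them. The token derivation (HMAC-SHA256), the encoding of phrases as adjacent word pairs, the filter parameters, the key and the sample documents are all assumptions chosen for the example; the tree organisation of the thesis's structure is not shown.

```python
"""Keyed Bloom-filter index for phrase search over client-encrypted documents.
Added illustration only: NOT the thesis's BFEST. Token derivation, the
word-pair phrase encoding, filter parameters, key and documents are assumptions.
"""
import hashlib
import hmac
import re
from typing import Dict, Iterable, List, Set

FILTER_BITS = 4096  # bits per document filter (assumption)
NUM_HASHES = 7      # bit positions set per token (assumption)


def tokenize(text: str) -> List[str]:
    """Lower-case word split; word order is kept for phrase units."""
    return re.findall(r"[a-z0-9]+", text.lower())


def phrase_units(words: List[str]) -> Set[str]:
    """Index every word and every adjacent word pair, so a multi-word phrase
    can later be tested as its chain of adjacent pairs."""
    units = set(words)
    units.update(f"{a} {b}" for a, b in zip(words, words[1:]))
    return units


def trapdoor(key: bytes, unit: str) -> bytes:
    """Keyed token: without `key` the server cannot map it back to a word."""
    return hmac.new(key, unit.encode(), hashlib.sha256).digest()


class BloomFilter:
    def __init__(self, nbits: int = FILTER_BITS, k: int = NUM_HASHES):
        self.nbits, self.k = nbits, k
        self.bits = bytearray((nbits + 7) // 8)

    def _positions(self, token: bytes) -> Iterable[int]:
        # The token is already keyed, so deriving positions with plain
        # SHA-256 leaks nothing beyond the token itself.
        for i in range(self.k):
            digest = hashlib.sha256(bytes([i]) + token).digest()
            yield int.from_bytes(digest[:8], "big") % self.nbits

    def add(self, token: bytes) -> None:
        for p in self._positions(token):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, token: bytes) -> bool:
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(token))


# ---- client side: holds the key, builds filters, derives query trapdoors ----
def build_index(key: bytes, docs: Dict[str, str]) -> Dict[str, BloomFilter]:
    """One filter per document; only the filters (plus ciphertexts, not
    shown) are uploaded to the server."""
    index: Dict[str, BloomFilter] = {}
    for doc_id, text in docs.items():
        bf = BloomFilter()
        for unit in phrase_units(tokenize(text)):
            bf.add(trapdoor(key, unit))
        index[doc_id] = bf
    return index


def query_trapdoors(key: bytes, phrase: str) -> List[bytes]:
    """One word -> one token; a longer phrase -> tokens of its adjacent word
    pairs, all of which must be present for a document to match."""
    words = tokenize(phrase)
    if len(words) <= 1:
        return [trapdoor(key, w) for w in words]
    return [trapdoor(key, f"{a} {b}") for a, b in zip(words, words[1:])]


# ---- server side: holds the index, never the key ---------------------------
def server_search(index: Dict[str, BloomFilter], trapdoors: List[bytes]) -> List[str]:
    """Ids of documents whose filter contains every trapdoor. Bloom filters
    can give false positives, so the client re-checks hits after decryption."""
    if not trapdoors:  # an empty query must not match everything
        return []
    return sorted(doc_id for doc_id, bf in index.items()
                  if all(t in bf for t in trapdoors))


# Constructed sample data, not taken from the thesis.
SAMPLE_KEY = b"client-secret-never-sent-to-the-server"
SAMPLE_DOCS = {
    "doc1": "Quarterly report on intrusion detection in the cloud",
    "doc2": "Detection of malicious URL campaigns",
    "doc3": "Recipe collection: cloud bread and other snacks",
}


def demo(phrase: str, key: bytes = SAMPLE_KEY) -> List[str]:
    """Index SAMPLE_DOCS under SAMPLE_KEY, then search with trapdoors under `key`."""
    index = build_index(SAMPLE_KEY, SAMPLE_DOCS)
    return server_search(index, query_trapdoors(key, phrase))


if __name__ == "__main__":
    print(demo("intrusion detection"))      # ['doc1']
    print(demo("cloud detection"))          # []  words present, phrase absent
    print(demo("detection", key=b"wrong"))  # []  wrong key yields no hits
```

Two caveats a deployment has to handle that the example only hints at. First, Bloom filters have no false negatives but do have false positives, so the server's answer is a candidate list and the client must filter it after decryption; the filter size and hash count set the false-positive rate. Second, the server still learns which filters matched which trapdoors over time (access and search patterns), so query privacy here is against a provider that cannot read words, not against one that correlates repeated queries.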