JIS Vol.11 No.4, October 2020
A Cloud Computing Security Assessment Framework for Small and Medium Enterprises
Abstract: Cloud computing plays a very important role in business development and competitive edge for many organisations, including SMEs (Small and Medium Enterprises). Every cloud user continues to expect maximum service, and a critical aspect of this is cloud security, which is one of the specific challenges hindering adoption of cloud technologies. The absence of appropriate, standardised and self-assessing cloud security frameworks for SMEs is a persistent problem in developing countries and can expose the cloud computing model to major security risks that threaten its potential success within the country. This research presents a security framework for assessing security in the cloud environment based on the Goal Question Metrics methodology. The developed framework produces a security index that describes the security level accomplished by an evaluated cloud computing environment, thereby providing the first line of defence. The research concludes with an eight-step framework that SMEs could employ to assess information security in the cloud. The most important feature of the developed security framework is a mechanism that gives SMEs a path of improvement, along with an understanding of the current security level and a definition of the desired state in terms of security metric value.
Cite this paper: Rupra, S. and Omamo, A. (2020) A Cloud Computing Security Assessment Framework for Small and Medium Enterprises. Journal of Information Security, 11, 201-224. doi: 10.4236/jis.2020.114014.
