
Security & Privacy Architecture as a Service for Small and Medium Enterprises

Nilaykumar Kiran Sangani
IT Security Analyst, M.E. (Software Systems)
Abu Dhabi Company for Onshore Oil Operations (ADCO),
BITS Pilani, Dubai Campus
Abu Dhabi, U.A.E.
sanganinilay@hotmail.com

Tejas Vithani
M.E. (Software Systems)
BITS Pilani, Dubai Campus
Dubai, U.A.E.
tejas.vithani@gmail.com

Velmurugan P
Assistant Manager Network & Communications
Sharjah Islamic Bank
Sharjah, U.A.E.
pvels@emirates.net.ae

M Madiajagan
Assistant Professor
BITS Pilani, Dubai Campus
Dubai, U.A.E.
jagan@bits-dubai.ac.ae

Abstract- This paper focuses on Security and Privacy for Small and Medium Enterprises pertaining to their dependency on small clouds to carry out their business activities. They lack the knowledge pertaining to the security to be applied to safeguard their data and services due to a lack of in-house expert technical resources and security architects, or smaller budgets to carry out the vulnerability study for them and to safeguard their data. Customers can rely on the services offered by the SMEs only if the hired services are secured. SMEs should have a proper understanding of the threats pertaining to the security aspect of the Software as a Service which they undertake. They should be able to investigate and assess the risk involved in showcasing their services on a cloud via the internet. The aim of this paper is to design a framework that brings out a Security & Privacy Architecture as a service for SMEs (SPAaaS) pertaining to Web Applications which can be offered by various security vendors. SPAaaS will assist the SMEs to evaluate the security requirements pertaining to hosting their data and services on cloud.

Keywords- Cloud Computing, Small and Medium Enterprises, Cloud Security, Cyber Security Threats

Acronyms:
SME - Small and Medium Enterprises
SPAaaS - Security & Privacy Architecture as a service for SMEs
IT - Information Technology
ROI - Return on Investment
IaaS - Infrastructure as a Service
SaaS - Software as a Service
DDOS - Distributed Denial-of-service

I. INTRODUCTION

A lot of detailed attention has been given to Cloud Computing technology over the past few years. Small and Medium Enterprises adopt the Internet as one of the primary methods to showcase their products and services, increase the company's business profit, save costs and raise their operational efficiency. SMEs depend on information technology investments which assist them to enhance and grow their business [1]. A large amount of capital has been invested in IT infrastructure and software by hiring professionals in-house or on a contract basis to maintain continuity in their business, though they end up spending a huge amount without any significant profit in return [1]. With Cloud Computing they can have their own IT setup as IaaS or SaaS by paying just for their usage, which can help them to save a huge amount of the organization's capital, in turn benefiting the organization economically by eradicating CAPEX and making way for OPEX. For SMEs, customer satisfaction together with a rise in profits is the primary component of their success, and cloud computing offers such solutions through its SaaS model. The ROI pertaining to cloud computing is much higher than that of implementing new infrastructure and software for different IT business use cases. By having cloud computing within a SME, they can remove their dependency on having their own IT Department [2].

SMEs either deploy or hire vendors who provide SaaS for various web applications onto the cloud for services such as CRM, Social Media, Mobility Solutions etc. to their customers. Such services enhance the productivity of SMEs, play a huge factor in cost savings and increase customers' trust in

Proceedings of 2012 International Conference on Cloud Computing, Technologies, Applications & Management

978-1-4673-4416-6/12/$31.00 © 2012 IEEE

their products and services [1]. Once the web applications are deployed on cloud, the services can be accessed at any time from anywhere [2]. SMEs are an important element which contributes a direct rise in profits for an economy [3].

Web sites are the primary target for hackers to carry out their attacks. As there are more than 200 million websites running, it is very easy for attackers and hackers to select their target. As the web is so vast, there is something for everyone within the internet [4]. Once the web application is on cloud, its security is not the prime concern for the SMEs. Application security is one of the key factors of any business-governed IT strategy, yet it is hardly understood by the management of SMEs as it does not align with their business goals [5]. When it comes to offering a service on cloud, most SMEs do not have the knowledge needed for secure control of the web application which offers their solutions and expertise to their customers. 63% of the business management in SMEs have no clear understanding of cloud computing in spite of broadcasting their business solutions on the cloud [6].

II. OBJECTIVES AND MOTIVATION

In the current economy SMEs are hugely dependent on the Internet to offer their services and products to a large community. Employment opportunities are created, which in turn grows the country's economy [5]. Around 65% of SMEs adopt a cloud computing environment to carry out their business, which helps them to concentrate mainly on their strategic organization goals and plan their budgets more efficiently [7][8]. Services are hosted on a web-based environment by a SME that permits the end users to gain the application functionality without any disruption, as these solutions are available just by logging into the web [9]. Most SMEs use clouds for their web hosting because of ease of management, very low start-up costs etc. [1].

The two aspects that an owner of a SME thinks about while giving out their solution to the users are saving time and saving money in order to see the success of their business, so they turn to hosting their web application solutions in a cloud. IT investments are greatly reduced for a SME once they decide to host their web solutions on cloud, as there are no large costs involved in setting up the servers, infrastructure, software or hardware licenses etc. [11]. But when it comes to the security aspect of the web applications hosted on cloud, SMEs normally tend to neglect investing in it: they lack security expertise, business needs do not align their budgets to invest in IT security, and management doesn't understand the severity in gaining knowledge and protecting themselves from attacks initiated by hackers [5].

A SME owner will be able to meet their capital costs once the application and services are on cloud for the customers to use them. With the adoption of Cloud Computing, management of a SME will be able to align their business needs and concentrate mainly on increasing the profits rather than solving IT issues / problems. But there are crises when a hosted web application gets breached and the organization loses control of the system for which it is accountable. Users and customers always feel that their sensitive data is protected with the best security procedures. It has been seen that the management of a SME thinks that implementing security within IT is just installing an anti-virus, which is very wrong [5]. In today's world, information and data keep increasing at a fast rate, which in turn is pushing the SMEs to set up the cloud. But it does not mean that SMEs shouldn't be aware of the security aspect of it while putting up their web applications on cloud. Safeguarding the company's liability in the cloud requires knowledge of what security mechanism needs to be implemented to protect a web application from external threats by the hackers [12]. Web applications are client-server applications where the browser provides the user interface and the server takes care of the HTTP requests and HTTP responses. The web application in the cloud is reached by hitting the URLs, which in turn call the user interface via the implementation of various web technologies [2]. Hackers can alter the whole user interaction by running a few scripts on the web page, or they can cause server downtime by conducting a DDOS attack. Attackers are always focused on disrupting the application in cloud and gaining unauthorized access to their data [14]. SMEs should have the basic knowledge for protecting such applications from the hackers. They should be able to identify the plug-able security components to be plugged in order to protect their application.

Our contribution in this paper is to bring out a framework design for 'SPAaaS', which will be a component based architecture to be offered by various security vendors, assisting the SMEs in evaluating security requirements to host their web applications on cloud.

III. SMEs SHOULD BE WELL-VERSED WITH THE PROTECTION MECHANISM HOSTING WEB APPLICATIONS IN CLOUD

The success behind any new technology coming into the industry depends on how secure it is. There are always questions pertaining to the data in the cloud, and whether it is secured enough to prevent any breaches/attacks by the hackers. We are able to deep dive into our Operating Systems and Hard Disks whenever we feel like it, but cloud servers are deployed somewhere in the world, miles away from you. One small breach in those servers will leave the owner and customer of the data without any further access to the application in cloud [15]. In recent years, cyber attacks have increased within the latest technologies as they involve high usage of the Internet [7]. SMEs are trying very hard to reduce their IT computing costs and have started to gather their IT operations under one umbrella and host web applications offering services to their customers. Cloud Computing has taken these SMEs to another level, which helps them to reduce costs and increase efficiency by providing intact solutions and gaining customers' confidence [17]. At the same time, organizations should have the knowledge of securing the hosted application from getting


attacked, make a decision and implement the security. The interest of the customers is very important, but so are the measures taken to ensure business continuity, so that attacks do not disrupt the existing application setup in cloud [17]. Proper investigation and assurance control should be implemented to carry out the research pertaining to the cyber threats in small clouds. SMEs normally tend to ignore this while putting up their applications in cloud as they may lack technical expertise and other various resources to do the same. It is estimated that by 2020, more than 70% of the users and customers will undertake cloud services offered via the internet to carry out their tasks/business activities.

The senior management of a SME are not well-versed with the functionality of cloud computing nor with the method to safeguard their services in cloud if at all they deploy their application. While hosting their web applications in cloud for their customers, SMEs should be aware that they are exposing the information to everyone over the Internet. Attacks such as, but not limited to, session hijacking, data leakage and web protocol breaches are appearing in cloud computing [18]. SMEs should not turn a blind eye to the fact that their services/applications/data are migrated to a cloud that is outside their organization's boundary. They should understand that this move will open up vast security related threats conducted by hackers if they do not apply proper security and protection mechanisms to their services [19]. They should know that adopting cloud is just an upgrade to their existing IT setup. There are providers who will take care of the security [20]. There are providers who will not offer such a protection service. SMEs should have exact knowledge of what security mechanisms should be applied for their hosted web application.

SMEs have few IT professionals who manage and are responsible for the entire IT setup pertaining to hardware, network, and software [21]. Security is not their prime concern as they are under the notion that just installing an anti-virus will take care of all security threats [5]. Selecting the right cloud provider is very important for a SME to publish their application [23]. A cloud provider will be able to provide the best services to the SME in terms of hosting, infrastructure etc., but there are questions raised in securing the hosted application [23]. SMEs should have a clear mind about the security components to be implemented to prevent their application/network/data getting breached. Large databases to breach are the 1st choice of the attackers and it is proven that the Internet is very difficult to protect [24]. Small businesses should protect the sensitive information that they are hosting in cloud via their applications. They should completely understand the benefits as well as the IT cloud risks while considering a cloud solution to enhance their business needs [24]. Cloud service providers offer security service to SMEs in terms of expertise and security technical resources which SMEs [25]. But SMEs should have the knowledge and drive to understand these security solutions and see if they are adaptable to their web services placed in cloud.

It is seen that a few of the cloud providers expose their customers' data, which results in a serious glitch and can lead the organization to legal consequences. The environment is so dynamic that it creates new threat opportunities whose mitigation a SME needs to be educated about. SMEs should be aware that the hosting of a web application in cloud is very different from the traditional approach of web hosting. In the cloud, SMEs will not have direct access to the servers and the hardware where their application is hosted. SMEs should properly understand that there is no complete solution to the IT attacks on cloud, and should also know that migration to cloud will definitely carry risk. But these risks need to be understood and measures should be applied to mitigate them.

IV. SECURITY & PRIVACY ARCHITECTURE AS A SERVICE FOR SMEs FOR WEB APPLICATIONS (SPAAAS - WEB)

In this section we propose a framework design - a component based architecture to be followed by security vendors for SMEs offering web application security solutions. This architecture will assist the SMEs in their evaluation of security implementation for their requirement from a 3rd party who are offering SaaS.

It is seen that various security vendors find it very difficult to identify the exact security solution to provide for SMEs for web applications due to SMEs' budget constraints and requirements. Trust is the key component for your customers while providing solutions/services online via the cloud. Users will not do business unless they are convinced they can trust the hosted web solution. Cloud Computing is a very new technology which has evolved in the last few years and which brings along new threats/risks/opportunities [27]. At times moving to Cloud revamps the organization's existing applications and architecture, but at the same time it increases the risks of transforming the sensitive data and services / applications to an upcoming environment [27].

In a few of the cloud services, SMEs should be aware that the security responsibilities for both consumer and provider differ. For example, Amazon's AWS EC2 IaaS addressed physical security, environmental and virtualization security. The consumers' responsibilities will be towards applications, data and OS [27]. Figure 1 gives the entry points for Web Application Attacks.


[Figure: diagram with the labels Hacker, Homepage, Form and Mobile Devices, annotated with the markers A and B]

Figure 1. Entry points for Web Application Attacks

A: HTML, CSS, JavaScript, Ajax, jQuery, XML, Flash

B: Web Servers, Database Servers, Interfaces, Programming languages

The rise in programming technologies such as Ajax, PHP and DOM offers businesses a rich UI application providing online services to their customers [10]. Over the last few years, the trend in attacks has been changed by the hackers. Coordinated web attacks are taking place where automated bots are involved, performing the same task as a hacker in less time. The end result is the same, i.e., the application is breached. We propose the adoption of the six plug-able security components by a SME during the deployment of a web application in cloud offering their services/business solutions. This architecture will reduce the risks for SMEs in adopting cloud computing to host their web apps.

Our research is to help both the cloud providers and consumers (SMEs) towards the implementation of web application security in a cloud. Figure 2 gives the proposed design for Security & Privacy Architecture as a Service for SMEs for Web Applications (SPAaaS - Web).


[Figure: diagram. Security components: AI Management, Web Security, Email Security, DLP, Intrusion Detection/Prevention, Network Security. Cloud - Web Based Services / SaaS - Web Based: CRM, Social Media, Business Services, Business Solutions, Mobility Solutions, HR & Payroll Services.]

Figure 2. Design - Security & Privacy Architecture as a Service for SMEs for Web Applications (SPAaaS - Web)

Based on our research and experience in web application security, the following security components need to be implemented for a web application to be hosted in a cloud for a SME.

1) AI Management: Access & Identity Management controls the identity and access to the cloud based web app. Service provided (Authentication & Authorization). The right level of access is granted once the identity is verified. Auditing and logging mechanisms are implemented [28].

2) Web Security: Real-time prevention of hacking attacks. Handlers such as Web Filtering, Malware & Spyware Analyzer, SSL, Anti Virus etc. should be implemented [28].

3) Email Security: Safeguarding the ingoing/outgoing emails. This component implementation should secure the SME from phishing/spam attacks. Mails should be encrypted on a case by case basis. Digital Signatures need to be implemented as a handler which will assist in identifying if any modification has been done to the e-mails [28].

4) Data Loss Prevention (DLP): Monitoring and verifying the authenticity of the data in motion and at rest. The flow of data in and out of the cloud should be monitored. SQL regular expression detection, signing of data, pattern matching, and data matching should be implemented [28].

5) Intrusion Detection / Prevention: With this component in place, unusual packet activity is inspected and detected. Also, at the core TCP (Network) level, a data flow monitoring system should be implemented [28].

6) Network Security: It is at the network level. Full visibility of the traffic is maintained at the network layer. Firewalls are implemented to restrict / prevent attacks from different origins and to permit only allowed IPs in the set perimeter. Prevents DDOS attacks and also audits the inflowing/outgoing requests in the cloud.

V. CONCLUSION & FUTURE WORK

Cloud Computing is a highly intense technology that has great benefits. For SMEs, adoption of cloud computing reduces their IT costs and raises their ROI. This paper focuses on web applications hosted in cloud, where security challenges exist in implementing a mechanism to protect these applications from hackers around the world. Over the last few years, demand for the services offered by SMEs via web applications has increased. Web applications are the primary vehicle for delivering attacks/breaches. Web solutions are hosted by SMEs on which large organizations depend by outsourcing their services, making sure the SMEs follow equal protection mechanisms.

In this paper, we have identified a design which can be followed by the cloud providers/cloud security providers and consumers (SMEs) pertaining to the web application in the


cloud. SMEs do not have the knowledge to protect such applications due to a lack of security technical expertise or financial budgets. This paper identifies six security components which need to be plugged in during the deployment of web applications in cloud. Once this design is plugged in, it will assist the SMEs to mitigate the disruption to the business caused by hackers and will give them the knowledge to understand such key security features, which will help them to take better decisions and grow the company's business. Future work will include detailed security & privacy architecture design for each of the six components with their features.

VI. REFERENCES

[1] F.T. Neves, F.C. Marta, A.M.R. Correia & M.C. Neto, "The Adoption of Cloud Computing by SMEs: Identifying and Coping with External Factors", 11a Conferencia da Associacao Portuguesa de Sistemas de Informacao (CAPSI 2011), 19-21th Oct 2011.
[2] L.R. Rewatkar and U.A. Lanjewar, "Implementation of Cloud Computing on Web Application", International Journal of Computer Applications (0975-8887), Volume 2 - No. 8, June 2012, pp 28-32
[3] M. Sharma, A. Mehra, H. Jola, A. Kumar, M. Misra and V. Tiwari, "Scope of cloud computing for SMEs in India", Journal of Computing, Volume 2, Issue 5, May 2010, ISSN 2151-9617, pp 144-149
[4] "Moving to the cloud? Take your application security with you", Cloud Security Alliance, Jan 27, 2011, Available at https://blog.cloudsecurityalliance.org/2011/01/27/moving-to-the-cloud-take-your-application-security-with-you/
[5] N.K. Sangani and B. Vijayakumar, "Cyber Security Scenarios and Control for Small and Medium Enterprises", Informatica Economica vol. 16, no. 2/2012, pp 58-71
[6] "The GFI Software SME Technology report", GFI Software, May 2010, Available at: www.gfi.com/documents/SME_Technology_Report_web.pdf
[7] "Cloud computing adopted by more SMBs", Microsoft business, Friday 20 July 2012, Available at http://www.microsoft.com/en-gb/business/news/Cloud-computing-adopted-by-more-SMBs-801411838.aspx
[8] "Small / Medium Business (SMB) Cloud Study", Microsoft - Trustworthy Computing, May 2012, Available at www.microsoft.com/en-us/news/download/.../051412SMBCloud.pdf
[9] R. Ray and Smallbiztechnology Team, "The Growing Cloud - Computing Market for SMBs", Business Insider, July 18 2011. Available at http://articles.businessinsider.com/2011-07-18/tech/29981664_1_cloud-computing-cloud-services-smb-market
[10] Danny, "Web application security in the cloud", Software Associates, May 31 2011. Available at: http://www.slideshare.net/danny150/web-application-security-in-the-cloud
[11] J. Grisham, "The Benefits of Cloud Computing", TheSmallBusiness.org, Available at: http://www.thesmallbusiness.org/software/benefits-of-cloud-computing.html
[12] G. Blackwell, "10 Cloud Computing Security Tips for Small Businesses", Smallbusinesscomputing.com, March 08 2011. Available at: http://www.smallbusinesscomputing.com/biztools/article.php/3927376/10-Cloud-Computing-Security-Tips-for-Small-Businesses.htm
[13] "Top Threats to Cloud Computing V1.0", CSA, March 2010, Available at: https://cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf
[14] dotDefender, "Web Application Security", AppliCure Technologies, Available at: http://www.applicure.com/downloads/documentsV4.20/Web_Application_Security_101.pdf
[15] R. Bhadauria, R. Chaki, N. Chaki and S. Sanyal, "A Survey on Security Issues in Cloud Computing", Arxiv.org, Sep 25 2011, Available at: http://arxiv.org/abs/1109.5388
[16] J. Hu and A. Klein, "A Benchmark of Transparent Data Encryption for Migration of Web Applications in the Cloud", 2009 Eight IEEE International Conference on Dependable, Autonomic and Secure Computing
[17] R. Saleem, "Cloud computing's effect on enterprises", School of Economics and Management Lund University, Jan 2011, Available at: http://lup.lub.lu.se/luur/download?func=downloadFile&recordOId=1764306&fileOId=1764311
[18] J.L. Kourik, "For Small and Medium Size Enterprises (SME) Deliberating Cloud Computing: A Proposed Approach", ECC'11 Proceedings of the 5th European conference on European computing conference, pp 216-221
[19] S. Ristov, M. Gusev and M. Kostoska, "Cloud Computing Security in Businesses Information Systems", International Journal of Network Security & Its Applications (IJNSA), Vol. 4, No. 2, March 2012, pp 75-93
[20] M. Boisvert, "Real and perceived security threats of cloud computing", SearchCloudComputing, May 2012, Available at http://searchcloudcomputing.techtarget.com/feature/Real-and-perceived-security-threats-of-cloud-computing
[21] Check Point Software Technologies, "Defending Small and Medium Sized Businesses with Cloud - Managed Security", Available at: http://www.checkpoint.com/downloads/smb/cloud-white-paper.pdf
[22] D. Lacey, B.E. James, "Review of Availability of Advice on Security for Small/Medium Sized Organizations", March 2012, Available at: http://www.ico.gov.uk/upload/documents/library/corporate/research_and_reports/review_availability_of_%20security_advice_for_sme.pdf
[23] Florence, "Benefits of Cloud Computing to Growing Small Companies", CloudTweaks, March 5 2012, Available at http://www.cloudtweaks.com/2012/03/benefits-of-cloud-computing-to-growing-small-companies/
[24] "Cloud Computing for Small and Medium-sized Enterprises: Privacy Responsibilities and Considerations", Office of the Privacy Commissioner of Canada, June 14 2012, Available at: http://www.priv.gc.ca/information/pub/gd_cc_201206_e.asp#
[25] "Cloud Computing Security Benefits Dispel Adoption Barrier for Small to Midsize Businesses", Microsoft, May 14 2012, Available at: http://www.microsoft.com/en-us/news/press/2012/may12/05-14SMBSecuritySurveyPR.aspx
[26] "Assessing Cloud Node Security", Context Information Security LTD., March 2011, Available at: http://www.contextis.com/research/white-papers/assessing-cloud-node-security/Context-Assessing_Cloud_Node_Security-Whitepaper.pdf
[27] "Security Guidance for Critical Areas of Focus in Cloud Computing V2.1", CSA, Dec 2009, Available at: https://cloudsecurityalliance.org/csaguide.pdf
[28] "Defined Categories of Service 2011", CSA, Available at: https://cloudsecurityalliance.org/wp-content/uploads/2011/09/SecaaS_V1_0.pdf
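
The Data Loss Prevention component in Section IV names regular expression detection, pattern matching, data matching and signing of data. The sketch below is an added example, not code from the paper or from any vendor, showing how those four checks can combine into one outbound gate. The signing key, the customer identifier, the sample messages and all function names are constructed for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import re

# Constructed demo key; assume a real service loads it from a secrets store.
SIGNING_KEY = b"constructed-demo-key"

# Pattern matching: 13-19 digit runs, allowing space or dash separators.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
TOKEN_RE = re.compile(r"[A-Za-z0-9-]+")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def fingerprint(value: str) -> str:
    """Data matching works on hashes, so the DLP store holds no plaintext."""
    return hashlib.sha256(value.strip().lower().encode()).hexdigest()


def sign(payload: bytes) -> str:
    """Signing of data: HMAC-SHA256 tag attached when the record is stored."""
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()


def verify(payload: bytes, tag: str) -> bool:
    """Constant-time check that the payload is unchanged since it was signed."""
    return hmac.compare_digest(sign(payload), tag)


def scan(text: str, protected: set[str]) -> list[tuple[str, str]]:
    """Return (kind, redacted evidence) for each sensitive item in the text."""
    findings = []
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_ok(digits):
            findings.append(("card_number", "*" * (len(digits) - 4) + digits[-4:]))
    for token in TOKEN_RE.findall(text):
        digest = fingerprint(token)
        if digest in protected:
            findings.append(("protected_record", digest[:12]))
    return findings


def gate(payload: bytes, tag: str, protected: set[str]) -> tuple[str, list]:
    """Decide whether a payload may leave the cloud boundary."""
    if not verify(payload, tag):
        return "block:tampered", []
    findings = scan(payload.decode("utf-8", errors="replace"), protected)
    return ("block:sensitive" if findings else "allow"), findings


# Constructed sample data (4111... is the well-known Luhn-valid test number).
PROTECTED = {fingerprint("CUST-0042")}
LEAK = b"Invoice CUST-0042: card 4111 1111 1111 1111, order ref 1234567890123"
CLEAN = b"Your order ref 1234567890123 has shipped"

if __name__ == "__main__":
    for body in (LEAK, CLEAN):
        print(gate(body, sign(body), PROTECTED))
    print(gate(CLEAN + b"!", sign(CLEAN), PROTECTED))
```

The 13-digit order reference matches the card pattern but fails the Luhn check, which is why pattern matching alone is paired with a validation step to keep false positives down.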
