Critical Infrastructure in the Multi-Cloud Strategy: Use of Cloud Computing in SMEs

Cloud computing enables cost-effective on-demand network access to a shared pool of configurable computing resources. The purpose of this paper is to examine and identifying the use of Cloud computing in the critical infrastructure domain among small and medium sized enterprises (SMEs). The data for this study were gathered from a survey of different academic, industry, governmental and online literature related to the use of Cloud computing in SMEs. The result revealed that there are risks involved in the use of Cloud computing, SMEs are deploying Cloud computing using different deployment models and reaching a high level of deployment within the critical infrastructure. The research findings are useful for SMEs that are planning or are in the use of Cloud computing, as well as for SMEs policymakers and business support community that engaged with Cloud computing initiatives.

💡 Research Summary

This paper presents a comprehensive analysis of the adoption and use of cloud computing by Small and Medium-sized Enterprises (SMEs), with a specific focus on applications within critical infrastructure sectors. The research is based on a survey of existing academic, industry, governmental, and online literature.

The introduction establishes cloud computing as a cost-effective, scalable, and on-demand service model that offers significant advantages for SMEs, which typically operate with constrained IT budgets and limited in-house expertise. By leveraging cloud services, SMEs can access advanced computing resources, convert capital expenditure to operational expenditure, and enhance business agility. However, the paper notes that security and privacy concerns remain primary barriers to widespread adoption.

The body of the paper is structured around three core themes. First, it defines critical infrastructure as interconnected systems (e.g., energy, water, telecommunications) essential for societal function, which are vulnerable to cascading failures from both physical and cyber threats. Second, it characterizes SMEs by their resource limitations and operational flexibility, highlighting how the cloud’s pay-as-you-go model and scalability align perfectly with their needs. Third, and most critically, it conducts a detailed examination of security issues. The analysis distinguishes between traditional IT security threats (e.g., DDoS, phishing) and cloud-specific threats (e.g., VM escape, cloud malware injection, account hijacking). A compelling case study details how a small Australian company linked to national security projects was compromised over a long period, underscoring the real-world consequences when SMEs managing sensitive infrastructure are targeted.

The findings reveal a clear trend: SMEs are actively deploying cloud computing using various deployment models (public, private, hybrid) for critical infrastructure operations, driven by compelling benefits like cost reduction and improved efficiency. Nevertheless, this migration introduces profound risks. The confluence of cloud environments and critical infrastructure creates a potent attack surface, potentially making SMEs a new battlefield in cyber warfare.

The conclusion emphasizes that the central question for SMEs is no longer whether to adopt the cloud, but how to manage the associated risks. Key security requirements for critical infrastructure providers in the cloud include robust, sophisticated access control mechanisms capable of handling heterogeneous and dynamic resources. The paper identifies “technology development risks” and “outsourcing opportunism risks” as key categories requiring management. It ultimately calls for future research to develop and propose effective risk mitigation strategies, moving beyond identifying problems to offering practical solutions. This study serves as a crucial resource for SMEs, policymakers, and the business support community, framing cloud adoption in the critical infrastructure context as a strategic decision with significant security and national resilience implications.