Research consultancy

1.0 Introduction

Cloud computing has become a cornerstone of modern technology, revolutionizing how data is stored, processed, and accessed worldwide. The global cloud computing market is projected to grow up to $1,429,672.6 million by 2030 from $798,843.9 million in 2024 [1]. Public institutions, including government agencies, have increasingly embraced cloud solutions to enhance efficiency, improve data management, and deliver services more effectively. The National IT Survey report of 2022 indicates that 64.2% of Ministries, Departments and Agencies (MDAs) in Uganda have applications or databases hosted on the cloud provided by NITA-U [2]. However, the migration to cloud environments introduces significant security challenges such as data breaches, unauthorized access, insecure APIs, misconfigurations, insider threats, DDoS attacks and cyberattacks [3]. These threats can compromise sensitive information, disrupt public services, and erode public trust in digital transformation initiatives, making cloud security a critical concern in today’s technological landscape.

Public institutions are vulnerable to cloud-based security threats due to the sensitive nature of the data they handle and the complexities of cloud infrastructure. Institutions like the Bank of Uganda have suffered numerous cyberattacks and cloud data breaches, with the recent attack leading to a loss of $17 million. NITA-U, as the primary body responsible for IT governance in Uganda, has faced numerous challenges in securing its cloud systems. For instance, reports of cyberattacks targeting government institutions in Uganda highlight the growing sophistication of threat actors and the inadequacy of existing security measures, indicating that 40% of public institutions suffered loss of data, as revealed in the National IT Survey report of 2022. However, they did not seem to develop any tangible cloud security framework to support that claim. These incidents underscore the urgent need for developing a mitigation framework for cloud-based security threats for public institutions like NITA-U that manage sensitive public data.

While cloud computing security has been extensively studied in the private sector, there is a notable lack of research focused on public institutions, which face unique challenges due to the regulatory and resource constraints of the environment in which they operate. Furthermore, existing frameworks like NIST SP 800-210 and the CIS Controls Guide, among others, often fail to address the specific needs of public institutions in developing countries such as Uganda, where budgetary and technological limitations further exacerbate vulnerabilities. Lastly, the dynamic nature of cloud-based threats necessitates adaptive and scalable security measures, which may be currently lacking in the approaches employed by NITA-U. Therefore, this research aims to bridge this gap by developing a mitigation framework that fits the unique security needs of public institutions.

Addressing cloud-based security threats is essential for ensuring the integrity, confidentiality, and availability of data in public institutions. An effective mitigation framework will not only enhance the resilience of NITA-U’s cloud systems but also set a precedent for other public institutions in Uganda and beyond. By mitigating risks and threats emanating from the cloud, the study will contribute to the broader goal of strengthening public trust in e-governance and digital transformation initiatives. Moreover, it aligns with Uganda’s national objectives of enhancing cybersecurity and fostering innovation in the public sector, as outlined in the National Information and Communication Technology Policy.

1.1 Problem Statement

The rapid adoption of cloud computing in public institutions has brought about significant benefits, such as improved service delivery and operational efficiency. Cloud computing services that MDAs are using include email and messaging, data storage and desktop/office software [2]. However, it has also introduced unique security challenges that pose severe risks to sensitive data and critical operations. Public institutions such as the National Information Technology Authority-Uganda (NITA-U) and other MDAs face increasing threats from cloud attacks, including data breaches, unauthorized system access, ransomware and distributed denial-of-service attacks. For instance, an annual crime report of 2022 by the Uganda Police Force revealed that over 286 cases of ransomware attacks and data breaches, which led to a loss of over Shs19.2 billion, were reported.

One of the key challenges is the inadequacy of existing security frameworks, which often fail to address the unique operational and regulatory needs of public institutions in Uganda. Many public institutions rely on generic security frameworks that do not address their unique operational and regulatory contexts, leaving systems vulnerable, as evidenced by repeated data breaches targeting government agencies in Uganda [7]. Additionally, efforts to enhance cloud security are hindered by limited resources, reliance on external service providers, a shortage of expertise and reactive rather than proactive strategies.

The consequences of cloud security breaches are severe, including exposure of citizen data, disruption of critical services, financial losses, and diminished public trust. This undermines national digital transformation initiatives emphasized by the Ministry of ICT and National Guidance.

1.2 Aim of the Study

The aim of this study was to develop a mitigation framework for cloud-based security threats for public institutions in Uganda. The framework was developed to protect sensitive data such as financial data and health records, maintain service continuity, build trust and support compliance with regulations.

1.3 Objective of the study

1.3.1 The main objective

The main objective of this study was to develop a mitigation framework for cloud-based security threats in public institutions, with a specific focus on NITA-Uganda.

  • The specific objectives:

The specific objectives of this study included the following:

  1. To review and assess the existing literature on cloud-based security threats mitigation frameworks.
  2. To develop a mitigation framework that addresses the identified security threats at public institutions focusing on NITA-Uganda.
  3. To validate the effectiveness of the proposed framework through simulations.

1.4 Research Questions

The following questions were formulated and used to guide this study:

  1. What are the key findings and gaps in the existing literature regarding mitigation frameworks of cloud-based security threats faced by public institutions?
  2. How can a mitigation framework be developed to effectively address the identified cloud-based security threats faced by public institutions in Uganda?
  3. How effective is the proposed mitigation framework in addressing cloud-based security threats in public institutions when tested through simulations?

1.5 Scope

The scope of this study covered the following areas:

  • Content Scope

The framework addressed cloud security threats, evaluated existing policies, and developed recommendations to enhance the ability of public institutions to secure cloud environments. The key content areas included an analysis of specific cloud-based security threats such as data breaches, distributed denial-of-service (DDoS) attacks, account hijacking, insecure interfaces and insider threats. NITA-U’s current cloud security policies, practices, and technologies were reviewed, including examining how these measures aligned with industry best practices and their effectiveness in mitigating threats. In addition, insights from the literature review and data analysis were used to develop a practical, context-sensitive mitigation framework for public institutions in Uganda. The proposed framework emphasizes governance and compliance, risk management, technical security assessment, incident response and recovery, and continuous monitoring and improvement.

  • Spatial scope

The scope of this study was limited to cloud-based security threats affecting public institutions in Uganda, with a specific focus on NITA-U’s cloud infrastructure. It did not cover private cloud infrastructures or institutions outside the public sector.

  • Time scope

The study analyzed NITA-Uganda’s cloud security landscape over the past five years, from 2021 to 2025. The research process, from literature review, approval, data collection and analysis, framework development, validation and testing, will take 12 months, in phases: literature review and consultation of stakeholders in the first three months to identify gaps and requirements; data collection through interviews and surveys in the 4th and 5th months; and data analysis and framework development in months 6 to 8. Validation via simulations and stakeholder feedback will take place in months 9 and 10, followed by framework refinement, report writing, and submission in the final two months, 11 and 12.

1.6 Significance of the study

Chapter Two

Literature Review

2.1 Introduction

This chapter is organized chronologically beginning with the introduction, theoretical background and key concepts, previous studies on cloud-based security threats mitigation frameworks, identification of research gaps, comparative analysis and limitation, justification of research focus, and conceptual framework.

2.2 Theoretical Background and Key Concepts

2.2.2 Key concepts in cloud computing

2.2.2.1 Cloud Computing (CC)

Cloud Computing is a technology that enables data processing and storage on multiple computers through the Internet [11].

Cloud Computing is a technology that allows anybody to remotely access high computing equipment and computing services without having to purchase physical infrastructure [12].

2.2.2.2 Cloud Security (CS)

Cloud security is a discipline of cybersecurity that focuses on protecting cloud systems and data from internal and external threats, including best practices, policies, and technologies that help organizations prevent unauthorized access and data leaks [12].

2.2.2.3 Cloud Security Frameworks (CSF)

Cloud security frameworks provide organizations with the tools and guidelines to enhance security in cloud environments by identifying potential risks and recommending protective measures [12].

2.2.2.4 Cloud computing deployment model

According to Mohammed et al. (2020), a cloud computing deployment model refers to how cloud resources are deployed, managed and shared, with the goal of determining the location of the infrastructure and who has access to it. Cloud deployment models can be classified according to the ownership of the cloud data centers, or the type of cloud combined for single or multiple cloud environments, as below [13]:

  • A public cloud is when a third-party cloud provider runs or hosts the data centers of hardware and software and makes them available to the public.
  • A private cloud is when a public institution/organization or company fully owns a cloud data center that is either located on its premises or hosted by a third party.
  • A hybrid cloud is a combination of private and public clouds, which allows an organization or a company to run certain applications on public clouds and others on an internal infrastructure.
  • A community cloud is a category of cloud deployment where public institutions/organizations or companies with common goals combine their efforts in a shared cloud infrastructure.

2.2.2.5 Cloud Computing Services Model

A cloud service model is a set of pre-packaged IT resources provided by cloud service providers [14]. Service models outline which features of the computing infrastructure and functionality are managed by the cloud service provider and which are managed by the client [14]:

  • Infrastructure as a Service (IaaS) enables a cloud service provider to provide a set of virtualized computing resources such as processing power, storage, and network, while allowing the cloud customer to take charge of other resources like the operating system, middleware, runtime, data, and application.
  • Platform as a Service (PaaS) is when the cloud service provider provides infrastructure like servers, network, operating system, runtime, and middleware, while the client models, designs, develops and tests applications directly on the cloud and controls the data.
  • Software as a Service (SaaS) is where the cloud service provider does everything, from offering the cloud infrastructure such as network, servers, storage, and virtualization to providing and controlling software like the operating system, runtime, middleware, data, and application. The clients only manage account access from the end point and the data entered.

2.2.2.6 Cloud security-based threats

Cloud computing threats are potential risks or vulnerabilities that could compromise the confidentiality, integrity, and availability of data, applications, and services in a cloud environment [15]. Threats such as data manipulation, service hijacking and data leakage are among the common cloud computing security threats that public institutions in Uganda are facing.

2.2.2.7 Cloud Security Threats Mitigation

Cloud security threat mitigation is an approach to stopping and reducing the chances or effects of risks, threat actors, and vulnerabilities to cloud-based services and networks [16].

 


2.3 Review of Previous Studies

Literature related to developing a mitigation framework for cloud-based security threats is reviewed below:

2.3.1 NIST Special Publication (SP) 800-210 Cloud Security Framework

Hu et al. developed the NIST Special Publication 800-210, a framework for implementing effective access control mechanisms in cloud environments, emphasizing role definition, privilege management, and authentication methods [17]. It applies adaptive and context-aware strategies, such as risk-based authentication and attribute-based access control (ABAC), to enhance security across cloud models. This framework uses the principle of least privilege, separation of duties, and continuous monitoring; its flexibility, practical applicability, and alignment with global standards make it valuable for public institutions where protecting sensitive data is critical. However, it lacks integration with emerging technologies like AI for real-time threat detection and provides no localized guidance for compliance with local regulations, such as the Data Protection and Privacy Act 2019.

2.3.2 The CSA Cloud Controls Matrix (CCM) 3.0.1 framework

EMCS-Advanced plus developed the CSA Cloud Controls Matrix (CCM) 3.0.1 framework for securing cloud environments, ensuring compliance with standards like FedRAMP and ISO 27001 [18]. It covers domains such as application security, encryption, and governance, emphasizing automation, monitoring, and data protection. This framework relies on its extensive security coverage, strong regulatory alignment, and independent audits. However, it focuses specifically on U.S. policies and does not address emerging threats like quantum computing or adaptability for smaller institutions.

2.3.3 ISO/IEC 27002 Cloud Security Framework

Disterer developed the ISO/IEC 27002 cloud security framework, which addresses cyber risks through controls like encryption, access management, and incident response [19]. Its methods emphasize a risk-based approach to identify vulnerabilities and strengthen governance through policies, audits, and training. It aligns with international standards and regulatory requirements, and so can offer public institutions in Uganda a structured and compliant approach to mitigating cloud risks. However, it has limited adaptability to rapidly changing technologies like multi-cloud environments, revealing gaps in its ability to address emerging cloud complexities.

2.3.4 CIS Controls Cloud Companion Guide Framework

The Center for Internet Security developed the CIS Controls Cloud Companion Guide framework to address the unique security challenges of cloud environments, including public, private, and hybrid clouds [20]. The framework is developed with a focus on risk prioritization and offers practical guidance on secure configurations, identity and access management, and continuous monitoring. It uses actionable steps such as managing account privileges, monitoring misconfigurations, and deploying automated compliance checks. Its continuous monitoring and scalability make it suitable for resource-limited institutions in Uganda. However, its general guidance may fall short in addressing rapidly evolving cloud environments, such as multi-cloud architectures, leaving a gap for further adaptation [20].

Table 1: Summary of reviewed cloud security frameworks

| Author(s) | Title of the Paper | Objectives | Findings/Contributions | Limitations |
|---|---|---|---|---|
| Hu et al. [17] | NIST Special Publication (SP) 800-210 Cloud Security Framework | Develop a framework for access control in cloud environments | Introduces adaptive, risk-based authentication and role-based access control (RBAC). Emphasizes least privilege, separation of duties, and continuous monitoring | Lacks integration with AI for real-time threat detection. Does not provide localized compliance guidance for regulations such as Uganda’s Data Protection and Privacy Act 2019. |
| EMCS-Advanced plus [18] | Cloud Controls Matrix (CCM) 3.0.1 | Ensure compliance with cloud security best practices and standards like ISO 27001 and FedRAMP | Covers security domains such as encryption, application security, and governance. Supports automation and independent audits | Primarily focuses on U.S. policies. Lacks adaptability for smaller institutions. |
| Disterer [19] | ISO/IEC 27002 Cloud Security Framework | Provide cybersecurity controls for risk management in cloud environments | Offers encryption, access control, and incident response mechanisms. Aligns with international compliance standards | Limited flexibility for evolving multi-cloud architectures. Lacks rapid adaptability to emerging technologies. |
| Center for Internet Security [20] | CIS Controls Cloud Companion Guide | Address security challenges across public, private, and hybrid cloud environments | Prioritizes risk management through identity access controls, continuous monitoring, and automated compliance checks | Lacks specific guidance for evolving cloud environments like multi-cloud architectures. Does not integrate AI for proactive threat detection. |

2.4 Identification of Gaps and Limitations

The cloud security frameworks reviewed highlight several critical gaps and limitations in addressing modern cloud security challenges. While frameworks like NIST SP 800-210 and the CSA Cloud Controls Matrix provide robust foundational guidance, they lack integration with emerging technologies such as AI and Zero Trust, which are vital for real-time threat detection. Furthermore, ISO/IEC 27002 and the CIS Cloud Companion Guide offer structured governance and practical security measures but struggle with adaptability to rapidly evolving multi-cloud architectures and localized compliance needs. These limitations necessitate developing a comprehensive, adaptive, and technology-integrated framework that addresses both technical and regulatory challenges for secure cloud use by public institutions in Uganda.

2.5 Comparative Analysis

A comparison of the reviewed studies on cloud security frameworks is shown in the table below:

Table 2: Comparison of cloud security frameworks

| Reference | Objectives | Methodology | Key Findings | Strength | Limitation | Relevance to Framework |
|---|---|---|---|---|---|---|
| Hu et al. [17] | Implement access control mechanisms emphasizing role definition, privilege management, and authentication methods. | Framework-based analysis of access control strategies (e.g., ABAC, least privilege, separation of duties). | Adaptive, context-aware access control enhances cloud security; aligns with broader NIST standards. | Comprehensive, flexible, globally aligned access control strategies. | Limited integration with emerging technologies like AI; no localized compliance guidance. | Provides a strong baseline for role-based security and adaptive mechanisms for public institutions’ cloud environments. |
| EMCS-Advanced plus [18] | Provide security controls for cloud environments aligned with standards like FedRAMP and ISO 27001 | Comprehensive implementation of controls across domains like application security, encryption, and governance | Ensures data confidentiality, integrity, and availability; includes continuous monitoring and automation | Extensive domain coverage, regulatory compliance, strong encryption, independent audits | Depends on customers for some responsibilities, limited focus on emerging threats and U.S.-centric scope | Useful for developing mitigation frameworks addressing compliance, automation, encryption, and real-time monitoring. |
| Disterer [19] | To establish guidelines to address risks like unauthorized access and data breaches. | Risk-based approach emphasizing governance through policies, audits, and training. | Strong controls for encryption, access management, and incident response; aligns with international standards. | Structured and compliant approach to mitigating cloud risks. | Limited adaptability to multi-cloud and rapidly changing technologies. | Offers a robust compliance framework essential for public institutions handling sensitive data. |
| Center for Internet Security [20] | To address unique security challenges in cloud environments with a focus on scalability and continuous monitoring. | Risk-based prioritization with actionable steps like managing privileges, monitoring misconfigurations. | Enhances governance and compliance through practical, scalable measures; supports automated compliance checks. | Practical, scalable guidance tailored for resource-limited institutions. | Generalized guidance lacking specific customization for rapidly evolving threats. | Highlights the importance of continuous monitoring and practical solutions for resource-limited public institutions. |

2.6 Justification of Research Focus

Existing frameworks have significant limitations and gaps that hinder their ability to address the specific security needs of public institutions in dynamic cloud environments, including an inability to fit well with localized regulatory requirements like Uganda’s Data Protection and Privacy Act 2019. These gaps therefore demand the development of a new framework for mitigating cloud security threats in public institutions in Uganda. This research therefore aims to develop a mitigation framework for cloud security threats in public institutions by addressing challenges such as resource constraints, diverse user bases, and regulatory compliance, by integrating adaptive technologies like AI for real-time threat detection and automated response, and by enhancing existing frameworks and incorporating empirical findings. The solution focuses on multi-cloud adaptability, advanced threat detection, and alignment with public sector needs so as to ensure both effectiveness and practicality.

2.7 Conceptual Framework

The conceptual framework for mitigating cloud-based security threats in public institutions comprises threats emanating from the cloud that target a public institution (NITA-U), the application of the proposed mitigation framework and, finally, a secure cyberspace at the public institution, as seen below:

[Fig 1: Cloud-based security threats mitigation in public institutions. Conceptual diagram with the elements: Cloud-based security threats; NITA-U Network (Threat landscape); Mitigation Framework; Secure Cloud Environment.]

Chapter Three

Methodology

3.1 Introduction

This chapter details the methodological approach that was employed in developing a mitigation framework for cloud-based security threats in public institutions, focusing on NITA-Uganda as a case study. It outlines the research design, target population, sampling strategy, data collection methods, framework development process, validation and testing procedures, resources required, ethical considerations, limitations, and the work plan. This structured approach ensured a rigorous and systematic investigation that led to the development of a practical and effective mitigation framework. The chosen methodology aligns with the Design Science Research (DSR) paradigm, which emphasizes the creation and evaluation of an artifact (the mitigation framework) that will be used to address the cloud security problem in Ugandan public institutions.

3.2 Research Design

The study adopted a design science research (DSR) methodology.

Target Population

NITA-Uganda, being the national IT authority, plays a crucial role in guiding and regulating IT security practices across government institutions, making it an ideal case for developing and evaluating the mitigation framework.

Sample Size

The researcher employed a purposive sampling strategy. This approach is suitable for case study research where specific organizations or individuals are selected based on their relevance to the research topic. The sample included key personnel within NITA-Uganda’s cybersecurity, IT management, E-gov, network, information security services and cloud services departments. The sample size used was 50 individuals, which ensured representation from different roles and levels of expertise relevant to the organization. The number was deemed sufficient for in-depth interviews and data analysis within a single case study context.

3.3 Data Collection Methods

 

3.4 Data Analysis Techniques

Qualitative data from interviews was analyzed using thematic analysis to identify key themes and patterns related to cloud security threats and mitigation strategies. Document review data was analyzed using content analysis to extract relevant information and support the findings from the interviews. Finally, quantitative data from the questionnaire was analyzed. The combined analysis informed the development of the mitigation framework.

3.5 Framework Development

The development of the mitigation framework followed an iterative process, guided by the design science research methodology. The initial framework was designed and written based on the data collected from NITA-Uganda and relevant literature on cloud security best practices. The framework was then iteratively refined and validated through simulation, expert consultations and feedback from NITA-Uganda’s staff.

3.6 Validation and Testing