Cloud computing in recent times has brought in rapid advances in the delivery of digital services. It is also a key driving force in future technology breakthroughs, big data analytics, Artificial Intelligence (AI) and the Internet of Things (IoT). While its adoption has seen dramatic changes in providing cost-effective, agile, scalable, on-demand technology services to customers, like any emerging technology, cloud computing has also introduced unique complexities and cyber security challenges. The increased adoption of cloud services locally and globally, naturally entails an increase in the threat landscape. Ensuring the security of the UAE’s digital transformation requires a holistic approach, which addresses risks and enables innovation.

 

The Council has established this policy to enhance cloud security, aligned with the UAE’s national priority to be a global leader in cyber security; and enhance the security posture of organizations and individuals within the UAE using cloud services.

The following section outlines the policy domains and sub-domains applicable to cloud consumers in the UAE. The policy sub-domains further elaborate on the objectives and policy statements. 


Cloud Governance 

Requirements to establish leadership and governance for cloud security. It focuses on promptly identifying and addressing risks, ensuring that all personnel are aware of their responsibilities, and reducing the chances of supply chain compromise through effective security measures.


Contractual Agreements 

Requirements to protect the confidentiality of cloud consumer data and proactively safeguard the rights of both consumers and CSPs through well-defined contractual obligations.


Data Security and Lifecycle Management 

Requirements to ensure the protection of data through proper classification and robust security measures for data at rest, in transit, and during processing.


Data Location and Sovereignty

Requirements to ensure that cloud consumers are aware about the location at which data is stored, processed, and managed from.


Interoperability and Portability 

Requirements to ensures that the cloud consumer can select various diverse CSPs that can cooperate and interoperate with each other and to protect the cloud consumers from vendor lock-in.


Cloud Architecture, Infrastructure & Virtualization 

Requirements to ensures that changes are managed in cloud infrastructure, ensuring data center security, and asset management, application security and device hardening.


Identity and Access Management

Requirements to prevent unauthorized access to infrastructure, applications, and data.


Security Incident Management, E-Discovery, and Cloud Forensics

Requirements to ensures minimization of the impact of security incidents, ensuring timely reporting, and supporting thorough investigations and legal proceedings.


Cloud Resilience 

Requirements to ensures high availability of information and resources to minimize the impacts of regulatory non-compliance and data loss incidents.

This section outlines the policy domains and sub-domains applicable to cloud service providers in the UAE.
 

Cloud Governance
 

Requirements to coordinate the overall management of the service and security of information, ensure integration of security and privacy into operational risk processes, mitigate risks of data compromise, strengthen supply chain security, and ensure the implementation of cloud security controls and objectives..

 

Contractual Agreements
 

Requirements to protect the confidentiality of consumer data and safeguard the rights of both consumers and CSPs through well-defined contractual agreements.

Data Security and Lifecycle Management

Requirements to protect data with encryption and best practices for key management throughout its lifecycle.
 

Data Location and Sovereignty
 

Requirements to Ensures transparency regarding data processing and storage locations to maintain consumer trust.
 

Interoperability and Portability
 

Requirements to maximize interoperability between different CSPs, allowing cloud consumers the flexibility to switch between providers with ease.

 

Cloud Architecture, Infrastructure & Virtualization
 

Requirements to Ensures that changes are managed in cloud infrastructure, ensuring data center security, and asset management, application security and device hardening.

 

Identity and Access Management
 

Requirements to prevent unauthorized access to infrastructure, applications, and data.

 

Security Incident Management, E-Discovery, and Cloud Forensics
 

Requirements on promptly reporting and containing security incidents, supporting legal processes, and maintaining overall system integrity.

 

Cloud Resilience
 

Requirements for the CSPs to meet consumer expectations for continuous service availability and operational continuity.

 

Cloud Operation and Maintenance
 

Requirements for CSPs to ensure operational sovereignty and maintain service reliability through effective cloud operations and maintenance practices, including on-site technical support for Sovereign Cloud environments.

 

Integration with UAE Initiatives
 

Requirements for CSPs to align with UAE national priorities by integrating with government cyber security initiatives, promoting Emiratization, supporting national workforce development, and fostering local innovation.