The Future of Cloud Security in the Middle East


Research Report
TABLE OF CONTENTS

Methodology
Contributors
Executive Summary
Background
• Cloud Adoption in The Middle East – A Future-Ready Infrastructure
• Sovereign and Hybrid Cloud – Unleash Stronger Digital Transformation Power with Multi-Cloud Strategy
• Cloud Security – The Key Concern
• The Rise of Cloud Attacks
Detailed Findings
• Industry Insights on Cloud Security
• Cloud Security Talent
• Secure The Future-Ready Infrastructure in a Collaborative Manner
Respondent Demographics

METHODOLOGY

This report has been produced using a two-part methodology. A survey was conducted of 584 cloud security professionals in the Middle East, written by the editorial team of Cyber magazine, in conjunction with regional cloud security experts.

For the purposes of this research report, we surveyed cyber security and cloud security business leaders and experts from the following countries:

• United Arab Emirates

• Saudi Arabia

• Qatar

• Bahrain

• Kuwait

• Oman

• Jordan

• Lebanon

• Iraq

• Pakistan

The results of the survey were then analysed and discussed at roundtable events in Dubai and Abu Dhabi in the United Arab Emirates, with expert speakers and an invited, select audience of leading cloud security professionals.

The findings of the survey, and the insights and analysis of the experts, are presented throughout this report.


CONTRIBUTORS

Sultan Al-Owais

Digital Lead, Prime Minister’s Office

UAE

Sultan is an experienced Information Security and Information Technology professional with a track record across different industries and transformation programs. Prior to joining the Prime Minister’s Office, he was Information and Cyber Security Director at Emirates Nuclear Energy Corporation. Sultan holds a computer engineering degree from Khalifa University and a Masters in International Business from the University of Wollongong. He is also a former member of the World Economic Forum’s Global Future Council on Cybersecurity.

Dr Aloysius Cheang

Chief Security Officer Huawei Middle East and Central Asia

Huawei

Aloysius is responsible for driving Huawei’s cybersecurity vision of building a safe and secure intelligent connected digital world in the UAE and Islamic nations globally. He is also a Board Director for US-based (ISC)², as well as UK-based cyber leadership think tank, the Centre for Strategic Cyberspace + International Studies (CSCIS). In his career spanning more than 20 years, Aloysius has delivered direct business value in strategic, complex, multi-year and multi-million-dollar technology and cyber programs for Global 500 organisations worldwide while managing teams spread across 5 continents.

Dragan Pendić

Director - Cloud Security

G42

Dragan has more than 28 years of experience in digital security, consulting and business enablement through technology innovation. He joined G42 as a Head of Information Security and Privacy in 2020. Prior to G42, Dragan led Security for Accenture’s Technology arm for UK and Ireland. He was also a VP of Consulting at Guardtime, a blockchain company and held senior leadership roles at drinks giant Diageo, Verizon, KPMG and Capgemini. On a personal note, Dragan is a passionate runner and skier – and Junior triple jump record holder (Serbia U13) with 11.74m since 1983.


Rajesh Yadla

Director Head of Information Security, Al Hilal Bank

Rajesh has 15 years of experience in information security and technology risk management, 10 of those here in the UAE. Currently working as Head of InfoSec in Al Hilal, he worked in Group42, FAB, and Etisalat in information security related roles. He holds a dual EMBA degree from the University of California Los Angeles & the National University of Singapore and carries several industry-recognised certifications on cyber and information security.

Shivani Jariwala

Director – Cloud Services, CPX and President Cloud Security Alliance UAE Chapter

Shivani is a trusted advisor for cyber security, and has helped develop and deliver trust, leadership and overall cybersecurity maturity for organisations around the world.

She is a dynamic leader with a successful track record of working with various C-level executives and with state, national and multilateral bodies across various industry verticals.

As well as being Director - Cloud Security Services at CPX, Shivani is the President of Cloud Security Alliance - UAE Chapter. Shivani earned a Master of Science Degree in Information Systems from New York University and a Bachelor’s Degree in Computer Science from Mumbai University.


EXECUTIVE SUMMARY

Cloud computing as a new computing paradigm has been around for more than a decade. However, things have changed since compute as a utility was introduced.

In this research, we re-examine the nature of cloud computing demand today through a comprehensive survey of cloud adoption in the Middle East, with which we hope to define better cloud solutions and initiate a collaborative approach to securing this future-ready digital infrastructure.

Below are the key takeaways from our survey:

1. Sovereign cloud is trending due to rapid deglobalisation and new barriers of entry as a result of geopolitical tensions. These have motivated the need to be self-sufficient and for data to be kept within geographical boundaries of nation states. It provides local industry support and safeguards the growth and development of fledgling local (cloud) companies in order to nurture more tech unicorns and evolve the region into a global digital hub. Sovereign cloud benefits development to deliver long term self-sufficiency of the local ICT ecosystem and applications in search of a new killer mega app.

2. Hybrid cloud is featured prominently, driven by rapid digital transformation needs. Increased maturity in cloud usage allows flexibility of choice of on-premise, off-premise, public or private cloud options based on the data, its classification and usage patterns – thereby reducing costs, minimising risk and better assimilation to support the demands of digital transformation.

3. Cybersecurity is the key concern when choosing a cloud provider. From another perspective, organisations on the cloud are experiencing regular and accelerated cyber attacks as we pivot towards the case that cyberspace is cloud computing and cybersecurity is cloud security, paving the way for a new era of the Metaverse.

4. Cloud computing adoption driven by a cloud-first strategy is gaining traction fast in the Middle East, with the United Arab Emirates and Saudi Arabia leading the way. These nations are also the most mature when it comes to leveraging the cloud to meet digital transformation demands.

5. The study discovered a direct relationship between cloud adoption rate and the availability of cloud security professionals, where organisations are finding it hard to find talent to fill their open positions. This indicates that capacity building in the area of cloud security is extremely challenging today and should be tackled by creating local pipelines of talent to arrest this in the long run.


BACKGROUND

CLOUD ADOPTION IN THE MIDDLE EAST – A FUTURE-READY INFRASTRUCTURE

Cloud adoption in the Middle East has grown rapidly, and it is now almost impossible to find ‘non-cloud’ environments. With its computing and storage efficiency, cost-effectiveness and flexible access, cloud computing has been an obvious choice for government, enterprise, education, healthcare and many other sectors, which use one or more cloud services in their daily business.

But the story is not only about what “cloud as a service” (1, 2) unleashes for the market and industry as a whole. Cloud service growth is the reason for the spread of other advanced digital technologies, such as artificial intelligence, machine learning, and the internet of things (IoT).

More specifically, cloud computing is facilitating digital transformation and digital economy development in the Middle East, and many Middle East countries have released their own initiatives to adopt digital technologies to achieve national transformation goals.

For example, UAE Vision 2021, Dubai Smart City, and Abu Dhabi Vision 2030 are focused on accelerating the demand for real-time operations for the transformation of public services and experience. All these initiatives are boosting and will boost the usage of cloud computing in the region (3).

Bahrain’s cloud-first policy aims to encourage the deployment of advanced technologies and systems in the IT sector to enhance the public’s quality of life by providing highly efficient services. Bahrain will continue implementing this policy on a wider scale and to further improve government processes (4).

Saudi Arabia’s National Transformation Program (5) aims to develop necessary infrastructure and create an environment that enables the public, private and nonprofit sectors to achieve Vision 2030 – accomplished by achieving governmental operational excellence, supporting digital transformation, enabling the private sector, developing economic partnerships, and promoting social development, in addition to ensuring the sustainability of vital resources.

These initiatives and other policies are driving tremendous investment in the deployment of digital infrastructure and technologies in GCC countries. An increasing number of sectors have been moving their services and processes online to improve efficiency and quality.

(1) https://www.dell.com/en-us/dt/learn/cloud/cloud-as-a-service.htm

(2) https://www.vmware.com/topics/glossary/content/cloud-as-a-service.html#:~:text=Cloud%20as%20a%20Service%20(CaaS,pay%2Dper%2Duse%20basis.

(3) https://logicera.net/the-rise-of-cloud-computing-in-the-uae/

(4) https://www.bna.bh/en/iGACEOBahraingovernmenthassuccessfullyadoptedCloudFirstpolicy.aspx?cms=q8FmFJgiscL2fwIzON1%2BDsza1Y%2Fkue9jMtMR3lk55ms%3D#:~:text=Al%20Qaed%20said%20that%20the,to%20further%20improve%20government%20processes.

(5) https://www.vision2030.gov.sa/v2030/vrps/ntp/


According to BlueWeave Consulting, the regional cloud market is growing at a CAGR of 21%, and will reach US$9.8 billion by 2027, up from US$2.7 billion in 2020. UAE organisations have made strong progress in the transition to the cloud, ranking as the second-highest adopter of public cloud services globally (6).

Additionally, KSA has witnessed a 16% increase in cloud services from 2019 with its cloud-first policy to facilitate cloud adoption in both public and private sectors, and cloud is forecast to reach a market opportunity of up to US$10 billion by 2030 (7).

During the global tech event LEAP23 in Riyadh in February, His Excellency Eng. Abdullah bin Amer Alswaha, the Minister of Communications and IT, said investments from tech giants like Microsoft, Oracle, Huawei and Zoom would support future technologies, digital entrepreneurship and tech startups.

How would you rate cloud adoption in your company?

How would you rate cloud security in your company?

Bearing in mind we are speaking to cloud security decision-makers and leaders, it is concerning to see that 35% say cloud adoption at their own organisation is average or poor, and 36% state that cloud security at their company is also average or poor.

This suggests that although great leaps forward have been made in the region, there is still work to do – and also opportunity.

Cloud adoption clearly shows scope for further growth, but it is also vital that cloud security keeps pace with that increased adoption. The similarity between the two sets of figures from the survey suggests that this is the case, with the data almost mirroring each other.

It would have been more of a concern had adoption been outpacing security, but that does not appear to be the case. That said, even organisations with average levels of cloud adoption could (and arguably should) have excellent cloud security.

(6) https://economymiddleeast.com/news/uae-ranks-second-globally-in-public-cloud-adoption/

(7) https://datatechvibe.com/data/cloud-computing-impacting-middle-easts-transformation-goals/

[Chart: cloud adoption rating. Excellent 18%, Good 47%, Average 30%, Poor 5%.]

[Chart: cloud security rating. Excellent 16%, Good 48%, Average 29%, Poor 7%.]

SOVEREIGN AND HYBRID CLOUD – UNLEASH STRONGER DIGITAL TRANSFORMATION POWER WITH MULTI-CLOUD STRATEGY

With the growth of highly sensitive and economy-critical data stored and processed on the cloud – such as national and state government data, finance and healthcare data – it is essential to separate such data from other data on dedicated cloud infrastructure to ensure a nation’s data sovereignty.

Currently, the so-called sovereign cloud is about protecting, and taking advantage of, that highly sensitive or critical data across the public and private sectors. In practice, the sovereign cloud could provide a trusted and controllable physical place for data storage and processing under one national jurisdiction and sovereignty (8).

Clearly, the sovereign cloud would prevent data access from outside of the nation in any circumstances. Because of this, all cloud operations and service deliveries are visible, accessible and controllable for regulatory authorities, so that it is guaranteed to comply with all applicable local laws and regulations for cloud compliance purposes.

Practically, sovereign cloud is a good measure and deployment trend to defend against rapid deglobalisation and new barriers to entry resulting from increasing geopolitical tensions.

Because sovereign cloud sits within the geographical boundaries of the nation state, it can provide real-time support and safeguards for local industry, developing fledgling local cloud companies and nurturing more tech unicorns – helping to create a global digital transformation hub. As a critical foundation of digital transformation, sovereign cloud could guarantee the long-term self-sufficiency of local digital ecosystems and applications in search of new killer mega apps.

Hybrid cloud, to empower the future cloud performance

To further unleash data power at scale for various organisations, such as SMEs and the private sector, the hybrid cloud is a more practical and efficient option. Hybrid cloud mixes computing environments so that services can be delivered by running a combination of different public clouds and private clouds with on-premises data centres or even edge locations (9).

By comparison, hybrid cloud would be an increasingly common solution for migrating and managing cloud workloads and services for different kinds of users based on specific business needs. With the hybrid cloud, the advantages of both private and public cloud can be gained, while their disadvantages can also be effectively avoided.

For example, the scalability of cloud resources and reliability of public cloud can be merged with great flexibility and security, and the high cost and data security issues might also be eliminated. In summary, hybrid cloud is versatile. It can support dynamic or frequently changing workloads, separate critical workloads from less-sensitive workloads, process big data, allow a move to the cloud incrementally, support real-time processing capability and so on (10).

(8) https://www.cio.com/article/308751/why-sovereign-cloud-is-a-hot-topic-5-tips-and-the-background.html

(9) https://cloud.google.com/learn/what-is-hybrid-cloud#:~:text=A%20hybrid%20cloud%20is%20a,centers%20or%20%E2%80%9Cedge%E2%80%9D%20locations.

(10) https://www.netapp.com/hybrid-cloud/what-is-hybrid-cloud/

For instance, several industries in the Middle East region are moving to hybrid cloud. The main drivers are business expansion, resource mobility, and application migration. In the UAE, the hybrid cloud segment is predicted to grow at a higher CAGR from 2020 to 2027, with increasing adoption of hybrid cloud in industries, especially in SMEs, driven by those previously mentioned technologies (11).

Hybrid cloud features prominently, driven by rapid digital transformation needs, where increased maturity in usage of the cloud allows flexibility of the choice of on-premise, off-premise, public or private cloud options based on the data and its classification and usage patterns – thereby reducing costs, minimising risk and better assimilation to support the demands of digital transformation.

In summary, cloud solutions have different value propositions and organisations should apply cloud based on their preference case by case. Therefore, both sovereign and hybrid cloud should be involved in national or regional multi-cloud strategy to unleash stronger digital power.

CLOUD SECURITY – THE KEY CONCERN

Cybersecurity is the key concern when choosing a cloud provider.

Organisations on the cloud are experiencing regular and accelerated cyber attacks as we pivot towards the case that cyberspace is cloud computing and cybersecurity is cloud security, paving the way for the coming of a new era of the Metaverse.

(11) https://www.gmiresearch.com/report/uae-cloud-computing-market/


THE RISE OF CLOUD ATTACKS

Cloud attacks are becoming increasingly common as organisations adopt cloud computing, especially when forced to accelerate a shift to the cloud due to the COVID-19 pandemic, and the Middle East is no exception.

According to a report by cybersecurity firm Kaspersky (12), the number of ransomware attacks in the Middle East increased by 57% in the first quarter of 2021 compared to the same period in 2020. Another survey by Cybereason (13) said cyberattacks rose 71% in the UAE in 2021, with 84% of UAE companies paying a ransom – a figure that is 20% higher than the global average. Financial fraud has also increased, with attacks on banks and financial institutions. According to a report by cybersecurity firm Group-IB (14), the Middle East saw a 25% increase in financial cyberattacks in 2020, at a cost of US$18.5 billion.

According to Group-IB analysis, the credentials of more than 690,000 users in MEA were stolen by malware in 2022.

Some of the most common types of cloud cyber attacks include:

Data breaches

Data breaches occur when unauthorised individuals gain access to sensitive data stored in the cloud. This can occur due to weak passwords, misconfigured cloud services, or other security lapses.

Ransomware attacks

Ransomware attacks occur when an attacker encrypts an organisation’s sensitive data and demands a ransom payment in exchange for the decryption key. In the cloud, ransomware attacks can be especially damaging because they can spread quickly to other cloud services and systems.

Account hijacking

Account hijacking occurs when an attacker gains access to a cloud service account. This can occur due to weak passwords, phishing attacks, or other security lapses.

DDoS attacks

DDoS attacks occur when an attacker overloads a cloud service with traffic, making it unavailable to users. In the cloud, DDoS attacks can be especially damaging because they can impact multiple systems and services simultaneously.

Man-in-the-middle attacks

Man-in-the-middle attacks occur when an attacker intercepts and alters communications between two systems or users. In the cloud, man-in-the-middle attacks can be especially damaging because they can compromise sensitive data in transit.

Malware attacks

Malware attacks occur when an attacker infects a cloud service or system with malicious software. These can be especially damaging as they can spread quickly to other cloud services and systems.

Insider threats

Insider threats are a significant security risk in the cloud. For example, employees with privileged access to sensitive data may intentionally or unintentionally cause harm to an organisation.

(12) https://go.kaspersky.com/rs/802-IJN-240/images/The%20nature%20of%20cyber%20incidents.pdf?aliId=eyJpIjoiNmhFVUdZb0dsekpDd3NiUiIsInQiOiIxdEhudXVzRmVlSFFUXC9sd0M0OTBKZz09In0%253D

(13) https://www.cybereason.com/ebook-ransomware-the-true-cost-to-business

(14) https://www.group-ib.com/


DETAILED FINDINGS

INDUSTRY INSIGHTS ON CLOUD SECURITY

What is your organisation most concerned about when it comes to cloud security?

[Bar chart. Options: Data exposure, Downtime, Reputation, Financial loss, Legal / Compliance. Values shown: 30%, 35%, 21%, 10%, 4%.]

It could be argued that many of the options outlined above are intrinsically linked – data exposure could lead to reputational damage, legal issues, and financial loss as a result. It is somewhat logical, therefore, to see that data exposure is the primary concern, but also reassuring, as it highlights the importance of data security and potential impact to the organisation.

What are the most important security standards/regulations to your organisation?

[Bar chart. Options: ISO27001, ISO27017, NIST, CSA, PCI-DSS. Values shown: 52%, 65%, 45%, 31%, 30%.]

Are you happy with your vulnerability management and your cloud provider’s service-level agreement (SLA) for vulnerability remediation?

It is reassuring to see such a high proportion of respondents happy with their cloud provider’s SLA. However, as with any contract between a customer and service provider, you would expect that the customer would be happy with the terms and conditions they have signed up for, and the fact that almost 1 in 5 are not happy suggests that there may be more to this than meets the eye.

While customers are able to change cloud provider, such a migration can be time consuming, expensive, and risky – especially if your organisation is large and complicated.

[Chart: happy with vulnerability management and cloud provider’s SLA for vulnerability remediation. Yes 82%, No 18%.]

Has increased government regulation improved the quality of cloud security provision?

More than two thirds of cloud professionals in the Middle East believe that government regulation has improved the quality of cloud provision, but the fact that a third say it has not means there is clearly more work to be done as the challenges increase.

Governments – especially in the UAE and Saudi Arabia – have enforced regulation on cloud and continue to add layers of protection for their citizens and their sovereign data.

It is important to point out that organisations need to consider compliance beyond who their cloud provider may be and ultimately it is they who are responsible for their own data in their organisation.

ROUNDTABLE COMMENT

RAJESH: “The cloud was invented for a global world but I’m thinking that’s not going to happen. You will have your own cloud service provider within each country and already countries are adopting that culture – be it in the UAE or Saudi Arabia or any other country in the region. The reason is to make sure that the cloud service providers are compliant with all these regulations.”

SULTAN: “I think we’re taking something for granted, which is data sovereignty. What actual benefit, other than complying with regulation, do I gain by having the data resident in my country – physically within my country but with a private company? I know there are good answers.”

[Chart: increased government regulation has improved the quality of cloud security provision. Yes 68%, No 32%.]

When it comes to choosing a cloud provider, what is the most important factor in your decision making?

ROUNDTABLE COMMENT

SHIVANI: “This leads me to believe that this region is very security focused. They have a maturity and acceptance towards security. When it comes to security versus cost – in this region – security comes first.”

What cloud security practices have you already implemented?

[Bar chart: most important factor when choosing a cloud provider. Options: Security, Cost, Reliability, Data security, Data storage location, Customer service, Reputation. Values shown: 19%, 12%, 10%, 6%, 4%, 4%, 43%.]

[Bar chart: cloud security practices already implemented. Multi-factor authentication 74%, Access control 58%, Encryption 61%, Secure deletion 22%, Data recovery 44%, Blockchain 8%, Private Cloud 25%, Endpoint security 47%, Password strategy 48%, Penetration testing 47%, Data backup 51%, Multicloud 18%, Staff training 45%.]

Plan to implement more?

Blockchain, secure deletion, and multicloud are the only security practices listed in our survey that respondents plan to invest more in.

Blockchain shows the largest increase, from 8% to 27% – a considerable shift with more than three times as many leaders planning to invest in the technology.

ROUNDTABLE COMMENT

SULTAN: “Blockchain is a solution to a few issues. It’s also not a silver bullet. Many of the use cases where people suggest blockchain assume that it will fix something. What I would have wanted to hear in the answer to that question is simplicity. Our problem is that it is horrendously complex today and therefore has a lot of dark corners that are difficult to secure. It has to become much simpler if it’s going to be securable.”

DRAGAN: “If you’re referring to the current layers and the open source projects and everything else, I think there’s a lot of hype. What blockchain really brings to the table is zero trust, and I think this is very important as a security professional – knowing how reliable are your controls and how verifiable those things are at the level that there is irrefutable evidence. So blockchain can certainly help.

The bottom line is the preservation of integrity – the three properties of data integrity, confidentiality, and availability.”

[Bar chart: cloud security practices respondents plan to implement. Multi-factor authentication 45%, Access control 26%, Encryption 32%, Secure deletion 25%, Data recovery 22%, Blockchain 27%, Private Cloud 22%, Endpoint security 21%, Password strategy 16%, Penetration testing 23%, Data backup 21%, Multicloud 25%, Staff training 32%.]

What are your top cloud security priorities for the next 12-18 months?

ROUNDTABLE COMMENT

SHIVANI: “With the movement towards AI, security is going to be one step behind technology. Cloud was meant to be something else. Change, like geopolitical issues, have changed the way we now think of cloud. I think we need some form of standard global approach towards cloud security but it will never happen as the technology keeps changing. So I think our focus is on catching up with the technology and securing those – that is where a lot of our energy will go.”

DRAGAN: “I see attracting and retaining good talent, when it comes to managing security and looking after security for an enterprise, as being very difficult. Leadership needs to invest in fully understanding the security of the organisation. When it comes to security, we need to be more sharply focussed on what is relevant. We need to see security through the lens of a business rather than as a security professional because ultimately we serve the business.”

[Bar chart: top cloud security priorities for the next 12-18 months. Options: Zero trust, Data & Privacy, Regulatory compliance, Cloud security certification, Supplier risk, IT Modernisation, Human Capital, Devsecops. Values shown: 18%, 21%, 25%, 28%, 29%, 42%, 43%, 56%.]

Do you rely on the security capabilities of your cloud providers, such as infrastructure suppliers, operation suppliers, service providers?

ROUNDTABLE COMMENT

ALOYSIUS: “It’s high time we reviewed the shared responsibility model. This model was born more than 10 years ago, tagged to the SaaS, PaaS, and IaaS story. The story for SaaS is agility, instant on/off capability, being able to scale up and down to achieve economies of scale. That was the original story – cost reduction. Cloud was supposed to be the quick-fix to the CapEx and OpEx story that we faced in the last recession, but now we are facing a different situation.”

Do you require cloud security standards from your suppliers?

The need to ensure cloud security standards of suppliers will vary depending on the nature of the industry, but the relatively high figure of 27% not requiring such standards is a concern.

[Chart: rely on the security capabilities of cloud providers. Yes 77%, No 23%.]

[Chart: require cloud security standards from suppliers. Yes 73%, No 27%.]

What technologies will you be investing in or upgrading in the next 12-18 months?

ROUNDTABLE COMMENT

ALOYSIUS: “We need to go back to basics. When putting our heads in the cloud, we need to keep our feet firmly on the ground. We need to focus on the low-hanging fruit that we can accomplish together. When looking ahead, it is essential to talk in weeks and months rather than months and years. In cloud, change comes every 6 to 8 months.”

Do you feel that your cloud security budget for the next 12-18 months is adequate?

More than a third say they do not have sufficient budget, which could be attributed to cost cutting in tough economic times, or a lack of understanding of the importance of cloud security – until it is too late.

A new survey from NISC (15) says that globally less than half (49%) of organisations have sufficient budgets to tackle their cybersecurity needs, which suggests that budgets in the Middle East may be more generous than average. This is clearly welcome news as inadequate budgets would see organisations exposing themselves to risks that could potentially be avoided.

(15) https://www.nisc.neustar/nisc-survey-results/

[Bar chart: technologies to be invested in or upgraded in the next 12-18 months. Options: Identity and Access Management, Security Information and Event Management, Business Continuity and Disaster Recovery, Data Loss Protection. Values shown: 51%, 52%, 50%, 47%.]

[Chart: cloud security budget for the next 12-18 months is adequate. Yes 65%, No 35%.]

CLOUD SECURITY TALENT

The study also discovered a direct relationship between cloud adoption rate and the availability of cloud security professionals, where organisations are finding it extremely hard to find talent to fill their open positions. This indicates that capacity building in the area of cloud security is extremely challenging. This problem should be tackled by creating local pipelines of talents to arrest the problem in the long run.

Is it hard to fill your vacant cloud security professionals’ positions such as cloud security analysts and cloud security architect?

There are an estimated 4.5 million vacant cyber security roles globally as organisations struggle to fill positions with skilled, qualified security professionals – and that is certainly made clear in our survey.

Do you feel you have an increased voice in the boardroom?

[Chart: hard to fill vacant cloud security positions. Yes 83%, No 17%.]

[Chart: increased voice in the boardroom. Yes 66%, No 34%.]

Is cloud security taken seriously enough at your company?

Are you included in strategic decision-making at your organisation?

Traditionally, the CISO has always been seen as a back-office role or one filled only when there was an audit issue or a need to find IT support. They were seen and not heard, and rarely featured within the executive management team, let alone as a permanent agenda item in the boardroom.

As the cloud and cyber threat landscape becomes even more disruptive, cloud security professionals are clearly being listened to, and heard.

Two thirds of those surveyed say they have an increased voice in the boardroom, almost three quarters say cloud security is taken seriously enough, and a similar number say they are included in strategic decision-making at their organisation.

This is welcome news for security professionals and suggests a change in perception for a role that was seen as functional rather than strategic – and integral to the sustainability and success of the organisation.

ROUNDTABLE COMMENT

ALOYSIUS: “We need to usher in the new Golden Age of the CISO. In order that we appear among the other members of the board, you really have to talk business, and security as a business enabler. The only way out of troubled waters is with the CISO as the captain of the ship.”

[Charts for the two questions on this page, in page order: 74% Yes, 26% No; 73% Yes, 27% No]

SECURE THE FUTURE-READY INFRASTRUCTURE IN A COLLABORATIVE MANNER

With the rapidly growing migration of business, computation and data into the cloud, cloud security is no longer a new topic and is playing an increasingly critical role in digital transformation. However, with increasingly severe cloud security incidents grabbing the headlines, it has become imperative to reconsider how to secure the cloud more effectively, based on the principles of secure-by-design and zero trust. In particular, cloud security should not be treated only as a technical problem for cloud service providers and users; rather, all corresponding stakeholders need to be involved holistically, particularly regulatory authorities.

Cloud security is a global requirement. However, each region has its own culture and customised requirements that must take into consideration the local business model. The main objective of developing a working group is to work in a collaborative manner to release the cloud security framework by leveraging its members' knowledge and expertise in addressing cloud security requirements and data sovereignty in terms of data locality and 360-degree control and ownership.

The OIC-CERT Cloud Security WG has now been established, co-chaired by UAE aeCERT and Egypt egCERT, at the 2022 OIC-CERT Annual Conference (16). This working group aims to provide requirements for establishing, implementing, maintaining and continually improving a cloud security framework. The adoption of such a framework is a strategic decision for any member of the working group. The proposed framework, which is attached here, addresses end-to-end security requirements, considering that the guidelines listed in this paper are mainly business interests, needs and objectives.

The UAE will be contributing its UAE Cloud Security Framework towards this effort to encourage the development of cloud-security-as-a-service. An overview of this cloud security framework is illustrated below:

• Developed in 3 parts covering guidance and policies and culminating in a Cloud security standard document ready for implementation.

• Enables rapid adoption of Cloud strategies by the UAE government. Establishes the UAE government as the leader in Cloud security strategies and also enables interaction for international alliances and partnership.

• Zero Trust Security by Design

• Team Sport

Covering 13 Domains

Guidance

• For consumers/users and cloud service providers

• Strategic guidance document for government agencies to adopt cloud strategies

Policies

• For consumers/users

• Operational policies for immediate white labelling by UAE government agencies

Standards

• For consumers/users and cloud service providers

• For UAE government agencies to use as procurement requirement/checklist

[Figure labels: Strategic (Long Term); Operational (Short Term)]

Normative References

• ISO/IEC 27001:2013 Information Security Management Systems (ISMS)

• Multi-Tiered Cloud Security (MTCS) Singapore Standard SS584

• Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)

• ISO/IEC 31000:2018 Risk Management

• ISO/IEC 22301:2019 Security and Resilience - Business Continuity Management Systems

• UAE Smart Data Framework v2.0

• UAE Information Assurance (IA) Regulation v1.1

(16) https://www.oic-cert.org/en/events/conference/2022.html#.ZA8CBezP2rN

Governance Considerations

• Domain 1: Governance and Risk Management

• Domain 2: Audit and Compliance

• Domain 3: Human Resource Security Management

• Domain 4: Identity and Access Management

Operational Considerations

• Domain 5: Infrastructure and Virtualisation Security

• Domain 6: Data Centre Security

• Domain 7: Data Security & Info Lifecycle Management

• Domain 8: Change Control & Configuration Management

• Domain 9: Logging and Monitoring

Resilience Considerations

• Domain 10: Security Incident Management, e-Discovery and Cloud Forensic

• Domain 11: Threat & Vulnerability Management

• Domain 12: Business Continuity Management

• Domain 13: Interoperability and Portability

The framework considers compliance requirements at different levels, starting with the organisation level, then local, regional, and standard best practices. It treats identity as a new perimeter and an entry point to the cloud that requires a new way of protection and security controls.

Device classifications, along with endpoint protection, play a vital role in the new framework to assure data security and access control to the network domain, different segments and zones. Networks, according to the zero trust model, shall be secured and equipped with multiple layers of defence, inspection, and traffic filtering – ensuring a managed fault domain, availability, resiliency, and segmentation in a secure manner according to business applications.

Business offerings and services that are presented in terms of applications shall be secure and safe across the workload stack, with adequate controls and countermeasures. The data lifecycle requires a profound governance model along with technical countermeasures that protect data in all stages – in motion, at rest, and in use, as well as at data retirement.

One of the most important pillars of the proposed framework is the visibility of all businesses, identifying any form of adversary and illegitimate traffic, and responding efficiently to those potential security threats.


RESPONDENT DEMOGRAPHICS

Industries Split

• Technology: 33%

• Others: 9.9%

• Financial Services: 13.2%

• Supply Chain: 1.1%

• Construction: 3.3%

• Communications: 6.6%

• Aero & Defence: 2.2%

• Hotels & Hospitality: 5.5%

• Healthcare: 3.3%

• Food & Bev: 5.5%

• Manufacturing: 5.5%

• Energy: 6.6%

• Retail: 3.3%

• Public Sector: 1.1%

Survey Locations

• United Arab Emirates: 61%

• Other: 23%

• Saudi Arabia: 11%

• Qatar: 5%

BizClik Media Limited

Jumeirah Lakes Towers

Dubai

United Arab Emirates

bizclikmedia.com

© Copyright 2023 BizClik Media Group
