The national cloud security policy adopted in the UAE can serve as “a detailed checklist” for businesses seeking to take advantage of new technologies made available by cloud service providers (CSPs), a Dubai-based expert in technology and cybersecurity law has said.
Martin Hayward of Pinsent Masons said the policy, issued by the UAE’s Cyber Security Council, reflects the UAE government's continued focus on developing a UAE cloud computing industry, on moving the government’s own IT estate securely to the cloud, and on making the UAE a global leader in cybersecurity. He added that it acts as another important building block in the UAE’s National Cyber Security Governance Framework and, more broadly, demonstrates the UAE’s continued focus on emerging technologies like AI and IoT, all of which require cloud computing as a platform.
“The national cloud security policy provides a detailed checklist for cloud customers on what they need in place with a cloud services provider – as well as what they need in their contracts with their cloud services providers and what due diligence they need to undertake on cloud services providers,” said Hayward.
“The policy addresses a series of issues, including governance, supply chain risk, data location, interoperability, IT and data centre security and resilience. UAE government and critical infrastructure entities must adhere to the policy when buying and using cloud services in the UAE. It is also mandatory for cloud service providers. Whilst not mandated for other cloud customers, the policy will act as an important set of best practice guidelines for cloud computing adoption,” he said.
An example of the governance requirements outlined in the policy is the expectation that senior leaders of cloud customer organisations take responsibility for establishing a “cloud security program” within their organisation, ensure there is “apparent oversight and direction” to the program, and assign budget, people and technology to it so that it is successfully implemented.
Cloud customers are also expected to “perform legal due diligence and review all contractual obligations in detail prior to engaging” CSPs, to ensure that their use of the cloud services “will be commensurate with the organisation’s risk profile”.
To address security risks in the supply chain, cloud customers are expected to “identify the security risks of using supply chain resources” and work with cloud service providers “to understand third party suppliers’ compliance with the cloud security requirements”. They must engage adequately skilled third parties to “conduct independent security control implementation testing” so that they “reduce reliance on supplier assertions”.
As well as having policies and processes in place around data classification and handling, cloud customers must also know the location of their data “at all stages”. When negotiating cloud contracts, customers must further “ensure that [cloud service providers] operate within acceptable legal jurisdiction(s)”.
Interoperability and portability provisions in the policy are designed to ensure that cloud customers “can select various diverse CSPs that can cooperate and interoperate with each other”, that vendor lock-in is avoided, and that mobility between CSPs is preserved. The expectations on cloud customers in this regard include that they “perform a comprehensive assessment on their needs and requirements for interoperability of their services and respective CSPs” if they plan to use, or already use, multiple cloud services. They must also insist that “industry standards and available APIs are consistently utilised and applied across their data and cloud services to support interoperability”.
Under the policy, cloud customers are also expected to “validate the effectiveness of the physical security controls” that cloud service providers put in place at data centres. They must also establish, and regularly test, incident management, response and reporting processes for the cloud services they use, and put measures in place to ensure they can access backed-up information securely in the event an incident arises that locks them out of their main systems and data.
To further promote resilience, the policy requires cloud customers to give thought to their “requirements for operational continuity”, to build in resilience through back-ups and the development of formal business continuity and recovery plans, and to set thresholds including the maximum period of disruption they can tolerate.
The policy sets out a similar set of detailed requirements that cloud service providers must meet in order to operate in the UAE.
The policy also sets out requirements, for both cloud customers and CSPs, for compliance self-assessments against the policy requirements and annual reporting.