Introduction
Cloud computing in recent times has brought in rapid advances in the delivery of digital services. It is also a key driving force in future technology breakthroughs, big data analytics, Artificial Intelligence (AI) and the Internet of Things (IoT). While its adoption has seen dramatic changes in providing cost-effective, agile, scalable, on-demand technology services to customers, like any emerging technology, cloud computing has also introduced unique complexities and cyber security challenges. The increased adoption of cloud services locally and globally, naturally entails an increase in the threat landscape. Ensuring the security of the UAE’s digital transformation requires a holistic approach, which addresses risks and enables innovation.
The Council has established this policy to enhance cloud security, aligned with the UAE’s national priority to be a global leader in cyber security; and enhance the security posture of organizations and individuals within the UAE using cloud services.
Cloud Consumers
The following section outlines the policy domains and sub-domains applicable to cloud consumers in the UAE. The policy sub-domains further elaborate on the objectives and policy statements.
Cloud Governance
Requirements to establish leadership and governance for cloud security. It focuses on promptly identifying and addressing risks, ensuring that all personnel are aware of their responsibilities, and reducing the chances of supply chain compromise through effective security measures.
Contractual Agreements
Requirements to protect the confidentiality of cloud consumer data and proactively safeguard the rights of both consumers and CSPs through well-defined contractual obligations.
Data Security and Lifecycle Management
Requirements to ensure the protection of data through proper classification and robust security measures for data at rest, in transit, and during processing.
Data Location and Sovereignty
Requirements to ensure that cloud consumers are aware about the location at which data is stored, processed, and managed from.
Interoperability and Portability
Requirements to ensures that the cloud consumer can select various diverse CSPs that can cooperate and interoperate with each other and to protect the cloud consumers from vendor lock-in.
Cloud Architecture, Infrastructure & Virtualization
Requirements to ensures that changes are managed in cloud infrastructure, ensuring data center security, and asset management, application security and device hardening.
Identity and Access Management
Requirements to prevent unauthorized access to infrastructure, applications, and data.
Security Incident Management, E-Discovery, and Cloud Forensics
Requirements to ensures minimization of the impact of security incidents, ensuring timely reporting, and supporting thorough investigations and legal proceedings.
Cloud Resilience
Requirements to ensures high availability of information and resources to minimize the impacts of regulatory non-compliance and data loss incidents.
Cloud Service Providers
This section outlines the policy domains and sub-domains applicable to cloud service providers in the UAE.
Cloud Governance
Requirements to coordinate the overall management of the service and security of information, ensure integration of security and privacy into operational risk processes, mitigate risks of data compromise, strengthen supply chain security, and ensure the implementation of cloud security controls and objectives..
Contractual Agreements
Requirements to protect the confidentiality of consumer data and safeguard the rights of both consumers and CSPs through well-defined contractual agreements.
Data Security and Lifecycle Management
Requirements to protect data with encryption and best practices for key management throughout its lifecycle.
Data Location and Sovereignty
Requirements to Ensures transparency regarding data processing and storage locations to maintain consumer trust.
Interoperability and Portability
Requirements to maximize interoperability between different CSPs, allowing cloud consumers the flexibility to switch between providers with ease.
Cloud Architecture, Infrastructure & Virtualization
Requirements to Ensures that changes are managed in cloud infrastructure, ensuring data center security, and asset management, application security and device hardening.
Identity and Access Management
Requirements to prevent unauthorized access to infrastructure, applications, and data.
Security Incident Management, E-Discovery, and Cloud Forensics
Requirements on promptly reporting and containing security incidents, supporting legal processes, and maintaining overall system integrity.
Cloud Resilience
Requirements for the CSPs to meet consumer expectations for continuous service availability and operational continuity.
Cloud Operation and Maintenance
Requirements for CSPs to ensure operational sovereignty and maintain service reliability through effective cloud operations and maintenance practices, including on-site technical support for Sovereign Cloud environments.
Integration with UAE Initiatives
Requirements for CSPs to align with UAE national priorities by integrating with government cyber security initiatives, promoting Emiratization, supporting national workforce development, and fostering local innovation.
Read more:
Updated on:
23 Oct 2025
