Executive summary
A journey of thousands of miles must start from the first step. Cloud computing security has been on the agenda for more than a decade, yet there are critical steps that demand urgent attention and focus.
In this research, we comprehensively reconsider and survey cloud adoption in the Middle East, discuss better cloud solutions, and explore a collaborative approach to secure this future-ready digital infrastructure.
The results of our survey and insights from the roundtable events suggest the following key findings:
Sovereign cloud is trending due to rapid deglobalisation and new barriers of entry as a result of geopolitical tensions. These have motivated the need to be self-sufficient and for data to be kept within geographical boundaries of nation states. It provides local industry support and safeguards the growth and development of fledgling local (cloud) companies in order to nurture more tech unicorns and evolve the region into a global digital hub.
Sovereign cloud benefits development to deliver long term self-sufficiency of the local ICT ecosystem and applications in search of a new killer mega app.
Hybrid cloud is featured prominently, driven by rapid digital transformation needs. Increased maturity in cloud usage allows flexibility of choice of on-premise, off-premise, public or private cloud options based on the data, its classification and usage patterns – thereby reducing costs, minimising risk and better assimilation to support the demands of digital transformation.
Cybersecurity is the key concern when choosing a cloud provider. From another perspective, organisations on the cloud are experiencing regular and accelerated cyber attacks as we pivot towards the case that cyberspace is cloud computing and cybersecurity is cloud security, paving the way for a new era of the Metaverse.
Cloud computing adoption driven by a cloud-first strategy is gaining traction fast in the Middle East, with the United Arab Emirates and Saudi Arabia leading the way. These nations are also the most matured entities when it comes to leveraging the cloud to meet digital transformation demands.
The study discovered a direct relationship between cloud adoption rate and the availability of cloud security professionals, where organisations are finding it hard to find talent to fill their open positions. This indicates that capacity building in the area of cloud security is extremely challenging today and should be tackled by creating local pipelines of talent to arrest this in the long run.
Cloud Adoption in the Middle East – a future-ready infrastructure
Cloud adoption in the Middle East has experienced rapid growth, and it is almost impossible to see ‘non-cloud’ environments recently. With the benefits of computing and storage efficiency, cost-effectiveness and access flexibility of cloud computing, it has been an obvious choice for the government, enterprise, education, healthcare, and many other social sectors that are using one or more cloud services in their daily business.
It is still not all about what “cloud as a service” unleashes for the whole market and industry. Cloud service growth is the reason for the spread of other advanced digital technologies, such as artificial intelligence, machine learning, and internet of things (IoT).
More specifically, cloud computing is facilitating the digital transformation and digital economy development in the Middle East. And many ME countries have released their own initiatives to adopt digital technologies to achieve national transformation goals.
For example, UAE Vision 2021, Dubai Smart City, and Abu Dhabi Vision 2030 are focused on accelerating the demand for real-time operations for the transformation of public services and experience. All these initiatives are boosting and will boost the usage of cloud computing in the region.
Bahrain’s cloud-first policy aims to encourage the deployment of advanced technologies and systems in the IT sector to enhance the public’s quality of life by providing highly efficient services. Bahrain will continue implementing this policy on a wider scale and to further improve government processes.
Saudi Arabia’s National Transformation Program aims to develop necessary infrastructure and create an environment that enables the public, private and non-profit sectors to achieve Vision 2030 – accomplished by achieving governmental operational excellence, supporting digital transformation, enabling the private sector, developing economic partnerships, and promoting social development, in addition to ensuring the sustainability of vital resources.
Those initiatives and other policies promote the tremendous investments for those digital infrastructure and technologies deployment in GCC countries. An increasing number of sectors have been making their services and processes online to improve efficiency and quality.
According to Blueweave Consulting, the regional cloud market is growing at a CAGR of 21%, and will reach US$9.8 billion by 2027, up from US$2.7 billion in 2020. UAE organisations have made strong progress in the transition to the cloud, ranking as the second-highest adopter of public cloud services globally.
Additionally, KSA has witnessed a 16% increase in cloud services from 2019 with its cloud first policy to facilitate cloud adoption in both public and private sectors. And cloud is forecasted to reach a market opportunity of up to US$10 billion dollars by 2030.
During the global tech event LEAP23 in Riyadh in February, His Excellency Eng. Abdullah bin Amer Alswaha, the Minister of Communications and IT, said investments from tech giants like Microsoft, Oracle, Huawei and Zoom would support future technologies, digital entrepreneurship and tech startups.
Q. How would you rate cloud adoption in your company?
Excellent 18%
Good 47%
Average 30%
Poor 5%
Q. How would you rate cloud security in your company?
Excellent 16%
Good 48%
Average 29%
Poor 7%
Bearing in mind we are speaking to cloud security decision-makers and leaders, it is concerning to see that 35% say cloud adoption at their own organisation is average or poor, and 36% state that cloud security at their company is also average or poor.
This suggests that although great leaps forward have been made in the region, there is still work to do – and also opportunity.
Cloud adoption clearly shows scope for further growth, but it is also vital that cloud security keeps pace with that increased adoption. The similarity between the two sets of figures from the survey suggests that this is the case, with the data almost mirroring each other.
It would have been more of a concern had adoption been outpacing security, but that does not appear to be the case. That said, even organisations with average levels of cloud adoption could (and arguably should) have excellent cloud security.
Sovereign and hybrid cloud – unleash stronger digital transformation power with multiple cloud strategy
With the growth of highly sensitive and economy-critical data stored and processed on the cloud – such as national and state government data, finance and healthcare data – it is essential to distinguish them from other data according to dedicated cloud infrastructure to ensure a nation’s data sovereignty.
Currently, the so-called sovereign cloud is about protection and taking advantage of those highly sensitive or critical data in terms of public and private sectors. Practically, the sovereign cloud could provide a trusted and controllable physical place for data storage and process under one national jurisdiction and sovereignty.
Clearly, the sovereign cloud would prevent data access from outside of the nation in any circumstances. Because of this, all cloud operations and service deliveries are visible, accessible and controllable for regulatory authorities, so that it is guaranteed to comply with all applicable local laws and regulations for cloud compliance purposes.
Practically, sovereign cloud is a good measure and deployment trend to defend against rapid deglobalisation and new barriers of entry as a result of increasing or even jeopardised geopolitical tensions.
Due to sovereign cloud being within geographical boundaries of the nation state, it can provide real time support and safeguard for local industry to develop fledgling local cloud companies to nurture more tech unicorns – helping to create a global digital transformation hub. As a critical foundation of digital transformation, sovereign cloud could guarantee the long-term self-sufficiency of local digital ecosystems and applications in search of new killer mega apps.
Hybrid cloud, to empower the future cloud performance
To further unleash the stronger data power at scale for various organisations, such as SMEs and the private sector, the hybrid cloud is a more practical and efficient option. Hybrid cloud mixes computing environments so that services could be delivered by running a combination in different public clouds and private clouds with on-premises data centres or even edge locations.
By comparison, hybrid cloud would be an increasingly common solution to migrate and manage cloud workloads and services for different kinds of users based on specific business needs. With the hybrid cloud, the advantages of both private and public cloud would be taken, while their disadvantages could also be effectively avoided.
For example, the scalability of cloud resources and reliability of public cloud and great flexibility and security could be merged together. And the high cost, data security issues might be also eliminated. In summary, hybrid cloud is versatile. It can provide dynamic or frequently changing workloads, separate critical workloads from less-sensitive workloads, process big data, locally move to cloud incrementally, support real-time process capability and so on.
For instance, it has been seen that several industries are moving to hybrid cloud in the Middle East region. The main driver is business expansion, resource mobility, and application migration. In the UAE, it has been predicated that the hybrid cloud segment is expected to grow at higher CAGR from 2020 to 2027 with increasing adoption of hybrid cloud in industries, especially in SMEs by those previously mentioned remarkable technologies.
Hybrid cloud features prominently, driven by rapid digital transformation needs, where increased maturity in usage of the cloud allows flexibility of the choice of on-premise, off-premise, public or private cloud options based on the data and its classification and usage patterns – thereby reducing costs, minimising risk and better assimilation to support the demands of digital transformation.
In summary, cloud solutions have different value propositions and organisations should apply cloud based on their preference case by case. Therefore, both sovereign and hybrid cloud should be involved in national or regional multi-cloud strategy to unleash stronger digital power.
Cloud security – the key concern
Cybersecurity is the key concern when choosing a cloud provider. Organisations on the cloud are experiencing regular and accelerated cyber attacks as we pivot towards the case that cyberspace is cloud computing and cybersecurity is cloud security, paving the way for the coming of a new era of the Metaverse.
The rise of cloud attacks
Cloud attacks are becoming increasingly common as organisations adopt cloud computing, especially when forced to accelerate a shift to the cloud due to the COVID-19 pandemic, and the Middle East is no exception.
According to a report by cybersecurity firm Kaspersky, the number of ransomware attacks in the Middle East increased by 57% in the first quarter of 2021 compared to the same period in 2020. Another survey by Cybereason said cyberattacks rose 71% in the UAE in 2021, with 84% of UAE companies paying a ransom – a figure that is 20% higher than the global average. Financial fraud has also increased, with attacks on banks and financial institutions. According to a report by cybersecurity firm Group-IB, the Middle East saw a 25% increase in financial cyberattacks in 2020, at a cost of US$18.5 billion. According to Group-IB analysis, the credentials of more than 690,000 users in MEA were stolen by malware in 2022.
Some of the most common types of cloud cyber attacks include:
Data breaches
Data breaches occur when unauthorised individuals gain access to sensitive data stored in the cloud. This can occur due to weak passwords, misconfigured cloud services, or other security lapses.
Ransomware attacks
Ransomware attacks occur when an attacker encrypts an organisation's sensitive data and demands a ransom payment in exchange for the decryption key. In the cloud, ransomware attacks can be especially damaging because they can spread quickly to other cloud services and systems.
Account hijacking
Account hijacking occurs when an attacker gains access to a cloud service account. This can occur due to weak passwords, phishing attacks, or other security lapses.
DDoS attacks
DDoS attacks occur when an attacker overloads a cloud service with traffic, making it unavailable to users. In the cloud, DDoS attacks can be especially damaging because they can impact multiple systems and services simultaneously.
Man-in-the-middle attacks
Man-in-the-middle attacks occur when an attacker intercepts and alters communications between two systems or users. In the cloud, man-in-the-middle attacks can be especially damaging because they can compromise sensitive data in transit.
Malware attacks
Malware attacks occur when an attacker infects a cloud service or system with malicious software. These can be especially damaging as they can spread quickly to other cloud services and systems.
Insider threats
Insider threats are a significant security risk in the cloud. For example, employees with privileged access to sensitive data may intentionally or unintentionally cause harm to an organisation.
Industry insights on cloud security
Q. What is your organisation most concerned about when it comes to cloud security?
Data exposure 35%
Downtime 30%
Reputation 21%
Financial loss 10%
Legal / Compliance 4%
It could be argued that many of the options outlined above are intrinsically linked – data exposure could lead to reputational damage, legal issues, and financial loss as a result. It is somewhat logical, therefore, to see that data exposure is the primary concern, but also reassuring, as it highlights the importance of data security and potential impact to the organisation.
Q. What are the most important security standards/regulations to your organisation?
ISO27001 65%
ISO27017 52%
NIST 45%
CSA 31%
PCI-DSS 30%
Other: SAMA, PDPL, Dubai ISR V2, Central Bank of UAE,
Q. Are you happy with your vulnerability management and your cloud provider’s service-level agreement (SLA) for vulnerability remediation?
YES 82%
NO 18%
It is reassuring to see such a high figure who are happy with their cloud provider’s SLA. However, as with any contract between a customer and service provider, you would expect that the customer would be happy with the terms and conditions they have signed up for, and the fact that almost 1 in 5 are not happy suggests that there may be more to this than meets the eye.
While customers are able to change cloud provider, such a migration can be time consuming, expensive, and risky – especially if your organisation is large and complicated.
Q. Has increased government regulation improved the quality of cloud security provision?
YES 68%
NO 32%
More than two thirds of cloud professionals in the Middle East believe that government regulation has improved the quality of cloud provision, but the fact that a third say it has not means there is clearly more work to be done as the challenges increase.
Governments – especially in the UAE and Saudi Arabia – have enforced regulation on cloud and continue to add layers of protection for their citizens and their sovereign data.
It is important to point out that organisations need to consider compliance beyond who their cloud provider may be and ultimately it is they who are responsible for their own data in their organisation.
RAJESH: “The cloud was invented for a global world but I'm thinking that's not going to happen. You will have your own cloud service provider within each country and already countries are adopting that culture – be it in the UAE or Saudi Arabia or any other country in the region. The reason is to make sure that the cloud service providers are compliant with all these regulations.”
SULTAN: “I think we're taking something for granted, which is data sovereignty. What actual benefit, other than complying with regulation, do I gain by having the data resident in my country – physically within my country but with a private company? I know there are good answers. “
Q. When it comes to choosing a cloud provider, what is the most important factor in your decision making?
Security 43%
Cost 19%
Reliability 12%
Data security 10%
Data storage location 6%
Customer service 4%
Reputation 4%
SHIVANI: “This leads me to believe that this region is very security focused. They have a maturity and acceptance towards security. When it comes to security versus cost – in this region – security comes first.”
Q. What cloud security practices have you already implemented?
Multi-factor authentication 74%
Access control 58%
Encryption 61%
Secure deletion 22%
Data recovery 44%
Blockchain 8%
Private Cloud 25%
Endpoint security 47%
Password strategy 48%
Penetration testing 47%
Data backup 51%
Multicloud 18%
Staff training 45%
Q. Plan to implement more?
Multi-factor authentication 45%
Access control 26%
Encryption 32%
Secure deletion 25%
Data recovery 22%
Blockchain 27%
Private Cloud 22%
Endpoint security 21%
Password strategy 16%
Penetration testing 23%
Data backup 21%
Multicloud 25%
Staff training 32%
Blockchain, secure deletion, and multicloud are the only security practices listed in our survey that respondents plan to invest more in.
Blockchain shows the largest increase, from 8% to 27% – a considerable shift with more than three times as many leaders planning to invest in the technology.
SULTAN: “Blockchain is a solution to a few issues. It's also not a silver bullet. Many of the use cases where people suggest blockchain assume that it will fix something. What I would have wanted to hear in the answer to that question is simplicity. Our problem is that it is horrendously complex today and therefore has a lot of dark corners that are difficult to secure. It has to become much simpler if it's going to be securable.”
DRAGAN: “If you're referring to the current layers and the open source projects and everything else, I think there's a lot of hype. What blockchain really brings to the table is zero trust, and I think this is very important as a security professional – knowing how reliable are your controls and how verifiable those things are at the level that there is irrefutable evidence. So blockchain can certainly help.
The bottom line is the preservation of integrity – the three properties of data integrity, confidentiality, and availability.
Q. What are your top cloud security priorities for the next 12-18 months?
Zero trust 56%
Data & Privacy 43%
Regulatory compliance 42%
Cloud security certification 29%
Supplier risk 28%
IT Modernisation 25%
Human Capital 21%
Devsecops 18%
SHIVANI: “With the movement towards AI, security is going to be one step behind technology. Cloud was meant to be something else. Change, like geopolitical issues, have changed the way we now think of cloud. I think we need some form of standard global approach towards cloud security but it will never happen as the technology keeps changing. So I think our focus is on catching up with the technology and securing those – that is where a lot of our energy will go.”
DRAGAN: “I see attracting and retaining good talent, when it comes to managing security and looking after security for an enterprise, as being very difficult. Leadership needs to invest in fully understanding the security of the organisation. When it comes to security, we need to be more sharply focussed on what is relevant. We need to see security through the lens of a business rather than as a security professional because ultimately we serve the business.”
Q. Do you rely on the security capabilities of your cloud providers, such as infrastructure suppliers, operation suppliers, service providers?
YES 77%
NO 23%
ALOYSIUS: “It’s high time we reviewed the shared responsibility model. This model was born more than 10 years ago, tagged to the SaaS, PaaS, and IaaS story. The story for Saas is agility, instant on/off capability, being able to scale up and down to achieve economies of scale. That was the original story – cost reduction. Cloud was supposed to be the quick-fix to the CapEx and OpEx story that we faced in the last recession, but now we are facing a different situation.”
Q. Do you require cloud security standards from your suppliers?
YES 73%
NO 27%
The need to ensure cloud security standards of suppliers will vary depending on the nature of the industry, but the relatively high figure of 27% not requiring such standards is a concern.
Q. What technologies will you be investing in or upgrading in the next 12-18 months?
Identity and Access Management 52%
Security Information and Event Management 51%
Business Continuity and Disaster Recovery 50%
Data Loss Protection 47%
ALOYSIUS: “We need to go back to basics. When putting our heads in the cloud, we need to keep our feet firmly on the ground. We need to focus on the low-hanging fruit that we can accomplish together.
When looking ahead, it is essential to talk in weeks and months rather than months and years. In cloud, change comes every 6 to 8 months.”
Q. Do you feel that your cloud security budget for the next 12-18 months is adequate?
YES 65%
NO 35%
More than a third say they do not have sufficient budget, which could be attributed to cost cutting in tough economic times, or a lack of understanding of the importance of cloud security – until it is too late.
A new survey from NISC says that globally less than half (49%) of organisations have sufficient budgets to tackle their cybersecurity needs, which suggests that budgets in the Middle East may be more generous than average. This is clearly welcome news as inadequate budgets would see organisations exposing themselves to risks that could potentially be avoided.
Cloud security talent
The study also discovered a direct relationship between cloud adoption rate and the availability of cloud security professionals, where organisations are finding it extremely hard to find talent to fill their open positions. This indicates that capacity building in the area of cloud security is extremely challenging. This problem should be tackled by creating local pipelines of talents to arrest the problem in the long run.
Q. Is it hard to fill your vacant cloud security professionals' positions such as cloud security analysts and cloud security architect?
YES 83%
NO 17%
There are an estimated 4.5 million vacant cyber security roles globally as organisations struggle to fill positions with skilled, qualified security professionals – and that is certainly made clear in our survey.
Q. Do you feel you have an increased voice in the boardroom?
YES 66%
NO 34%
Q. Is cloud security taken seriously enough at your company?
YES 73%
NO 27%
Q. Are you included in strategic decision-making at your organisation?
YES 74%
NO 26%
Traditionally, the CISO has always been seen as a back-office role or one filled only when there was an audit issue or a need to find IT support. They were seen and not heard, and rarely featured within the executive management team, let alone as a permanent agenda item in the boardroom.
As the cloud and cyber threat landscape becomes even more disruptive, cloud security professionals are clearly being listened to, and heard.
Two third of those surveyed say they have an increased voice in the boardroom, almost three quarters say cloud security is taken seriously enough, and a similar number say they are included in strategic decision making at their organisation.
This is welcome news for security professionals and suggests a change in perception for a role that was seen as functional rather than strategic – and integral to the sustainability and success of the organisation.
ALOYSIUS: “We need to usher in the new Golden Age of the CISO. In order that we appear among the other members of the board, you really have to talk business, and security as a business enabler. The only way out of troubled waters is with the CISO as the captain of the ship.”
Secure the future-ready infrastructure in a collaborative manner
With rapidly growing migration of business, computation and data into the cloud, cloud security is no longer a new topic and is increasingly playing a more critical role in digital transformation. However, with increasing severe cloud security incidents grabbing the headlines, it has become imperative to reconsider how to secure the cloud more effectively based on principles about secure-by-design, and zero trust. In particular, cloud security should not only be treated as a technical problem for both cloud service providers and users. But rather, all corresponding stakeholders need to be involved holistically, particularly regulatory authorities.
Cloud security is a global requirement. However, each region has its own culture and customised requirements that must take into consideration the local business model. The main objective of developing a working group is to work in a collaborative manner to release the cloud security framework through leveraging their knowledge and expertise in addressing cloud security requirements and data sovereignty in terms of data locality and 360-degree control and ownership.
OIC-CERT Cloud Security WG has been established and co-chaired by UAE aeCERT and Egypt egCERT at Annual Conference. This working group is to provide requirements for establishing, implementing, maintaining and continually improving a cloud security framework. The adoption of such a framework is a strategic decision for any member of the working group. The proposed framework addresses end-to-end security requirements, considering the guidelines listed in this paper are mainly business interests, needs and objectives.
The UAE is willing to contribute its UAE Cloud Security Framework towards this effort. An overview of this cloud security framework is illustrated below:
The framework considers compliance requirements at different levels, starting with the organisation level, local, regional, and standard best practices. The framework considers the identity as a new perimeter and an entry point to the cloud that requires a new way of protection and security controls.
Device classifications, along with endpoint protection, play a vital role in the new framework to assure data security and access control to the network domain, different segments and zones. Networks, according to the zero trust model, shall be secured and equipped with different and multiple layers of defence, inspection, and traffic filtering – ensuring a managed fault domain, availability, resiliency, and segmentation in a secure means according to business applications.
Business offerings and services that are presented in terms of applications shall be secure and safe across the workload stack, considering the adequate controls and counter measures. Data lifecycle requires a profound governance model along with technical countermeasures considering data protection in all stages – such as in motion, at rest, and in use along with data retirement as well.
One of the most important pillars of the proposed framework is the visibility of all businesses and identifying any form of adversary and illegitimate traffic and to efficiently respond to those potential security threats.