Cloud Security in Dubai · DESC ISR, DIFC & PDPL Residency

Dubai’s cloud estate is dense and regulated in a way few markets are. Most DIFC-licensed fintechs run cloud-native on AWS (me-central-1) or Azure (UAE North, physically in Dubai); Smart Dubai and government-adjacent operators increasingly land on G42/Core42 sovereign cloud; and the free-zone SaaS cluster in Internet City and JLT runs multi-account AWS and multi-subscription Azure at scale. Macksofy’s cloud-security practice reviews these the way the regulator reads them — DESC ISR cloud controls at the emirate level, DIFC Data Protection Law for the financial free zone, and Federal PDPL data-residency expectations over the top.

The engagement starts at the landing zone, not the workload. We review the AWS Organizations / Azure management-group hierarchy, the account/subscription segmentation, the guardrail set (SCPs, Azure Policy, deny-by-default networking), the centralised logging and the break-glass path — because in cloud the blast radius is decided by identity and account structure long before any single misconfiguration. For Dubai entities the landing-zone review explicitly checks region pinning: that regulated workloads and their backups are constrained to UAE regions (AWS me-central-1, Azure UAE North/Central) and that no default-region drift or cross-region replication quietly exports PDPL-scoped or DIFC personal data outside the country.

Identity is the centre of the assessment. We map the full IAM blast radius — every role-assumption and privilege-escalation path from a low-trust principal to a tenant-admin or org-management account — using a graph of trust policies, permission boundaries, Azure RBAC role assignments and PIM eligibility. For DIFC fintechs running customer-facing apps this is where the real exposure sits: an over-broad CI/CD deployment role, a wildcard `sts:AssumeRole`, an Azure managed identity with Owner on the wrong scope, or a Key Vault access policy that a compromised function app can ride to the data plane.

CSPM is the floor, not the deliverable. We run continuous posture tooling (Prowler, ScoutSuite, the cloud-native Security Hub / Defender for Cloud feeds) to enumerate misconfiguration at breadth, then manually validate and prioritise against the DESC ISR cloud annex and the client’s data-classification. Public storage, unencrypted volumes, permissive security groups and exposed management planes are triaged by exploitability and by whether the affected data is DIFC-personal, PDPL-scoped or regulated-financial — so the bank’s CISO gets a risk-ranked list tied to the regulator, not a 4,000-line CSPM CSV.

Workload and data-plane testing follows. We review container and Kubernetes posture (EKS/AKS RBAC, pod-security, the node-to-control-plane trust, image provenance), serverless function permissions, and the secrets-management chain end to end. Data-layer review covers encryption at rest and in transit, KMS/Key Vault key custody and rotation, database authentication (IAM-auth vs static credentials), and — critically for Dubai — where customer data physically resides and how cross-border processing is documented for the DIFC commissioner and the UAE Data Office.

The deliverable is regulator-grade. Every finding carries a manually-validated proof, a CVSS-style severity, a business-impact score tied to the data class and the regulator, and remediation as deployable infrastructure-as-code where possible — a corrected SCP, a tightened Azure Policy, a least-privilege role definition — so the AppSec and platform teams can ship the fix, not just read about it. The executive summary maps findings to the DESC ISR cloud control set and the DIFC DP-Law obligations, and we attach the region-residency attestation that DESC and DFSA reviewers increasingly ask for.

Cadence matches Dubai procurement. Most cloud-security programmes run an initial deep-dive plus quarterly posture re-reviews tied to the client’s release velocity, with continuous CSPM in between. Senior consultants fly Mumbai BKC → DXB (3 hours) for kickoff, the landing-zone workshop and the exit readout — reaching DIFC, Internet City or Business Bay in 20-30 minutes from the airport — while the bulk of the assessment runs remotely against read-only audit roles scoped through a documented access request. For sustained programmes we maintain an embedded Dubai-resident tech lead.

For DIFC and DFSA-supervised clients the engagement also produces the cloud exhibits the regulator and the board expect: a shared-responsibility matrix per service, a cloud-concentration-risk view, an IAM blast-radius diagram for the audit committee, and a one-page cloud-residency attestation the Company Secretary can drop straight into the governance pack.