Macksofy Technologies
UAE · Cloud Security
CERT-In Empanelled · UAE

Cloud Security Audit in the UAE · Federal

Cloud security audit across the UAE on AWS Bahrain / UAE, Azure UAE North / Central, OCI Abu Dhabi, Google Cloud Dammam and G42 sovereign cloud — UAE IAS, DESC ISR v2, ADHICS, DFSA / FSRA and Smart Dubai cloud-first policy aligned.

  • Regulators: UAE IAS · DESC · ADHICS · DFSA · FSRA · SIA · TDRA · PDPL
  • Clouds: AWS · Azure · OCI · GCP · G42 sovereign
  • AR + EN: bilingual reporting where required
  • 0-12 wk: engagement duration by scope
Cloud Security in UAE

How a Macksofy cloud security engagement runs in UAE.

UAE cloud-security audits sit under a layered regulatory stack that no global Big-4 cloud-audit template handles cleanly:

  • UAE IAS (NESA) at the federal level via the UAE Cybersecurity Council and TDRA, with the Critical Information Infrastructure Protection (CIIP) overlay for designated sectors.
  • Dubai Electronic Security Centre (DESC) Information Security Regulation v2 for any Dubai-government and semi-government workload, with the Smart Dubai cloud-first policy directing public-sector workloads to approved cloud regions.
  • Abu Dhabi Health Information and Cyber Security (ADHICS) for any healthcare workload in Abu Dhabi (DOH-regulated hospitals, clinics, payers and the Malaffi health-information exchange).
  • SIA / TDRA cloud-policy for licensed telecom and digital-government operators.
  • DFSA / FSRA technology-risk modules for free-zone BFSI in DIFC and ADGM respectively.
  • UAE Federal PDPL 2021 for personal-data-processing workloads with the UAE Data Office cross-border-transfer overlay.

Audits have to evidence the right controls per workload, not a single relabelled global template, and the inspector will not accept a CIS-only scorecard.

We audit UAE cloud estates across the full set of regions that actually serve UAE workloads. AWS Bahrain (me-south-1) plus the AWS UAE Local Zone (Dubai) when available, with cross-region pairing to AWS Bahrain or AWS Frankfurt depending on the residency obligation; Microsoft Azure UAE North (Dubai) and UAE Central (Abu Dhabi) as the primary federal-residency-acceptable pairing; Oracle Cloud Infrastructure Abu Dhabi region used by several federal and semi-government workloads; Google Cloud Dammam (me-central2) where UAE BFSI has chosen GCP as the analytics fabric and the Bahrain / KSA cross-region is the BCP design; and the G42 / Core42 sovereign-cloud regions (Khazna data centres, the Etisalat / e& enterprise cloud, the Bayanat-adjacent geospatial cloud) for the federal-ministry workloads that require sovereign hosting under the UAE Cybersecurity Council guidance. We also audit the hybrid links back to on-prem datacentres in Khazna (Abu Dhabi), Equinix DX1 / DX2 (Dubai), Etisalat / e&-operated colocation sites, and the operator-specific managed-services overlays.

Findings are mapped per workload to UAE IAS Tier-1 / Tier-3 control profiles, DESC ISR v2 cloud-specific controls (the v2 update introduced cloud-operations-specific evidence requirements absent from v1), ADHICS Section 4 (technical controls) for healthcare workloads, DFSA Technology Risk GEN 6 cloud annex for DIFC BFSI, FSRA cloud-risk expectations for ADGM, SIA / TDRA cloud-policy for licensed operators, ISO 27017 / 27018 for the cloud-baseline crosswalk, and the CIS AWS / Azure / OCI / GCP Foundations Benchmarks for the technical scorecard layer. UAE Federal PDPL Article 22 cross-border-transfer evidence is recorded per workload with the UAE Data Office submission template where in scope. Data residency, sovereignty (the distinction matters under UAE law — residency-in-region is not the same as sovereign-control-of-operations), and KMS / HSM key-custody arrangements are evidenced explicitly per workload.

Common scopes we deliver against: a federal-ministry workload on a G42 / Core42 sovereign-cloud region with the cross-region DR design and the UAE Cybersecurity Council CIIP applicability assessment; a Dubai-government / semi-government smart-services platform (the kind of workload that anchors Smart Dubai initiatives) with DigitalDubai / UAE PASS integration audit and the DESC ISR v2 cloud-controls pack; an ADHICS-regulated healthcare workload on Azure UAE North with the Malaffi HIE integration and the DOH-specific evidence; a DFSA-regulated BFSI workload in DIFC running on AWS Bahrain primary and Frankfurt DR with the GEN 6 cloud annex evidence; a FSRA-regulated ADGM asset-management workload on Azure UAE Central with the cross-region pairing to UAE North; a multinational regional-HQ workload spanning UAE and onward to KSA (SAMA CSF / NCA ECC-2 overlay), Egypt, Bahrain or Oman; and the federal-CIIP designated workload running across multiple emirates with the per-emirate audit reconciliation.

Engagements run 4-6 weeks for a single-cloud single-workload audit, 6-8 weeks for a multi-cloud landing zone, 8-10 weeks for a federal-CIIP designated workload audit with cross-emirate reconciliation, and 10-12 weeks for the largest multi-cloud + sovereign-cloud hybrid estates. Onsite kickoff is in Dubai (DIFC / Business Bay / Internet City), Abu Dhabi (Al Maryah Island / ADGM / Khalifa City) or Sharjah depending on the client. A UAE-resident lead consultant remains onsite throughout the engagement, with Mumbai BKC senior support flying in for the board reviews and the major regulator-pack walkthroughs. We coordinate directly with the hyperscaler's UAE / KSA / Bahrain account team — AWS MENA / EMEA, Microsoft Gulf, Oracle Cloud Gulf, Google Cloud MENA — and the on-prem / sovereign-cloud operator (Khazna Data Centres, Etisalat / e&, Du, G42 / Core42, Equinix Gulf) to evidence the shared-responsibility controls in one binder.

The technical audit toolset is the same regulator-grade set the Mumbai BFSI practice uses, with UAE-specific overlays. Prowler v3 + ScoutSuite + Pacu / CloudFox for AWS, with the Azure-equivalent (Azucar, PowerZure, Stormspotter) and OCI-equivalent (Cloud Guard policy review, IAM federation audit) and the GCP-equivalent (Forseti-style review, GCP IAM Recommender consumption). CrowdStrike Falcon Cloud Security or Wiz where the client already owns a CNAPP. UAE-specific add-ons: UAE PASS integration security review (OIDC / SAML federation, attribute-release minimisation, the federal-identity broker hop), DigitalDubai service-mesh attestation review, the Malaffi HIE integration audit for healthcare workloads, and the federal-CIIP applicability-determination workflow with the UAE Cybersecurity Council where the workload's CIIP status is unclear.

Reports include a federal-versus-emirate control crosswalk so a single workload running across Dubai and Abu Dhabi tenants does not get audited twice with conflicting findings — the most common pain point we see on UAE multi-emirate cloud estates, and the one that most often surfaces in CAG-equivalent UAE federal-audit-board reviews. Sovereign-cloud workloads on G42 / Core42 / Khazna get a separate sovereign-control attestation pack because the shared-responsibility model is different — the operator carries the operational-control disposition the hyperscalers do not, and the audit evidence has to reflect that. Arabic-language deliverables are produced where a UAE federal-ministry or Dubai-government entity requires them; the senior consultant on the engagement is the same person who signs both the English and the Arabic version.

Commercial terms are local. Billing in AED with the 5% UAE VAT line, invoiced from the regional billing entity. Engagement letter under UAE law (DIFC Courts jurisdiction for DIFC entities, ADGM Courts for ADGM, UAE federal courts otherwise) with explicit UAE PDPL Article 22 cross-border-transfer discipline for any evidence movement to consultant endpoints. Records-retention aligned to the strictest regulator on the engagement — typically DFSA 7 years for BFSI, DESC ISR v2 5 years for Dubai-government, ADHICS retention for healthcare, with the federal-CIIP retention overlaid where applicable. Re-testing of all critical and high findings is included in the base SoW with a 30-day window aligned to the strictest regulator's remediation SLA.

Engagement workflow

Five phases. UAE timeline.

Every Macksofy cloud security engagement in UAE runs through the same phased protocol — adapted to UAE-specific procurement, regulator and delivery realities.

Phase 01: Regulator + Cloud-Region Scoping
  • Workload-by-workload regulator mapping (UAE IAS / DESC ISR v2 / ADHICS / DFSA / FSRA / SIA / PDPL)
  • Cloud-region pairing under UAE residency + sovereignty obligation per workload
  • CIIP applicability assessment with UAE Cybersecurity Council where status is unclear
  • Engagement letter under UAE law + UAE PDPL Article 22 cross-border-transfer discipline
Phase 02: Control-Plane + Identity Audit
  • AWS Organisations / Azure Management Group / OCI Compartment / GCP Resource Hierarchy review
  • IAM Identity Center / Entra ID / OCI IAM / GCP IAM role inventory with last-used timestamps
  • Pacu + Azucar + PowerZure privilege-path enumeration + SCP / Policy diff
  • UAE PASS / DigitalDubai / Malaffi HIE federation review per applicable workload
Phase 03: Workload + Data-Plane Audit
  • Prowler v3 + ScoutSuite + CNAPP (Wiz / CrowdStrike) breadth scan with UAE-tuned ruleset
  • CIS AWS / Azure / OCI / GCP Foundations + ISO 27017 / 27018 mapping per workload
  • Residency vs sovereignty evidence — region pairing, KMS / HSM key-custody, ops-personnel screening
  • Sovereign-cloud (G42 / Core42 / Khazna) shared-responsibility attestation per workload
Phase 04: Detection + Hybrid Edge
  • CloudTrail / Defender / OCI Audit / GCP Audit Logs pipeline integrity
  • SIEM telemetry reconciliation with client SOC (Splunk / Sentinel / Chronicle / QRadar)
  • Hybrid link audit — Direct Connect / ExpressRoute / FastConnect into Khazna + Equinix DX
  • G42 / Core42 sovereign-cloud monitoring integration where in scope
Phase 05: Federal-Emirate Crosswalk + Arabic Pack
  • Federal-versus-emirate control crosswalk to avoid conflicting findings on multi-emirate workloads
  • UAE IAS Tier-3 + DESC ISR v2 + ADHICS + DFSA / FSRA + UAE PDPL artefact pack
  • Arabic-language report where UAE federal-ministry / Dubai-government client requires it
  • 30-day re-test of critical / high findings + closure ledger filed with each regulator's channel
Industries served

Which UAE verticals we deliver Cloud Security for.

Federal ministries + CIIP-designated entities

Federal workloads on G42 / Core42 sovereign cloud + Khazna hybrid — UAE Cybersecurity Council CIIP overlay.

Dubai-government + Smart Dubai

Smart-services platforms with DigitalDubai / UAE PASS integration — DESC ISR v2 + Smart Dubai cloud-first policy.

Abu Dhabi healthcare (DOH-regulated)

ADHICS-regulated healthcare workloads on Azure UAE North with Malaffi HIE integration audit.

DIFC + ADGM free-zone BFSI

DFSA / FSRA regulated cloud estates on AWS Bahrain + Frankfurt or Azure UAE Central + UAE North pairing.

Licensed telecom + digital-government operators

Etisalat / e& / du / Du Pay / Bayanat-adjacent operators under SIA / TDRA cloud-policy + PDPL overlay.

GCC-spread regional HQs

Multinational HQs spanning UAE + KSA (SAMA / NCA) + Bahrain + Oman + Egypt with cross-emirate reconciliation.

What ships

The UAE deliverable pack.

Every UAE cloud security engagement closes with the pack below — regulator-ready evidence, technical detail and board-readable summaries.

  • UAE IAS (NESA) Tier-1 / Tier-3 + CIIP applicability evidence pack
  • DESC ISR v2 cloud-controls pack in registered-auditor route format
  • ADHICS Section 4 technical-controls evidence for healthcare workloads
  • DFSA Technology Risk GEN 6 cloud annex + FSRA cloud-risk evidence for free-zone BFSI
  • UAE Federal PDPL Article 22 cross-border-transfer record with UAE Data Office template
  • G42 / Core42 sovereign-cloud shared-responsibility attestation per workload
  • Federal-versus-emirate control crosswalk artefact for multi-emirate estates
  • Bilingual English / Arabic report where federal-ministry / Dubai-government required + 30-day re-test ledger
Recent UAE engagement

A UAE cloud security case study.

UAE federal ministry — multi-emirate workload on G42 sovereign cloud + Azure UAE North hybrid
Scope

Cloud security audit across G42 sovereign-cloud region + Azure UAE North + Khazna hybrid + UAE PASS integration; UAE IAS Tier-3 + DESC ISR v2 + UAE PDPL Article 22 + CIIP applicability assessment

Outcome

63 findings closed in 7 weeks · CIIP applicability determined with UAE Cybersecurity Council and codified · 12 sovereign-cloud shared-responsibility attestation gaps closed with G42 / Core42 operator counter-signature · UAE PASS attribute-release minimised across 8 service integrations · federal-emirate crosswalk filed with the federal-audit-board reconciling Dubai + Abu Dhabi tenants · bilingual English / Arabic report signed off in same engagement.

What clients say · Trusted India + UAE

Rated 4.9 ★ from 612 client reviews.

CERT-In Empanelled
Govt of India · MeitY
EC-Council ATC
Authorized Training
ISO 27001 Certified
Info Security Mgmt
We've worked with three Big 4 firms before Macksofy. None found what their team did in our payments stack. The most actionable report we've received in a decade.
Aisha Khan
Information Security Manager · Listed Fintech · BKC, Mumbai
The CHFI training Macksofy delivered for our cyber cell raised investigation quality measurably. Practical, India-context-aware, and respectful of our operational realities.
Inspector K. Joshi
Cyber Cell · Maharashtra Police · Mumbai
Came in with zero security background. 5 weeks later I was running Burp Suite and Metasploit confidently. Cleared CEH on the first attempt.
Vivek Iyer
DevSecOps Lead · Healthcare SaaS · Hyderabad
FAQ

Questions UAE buyers ask before signing.

All five. The sovereign-cloud shared-responsibility model is different — the operator (G42 / Core42 / Khazna for the federal-ministry workloads, Etisalat / e& for licensed-operator workloads) carries the operational-control disposition the global hyperscalers do not, and the audit evidence has to reflect that. We produce a separate sovereign-cloud shared-responsibility attestation pack alongside the hyperscaler evidence on hybrid estates.
Talk to us

Get a fixed-price proposal in 48 hours.

Tell us about your security need — pentest, audit, training or a wider engagement. A senior consultant will reply within a few business hours.

CERT-In Empanelled
Information Security Auditor · India
  • CERT-In Empanelled
  • EC-Council ATC · CompTIA Authorized
  • 20,000+ professionals trained
  • India + UAE engagements