Saudi Arabia’s Cloud Computing Regulatory Framework v3

How We Can Help Customers Along a Secure Cloud Journey

On December 3, 2020, version 3 of the Kingdom of Saudi Arabia (KSA)’s Cloud Computing Regulatory Framework (CCRF v3) came into force. Issued by the Communication and Information Technology Commission (CITC), CCRF v3 makes only limited changes to the prior version (CCRF v2) and reaffirms KSA’s commitment to encouraging the use of cloud computing services in KSA. The framework clarifies the expectations for both cloud service providers (third-party companies offering a cloud-based platform, infrastructure, application or storage service) and their cloud computing subscribers (paying customers of cloud solutions).

Palo Alto Networks, the global cybersecurity leader, supports countries’ secure digital transformations, including their transitions to the cloud. In fact, we are shaping the cloud-centric future with technology that is transforming the way people and organizations operate. Our company has transformed over the years from our beginning as a leader in next-generation firewalls (NGFW) to now being an industry leader protecting tens of thousands of organizations across clouds, networks and mobile devices. We recognize that many organizations around the world are extending their networks to the cloud, including public, private and hybrid cloud models, to improve their productivity and efficiency. It is imperative that these organizations have a consistent approach to securing their data, whether it is on premise or in the cloud. Since 2018, Palo Alto Networks has developed technical partnerships with leading global cloud infrastructure providers to extend our security platform into the cloud. This has enabled us to be the cybersecurity partner of choice, protecting networks, clouds and endpoints, regardless of customer size, industry or geography.

As data requires protection while in motion or at rest, our efforts focus on securing both instances for cloud usage, whether it’s for data stored in the cloud or in motion between clouds. We are continually innovating our products and services to deliver cloud based cybersecurity to our customers in nearly every imaginable vertical, including public sector, utilities, oil and gas, financial institutions, health care, service providers, manufacturers and many others.

Quick Facts about the CCRF v3

Our cloud-delivered security solutions enable updated controls to be delivered at the speed of innovation, leveraging our integrated A.I. and machine learning capability to proactively prevent cyber attacks. We can scale up and down based on computational needs, both of which are necessary to counter sophisticated, automated cyberattacks. We also offer localized security for those customers who prefer to keep all of their data in private data centers. Our hardware-based NGFWs, as well as our virtual next-generation firewalls (VM-Series NGFWs), secure applications and data within data centers. Our hardware and virtual NGFWs provide our customers with visibility, control and protection to all of their cloud-based applications, regardless of where users access them.

CCRF v3 applies to any cloud service provided to customers having a residence or customer address in KSA. “Cloud service” applies to software as a service (SaaS), infrastructure as a service (IaaS) and platform as a service (PaaS).

Palo Alto Networks and the CCRF v3

Below are some key provisions of CCRF v3 that may apply to organizations in KSA as they seek to leverage the benefits of the cloud, as well as a brief description of how Palo Alto Networks can assist with that journey.

Subscriber Data Classification Responsibility (Section 3.3.4)

Cloud computing subscribers are required to select the appropriate classification for their data that conforms with their security requirements, specific needs, obligations and duties that reflect the required level of security for the data’s confidentiality, integrity and availability. The levels are shown in section 3.3.1:

• Data of Saudi Government Agencies:
  • Extremely Confidential: national interests and privacy of officials and agencies.
  • Confidential: national interests or which could cause financial loss, or harm, etc.
  • Restricted: limited negative impact or damage to an entity’s assets, if disclosed.
  • Public: such that it will not harm national interest, entity activity, interests of individuals or environmental resources, if disclosed.
• Non-Government Data, broken into “Data Received from Saudi Government Entities,” which is classified as received from the government agency based on the levels specified above, and “Other Data.”

Palo Alto Networks Approach to Section 3.3.4

Palo Alto Networks supports organizations by performing deep, application-level visibility inspection, as well as Data Loss Prevention (DLP) classification to classify and protect applications and data moving to the cloud. After the data is classified, we help protect local and cloud deployed data using a set of tools that provide deep visibility, control and compliance into who is accessing the data and what they are doing with that data. Our hardware NGFWs and VM-Series NGFWs have tools, including DLP licenses, that can help classify and prevent the loss of sensitive information from an organization’s network or cloud.

Shared Responsibility Model (Section 3.3.5)

Cloud computing subscribers shall be responsible for implementing all cybersecurity requirements that apply to any part of their content.

Palo Alto Networks Approach to Section 3.3.5

Palo Alto Networks views this provision to reflect the shared responsibility model of cloud security, specifically cloud infrastructure providers holding responsibility for securing their infrastructure, with the data owner ultimately responsible for securing their data in the cloud. Organizations using the cloud must have the right tools in place to manage and secure risks effectively. These tools can vary:

• Visibility into activity within SaaS applications.
• Detailed analytics on usage to prevent data risk and compliance violations.
• Context-aware policy controls to drive enforcement and quarantine if violations occur.
• Real time threat intelligence on known threats and detection of unknown threats to prevent new malware insertion points.

Our Prisma cloud platform enables customers to detect, prevent and control SaaS applications while ensuring compliance and policy controls are applied to cloud instances. Prisma cloud also monitors workload changes and keeps track of the entire data lifecycle.

Reporting Cybersecurity Incidents (Sections 3.3.11 - 3.3.14)

The cloud computing service provider is required to notify its subscribers, without delay, of any cybersecurity incidents that it becomes aware of that affects or is likely to affect subscriber content, data, or any cloud computing services provided to cloud computing subscribers.

Palo Alto Networks Approach to Section 3.3.11-3.3.14

Palo Alto Networks Unit 42 Team offers cloud computing service providers, enterprise customers and commercial businesses many abilities:

• Assess and test security controls against the right threats with Proactive Assessments and Incident Simulation Services.
• Transform security strategy with a threat-informed approach.
• Respond in record time with Incident Response and Digital Forensics Services.

Our Unit 42 Retainer service gives customers the ability to continuously test and plan for new threat actors and techniques while maintaining a focused and proactive approach to detecting cyber threats.

Our Commitment to KSA

Palo Alto Networks is committed to supporting organizations within KSA adhere to the CCRF. We have solutions, practices and people who work closely with our local strategic channel partners to ensure customer data is protected and in compliance with local policies. For any questions, please reach out to your local Palo Alto Networks team in Saudi Arabia or across the globe.