Singapore launches new cloud security standard

Singapore’s Infocomm Development Authority (IDA) has launched a new cloud security standard: Multi-Tier Cloud Security (MTCS) Standard For Singapore (SS 584). The IDA explains that the objective of the standard is: “to provide businesses with greater clarity on the levels of security offered by different cloud service providers (CSPs).”

Objectives

The IDA’s fact sheet explains that: [Customer clarity is achieved] “through third-party certification and a self-disclosure requirement for CSPs covering service-oriented information normally captured in Service Level Agreements.”

Self-disclosure requirement

The disclosure covers areas generally addressed through contractual service levels including:

  • data retention;
  • data sovereignty;
  • data portability;
  • liability;
  • availability;
  • BCP/DR;
  • incident and problem management.

Tiered Security Levels

The standard defines three tiers of security, with tier 1 being the base level and tier 3 being the most stringent:

  • Tier 1: Designed for non-business-critical data and systems, with baseline security controls to address security risks and threats in potentially low-impact information systems using cloud services (e.g. web site hosting public information).
  • Tier 2: Designed to address the needs of most organizations running business-critical data and systems, through a set of more stringent security controls to address security risks and threats in potentially moderate-impact information systems using cloud services to protect business and personal information (e.g. confidential business data, email, CRM – customer relationship management systems).
  • Tier 3: Designed for regulated organizations with specific requirements and more stringent security requirements. Industry-specific regulations may be applied in addition to these controls to supplement them and address security risks and threats in high-impact information systems using cloud services (e.g. highly confidential business data, financial records, medical records).

Certification bodies

The five certification bodies are the British Standards Institution, Certification International Pte Ltd, DNV Business Assurance, SGS International Certification and TUV SUD PSB Certification.

Cross-certification

The IDA explains that it will work to cross-certify the MTCS SS with other international standards or certification schemes – such as the International Organization for Standardization (ISO) 27001 Information Security Management System (ISMS) standard and the Cloud Security Alliance (CSA) Open Certification Framework (OCF).

Commentary

In the wake of increasing global concern about data security, this initiative by Singapore is in line with its policy to promote Singapore as a data hub and is welcome. However, the small size of the Singapore domestic market and continued suspicion of cloud solutions by other regulatory bodies (notably the Monetary Authority of Singapore) means that this may have limited market impact without engagement by a wider range of regulators.

Meanwhile, across the ASEAN region, current policy winds are increasingly blowing towards requiring data (especially financial data) to be either kept out of the cloud or held in national clouds. To continue the weather metaphor, on the bright side it is possible that, if and when it is concluded, some provisions of the Trans-Pacific Partnership (TPP) may roll back some of the more nationalistic requirements currently in force or being considered.