Opening Address by IDA Assistant Chief Executive & Chief Data Officer, Mr Khoong Hock Yun at SCS Business Continuity Management Conference 2016

26 February 2016 - Opening Address by IDA Assistant Chief Executive & Chief Data Officer, Mr Khoong Hock Yun at SCS Business Continuity Management Conference 2016 at Novotel Singapore @ Clarke Quay, Friday, 26 February 2016, 9.10am – 9.35am.

Opening Address by IDA Assistant Chief Executive & Chief Data Officer, Mr Khoong Hock Yun at SCS Business Continuity Management Conference 2016 at Novotel Singapore @ Clarke Quay, Friday, 26 February 2016, 9.10am – 9.35am.

Mr Howie Lau, President of the Singapore Computer Society

Ladies and Gentlemen

Good morning

1. Welcome once again to another year of the Singapore Computer Society’s Business Continuity Management Conference. After the festive season of Chinese New Year, it is the perfect time for us to stop and take stock of continually evolving trends and how to manage these with business continuity in mind.

Singapore, Smart Nation

2. We are at about the year and a half mark since Singapore officially announced its intent with Smart Nation. We are seeing more ministries and agencies unveil their plans and trials to take us on that journey to be a Smart Nation.

3. We need these potential solutions to tackle megatrends which will occur; challenges such as transport crunch, urban density, healthcare, housing and more. And we are approaching these Smart solutions with the same zeal and thoroughness to ensure the best for the nation; business opportunities for enterprises, and an anticipatory government utilizing data and analytics to deliver better services and solutions for industry.

4. What does this mean for you, the enterprise? As we transition to being a Smart Nation, more services will become intrinsically tied to future technologies such as the cloud, the Internet of Things, Big Data and more. These emerging and highly disruptive technologies will be key sources of great opportunity to leverage on new approaches and drive continued market growth.

5. To assist in this, IDA has continually taken the lead in providing clarity, stability and adoption through such methods as standards and guidelines. Worked on together with industry, some include our Multi-Tier Cloud Security Singapore Standard (MTCS SS) or our various dataset guidelines.

6. Singapore also ensures that such standards are all-encompassing, inclusive of preparing for the worst. To that end, we were early starters in the BCM sphere. In 2002, we unveiled the first BCM Singapore Standard in the SS507 “Information and Communication Technology Disaster Recovery Services” which was subsequently adopted by the ISO. More generically, we also have had the SS540 for general industry adoption since 2005. Such standards must continually be updated to ensure relevancy in a changing landscape.

Driving BCM & DR through Cloud

7. Major cloud outages across the globe have driven home the need for clear guidelines and contingency plans on the part of both enterprise user and CSPs, even as the world moves towards a cloud-based system. It is thus no surprise that the bulk of enterprise hesitations in migrating to the cloud are based on concerns such as sudden downtime of critical services, shown in a compiled report by Data Centre Knowledge in 2015. This despite a January 2015 study by the Cloud Security Alliance which showed 74% of enterprises are ready or hopeful to migrate to the cloud, or realize the need for a move to this new business model.

8. Over the last few years, the cloud ecosystem has taken off in a big way both here and globally. This brings in new considerations on how best to manage the balance between cost-savings, business-specific requirements and continuity.

9. Prior to the advent of the cloud, BCM and DR plans could be clear and simple purely based on the fact that hardware was usually on-premise. As such, the old joke goes, if the server acts up, one could simply “turn it off and on again.” Such a simplistic answer would be unfathomable in today’s environment, where we regularly demand real-time, instant solutions provided globally. This has led to a radical shift in how we procure for services and solutions, but also opened us up to when cloud outages occur beyond an enterprise’s hands.

10. Put simply, there are three phases which must be planned for during any BCM and DR on the cloud: Before, During and After. Cloud has changed greatly what one can directly do “during” and “after” a cloud outage has hit. There is thus a greater need to understand the changes required for enterprise BCM and DR’s in these two phases. To that end, let me tell you about the humble coconut.

11. The sweet, cooling drink with the hard shell is readily available at our kopi tiam’s. But it has already been processed and the outer husk, removed. That husk is called the coir, and is the tough, fibrous material used for ropes. Why am I saying this? Because today I am glad to announce the Cloud Outage Incident Response Guidelines – aka COIR. This set of guidelines is akin to the husk that protects the coconut fruit on its seabound journey. It is now available as a set of guidelines on our IDA website. Let me share some highlights.

COIR Guidelines

12. IDA, together with the representatives of DSTA, ACCA, ITMA, SCS, and SITF, formed a working group in September 2013 to address the challenges I just mentioned.

13. After two years of discussion, scoping and development, the guidelines are completed. The Working Group also received and incorporated feedback from focus groups comprising representatives from CSPs, cloud users and regulatory bodies. We will now be working with the IT Standards Committee to turn the guidelines into a Singapore Standard.

14. The COIR Guidelines are to be used to map, and therefore prepare for, how resilient CSPs can be. Enterprises will then be able to gauge the relevant CSPs to them and procure according to their own BCM needs.

15. COIR is divided into four tiers of responses based on projected impact of outages. Let me share what these are, from most to least severe:

16. Tier A - Systemic / Life-Threatening Impact is suitable for cloud services hosting functions which directly affect human safety or stability of economy, market or industry at large. One possible example would be for aircraft traffic controls. Currently, there is a little-known system called “RVSM”, Reduced Vertical Separation Minima. This essentially lets us pack more airplanes into the air by utilizing data, computers and autopilots to safely steer and maintain airplanes within 1000 feet of each other. Such systems would require immediate restoration should the worst occur.

17. The second tier, Tier B - Business Critical Impact, is designed for cloud services hosting functions that are critical to an organization’s operations and which impacts business severely. One easy example would be payment gateways for an online e-shop. Every minute with its payment system down could be lost sales or a customer who permanently leaves. These should ideally be restored within four hours.

18. The third tier, Tier C - Operational Impact, is meant for cloud services hosting functions that are essential to an organization’s operations but which can stand a longer outage. Perhaps for some people, if their email goes down for a few hours, they may complain but life goes on. In fact, with fewer interruptions, some may actually get more useful work done. For those who need to attend to urgent communications, they would likely have alternative options such as chat apps and perhaps calling another person the old fashioned way. But it may be totally unacceptable for the email to remain out of service for the rest of the day. So CSPs adhering to Tier C would be expected to restore the cloud within eight hours or so.

19. The lowest tier, Tier D - Minimal Impact, is appropriate for cloud services hosting functions which can bear an outage for longer durations. For example, it may be acceptable to an enterprise for some infrequently used internal development/test environments or even corporate general information websites to have less stringent availability levels. CSPs adhering to Tier D would be expected be restore the services within two working days.

Conclusion

20. The COIR Guidelines complement IDA’s multi-prong approach towards a cohesive and conducive cloud ecosystem. It joins the world’s first Multi-Tier Cloud Security Standard, creating greater trust through transparency of the cloud.

21. While IDA will continue to take the lead in tackling such issues moving forward, I want to take this opportunity to reiterate that we cannot do so without the aid of industry’s partnership. I want to thank each and every one of the Working Group again for tirelessly coming up with these guidelines and working to turn them into standards for the benefit of Singapore and our Smart Nation. Without the great work from our friends in SCS, SITF, DSTA, SPRING, DSTA, ITSC and others too many to mention, Singapore would not be where it is today.

22. As I noted earlier, we will now be working on these guidelines further with ITSC to turn them into a Singapore Standard. We invite the public to download the COIR guidelines from IDA’s website and comment on the guidelines. IDA will be happy to collate these for ITSC’s considerations.

23. To conclude, BCM and DR planning is essential for any modern organisation to operate and function smoothly. The advantages are clear: ranging from better protection of data, hardware and software, preparedness of organisations and enterprises for potential disaster and to sustain productivity.

24. On this note, I wish you an enjoyable and fruitful time at the conference. Thank you.