With the paradigm shift in computing where businesses and end-users can access infocomm services via cloud computing, IMDA has since 2007 increased its focus from seeding cloud service providers and sharpening Singapore overall competitiveness through adoption of cloud services to enhancing the vibrancy and growth of infocomm sector through development of a cloud ecosystem. With the recent launch of IMDA Services 4.0 in Nov 2018, cloud has become naturally the de facto platform that catalyses and supports the delivery of seamless digital Services enabled by emerging technologies.
Cloud security has always been the key impediments to the adoption of cloud services since its inception. Much concerted effort was put in to secure its delivery and at the same time, build trust through transparency as cloud grows in importance. Several standards related to cloud computing security were developed. A technical reference (TR30) for Virtualisation Security for Servers was introduced in 2012 followed closely by the launch of the world’s first cloud security standard that covers multiple tiers of cloud security (MTCS SS 584) in Oct 2013. An accredited certification scheme was subsequently introduced in 2014. It is now the de facto standards for the cloud industry in Singapore. The TR30 was later contributed to international standard body (ISO/IEC JTC1) and enhanced as an international standard (ISO/IEC 21878:2018).
SS 584 : 2015+C1:2016 Specification for multi-tiered cloud computing security
The Singapore Standard, commonly known as MTCS, is the world’s first cloud security standard that covers multiple tiers of cloud security developed under the Information Technology Standards Committee (ITSC) for Cloud Service Providers (CSPs) in Singapore. The MTCS standard specifies 3 different tiers of security certification qualified with types of services (e.g. Infrastructure-as-a-Service).
- Multi-Tier Cloud Security (MTCS) Certification Scheme
In conjunction with the MTCS standard, the MTCS Certification Scheme has been established to a) encourage adoption of sound risk management and security practices by CSPs through MTCS certification; and b) promote the adoption of MTCS standard. CSPs can participate through the certification scheme provided. For more information on this scheme and the certification process, click here.
- MTCS Certified Cloud Services
MTCS are adopted by many Cloud Service Providers (CSPs) to meet different cloud user needs for data sensitivity and business criticality. As of 24 October 2018, a total of 127 cloud services are MTCS certified. Of these, 108 are IaaS/PaaS and 19 are SaaS. Click here for a list of MTCS-certified cloud services and the associated providers.
TR 62 : 2018 Guidelines for cloud outage incident response (COIR)
This Technical Reference continues Singapore’s strong commitment to Business Continuity Management and Disaster Recovery (DR) Plans by bringing clarity on how to respond to outages in the cloud. This will strengthen transparency, trust and resilience of cloud service providers (CSPs) in a Smart Nation.
The main objective is to reduce damages and losses caused by cloud outages by providing a COIR framework for Cloud Service Customers (CSCs) to choose the appropriate outage protection measures to complement their own business continuity/IT DR capabilities through:
- a set of common parameters and guidelines for CSCs for identification, evaluation, and negotiation of protection needs with CSPs to incorporate into the SLAs;
- sharing of COIR practices by CSPs via the same set of common parameters to facilitate comparison and matching of outage protection needs with provisions.
The guidelines focus on cloud outage directly associated with operational mistakes, infrastructure or system failure and environmental issues (e.g. flooding, fire) but exclude cyber security, and malicious act. The guidelines are industry agnostic and primarily meant to serve the needs of all types cloud users. It is applicable to all types of cloud service models as well as cloud deployment models.
- Adoption and Self-Disclosure
Adoption of the COIR guidelines is entirely voluntary. However, CSPs are encouraged to share their service support capabilities with respect to cloud outage using the COIR self-disclosure form (18.96KB) and email the first two pages (disclosed COIR practices information) of the duly completed, stamped and signed e-form to firstname.lastname@example.org for listing here.
- Below is a list of CSPs who have made their self-disclosure available here.
All enquiries regarding COIR Guidelines can be addressed to email@example.com
SS ISO/IEC 21878:2019 Security Guidelines for Design and Implementation of Virtualised Servers
The intended goal of this standard is to facilitate informed decisions with respect to architecting virtualised server’s configurations from the security perspective. Such design and implementation guidance is expected to assure the appropriate protection for all virtual machines (VMs) and the application workloads running in them in the entire virtualised infrastructure of the organisation. This standard is an identical adoption of ISO/IEC 21878:2018.
Where to Buy
The cloud standards are available for purchase from the Singapore Standards eShop.
- Download MTCS Self-Disclosure Form (269.00KB)
- Download MTCS Factsheet (116.79KB)
- Download a Self-Assessment Tool to find out which right MTCS Level to subscribe to/procure
- Alignment of MTCS to Healthcare IT Security Policy & Standards
- Harmonization of MTCS SS with IS027018:2014
- MTCS to ISO27001:2013 Cross Certification
- MTCS to CSA STAR Cross Certification
- CSA STAR to MTCS Cross Certification