In response to the paradigm shift in computing that enables businesses and end-users to access Infocomm services through cloud computing, IMDA has, since 2007, been increasingly focusing on fostering cloud service providers and enhancing Singapore's overall competitiveness through the adoption of cloud services in line with IMDA regulations. Their efforts have led to enhancing the vibrancy and growth of the Infocomm sector through the development of a cloud ecosystem. With the recent launch of IMDA Services 4.0 in Nov 2018, cloud has become naturally the de facto platform that catalyses and supports the delivery of seamless digital Services enabled by emerging technologies.
Cloud security has always been the key impediment to the adoption of cloud services since its inception. Much concerted effort was put in to secure its delivery and build trust through transparency as the cloud grows in importance, adhering to cloud security policies. Several standards related to cloud computing security were developed. A technical reference (TR30) for Virtualisation Security for Servers was introduced in 2012 followed closely by the launch of the world’s first cloud security standard that covers multiple tiers of cloud security (MTCS SS 584) in Oct 2013. An accredited cloud security certification scheme was subsequently introduced in 2014. It is now the de facto standards for the cloud industry in Singapore. The TR30 was later contributed to international standard body (ISO/IEC JTC1) and enhanced as an international standard (ISO/IEC 21878:2018).
SS584 : 2020 Specification for multi-tiered cloud computing security
The Singapore Standard, commonly known as MTCS, is the world’s first cloud security standard that covers multiple tiers of cloud security developed under the Information Technology Standards Committee (ITSC) for Cloud Service Providers (CSPs) in Singapore. The MTCS standard specifies 3 different tiers of cloud security certification qualified with types of services (e.g. Infrastructure-as-a-Service).
- Multi-Tier Cloud Security (MTCS) Certification Scheme
In conjunction with the MTCS standard, the MTCS Certification Scheme has been established to a) encourage adoption of sound risk management and security practices by CSPs through MTCS certification; and b) promote the adoption of MTCS standard. CSPs can participate through the certification scheme provided. Find out more information on this MTCS scheme and the certification process.
- MTCS Certified Cloud Services
MTCS are adopted by many Cloud Service Providers (CSPs) to meet different cloud user needs for data sensitivity and business criticality. Click here for a list of MTCS-certified cloud services and the associated providers.
TR 62 : 2018 Guidelines for cloud outage incident response (COIR)
This Technical Reference continues Singapore’s strong commitment to Business Continuity Management and Disaster Recovery (DR) Plans by bringing clarity on how to respond to outages in the cloud. This will strengthen transparency, trust and resilience of cloud service providers (CSPs) in a Smart Nation.
The main objective is to reduce damages and losses caused by cloud outages by providing a COIR framework for Cloud Service Customers (CSCs) to choose the appropriate outage protection measures to complement their own business continuity/IT DR capabilities through:
- a set of common parameters and guidelines for CSCs for identification, evaluation, and negotiation of protection needs with CSPs to incorporate into the SLAs;
- sharing of COIR practices by CSPs via the same set of common parameters to facilitate comparison and matching of outage protection needs with provisions.
The guidelines focus on cloud outage directly associated with operational mistakes, infrastructure or system failure and environmental issues (e.g. flooding, fire) but exclude cyber security, and malicious act. The guidelines are industry agnostic and primarily meant to serve the needs of all types cloud users. It is applicable to all types of cloud service models as well as cloud deployment models.
- Adoption and Self-Disclosure
Adoption of the COIR guidelines is entirely voluntary. However, CSPs are encouraged to share their service support capabilities with respect to cloud outage using the COIR self-disclosure form (18.96KB) and email the first two pages (disclosed COIR practices information) of the duly completed, stamped and signed e-form to email@example.com for listing here.
- Below is a list of CSPs who have made their self-disclosure available here.
- Alibaba Cloud (378.48KB)
- Huawei Cloud Computing Technologies Co. Ltd (2.84MB)
- NewMedia Express Pte Ltd (287.58KB)
- ReadySpace SG Pte Ltd (406.75KB)
- Ribose Group Inc (57.09KB)
- Tata Communications Ltd (683.87KB)
All enquiries regarding COIR Guidelines can be addressed to firstname.lastname@example.org
SS ISO/IEC 21878:2019 Security Guidelines for Design and Implementation of Virtualised Servers
The intended goal of this standard is to facilitate informed decisions with respect to architecting virtualised server’s configurations from the security perspective. Such design and implementation guidance is expected to assure the appropriate protection for all virtual machines (VMs) and the application workloads running in them in the entire virtualised infrastructure of the organisation. This standard is an identical adoption of ISO/IEC 21878:2018.
Where to buy
The cloud standards are available for purchase from the Singapore Standards eShop.
- Alignment of MTCS to Healthcare IT Security Policy & Standards
- Harmonization of MTCS SS with IS027018:2014
- MTCS to ISO27001:2013 Cross Certification
- ISO27001:2013 to MTCS Cross Certification
- MTCS to CSA STAR Cross Certification
- CSA STAR to MTCS Cross Certification