Fact Sheet May 2016 FACTSHEET Multi-Tier Cloud Security Singapore Standard Background The Multi-Tier Cloud Security (MTCS) Singapore Standard (SS584) is the world’s first cloud security standard that covers multiple tiers of cloud security. It can be applied by Cloud Service Providers (CSPs) to meet differing cloud user needs for data sensitivity and business criticality. In Singapore’s drive as a Smart Nation, such security clarity is a key part of building trust through transparency as cloud grows in importance. MTCS seeks to drive cloud adoption across industries by providing clarity around the security provisions of CSPs, while also increasing the level of accountability and transparency from CSPs. Certification of the CSP is carried out by accredited thirdparty Certification Bodies. Benefits of such clarity for enterprises include better assessment of security provisions to services offered, aligning enterprise needs for specific requirements or security; proper levels of procurement; and so forth. Alongside certification, a standardised self-disclosure document must be produced by CSPs. This document creates a consistent disclosure format on services offered. This enables users to discern services uniformly across various CSPs. The disclosure areas include but are not limited to: Data retention; data sovereignty; data portability; liability; availability; BCP/DR; incident and problem management. Key Updates May 2016 MTCS mapped to private healthcare sector In March 2014, IDA and the Ministry of Health began reviewing the suitability of MTCS requirements for the private healthcare sector and how it could benefit healthcare providers. To this end, a joint working group comprising IT security and infrastructure specialists from MOH, IDA and other public healthcare organizations was established. The working group has completed their study of MTCS and established a mapping table (see below) that provides guidance with regards to where different forms of healthcare information and/or data may be hosted on the different MTCS levels. Healthcare providers hosting their applications with MTCS-certified infrastructure providers will need to carry out due diligence and implement appropriate additional security and controls for their applications in line with their risk assessment and security policies.
Application/ System Types
Clinical and administrative systems
patient Patient electronic medical and health support records, including diagnosis, medication prescriptions, billing and admissions, patient-generated health information. IT enterprise support and Operational data including employee administration systems information, medication inventory and purchase management. Public Information systems Publicly available information including informational websites, clinical standards and terminology systems, healthcare practitioner registries. Mapping of MTCS and Healthcare Sector Application/System Types
MTCS seeing good takeup and meeting with SUCCESS MTCS has seen excellent takeup since its launch. In consultation and feedback with CSPs, IDA has updated the total number of services certified by the various CSPs to the MTCS certification. The total number is now 64 as of 4 May 2016. SUCCESS has seen good takeup since its launch in June 2015. In just under a year, a total of seven SaaS have been certified to MTCS as of 4 May 2016. About MTCS There are different service models offered in cloud computing. A summarized version would simplify it to three types: The base type is data centre infrastructure (Infrastructure-as-a-Service, or IaaS), the platform that sits on top of the infrastructure (Platform-as-a-Service, or PaaS) and finally the enterprise-facing application (Software-as-a-Service, or SaaS). Each of these “as-a-Service” can be certified to MTCS standard. A survey by AMI Partners shows that Singapore continues to lead in the ASEAN region, with cloud adoption rates growing to about 29 percent in 2015. Across matured markets, Singapore maintains its position as one of the leading countries in APAC, after Australia and Japan.
Fact Sheet Against this backdrop, the MTCS is a key pillar in building trust through transparency around cloud security and encourages a trusted cloud services ecosystem.
Security Level System MTCS has three levels of security, Level 1 being the base and Level 3 being the most stringent. Level 1 Designed for non-business critical data and system, with baseline security controls to address security risks and threats in potentially low impact information systems using cloud services (e.g. Web site hosting public information) Level 2 Designed to address the need of most organisations running business critical data and systems through a set of more stringent security controls to address security risks and threats in potentially moderate impact information systems using cloud services to protect business and personal information (e.g. Confidential business data, email, CRM – customer relation management systems) Level 3 Designed for regulated organisations with specific requirements and more stringent security requirements. Industry specific regulations may be applied in addition to these controls to supplement and address security risks and threats in high impact information systems using cloud services (e.g. Highly confidential business data, financial records, medical records) While the adoption of MTCS Singapore Standard (SS584) is voluntary for CSPs, SS584 is a requirement for CSPs participating in public cloud services bulk tenders for Government procurement of public cloud services. Development of the SS584 commenced in April 2012 after a Working Group was formed under the IT Standard Committee. The standard was published in November 2013. SUCCESS Programme To encourage vertical MTCS-certification across the cloud services hierarchy, IDA introduced a programme in June 2015 - Support for Cloud-Enabled Certified Secure SaaS’ (SUCCESS).
Fact Sheet Vertical certification of more than one CSP gives enterprises even greater security assurance for data sensitivity and business criticality. SUCCESS has MTCS-certified IaaS collaborate with Independent Software Vendors (ISVs) with SaaS offerings to obtain MTCS certification. In return, ISVs hosted on SUCCESS partners enjoy a range of incentives. Some of these incentives can include: SaaS Enablement Support, Training & Professional Services Support, Technical Consultancy Support and Discounted Pricing for Cloud Services. The SUCCESS programme has seven Singapore-based MTCS-certified IaaS working in collaboration with IDA. The IaaS offering this programme are:
• • •
Acclivis Technologies & Solutions Amazon Web Services Clearmanage
• • • •
For media clarification, please contact: Eugene NEUBRONNER (Mr) Manager, Corporate and Marketing Communication Tel: +65 6211 1182 Email: [email protected]
Microsoft Azure Readyspace Starhub Telin Singapore