Thursday, 27 February 2025

Singapore introduces advisory guidelines for cloud services and data centres

The Infocomm Media Development Authority (IMDA) in Singapore has introduced advisory guidelines (AGs) for cloud services and data centres. The AGs list measures that all cloud service providers (CSPs) and data centre operators in Singapore are encouraged to adopt to enhance the resilience and security of their services. 

According to IMDA, digital services such as online banking, ride-hailing, and e-commerce are dependent on the continued availability of infrastructure such as cloud services and data centres. With the right practices, disruptions can be minimised, and services can be restored quickly when a disruption occurs, the agency said.

The AGs set out best practices to address risks to cloud services and data centres, which range from misconfigurations in technical architecture to physical hazards such as fires, water leaks and cooling system failures, as well as cyberattacks. The key measures which the AGs recommend that CSPs and data centre operators implement include risk assessments, business impact analyses, business continuity planning, and cybersecurity measures.

The guidelines are an additional step to enhance the resilience and security of cloud services and data centres, following the amendments to the Cybersecurity Act last year to address the cybersecurity risks of such digital infrastructure. Additionally, the AGs complement the upcoming introduction of a new Digital Infrastructure Act (DIA), which will regulate systemically important digital infrastructure such as major CSPs and data centre operators. 

The AGs reference existing international and industry standards*, incorporate lessons from past incidents, and were developed in consultation with key CSPs and data centre operators in Singapore:

- For cloud services, the AGs cover seven categories of measures to uplift the security and resilience of cloud services. Measures that CSPs are encouraged to implement relate to areas such as security testing, user access controls, proper data governance, and planning for disaster recovery. Specifically:

1. Cloud governance: information security management, human resources, risk management, data governance, etc.

2. Cloud infrastructure security: audit logging and monitoring, secure configuration, security testing, system development, encryption, etc.

3. Cloud operations management: operations and change management

4. Cloud services administration: management of privileged accounts

5. Cloud service customer access: user access controls

6. Tenancy and customer isolation: segregation in network and system environments

7. Cloud resilience: physical and environmental security, business continuity planning, and disaster recovery

- For data centres, the AGs provide a framework for operators to put in place a robust business continuity management system to minimise service disruptions and ensure high availability for their customers. This includes guidance on implementing business continuity policies, controls and processes, and continuously reviewing and improving them. The AGs also set out measures to address cybersecurity risks in data centres. 

The AGs outline a four-step plan to manage business continuity involving:

- Data centre infrastructure: power, cooling, fire suppression, access control, etc.

- Governance: change management, incident management, etc.

- Cyber issues: malware attacks, ransomware, etc.

Additional measures to effectively manage the risks and cyberthreats in the data centre's network and systems are also considered.

The AGs will be continuously updated to incorporate technological developments, learning points from incidents, and industry feedback. In addition to the AGs, a whole-of-ecosystem approach is required to ensure that the Singapore economy and society continue to reap the benefits of digitalisation while being prepared to manage digital disruptions, IMDA said. In particular, companies that provide digital services are advised to conduct risk assessments and put in place business continuity plans to mitigate the impact of disruptions on their customers. 

The AGs are part of the work of the inter-agency Taskforce on the Resilience and Security of Digital Infrastructure and Services** (Taskforce) to develop measures to uplift digital resilience and security***. To develop the AGs, the Taskforce consulted CSPs and data centre operators, as well as end-user enterprises (e.g., banks, healthcare providers, and digital platforms) that rely on such digital infrastructure. Operators recognised that they need to provide resilient and secure compute facilities and services as part of their value proposition, and largely supported the AGs. End-user enterprises also expressed their support for the AGs.

“As we plan to expand our cloud infrastructure footprint and double our investment in Singapore by 2028, we look forward to collaborating even more closely with IMDA to raise the bar on digital security and resilience in the industry,” said Annabel Lee, Director of Public Policy, Amazon Web Services (AWS). According to Lee, security and resilience have always been top priorities for AWS.

“Keppel supports the launch of the Advisory Guidelines for Resilience and Security of Cloud Services and Data Centres by the Infocomm Media Development Authority. As a leading global asset manager and operator, and a strategic ecosystem player for digital infrastructure, Keppel is committed to building a sustainable digital future. We believe that the advisory guidelines will play a crucial role in uplifting the entire industry, and look forward to collaborating with IMDA and other industry stakeholders to create a more secure and reliable digital environment for businesses and consumers,” said Wong Wai Meng, CEO, Data Centres, Keppel.

Alvin Heng, GM, APAC, Cloud Operations & Innovation, Microsoft stated: “Microsoft is committed to upholding trust and confidence in the tech ecosystem, including the digital infrastructure that underpins it. We appreciate the strong partnership with the Singapore government in ensuring that the new advisory guidelines are fit for purpose and aligned with international standards. We look forward to our continued collaboration on digital resilience and security in Singapore.”

Bill Chang, CEO of Nxera shared: “Singtel and Nxera welcome the IMDA’s introduction of advisory guidelines which set out the resilience and security standards for data centre operators to uplift the overall industry in Singapore. We recognise the critical role that data centres play in supporting Singapore’s digital economy and AI ambitions, and have always incorporated resilience and security by design in building and operating our state-of-the-art data centres not just in Singapore but also in the region. We will continue to do so to meet the evolving needs of our government, customers and regulator.”

Chua Kim Chuan, Group Chief Information Security Officer, SingHealth, provided an end-user perspective: "As a major healthcare service provider, a robust digital infrastructure provided by our IT partners and suppliers is critically important to SingHealth. We welcome the advisory guidelines and the DIA as they align with our commitment to enhancing cybersecurity and digital resilience, further safeguarding our systems and patients' interests."

Details

The AGs can be accessed at https://www.imda.gov.sg/regulations-and-licences/regulations/codes-of-practice/advisory-guidelines-of-cloud-services-and-data-centres

*For example, the Multi-Tier Cloud Security (MTCS) Standard, Cloud Security Alliance Cloud Controls Matrix (CSA CCM), ISO 27001 and ISO 22301.

**The Taskforce is led by the Ministry of Digital Development and Information (MDDI), and comprises members from the Infocomm Media Development Authority (IMDA), Cyber Security Agency (CSA), and Government Technology Agency (GovTech). Relevant sector agencies are also consulted.

***This builds on existing regulations such as the Telecommunications Act (through which IMDA regulates broadband and mobile operators), sectoral regulations for digital services such as MAS’ requirements for financial institutions, and CSA’s Advisory on Building Digital Resilience in Organisations.
