IMDA launches guidelines for cloud services and data centres ahead of Digital Infrastructure Act


Two new sets of advisory guidelines to boost resilience and security for cloud service providers (CSPs) and data centre operators were launched on Tuesday (Feb 25) by the Infocomm Media Development Authority (IMDA).

These will eventually become part of the upcoming Digital Infrastructure Act, the draft for which is expected to be tabled in Parliament this year. Both large and small CSPs and data centre operators are encouraged to adopt the guidelines, which cover areas ranging from cloud infrastructure security to business continuity management.

Minister for Digital Development and Information Josephine Teo said: “These advisory guidelines are timely, and will give us better assurance that even if we are not able to prevent all disruptions, preventive measures are up to the mark.”

Recent outages have led to disruptions to businesses and society, with the October 2023 DBS and Citibank outages and the July 2024 CrowdStrike one coming to mind.

The guidelines have drawn lessons from those incidents and from consultations with CSPs and data centre operators, and list the best practices for operators outside the sectoral regulations, such as the Monetary Authority of Singapore, which has drawn up guidelines on business continuity management.

The guidelines therefore provide a baseline for the industry, where there are currently no legal or regulatory requirements for security and resilience for CSPs and data centre operators; there is now also no added support for small players looking to adopt these guidelines.

Teo said: “We want to raise the baseline standards and over time, bring it to a higher level, and that’s the intention of being able to put this into practice through advisory guidelines in the first instance, and subsequently through legislative and regulatory requirements.”

The advisory guidelines for CSPs cover:

  • Cloud governance

  • Cloud infrastructure security

  • Cloud operations management

  • Cloud services administration

  • Cloud service customer access

  • Tenancy and customer isolation

  • Cloud resilience

These guidelines set out what CSPs should do in their daily operations, as well as how they should respond to incidents and handle security.

In the area of tenancy and customer isolation, for example, CSPs are advised to implement controls to restrict user access within the property, and to segregate network and systems environments. These controls should be in place to ensure that customers do not pose risks of data loss, misuse and privacy violations to each other.

CSPs are urged to reference ISO 27001, Cloud Security Alliance’s Cloud Controls Matrix and IMDA’s Multi-Tier Cloud Security standard.

For data centre operators, the advisory lists the key risks as infrastructure governance and cyber risks. Operators are advised to follow the “plan-do-check-act”, or PDCA, cycle in managing the resilience and security risks of their data centres.

Planning and reviewing business continuity management systems for data centre operators are part of the guidelines. Operators are also encouraged to have additional measures to mitigate cyber risks, such as ensuring that employees are suitable for their roles, with suitability assessed through background checks.

Both CSPs and data centre operators are urged to appoint a senior representative as a designated officer to lead the effort to follow the guidelines.


