© 2011 IDA Singapore. All Rights Reserved.
Singapore: Benefits from Secure Clouds
Lee Hing Yan (Dr.)
National Cloud Computing Office
Presented to: 4th International Conference of the Asia Forum
12 June 2015
Key Thrusts for Cloud Computing
Sharpen competitiveness through adoption of cloud computing
• Support Flagship Users of Cloud Services
• Attract Cloud Players
• Develop Manpower & Competency for Industry
• Forge R&D Relationships and Build Knowledge Capital Assets
• Provide Enabling Infrastructure
• Build a Trusted Environment
Enhance vibrancy & growth of infocomm sector through cloud ecosystem development
Cloud Security Technical References & Standards Development
Infocomm Standards Committee (ITSC)
• Formed Cloud Computing Standards Coordinating Task Force in Feb 2011
• Comprises industry reps
Cloud Security Deliverables
• Technical references (published in May 2012)
  • Best Practices for Virtualisation Security (TR30)
  • Guidelines on Security & Service Level for Users of Public Clouds (TR31)
• Singapore standards (published in Oct 2013)
  • Multi-Tiered Model on Cloud Security (MTCS) as SS584
A Multi-Tier Model
ISO 27001 (ISMS) – Base Standards
Multi-tier Cloud Security Standards – Cloud Related Controls
Industry Specific Standards (e.g. Govt, Finance & Healthcare industries) – More Specific Controls
Status of MTCS
• Work commenced in 2011
• Completed development in mid 2013
• Completed 2 rounds of 2-month public comment of draft standard
  • ~300 comments addressed in 1st round
  • ~48 comments addressed in 2nd round
  • Comments received from CSPs like SFDC, AWS, …
• Approved as Singapore Standard by ITSC & SPRING in Aug 2013
• Launched in Nov 2013
• Revised in May 2015
Its Objective
To provide a cloud security framework
• Caters for different needs of cloud users from basic requirements to one with high confidentiality, high integrity & high availability such as FSI
• Highlights key security areas & associated controls for each tier
• Complements existing security standards
  • e.g. ISO27001 & industry specific standards/regulatory requirements
MTCS Levels

Level 1
Overview: Designed to be low cost with a minimum of required controls
Security Control Focus: Baseline security controls – “security 101”
Typical Usage:
• Hosting web site
• Test & Development
• Simulation
• Non-critical biz apps

Level 2
Overview: Addresses the needs of most organizations that are concerned about data security
Security Control Focus: A set of more stringent security controls required to address security risks & threats to data
Typical Usage:
• The majority of cloud usages
• More critical biz apps

Level 3
Overview: Designed for regulated organizations that have specific requirements & are willing to pay for more stringent security requirements
Security Control Focus: An additional set of security controls is necessary to supplement & address security risks & threats in high-impact information systems using cloud services
Typical Usage:
• Hosting applications & systems with sensitive information & regulated systems
MTCS Certification
• Approved as Singapore Standard by ITSC Council on 26 Aug 2013
• Launched at CloudAsia in Nov 2013
• 7 established certification bodies participated to provide MTCS certification services
• More than 170 copies sold (as at end Dec 2014)
• Accreditation scheme by Singapore Accreditation Council was launched in Oct 2014
• Currently more than 10 CSPs have been MTCS certified
MTCS Certification – Status
As of 5 June 2015
Singapore Government Cloud Strategy
Acknowledge each cloud computing model provides its own level of assurance & benefits
Leverage on appropriate cloud for appropriate need
• Use public cloud offerings for appropriate needs so as to benefit from lower cost of computing resources
• Implement a private (community) cloud for whole-of-government use where security & governance requirements cannot be met by public clouds
Public Cloud Services Bulk Tenders
• 3 Public Cloud Services bulk tenders have been awarded
  • T0831 awarded in Mar 2010 to 4 CSPs
  • T1050 awarded in Apr 2012 to 6 CSPs
  • T1242 awarded in Nov 2014 to 8 CSPs
• Based on demand aggregation on WOG basis
• Consumption
  • Oversubscribed in 1st two bulk tenders resulting in early call
• MTCS certification is a mandatory requirement of CSPs seeking to sell cloud services to government agencies
MTCS – Harmonisation with other Frameworks
For each direction,
• Gap Analysis report
• Implementation Guide report
• Audit Checklist report
Other MTCS Related Efforts (on-going)
1. Revision of MTCS
2. Aligning MTCS with ISO 27001:2013
3. Aligning MTCS with ISO 27018
4. Aligning MTCS with ISO27017 (when published)
5. Aligning MTCS with FGH sectors
Others
a) Cloud Outage Incident Response
Singapore - CSA Collaboration
MOU signed with Cloud Security Alliance in June 2013
Developed joint whitepaper
• Based on TR30 & CSA Domain 13
• Available for release in Apr 2015
Submitted NWI on Study Period on Server Virtualization Security
• Approved at ISO/IEC WG4 SC27 in May 2015
Summary
Adopts open approach
Aligns with international norms
Welcomes collaboration with industry
National Cloud Computing Office
Infocomm Development Authority of Singapore
10 Pasir Panjang Road
#10-01 Mapletree Business City
Singapore 117438