© 2011 IDA Singapore. All Rights Reserved.

Singapore: Benefits from Secure Clouds

Lee Hing Yan (Dr.)
National Cloud Computing Office

Presented to: 4th International Conference of the Asia Forum

12 June 2015


Key Thrusts for Cloud Computing

Sharpen competitiveness through adoption of cloud computing

• Support Flagship Users of Cloud Services
• Attract Cloud Players
• Develop Manpower & Competency for Industry
• Forge R&D Relationships and Build Knowledge Capital Assets
• Provide Enabling Infrastructure
• Build a Trusted Environment

Enhance vibrancy & growth of infocomm sector through cloud ecosystem development


Cloud Security Technical References & Standards Development

Infocomm Standards Committee (ITSC)
• Formed Cloud Computing Standards Coordinating Task Force in Feb 2011
• Comprises industry reps

Cloud Security Deliverables
• Technical references (published in May 2012)
  • Best Practices for Virtualisation Security (TR30)
  • Guidelines on Security & Service Level for Users of Public Clouds (TR31)
• Singapore standards (published in Oct 2013)
  • Multi-Tiered Model on Cloud Security (MTCS) as SS584


A Multi-Tier Model

ISO 27001 (ISMS) – Base Standards

Multi-tier Cloud Security Standards – Cloud Related Controls

Industry Specific Standards (e.g. Govt, Finance & Healthcare industries) – More Specific Controls


Status of MTCS

• Work commenced in 2011
• Completed development in mid 2013
• Completed 2 rounds of 2-month public comment of draft standard
  • ~300 comments addressed in 1st round
  • ~48 comments addressed in 2nd round
  • Comments received from CSPs like SFDC, AWS, …
• Approved as Singapore Standard by ITSC & SPRING in Aug 2013
• Launched in Nov 2013
• Revised in May 2015


Its Objective

To provide a cloud security framework

• Caters for different needs of cloud users, from basic requirements to one with high confidentiality, high integrity & high availability such as FSI
• Highlights key security areas & associated controls for each tier
• Complements existing security standards
  • e.g. ISO27001 & industry specific standards/regulatory requirements


MTCS Levels

Level 1
Overview: Designed to be low cost with a minimum of required controls
Security Control Focus: Baseline security controls – “security 101”
Typical Usage:
• Hosting web site
• Test & Development
• Simulation
• Non-critical biz apps

Level 2
Overview: Address the needs of most organizations that are concerned about data security
Security Control Focus: A set of more stringent security controls required to address security risks & threats to data
Typical Usage:
• The majority of cloud usages
• More critical biz apps

Level 3
Overview: Designed for regulated organizations with specific requirements & are willing to pay for more stringent security requirements
Security Control Focus: Additional set of security controls are necessary to supplement & address security risks & threats in high-impact information systems using cloud services
Typical Usage:
• Hosting applications & systems with sensitive information & regulated systems


MTCS Certification

• Approved as Singapore Standard by ITSC Council on 26 Aug 2013
• Launched at CloudAsia in Nov 2013
• 7 established certification bodies participated to provide MTCS certification services
• More than 170 copies sold (as at end Dec 2014)
• Accreditation scheme by Singapore Accreditation Council was launched in Oct 2014
• Currently more than 10 CSPs have been MTCS certified


MTCS Certification – Status

As of 5 June 2015


Singapore Government Cloud Strategy

Acknowledge each cloud computing model provides its own level of assurance & benefits

Leverage on appropriate cloud for appropriate need

• Use public cloud offerings for appropriate needs so as to benefit from lower cost of computing resources
• Implement a private (community) cloud for whole-of-government use where security & governance requirements cannot be met by public clouds


Public Cloud Services Bulk Tenders

• 3 Public Cloud Services bulk tenders have been awarded
  • T0831 awarded in Mar 2010 to 4 CSPs
  • T1050 awarded in Apr 2012 to 6 CSPs
  • T1242 awarded in Nov 2014 to 8 CSPs
• Based on demand aggregation on WOG basis
• Consumption
  • Oversubscribed in 1st two bulk tenders resulting in early call
• MTCS certification is a mandatory requirement of CSPs seeking to sell cloud services to government agencies


MTCS – Harmonisation with other Frameworks

For each direction,
• Gap Analysis report
• Implementation Guide report
• Audit Checklist report


Other MTCS Related Efforts (on-going)

1. Revision of MTCS

2. Aligning MTCS with ISO 27001:2013

3. Aligning MTCS with ISO 27018

4. Aligning MTCS with ISO27017 (when published)

5. Aligning MTCS with FGH sectors

Others

a) Cloud Outage Incident Response


Singapore - CSA Collaboration

MOU signed with Cloud Security Alliance in June 2013

Developed joint whitepaper
• Based on TR30 & CSA Domain 13
• Available for release in Apr 2015

Submitted NWI on Study Period on Server Virtualization Security
• Approved at ISO/IEC WG4 SC27 in May 2015


Summary

Adopts open approach

Aligns with international norms

Welcomes collaboration with industry


National Cloud Computing Office
Infocomm Development Authority of Singapore
10 Pasir Panjang Road
#10-01 Mapletree Business City
Singapore 117438