IMDA Issues Advisory Guidelines for Resilience and Security of Cloud Service and Data Centres

Introduction

As we become increasingly reliant on digital services, including online banking and e-commerce, the resilience and security of Cloud Services and Data Centres (“DCs”) become of vital importance. Such digital services are dependent on the continued availability and functioning of Cloud Services and DCs, and disruptions can lead to adverse impact.

To address this, the Infocomm Media Development Authority (“IMDA”) has introduced Advisory Guidelines (“AGs”) for Cloud Services and DCs. The AGs set out best practices to address risks to Cloud Service Providers (“CSPs”) and DCs, including risk assessment, business impact analysis, business continuity planning, and cybersecurity measures.

  • For Cloud Services, the AGs cover seven categories of measures to uplift the security and resilience of Cloud Services.
  • For DCs, the AGs provide a framework for a robust business continuity management system and measures to address cybersecurity risks.

While the AGs are voluntary, CSPs and DCs are encouraged to adopt the measures to uplift their own resilience and security posture and distinguish themselves in the competitive market. The AGs are also of relevance to AI service providers in Singapore, due to their heavy utilisation of DC operations and provision of cloud-based AI services.

This Update provides a summary of the key measures set out in the AGs.

Advisory Guidelines for Resilience and Security of Cloud Services

The AGs for Cloud Services set out guidance on how CSPs can manage resilience and security risks by planning for business continuity and adopting appropriate and proportionate mitigation measures. The measures are organised into seven categories:

Cloud Governance

  • Information security management: CSPs should ensure that information security is managed within each CSP’s overall administrative structure.
  • Information human resources: CSPs should ensure that all employees and third parties are suitable for their roles prior to employment or contract, and that they understand their responsibilities, employment and contract terms and conditions (including termination) to reduce the risk of theft, fraud or misuse of facilities.
  • Risk management: CSPs should establish and maintain a cloud-specific risk management programme to identify, quantify, prioritise, and mitigate or resolve risks impacting cloud service operations and information assets.
  • Third parties: CSPs should ensure that they have an effective control framework over their third-party service providers supporting the cloud environment.
  • Legal and compliance: CSPs should ensure that they and their third-party service providers conform to the CSPs’ information security and risk management policies, standards, and procedures and contractual obligations.
  • Incident management: CSPs should implement incident management controls to ensure that information security events and weaknesses impacting the information assets and systems in the cloud environment are communicated in a timely manner.
  • Data governance: CSPs should ensure that only authorised users have access to the data stored in the cloud environment at all times.

Cloud Infrastructure Security

  • Audit logging and monitoring: CSPs should ensure that activities performed and events that occurred in the cloud environment are being tracked and maintained for a period of time to detect any unauthorised activities and to facilitate investigation and resolution in the event of security incidents.
  • Secure configuration: CSPs should ensure that the systems in the cloud infrastructure and the supporting networks are designed and configured securely.
  • Security testing and monitoring: CSPs should conduct security testing and implement monitoring controls across the cloud infrastructure to detect vulnerabilities and malware in a proactive and timely manner.
  • System acquisition and development: CSPs should implement system acquisition and development security controls.
  • Encryption: CSPs should implement encryption and secure cryptographic key management.

Cloud Operations Management

  • Operations: CSPs should implement operations security controls to ensure that the operations of the cloud are documented, secure, reliable, resilient and recoverable.
  • Change management: CSPs should implement change management controls to ensure that changes to the cloud infrastructure are carried out in a planned and authorised manner.

Cloud Service Administration

  • CSPs should implement cloud services administration controls to ensure the enforcement of policies, standards and procedures relating to the creation, maintenance and removal of privileged accounts used for managing cloud services and supporting networks.

Cloud Service Customer Access

  • CSPs should implement cloud user access controls to ensure that policies, standards and procedures are established and implemented to govern the creation, maintenance and removal of user accounts, to restrict access, and to safeguard user credentials, so as to prevent unauthorised access to information and information systems.

Tenancy and Customer Isolation

  • CSPs should implement tenancy and customer isolation controls to restrict user access within the same physical resource and segregate network and system environments.

Cloud Resilience

  • Physical and environmental security: CSPs should implement physical and environmental security controls to prevent unauthorised physical access, damage or interference to the cloud environment and infrastructure.
  • Business continuity and disaster recovery: CSPs should implement business continuity and disaster recovery controls to ensure timely resumption from, and the possible prevention of, interruptions to business activities and processes caused by failures of information systems and disasters.

Advisory Guidelines for Resilience and Security of Data Centres

The AGs for DCs set out guidance on best practices covering how DC operators (“DCOs”) can manage resilience and security risks of DCs by planning for business continuity and adopting appropriate and proportionate mitigation measures.

The AGs identify the following key risks for the resilience and security of DCs:

  • Infrastructure Risks stemming from insufficient consideration of risk in the design of DCs;
  • Governance Risks stemming from insufficient risk oversight of DC operations; and
  • Cyber Risks arising from cyberattacks on DC operating systems and controls.

The AGs recommend that DCOs adopt a continuous process loop of Plan, Do, Check and Act to implement, maintain and continuously improve resilience and security measures:

  • Step 1: Plan. This step involves establishing the scope and policies of the Business Continuity Management System (“BCMS”), garnering top management support to be executive sponsors, and identifying the critical products and services that should be protected from business disruptions.
  • Step 2: Do. This step entails implementing the business continuity policy, controls, processes and procedures. This includes steps to understand, plan and test for business continuity events.
  • Step 3: Check. This step involves monitoring and reviewing performance against the established BCMS objectives. The results of the assessment should be presented to top management for review.
  • Step 4: Act. This step ensures that operators maintain and improve the BCMS by taking preventive and corrective actions based on the results of management review, and updating it to align with management’s expectations.

In addition, the AGs recommend that DCOs prepare for and manage the risks of cyber threats (e.g., supply chain attacks, malware attacks, ransomware, etc.) effectively in the key risk areas, based on each DC’s business and operational needs, and ensure that adequate cybersecurity control measures are in place for its network and systems.

Concluding Words

IMDA has stated that the AGs will continuously be updated to incorporate technological developments, learning points from incidents, and industry feedback. Further, the AGs are intended to complement the upcoming introduction of a new Digital Infrastructure Act, which will regulate systemically important digital infrastructure such as major CSPs and DC operators. We will continue to monitor upcoming developments on this topic.

For further queries, please feel free to contact our team.