A new cloud security standard has been launched to provide businesses with greater clarity on the levels of security offered by different cloud service providers (CSPs). It will also be a requirement for CSPs participating in future public cloud service bulk tenders from the Government.

Announcing the Multi-Tier Cloud Security Standard for Singapore (MTCS SS) at Cloud Asia 2013 on 13 November, Mr Steve Leonard (pictured above), Deputy Executive Chairman of the Infocomm Development Authority of Singapore (IDA), said Singapore aspires to be a smart nation, and cloud and data fit into that vision.

“Cloud computing is a very attractive way for companies of all sizes to consume technology,” he said. The new cloud security standard is aimed at spurring the adoption of cloud computing across industries by increasing clarity around the security service levels of CSPs, while also increasing the level of accountability and transparency from these companies.

MTCS SS (SS 584) is the world’s first cloud security standard that covers multiple tiers, and allows certified CSPs to spell out the levels of security that they can offer to their users. It has a self-disclosure requirement for CSPs covering service-oriented information that is normally included in Service Level Agreements. This covers areas such as data retention, data sovereignty, data portability, liability, availability, business continuity, disaster recovery, as well as incident and problem management.

Businesses that rely on cloud computing services will be able to use the MTCS SS to better understand and assess the cloud security they require. A low-risk, public-facing website could, for example, rely on a tier-1 certified CSP, while more sensitive business and personal data might require a tier-2.

While the MTCS is voluntary, its certification will be a requirement for CSPs participating in future public cloud service bulk tenders from the Government.

CSPs can certify themselves at any of the seven qualifying certification bodies – the British Standard Institute, Certification International Pte Ltd, DNV Business Assurance, SGS International Certification, Singapore ISC Pte Ltd, TUV Rheinland Singapore Pte Ltd and TUV SUD PSB Certification.

IDA will also be working to cross-certify the MTCS SS with other international certification schemes – such as the International Standard Organisation (ISO) 27001 Information Security Management System and Cloud Security Alliance Open Certification Framework – to help those CSPs already certified against them to meet SS 584.

IDA will also offer an early adoption grant scheme that will help defray specific costs in MTCS SS certification. The scheme will provide a grant up to 50 per cent or S$15,000, whichever is lower, for costs of certification and consultancy services.

The continued development of cloud security standards is being undertaken by ISO, with completion expected in two to three years. The IDA will be contributing parts of MTCS SS to various ISO/IEC cloud initiatives.

• The SS 584 document is now available on SPRING’s standards publication website for S$140.05 (excluding GST).