SS584 explained

SS 584 (also known as Multi-Tier Cloud Security (MTCS)) is an information security standard, published by Singapore Standards.[1] The standard was last revised in 2020.

SS 584 specifies a Management system for Cloud Security, to three levels. Organizations that meet the requirements may be certified by an accredited certification body following successful completion of an audit.

Rationale

Although most Cloud Service Providers are certified to ISO 27000, the ISO standard does not focus on the unique risks arising from provisioning via the Cloud. Smaller customers also have difficulty assessing if a CSP's ISMS is sufficient for their needs, as ISO 27001 is risk-based, and may vary significantly between implementations. This may be a barrier to adoption by SMEs, who would like a simpler way to decide if a CSP meets their needs.

To encourage adoption of Cloud Services, the then IDA established a series of groups in 2012 to produce a standard that CSPs could certify to. The standard would have multiple levels of security assurance:[2]

Note that the standard interchangeably uses the terms "tiers" and "levels".

History of SS 584

SS584:2013 was issued in 2013, and the program was initially administered by IDA.[3]

In 2015, the standard was revised (SS 584:2015). At this time, Accreditation was handed over to the Singapore Accreditation Council, a division of Enterprise Singapore, in line with other Singapore Standards.

As of late 2019, the standard is being revised again, with inputs from industry, and a new version will be issued in Oct 2020.

Certification

CSPs that wish to have their services certified must classify each into IaaS, PaaS, or SaaS. They also decide to which level they wish to demonstrate compliance (Tier 1, 2, or 3).

For compliance to Level 3, the CSP must be certified to ISO/IEC 27001.

CSPs must obtain the services of an Accredited Certification Body, who will audit the management system of the CSP for compliance to SS 584. The CB will then issue a Certificate attesting to this, usually valid for three years. Annual Surveillance Audits are required.

A list of Services and CSPs certified is available.[4] Examples of Certified CSPs include IBM[5] and AWS.[6]

Overseas Acceptance

Although the standard is not an International standard, as the first national standard to address Cloud Security, it has seen acceptance outside Singapore. In particular, the Korean RSEFT regulations recognise SS 584 as meeting most of the requirements for CSPs.[7]

Documents from Datamation[8] and CloudwatchHUB[9] describe the international use and impact of this standard.

See also

Notes and References

  1. Book: Tao. Yao-Sing. Lee. Hing-Yan. 2017 International Conference on Cloud Computing Research and Innovation (ICCCRI) . MTCS for Healthcare . April 2017. https://ieeexplore.ieee.org/document/7999635. Singapore, Singapore. IEEE. 14–17. 10.1109/ICCCRI.2017.10. 978-1-5386-1075-6. 28858337 .
  2. Web site: Fact Sheet . imda.gov.sg . IDA . 9 October 2019.
  3. Web site: New Multi-Tier Cloud Security (MTCS) Standard Launched in Singapore . Infocomm Media Development Authority . 9 October 2019 . en.
  4. Web site: Compliance and Certification . Infocomm Media Development Authority . 7 December 2019 . en.
  5. Web site: MTCS Certificate for IBM Cloud Services . IMDA . 7 December 2019.
  6. Web site: MTCS Certificate issued by ISC Singapore to AWS . IMDA . 7 December 2019.
  7. Web site: With the MTCS, FSI customers in Korea can accelerate cloud adoption by no longer having to validate 109 controls, as required in the relevant regulations (Financial Security Institute's Guideline on Use of Cloud Computing Services in Financial Industry and the Regulation on Supervision on Electronic Financial Transactions (RSEFT). . AWS . 16 May 2019 . Amazon . 9 October 2019.
  8. Web site: Morgan . Lisa . How to Ensure Cloud Compliance . Datamation . 12 July 2019 . 29 March 2020.
  9. Web site: Multi-Tier Cloud Security (MTCS) - Singapore . CloudwatchHUB . 29 March 2020.