Multi-Tier Cloud Security (MTCS) - Singapore


Name of the programme: SS584 - Multi-Tier Cloud Security (MTCS) .

Governing of the standard: Cloud Computing Standards Coordinating Task Force appointed by IT Standard Committee (ITSC).

Accreditation Body/Bodies: Five qualifying certification bodies – the British Standard Institute, Certification International Pte Ltd, DNV Business Assurance, SGS International Certification and TUV SUD PSB Certification .

IDA (Infocomm Development Authority of Singapore)  will be working to cross-certify the MTCS SS with other international standards or certification schemes – such as the International Standard Organization (ISO) 27001 Information Security Management System (ISMS)  and Cloud Security Alliance (CSA) Open Certification Framework (OCF) – to help those CSPs already certified against them to meet SS 584.

Scope: Sound risk management and security practices for Cloud Computing, Transparency and accountability in the cloud
Cloud-relevance: The SS 584 is the world’s first cloud security standard that covers multiple tiers and can be applied by Cloud Service Providers (CSPs) to meet differing cloud user needs for data sensitivity and business criticality.

Type of certifiable organisation: Cloud Service Providers (CSPs)

Type of trust models applicable: Third-party certification and a self-disclosure requirement.

Is the certification proprietary or open: Open

Programme, status (operational, in development): Operational

In April 2012, Infocomm Development Authority of Singapore initiated the formation of an industry working group under the purview of the Information Technology Standards Committee (ITSC) to undertake the development of multi-tier cloud security (MTCS) standard. This standard describes the relevant cloud computing security practices and controls for public cloud users, public cloud service providers, auditors and certifiers. Recognising security risk requirements differ from users to users, different control measures are specified for different levels of security requirements in this multi-tier model.

MTCS seeks to address needs such as transparency of cloud users. Transparency is a way to build trust between CSPs & cloud users.

With the new standard, certified CSPs will be able to better spell out the levels of security that they can offer to their users. This is done through third-party certification and a self-disclosure requirement for CSPs covering service-oriented information normally captured in Service Level Agreements. The disclosure covers areas including: Data retention; data sovereignty; data portability; liability; availability; BCP/DR; incident and problem management.

MTCS SS has three different tiers of security, Tier 1 being the base level and Tier 3 being the most stringent.

  • Tier 1 – Designed for non-business critical data and system, with baseline security controls to address security risks and threats in potentially low impact information systems using cloud services (e.g.: Web site hosting public information).
  • Tier 2 – Designed to address the need of most organizations running business critical data and systems through a set of more stringent security controls to address security risks and threats in potentially moderate impact information systems using cloud services to protect business and personal information (e.g.: Confidential business data, email, CRM – customer relation management systems).
  • Tier 3 – Designed for regulated organizations with specific requirements and more stringent security requirements. Industry specific regulations may be applied in addition to these controls to supplement and address security risks and threats in high impact information systems using cloud services (e.g. highly confidential business data, financial records, medical records).