
Singapore Standard for Multi-Tiered Cloud Security - SS 584:2013

Wong Onn Chee, Cloud Security Working Group Chair, SPSTC

Agenda

  • 1. To provide an overview of Multi-Tier Cloud Security (MTCS SS584:2013) standard
  • 2. To detail the deployment considerations and related initiatives

Outline

  • 1. Background
  • 2. Objectives
  • 3. The MTCS Working Group
  • 4. The MTCS Model & Framework
  • 5. MTCS Structure
  • 6. Major Control Areas/Domains
  • 7. Deployment Considerations & Related Initiatives
  • 8. Summary

Background

  • 1. Surveys have consistently confirmed that cloud security is the Number 1 concern in adoption
  • 2. Concern about & tolerance of security risk differs from user to user
  • 3. We need a security standard to provide visibility & clarity of the security provisions of CSPs for better matching of users' needs


Objectives

  • 1. To provide a cloud security framework
  • Caters for the different needs of cloud users, from basic requirements to those with high confidentiality, high integrity & high availability such as FSI
  • Expressed as a multi-tier model (similar to Uptime Institute's DC tiers)
  • Highlights key security areas & associated controls for each tier
  • Complements existing security standards (e.g. ISO27001 & industry specific standards/regulatory requirements)
  • 2. Standard seeks to foster adoption of sound risk management & security practices for cloud computing while providing businesses with greater clarity on the levels of security offered by different CSPs

MTCS Stds Development Model

  • Approved By: The Council, IT Standards Committee
  • Endorsed By: Cloud Computing Standards Coordinating Taskforce
  • Standards Development: WG (Prof Bodies/Assoc/Regulators) & Consultants, IDA
  • Pilot Deployment: CSPs, Auditors, Lead Users
  • Consultation FGs*: Industry Players (CSPs, Cloud User Reps & Others)
  • Work Groups

* Completed 2 rounds of 2-month public comment (~350 comments addressed)

MTCS Working Group

Industry-led MTCS WG oversees development of cloud security standards

  • 1. Dr. Kang Meng Chow: Chairman, ITSC
  • 2. Mr. Tao Yao Sing: Deputy Chairman, IDA – NCCO
  • 3. Ms Kong Pei Wee: Secretariat, ITSC
  • 4. Mr. Wong Onn Chee: Member, ITSC-SPSTC
  • 5. Mr. John Yong: Member, IDA – ISEC
  • 6. Mr. Hector Goh*: Member, IDA – ISEC
  • 7. Dr. Lam Kwok Yan: Member, AISP
  • 8. Mr. Alan Sinclair: Member, MOHH
  • 9. Mr. Greg Malewski*: Member, MOHH

Multi-Tier Model of Cloud Security

  • ISO 27001 (ISMS): Base Standards
  • Multi-tier Cloud Security Standards: Cloud Related Controls
  • Industry Specific Standards (e.g. Govt, Finance & Healthcare industries): More Specific Controls


Framework of MTCS Standard

MTCS is based on a multi-level framework comprising 3 levels of IS requirements:

  • Level 1: Non-business critical data & systems. Security control focus: baseline security controls for potentially low-impact information systems
  • Level 2: Most business critical data & systems. Security control focus: a set of more stringent security controls for potentially moderate-impact information systems
  • Level 3: Regulated organisations with specific requirements & more stringent security needs. Security control focus: an additional set of security controls for potentially high-impact information systems

Structure of MTCS standard

The Standard

  • Core Information Security: Cloud Governance; Cloud Infrastructure Security; Cloud Operations Management
  • Cloud Specific Information Security: Cloud Services Administration; Cloud User Access; Tenancy and Customer Isolation

Structure of MTCS standard

  • 1. Consists of the following focus areas:
  • a. Cloud governance (Clauses 6-12)
  • b. Cloud infrastructure security (Clauses 13-17)
  • c. Cloud operations management (Clauses 18-21)
  • d. Cloud specific information security (Clauses 22-24)
  • i. Cloud services administration
  • ii. Cloud user access
  • iii. Tenancy and customer isolation

Structure of MTCS standard

  • 2. Consists of the following Clauses:
  • 6. Information security management
  • 7. Human resources
  • 8. Risk management
  • 9. Third-party
  • 10. Legal and compliance
  • 11. Incident management
  • 12. Data governance
  • 13. Audit logging and monitoring
  • 14. Secure configuration
  • 15. Security testing and monitoring
  • 16. System acquisitions and development
  • 17. Encryption
  • 18. Physical and environmental
  • 19. Operations
  • 20. Change management
  • 21. BCP and DR
  • 22. Cloud services administration
  • 23. Cloud user access
  • 24. Tenancy and customer isolation

CSP Self-Disclosure Checklist

Criteria, with the measures / disclosure requirements for each:

  • Right to audit: Ability to conduct own reviews (e.g., site assessment, penetration test) & costs
  • Compliance: List of compliance statuses
  • Data ownership: Data ownership limitations
  • Data retention: Periods for user data, user log data, and infrastructure log data
  • Data sovereignty: Data locations, capability to restrict geographies, and DR locations
  • Information non-disclosure: What if any information may be disclosed
  • Availability: Mean time between failures; service availability
  • BCP / DR: Recovery point objective; recovery time objective
  • Liability: Limits in case of incidents/failure to meet service commitment
  • Change Management: Comms plan and procedures for managing changes
  • On-demand self-service*: Users can unilaterally provision computing capabilities as needed automatically without requiring human interaction with CSPs

* Five essential characteristics of Cloud Computing as defined by NIST

CSP Self-Disclosure Checklist (continued)

  • Incident & problem management: Support provided (e.g., notification, cooperation with outside parties)
  • Billing (Measured Svc): Metrics & accuracy
  • Data portability: Mechanisms supported including media and format upon termination
  • Access to CSP's network: Methods to access the provider (e.g., Internet IPv4/6, site-to-site VPN, frame relay)
  • User management: Options for integrating with customer IDM, 2-factor solutions
  • Lifecycle: Automatic or customisable service upgrades and changes
  • Security configuration enforcement checks: Mechanism to enforce check on security configuration
  • Multi-tenancy: Tenancy options
  • Capacity elasticity: Peak load handling capabilities for capacity
  • Network resiliency & elasticity: Peak load handling capabilities for network
  • Storage redundancy & elasticity: Peak load handling capabilities for storage

Deployment Considerations

  • 1. Deployment
  • Incorporate MTCS as a requirement into the Public Cloud Services bulk tender
  • 3 rounds of training sessions for CSPs, CBs and SaaS ISVs have been conducted
  • 2. Cross-certification schemes with other standards (ISO 27001) to facilitate easy migration to MTCS SS - WIP
  • 3. Working with Singapore Accreditation Council (SAC) to provide accreditation services to Certification Bodies
  • 4. Establishment of a website to capture CSP certification & self-disclosure info to promote TRUST building through TRANSPARENCY

MTCS Certification Scheme (1/2)

  • 1. URL: http://www.ida.gov.sg/collaboration-and-initiatives/initiatives/for-infocomm-enterprises/MTCS-Certification-Scheme
  • 2. Scope
  • 3 different levels of security certification (tiers 1, 2 & 3), further qualified with types of services (IaaS, PaaS & SaaS)

Example: "Company X is certified to supply Infrastructure-as-a-Service at Tier level 2 according to MTCS standard (SS584 : 2013)"

  • 3. Validity
  • Certification will be valid for 3 years with a yearly surveillance audit to be conducted.

MTCS Certification Scheme (2/2)

  • 4. Qualified Assessors for MTCS Certification
  • CSPs shall identify & source Certification Bodies (CBs) to undertake certification.
  • 5. Prerequisite
  • All applicants must complete CSP self-disclosure and Statement of Applicability (SoA).

List of Participating Certification Bodies

  • DNV Business Assurance Pte Ltd, 81 Science Park Drive, #02-03 Chadwick, Singapore 118257
  • Certification International (Singapore) Pte Ltd, 60 Albert Street, #13-03 OG Albert Complex, Singapore 189969
  • SGS International Certification Services Singapore Pte. Ltd., 3 Toh Tuck Link, #01-02/03, Singapore 596228
  • TUV SUD PSB Cert, 1 Science Park Drive, Singapore 118221
  • BSI Group Singapore Pte Ltd, 1 Robinson Road, #15-01 AIA Tower, Singapore 048542
  • TUV Rheinland Singapore Pte Ltd, 25 International Business Park, #05-105, German Centre, Singapore 609916
  • Singapore ISC Pte Ltd, 2 Kim Yam Road, #12-03, Singapore 239320

Cross-Certification with Other Standards

  • 1. Objective: To target:
  • a. Local CSPs with regional businesses
  • b. Foreign CSPs with plans to provide cloud services in Singapore
  • 2. MTCS-ISO27001 Cross-Certification in 1Q 2014
  • a. To address CSPs in the process of attaining, or already holding, ISO27001 certification
  • b. Gap analysis report (ISO27001:2005 -> MTCS SS) has been published on the IDA website

MTCS Certification (Accredited) Framework

  • Certification Scheme: 3 different levels of security certification, further qualified with types of services. Certification will be valid for 3 years with a yearly surveillance audit to be conducted.
  • Qualified Assessors for MTCS Certification: Audit skill and cloud computing security knowledge; relevant audit experience
  • Prerequisites: All applicants must complete CSP self-disclosure


Summary – Accreditation Scheme

  • Accredited certification for MTCS is available from SPRING/Singapore Accreditation Council (SAC)
  • Accreditation criteria: ISO/IEC 17021:2011 Conformity assessment - Requirements for bodies providing audit and certification of management systems, and SAC CT 14:2014 SAC Criteria for Certification Bodies (multi-tiered cloud computing security)
  • SAC CT 14 can be downloaded at http://www.sac-accreditation.gov.sg/Resources/sac_documents/Documents/Management_System_And_Products_Certification/Related_Documents/CT%2014%2c%20Oct%2014.pdf
  • Accreditation shows that CBs are impartial, competent and globally recognised for Conformity Assessment
  • Assurance to CSPs, and ultimately Cloud Users, that the CB's certification is continually reviewed, improved and meets internationally recognised standards
  • Estimated fee is around $10K, including application, document review, on-site and witness assessments; lower for CBs already accredited by SAC for another certification scheme
  • Time needed to obtain accreditation is about 3-6 months, depending on whether the CB has already been accredited by SAC for another certification scheme

Summary – Certification Support

Support is available from SPRING's Capability Development Grant (CDG). Eligibility & conditions of CDG:

  • Available to all SMEs
  • Up to 70% of qualifying costs, one-time and 1st year implementation costs only
  • Accredited certificate issued by an internationally/SAC accredited Certification Body, to be held for a minimum period of 3 years

Contact SPRING for an initial discussion & download an application e-form @ www.spring.gov.sg/CDG

Summary – CSP Registry

Purpose

To promote TRUST and CONFIDENCE in cloud adoption through openness and transparency

Platform available for public access to pertinent information about CSPs when sourcing for cloud services

Key Sourcing Information: Certification; CSP Self-Disclosure; Service Benchmarks (Availability, Performance)

The End

Wong Onn Chee

  • onnchee@infotectsecurity.com