SS584

Last updated January 27, 2024

SS 584 (also known as Multi-Tier Cloud Security (MTCS)) is an information security standard, published by Singapore Standards.^[1] The standard was last revised in 2015.

Rationale

Although most Cloud Service Providers are certified to ISO 27000, the ISO standard does not focus on the unique risks arising from provisioning via the Cloud. Smaller customers also have difficulty assessing if a CSP's ISMS is sufficient for their needs, as ISO 27001 is risk-based, and may vary significantly between implementations. This may be a barrier to adoption by SMEs, who would like a simpler way to decide if a CSP meets their needs.

To encourage adoption of Cloud Services, the then IDA established a series of groups in 2012 to produce a standard that CSPs could certify to. The standard would have multiple levels of security assurance:^[2]

Tier 1: Designed for non-business critical data and system, with baseline security controls to address security risks and threats in potentially low impact information systems using cloud services (e.g.: Web site hosting public information)
Tier 2: Designed to address the need of most organizations running business critical data and systems through a set of more stringent security controls to address security risks and threats in potentially moderate impact information systems using cloud services to protect business and personal information (e.g.: Confidential business data, email, CRM – customer relation management systems)
Tier 3: Designed for regulated organizations with specific requirements and more stringent security requirements. Industry specific regulations may be applied in addition to these controls to supplement and address security risks and threats in high impact information systems using cloud services (e.g.: Highly confidential business data, financial records, medical records)

Note that the standard interchangeably uses the terms "tiers" and "levels".

History of SS 584

SS584:2013 was issued in 2013, and the program was initially administered by IDA.^[3]

In 2015, the standard was revised (SS 584:2015). At this time, Accreditation was handed over to the Singapore Accreditation Council, a division of Enterprise Singapore, in line with other Singapore Standards.

As of late 2019, the standard is being revised again, with inputs from industry, and a new version will be issued in Oct 2020.

Certification

CSPs that wish to have their services certified must classify each into IaaS, PaaS, or SaaS. They also decide to which level they wish to demonstrate compliance (Tier 1, 2, or 3).

For compliance to Level 3, the CSP must be certified to ISO/IEC 27001.

CSPs must obtain the services of an Accredited Certification Body, who will audit the management system of the CSP for compliance to SS 584. The CB will then issue a Certificate attesting to this, usually valid for three years. Annual Surveillance Audits are required.

A list of Services and CSPs certified is available.^[4] Examples of Certified CSPs include IBM ^[5] and AWS.^[6]

Overseas Acceptance

Although the standard is not an International standard, as the first national standard to address Cloud Security, it has seen acceptance outside Singapore. In particular, the Korean RSEFT regulations recognise SS 584 as meeting most of the requirements for CSPs.^[7]

Documents from Datamation^[8] and CloudwatchHUB^[9] describe the international use and impact of this standard.

Related Research Articles

The Common Criteria for Information Technology Security Evaluation is an international standard for computer security certification. It is currently in version 3.1 revision 5.

The Infocomm Media Development Authority (IMDA) is a statutory board under the Singapore Ministry of Communications and Information (MCI).

ISO/IEC 20000 is the international standard for IT service management. It was developed in 2005 by ISO/IEC JTC1/SC7 and revised in 2011 and 2018. It was originally based on the earlier BS 15000 that was developed by BSI Group.

Information security standards or cyber security standards are techniques generally outlined in published materials that attempt to protect the cyber environment of a user or organization. This environment includes users themselves, networks, devices, all software, processes, information in storage or transit, applications, services, and systems that can be connected directly or indirectly to networks.

Product certification or product qualification is the process of certifying that a certain product has passed performance tests and quality assurance tests, and meets qualification criteria stipulated in contracts, regulations, or specifications.

<span class="mw-page-title-main">Standard of Good Practice for Information Security</span>

The Standard of Good Practice for Information Security (SOGP), published by the Information Security Forum (ISF), is a business-focused, practical and comprehensive guide to identifying and managing information security risks in organizations and their supply chains.

Security controls are safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets. In the field of information security, such controls protect the confidentiality, integrity and availability of information.

The British Standards Institution (BSI) is the national standards body of the United Kingdom. BSI produces technical standards on a wide range of products and services and also supplies certification and standards-related services to businesses.

ISO/IEC 27006 is an information security standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Part of the ISO/IEC 27000 series of ISO/IEC Information Security Management System (ISMS) standards, it is titled Information technology - Security techniques - Requirements for bodies providing audit and certification of information security management systems.

ISO/IEC 27007 is a standard on Information security, cybersecurity and privacy protection that provides guidance on managing an information security management system (ISMS) audit programme, on conducting audits, and on the competence of ISMS auditors, in addition to the guidance contained in ISO 19011. This standard is applicable to those needing to understand or conduct internal or external audits of an ISMS or to manage an ISMS audit programme. It was published on November 14, 2011, and revised on January 21, 2020.

Certification and accreditation is a process for implementing any formal process. It is a systematic procedure for evaluating, describing, testing, and authorizing systems or activities prior to or after a system is in operation. The process is used extensively across the world.

The ISO/IEC 27001 Lead Auditor certification consists of a professional certification for auditors specializing in information security management systems (ISMS) based on the ISO/IEC 27001 standard and ISO 19011.

ISO/IEC 27001 Lead Implementer is a professional certification for professionals specializing in information security management systems (ISMS) based on the ISO/IEC 27001 standard. This professional certification is intended for information security professionals wanting to understand the steps required to implement the ISO/IEC 27001 standard.

IEC 62443 is an international series of standards that address cybersecurity for operational technology in automation and control systems. The standard is divided into different sections and describes both technical and process-related aspects of automation and control systems cybersecurity.

IASME Governance is an Information Assurance standard that is designed to be simple and affordable to help improve the cyber security of Small and medium-sized enterprises (SMEs).

ISO/IEC 27001 is an international standard to manage information security. The standard was originally published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005, revised in 2013, and again most recently in 2022. There are also numerous recognized national variants of the standard. It details requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) – the aim of which is to help organizations make the information assets they hold more secure. Organizations that meet the standard's requirements can choose to be certified by an accredited certification body following successful completion of an audit. The effectiveness of the ISO/IEC 27001 certification process and the overall standard has been addressed in a large-scale study conducted in 2020.

eCOGRA is a London-based testing agency and standards organisation in the realm of online gambling. The company was established in 2003 in the United Kingdom at the behest of the online gaming industry as the first industry self-regulation system. eCOGRA is a testing laboratory, inspection body, and certification body, specializing in the certification of online gaming software and the audit of Information Security Management Systems.

Cyber Essentials is a United Kingdom certification scheme designed to show an organisation has a minimum level of protection in cyber security through annual assessments to maintain certification.

Amazon Neptune is a managed graph database product published by Amazon.com. It is used as a web service and is part of Amazon Web Services (AWS). It was announced on November 29, 2017. Amazon Neptune supports popular graph models property graph and W3C's RDF, and their respective query languages Apache TinkerPop's Gremlin, openCypher, and SPARQL, including other Amazon Web Services products.

ISO/IEC 27701:2019 is a privacy extension to ISO/IEC 27001. The design goal is to enhance the existing Information Security Management System (ISMS) with additional requirements in order to establish, implement, maintain, and continually improve a Privacy Information Management System (PIMS). The standard outlines a framework for Personally Identifiable Information (PII) Controllers and PII Processors to manage privacy controls to reduce the risk to the privacy rights of individuals.

References

↑ Tao, Yao-Sing; Lee, Hing-Yan (April 2017). "MTCS for Healthcare". 2017 International Conference on Cloud Computing Research and Innovation (ICCCRI). Singapore, Singapore: IEEE. pp. 14–17. doi:10.1109/ICCCRI.2017.10. ISBN 978-1-5386-1075-6. S2CID 28858337.
↑ "Fact Sheet" (PDF). imda.gov.sg. IDA. Retrieved 9 October 2019.
↑ "New Multi-Tier Cloud Security (MTCS) Standard Launched in Singapore". Infocomm Media Development Authority. Retrieved 9 October 2019.
↑ "Compliance and Certification". Infocomm Media Development Authority. Retrieved 7 December 2019.
↑ "MTCS Certificate for IBM Cloud Services" (PDF). IMDA. Retrieved 7 December 2019.
↑ "MTCS Certificate issued by ISC Singapore to AWS" (PDF). IMDA. Retrieved 7 December 2019.
↑ "With the MTCS, FSI customers in Korea can accelerate cloud adoption by no longer having to validate 109 controls, as required in the relevant regulations (Financial Security Institute's Guideline on Use of Cloud Computing Services in Financial Industry and the Regulation on Supervision on Electronic Financial Transactions (RSEFT)". AWS. Amazon. 16 May 2019. Retrieved 9 October 2019.
↑ Morgan, Lisa (12 July 2019). "How to Ensure Cloud Compliance". Datamation. Retrieved 29 March 2020.
↑ "Multi-Tier Cloud Security (MTCS) - Singapore". CloudwatchHUB. Retrieved 29 March 2020.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] Tao, Yao-Sing; Lee, Hing-Yan (April 2017). "MTCS for Healthcare". 2017 International Conference on Cloud Computing Research and Innovation (ICCCRI). Singapore, Singapore: IEEE. pp. 14–17. doi:10.1109/ICCCRI.2017.10. ISBN 978-1-5386-1075-6. S2CID 28858337.

[2] "Fact Sheet" (PDF). imda.gov.sg. IDA. Retrieved 9 October 2019.

[3] "New Multi-Tier Cloud Security (MTCS) Standard Launched in Singapore". Infocomm Media Development Authority. Retrieved 9 October 2019.

[4] "Compliance and Certification". Infocomm Media Development Authority. Retrieved 7 December 2019.

[5] "MTCS Certificate for IBM Cloud Services" (PDF). IMDA. Retrieved 7 December 2019.

[6] "MTCS Certificate issued by ISC Singapore to AWS" (PDF). IMDA. Retrieved 7 December 2019.

[7] "With the MTCS, FSI customers in Korea can accelerate cloud adoption by no longer having to validate 109 controls, as required in the relevant regulations (Financial Security Institute's Guideline on Use of Cloud Computing Services in Financial Industry and the Regulation on Supervision on Electronic Financial Transactions (RSEFT)". AWS. Amazon. 16 May 2019. Retrieved 9 October 2019.

[8] Morgan, Lisa (12 July 2019). "How to Ensure Cloud Compliance". Datamation. Retrieved 29 March 2020.

[9] "Multi-Tier Cloud Security (MTCS) - Singapore". CloudwatchHUB. Retrieved 29 March 2020.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]