IMDA introduces Advisory Guidelines to enhance the resilience and security of Cloud Services and Data Centres

1. The Infocomm Media Development Authority (IMDA) today introduced Advisory Guidelines (AGs) for Cloud Services and Data Centres. The AGs recommend measures that all Cloud Service Providers (CSPs) and Data Centre (DS) operators in Singapore are encouraged to adopt to enhance the resilience and security of their services, to minimise the occurrence of disruptions to these services and impact on our economy and society.

2. Digital services, such as online banking, ride-hailing, e-commerce, and digital identity, are all dependent on the continued availability and good functioning of infrastructure such as Cloud Services and DCs. Disruptions to Cloud Services and DCs can lead to significant inconveniences to our daily lives, and adversely impact our economy and society. With the right practices, such disruptive occurrences can be minimised, and services can be restored quickly when a disruption occurs.

Overview of the Advisory Guidelines

3. The AGs set out best practices to address risks to Cloud Services and DCs which range from misconfigurations in technical architecture to physical hazards such as fires, water leaks and cooling system failures, as well as cyber-attacks. The key measures which the AGs recommend CSPs and DC operators to implement include risks assessment, business impact analysis, business continuity planning, and cybersecurity measures. The AGs reference existing international and industry standards¹, incorporate lessons from past incidents and were developed in consultation with key CSPs and DC operators in Singapore.

• For Cloud Services, the AGs cover seven categories of measures to uplift the security and resilience of Cloud Services. Measures that CSPs are encouraged to implement relate to areas such as security testing, user access controls, proper data governance, and planning for disaster recovery. (Please refer to Annex A (123.18KB) for more information).
• For DCs, the AGs provide a framework for operators to put in place a robust business continuity management system to minimise service disruptions and ensure high availability for their customers. This includes guidance on implementing business continuity policies, controls and processes, and continuously reviewing and improving them. The AGs also set out measures to address cybersecurity risks in DCs. (Please refer to Annex B (131.66KB) for more information).

Uplifting Singapore’s Digital Resilience and Security

4. The AGs are part of the work of the inter-agency Taskforce on the Resilience and Security of Digital Infrastructure and Services² (Taskforce) to develop measures to uplift digital resilience and security³. The AGs are an additional step to enhance the resilience and security of Cloud Services and DCs, following the amendments to the Cybersecurity Act last year to address the cybersecurity risks of such digital infrastructure. Additionally, the AGs complement the upcoming introduction of a new Digital Infrastructure Act (DIA), which will regulate systemically important digital infrastructure such as major CSPs and DC operators.

5. In developing the AGs, the Taskforce consulted CSPs and DC operators, as well as end-user enterprises (e.g., banks, healthcare providers, and digital platforms) that rely on such digital infrastructure. Operators recognised that they need to provide resilient and secure compute facilities and services as part of their value proposition, and largely supported the AGs. End-user enterprises also expressed their support for the AGs.

6. The AGs will continuously be updated to incorporate technological developments, learning points from incidents, and industry feedback. In addition to the AGs, a whole-of-ecosystem approach is required to ensure that our economy and society continues to reap the benefits of digitalisation while being prepared to manage digital disruptions. In particular, companies that provide digital services are advised to conduct risk assessments and put in place business continuity plans to mitigate the impact of disruptions on their customers.

7. The AGs can be accessed at Advisory Guidelines for resilience and security of Cloud Services and Data Centres.

Resources:

• Annex A: Measures to address and manage key risks for the resilience and security of Cloud Services (123.18KB)
• Annex B: Measures to address and manage key risks for the resilience and security of DCs (131.66KB)
• Annex C: Quotes from Cloud Service Providers and Data Centre Operators (133.40KB)