Pushing MTCS across the cloud hierarchy


9 June 2015

With 13 Cloud Service Providers (CSPs) certified under the world’s first multi-tier cloud security standard, the Infocomm Development Authority of Singapore (IDA) is now looking to encourage independent software vendors with Software-as-a-Service (SaaS) offerings to work towards MTCS as well.

The Multi-Tier Cloud Security (MTCS) Singapore Standard 584 is aimed at driving cloud adoption across industries by giving clarity around the security service levels of cloud providers, while also increasing the level of accountability and transparency from CSPs. It can be applied by CSPs to meet differing cloud user needs for data sensitivity and business criticality.

This first phase of MTCS certification targeted primarily Infrastructure-as-a-Service (IaaS) CSPs, which was seen as key as IaaS adoption was lagging behind that of SaaS. According to the 2013 Singapore Cloud Adoption survey commissioned by IDA, IaaS adoption rates among Singapore businesses was 14 per cent, compared with 26 per cent for SaaS.

According to IDA, 10 IaaS CSPs in Singapore are now certified, making up about a third of the Singapore-based market.

This sets the stage for driving vertical MTCS certification across the cloud services hierarchy. For the next phase for MTCS, IDA is working with MTSC-certified IaaS CSPs to encourage and support more ISVs with SaaS offerings to work towards the security certification.

Under a new programme dubbed SUCCESS (Support for Cloud- enabled Certified Secure SaaS), these ISVs can sign on to host their services on a SUCCESS partner for a range of incentives. In return, they must undertake MTCS certification for their SaaS. These incentives can include support for SaaS enablement, technical consultancy, and training and professional services, as well as discounted pricing for cloud services.

The programme kicked off in June with the participation of six Singapore-based IaaS CSPs: Acclivis Technologies & Solutions, Clearmanage, Microsoft Azure, Readyspace, Starhub and Telin Singapore.

MTCS security levels

MTCS SS has three different levels of security, Level 1 being the base and Level 3 being the most stringent.

Level 1: Designed for non-business critical data and systems, with baseline security controls to address security risks and threats in potentially low impact information systems using cloud services. Examples include web sites hosting public information.

Level 2: Designed to address the need of most organisations running business-critical data and systems to address security risks and threats in potentially moderate impact information systems. It requires a set of more stringent security controls to protect business and personal information such as confidential business data, email, and customer relation management data.

Level 3: Designed for regulated organisations with specific requirements and more stringent security requirements. Industry specific regulations may supplement these controls to address security risks and threats in high impact information systems. Examples include the use of cloud services for highly confidential business data, financial records, medical records.

While the adoption of MTCS SS is voluntary for CSPs, being certified under SS 584 is a requirement for CSPs participating in public cloud services bulk tenders for Government procurement of public cloud services.

Development of the MTCS SS584 commenced in April 2012 after a Working Group was formed under the IT Standard Committee. The standard was published in November 2013 and is now available from the standards publication website of SPRING Singapore.