by Mr. Raju Chellam, Deputy Chairman, COIR, ITSC, Enterprise Singapore, at NUS-ISS SkillsFuture Series Seminar: Secured IoTs and Secured Cloud – Partners in ensuring a Secured Smart Nation Seminar (3 Oct)
5. What’s MTCS? SS584:2015
MTCS: Multi-Tiered Cloud Security
It’s an SS (Singapore Standard)
Applicable for CSPs
Overlays on top of the ISO27001:2005 base standard
MTCS is the base for industry-specific standards (BFSI, Healthcare, Government, etc)
7. Why MTCS?
Level 1
Overview: Designed to be low cost with minimum required controls
Security Control Focus: Baseline security controls: “Security 101”
Typical User: SMEs
Typical Usage:
• Hosting website
• T&D / Simulation
• Non-critical biz apps
Level 2
Overview: Addresses the data security needs of most orgs
Security Control Focus: More stringent security controls required at this level
Typical User: Enterprises
Typical Usage:
• Majority cloud users
• More critical biz apps
Level 3
Overview: Regulated orgs with stringent security requirements
Security Control Focus: Mission-critical, high-impact info systems using cloud services
Typical User: Regulated industries
Typical Usage:
• Hosting apps
• Sensitive info
• Regulated sectors
8. Why MTCS?
ISO/IEC 27001:2005 has 11 control areas; 39 control objectives & 133 controls
ISO/IEC 27001:2013 has 21 control areas; 35 control objectives & 254 controls
MTCS SS584 has 19 control areas; 117 control objectives & 296/449/535 controls for L1/L2/L3
9. How MTCS Works
Each MTCS tier builds upon the lower tier, either with additional security requirements or more stringent controls:
Level 3: 535 controls
Level 2: 449 controls
Level 1: 296 controls
Control areas include:
• Data governance (24)
• Cloud services administration (16)
• Tenancy and customer isolation (16)
• Operations (16)
• Business continuity planning (BCP) and disaster recovery (DR) (7)
• Tenancy and customer isolation (11)
Data security & integrity on the cloud has been a #1 concern among users. ISO27001 offers a good baseline; SS584:2015 goes deeper with 3 levels of requirements.
10. How MTCS Works
MTCS Self-Disclosure Checklist 1 of 2
Criteria: Measures / Disclosure Requirements
Right to audit: Ability to conduct own reviews (site assessment, penetration tests, etc) & costs
Compliance: List of compliance statuses
Data ownership: Data ownership limitations
Data retention: Periods for user data, user log data, and infrastructure log data
Data sovereignty: Data locations, capability to restrict geographies, and DR locations
Information non-disclosure: What, if any, information may be disclosed
Availability: Mean time between failures; service availability
BCP / DR: Recovery point objective; recovery time objective
Liability: Limits in case of incidents / failure to meet service commitment
Change management: Comms plan and procedures for managing changes
On-demand self-service: Users can provision compute resources as needed automatically
11. How MTCS Works
MTCS Self-Disclosure Checklist 2 of 2
Criteria: Measures / Disclosure Requirements
Incident & problem mgt: Support provided (notification, cooperation with outside parties, etc)
Billing (measured services): Metrics & accuracy
Data portability: Mechanisms supported, including media and format, upon termination
Access to CSP’s network: Access methods (Internet IPv4/6, site-to-site VPN, frame relay, etc)
User management: Options for integrating with customer IDM, 2-factor solutions
Lifecycle: Automatic or customizable service upgrades and changes
Security config enforcement checks: Mechanism to enforce checks on security configuration
Multi-tenancy: Tenancy options
Capacity elasticity: Peak load handling capabilities for capacity
Network resiliency & elasticity: Peak load handling capabilities for network
Storage redundancy & elasticity: Peak load handling capabilities for storage
12. Who Certifies MTCS
MTCS Partial List of Certifying Bodies
DNV Business Assurance Pte Ltd, 81 Sc Park Dr, #02-03 Chadwick. S-118257
Certification International (Singapore) Pte Ltd, 60 Albert S, #13-03 OG Albert Complex. S-189969
SGS International Certification Services S’pore Pte, 3 Toh Tuck Link, #01-02/03. S-596228
TUV SUD PSB Cert, 1 Science Park Drive. S-118221
BSI Group Singapore Pte Ltd, 1 Robinson Rd, #15-01 AIA Tower. S-048542
TUV Rheinland Singapore Pte Ltd, 25 Int’l Biz Park, #05-105, German Centre. S-609916
Singapore ISC Pte Ltd, 2 Kim Yam Road, #12-03. S-239320
Full list on IMDA Website
15. What’s COIR? TR62:2018
COIR: Cloud Outage Incident Response
It’s a TR (Technical Reference) or Guideline
Applicable for CSPs & CSCs
Confirms Singapore’s strong commitment to:
BCM: Business Continuity Mgt
DRM: Disaster Recovery Mgt
Crisis Comms Mgt
16. What’s COIR? TR62:2018
In Scope: Cloud outages due to:
o Operational errors
o Infrastructure errors
o Infrastructure failure
o Systems failure
o Environmental issues
Out of Scope:
o Cybersecurity incidents
o Hackings & malware
o Data security breaches
o MTCS SS584:2015
17. What’s COIR? TR62:2018
CSCs: A set of common parameters & guidelines for identification, evaluation & negotiation of protection needs with CSPs, to incorporate into SLAs
CSPs: Sharing of COIR practices by CSPs via the same set of common parameters, to facilitate comparison & matching of outage protection needs with provisions
19. Why COIR?
o Osaka-based server rental co
o Subsidiary of Yahoo! Japan
o June 2012, lost 5,698 companies’ data
o During its system security upgrade
o Lost data could not be retrieved
No compensation for lost business
No lawsuit filed against company
Had BC/DR procedures on paper
20. How COIR Works: 4 Categories
Cat A: Mission Critical Impact. Mission critical to human safety / stability of market/economy/industry; impact beyond the org’s operations (example: ICU).
Cat B: Business Critical Impact. Business critical to an organisation’s operations (example: ERP, SCM, eCom).
Cat C: Operational Impact. Essential to an organisation’s operations (example: CRM, email, etc).
Cat D: Minimal Impact. Least critical to an organisation’s operations (example: marketing collateral, etc).
21. How COIR Works: 5 Groups, 16 Parameters
Group 1: Availability
1. Service Availability (% uptime)
2. Historical record of availability
3. RTO: Recovery Time Objective
4. RPO: Recovery Point Objective
Group 2: Planned Maintenance
5. Support Hours
6a. Notification Channel for Planned Maintenance
6b. Notification Lead Time for Planned Maintenance
22. How COIR Works: 5 Groups, 16 Parameters
Group 3: Health Monitoring
7. Frequency of Health Monitoring of Cloud Service
8. Availability of Health Monitoring Mechanisms for use by CSCs
Group 4: Outage Response Plan
9. Sharing of CSP’s COIR Plan
10. Exercise (Dry/Wet Runs) of CSP’s COIR Plan
23. How COIR Works: 5 Groups, 16 Parameters
Group 5: Outage Handling
11. Notification Time of Cloud Outage Incident
12. Communication Channel/s Used for Outage Incident
13. Communication Channel/s available for CSCs to report Outage
14. Response Time by CSP
15. Frequency of Status Update of Reported Outage
16. Communication Channel/s Used for Status Updates
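Slides 17 and 20 to 23 describe the mechanism: a CSC states its outage-protection needs per impact category, the CSP discloses the same 16 parameters, and the two are matched to find what must be negotiated into the SLA. The Python below is an added example of that matching for the numerically comparable parameters (1, 3, 4, 6b, 11 and 15); it is not code from the seminar, from TR62:2018 or from any CSP. The per-category thresholds in CATEGORY_NEEDS and the sample disclosure are constructed, hypothetical values: TR62 defines the parameters and the categories, not these numbers, and a real CSC would derive its own from a business impact analysis.

```python
"""Evaluate a CSP's disclosed COIR parameters against a CSC's outage-protection needs.

Added example for this page; not code from the seminar deck, TR62:2018 or any CSP.
The per-category thresholds are HYPOTHETICAL: TR62 defines the 16 parameters and the
four impact categories, but the numbers below are constructed only to show how a CSC
could express its needs per category before negotiating an SLA.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

MINUTES_PER_MONTH = 30 * 24 * 60  # assumes a 30-day month for the downtime budget


def allowed_downtime_minutes(availability_pct: float,
                             period_minutes: int = MINUTES_PER_MONTH) -> float:
    """Convert a '% uptime' commitment (parameter 1) into a downtime budget per period."""
    return period_minutes * (100.0 - availability_pct) / 100.0


@dataclass(frozen=True)
class OutageTerms:
    """The numerically comparable COIR parameters (the rest are channel/plan disclosures)."""
    availability_pct: float        # 1.  Service availability (% uptime)
    rto_minutes: float             # 3.  Recovery Time Objective
    rpo_minutes: float             # 4.  Recovery Point Objective
    maint_lead_time_hours: float   # 6b. Notification lead time for planned maintenance
    outage_notify_minutes: float   # 11. Notification time of cloud outage incident
    status_update_minutes: float   # 15. Frequency of status updates on a reported outage


# Hypothetical CSC needs from Cat A (mission critical) down to Cat D (minimal impact).
CATEGORY_NEEDS: Dict[str, OutageTerms] = {
    "A": OutageTerms(99.99, 15, 5, 72, 15, 30),
    "B": OutageTerms(99.9, 60, 15, 48, 30, 60),
    "C": OutageTerms(99.5, 240, 60, 24, 60, 120),
    "D": OutageTerms(99.0, 1440, 1440, 8, 240, 480),
}


def gaps(category: str, offered: OutageTerms) -> List[str]:
    """List every parameter where the CSP's offer falls short of the category's need."""
    need = CATEGORY_NEEDS[category]
    shortfalls: List[str] = []
    if offered.availability_pct < need.availability_pct:
        shortfalls.append(
            f"availability {offered.availability_pct}% allows "
            f"{allowed_downtime_minutes(offered.availability_pct):.1f} min/month downtime; "
            f"Cat {category} tolerates {allowed_downtime_minutes(need.availability_pct):.1f}")
    # Lower is better for these time-based parameters.
    for label, have, want in (
        ("RTO", offered.rto_minutes, need.rto_minutes),
        ("RPO", offered.rpo_minutes, need.rpo_minutes),
        ("outage notification time", offered.outage_notify_minutes, need.outage_notify_minutes),
        ("status update interval", offered.status_update_minutes, need.status_update_minutes),
    ):
        if have > want:
            shortfalls.append(f"{label} {have:g} min exceeds Cat {category} need of {want:g} min")
    # Higher is better: more warning before planned maintenance.
    if offered.maint_lead_time_hours < need.maint_lead_time_hours:
        shortfalls.append(
            f"planned-maintenance lead time {offered.maint_lead_time_hours:g} h is below "
            f"Cat {category} need of {need.maint_lead_time_hours:g} h")
    return shortfalls


def highest_category_supported(offered: OutageTerms) -> Optional[str]:
    """Most critical category (A first) whose needs the offer meets in full, or None."""
    for category in ("A", "B", "C", "D"):
        if not gaps(category, offered):
            return category
    return None


if __name__ == "__main__":
    # Constructed sample disclosure, as a CSP might publish it under TR62.
    sample_offer = OutageTerms(99.9, 60, 15, 48, 30, 60)
    print("suitable up to Cat", highest_category_supported(sample_offer))
    for line in gaps("A", sample_offer):
        print("  Cat A gap to negotiate:", line)
```

Run against each candidate CSP's disclosure, the gap list for the target category is the negotiation agenda for the SLA, and highest_category_supported gives the "cloud migration level" an offering can carry for a given app. The channel and plan parameters (5, 6a, 7 to 10, 12 to 14, 16) are yes/no or descriptive disclosures and are better compared side by side than scored.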
25. Final Slide 1 of 2: Aware & Beware
Be Aware about MTCS & COIR:
It’s a Guideline
Leverage in SLA
Beware:
o You need BC/DR
o You need a Plan B
o PDPA is your baby
26. Final Slide 2 of 2: Compare & Prepare
Compare:
Cloud offerings
Cloud migration levels for specific apps
T&T: Trust, Transparency
Prepare:
o COIR: Outage: TR62
o MTCS: Security: SS584
o DR: Active/Active or Active/Passive
27. How MTCS & COIR Impact You
Raju Chellam
raju@cioacademyasia.org