Deploying Cloud Security Standards The MTCS Experience

Transcription

1 Deploying Cloud Security Standards The MTCS Experience Presented to ASEAN CSA Summit 2015 Tao Yao Sing Assistant Director, National Cloud Computing Office 12 June 2015

2 Background Cloud security is always topmost concern in adoption of cloud computing Quick survey in 2011 revealed that no applicable standards & guidelines can be directly adopted Completed development of MTCS standard in Nov 2013

3 MTCS Certification Framework Certification Scheme 3 different levels of certification & further qualified with types of services (IaaS/PaaS/SaaS) Certification will be valid for 3 years with a yearly surveillance audit to be conducted Qualified Assessors and CBs for MTCS Certification Audit skill and cloud computing security knowledge Relevant audit experience 7 Certification Bodies have been qualified to offer certification services Prerequisites All applicants must complete CSP self-disclosure

4 List of Participating Certification Bodies

5 Initial Deployment Early Adopters (1/2) Embarked on a Series of Awareness Activities CSPs and SaaS ISVs Industry & trade associations & users groups Professional bodies & associations Conferences & seminars Made Available Support Scheme for Certification Open to Singapore registered companies Co-payment funding support of Qualifying Costs capped at 50% Company must attain MTCS certification within a year of project commencement Must engage a participating Certification Body for auditing Scheme was later revised to support accredited certification

6 Initial Deployment Early Adopters (2/2) Cross-certification with other International standards Many CSPs have already been certified to some international standards (e.g. ISO27001) To enhance MTCS SS for recognition beyond Singapore by crosscertification/harmonizing with international frameworks (ISO27001 & CSA OCF/STAR) Minimize effort & reduce cost needed for CSPs to gain MTCS certification Benefit CSPs with regional business

7 Creating Demand Drivers push by major buyer Launched Public Cloud Services Bulk Tender in Apr 2014 Based on demand aggregation on WOG basis MTCS certification is a pre-condition for award Awarded in Nov 2014 to 8 CSPs PTC, NME, azaas, CrimsonLogic, Starhub, M1, Acclivis/Microsoft Azure, AsiaPac/AWS

8 List of MTCS Certified CSPs CSP Certification Level Services Amazon Web Services (SG) 3 IaaS, PaaS Clearmanage Pte Ltd 3 IaaS Microsoft Operations Pte Ltd 3, 2 IaaS, PaaS, SaaS Ribose Group, Inc. 3 SaaS Acclivis Technologies 1 IaaS Ascenix 1 IaaS Auctorizium 1 SaaS Inspire-Tech (EasiShare) 1 SaaS M1 Limited 1 IaaS, SaaS NewMedia Express Pte Ltd 1 IaaS ReadySpace 1 IaaS Starhub Limited 1 IaaS Telin Singapore 1 IaaS

9 Accrediting MTCS Standard Accreditation Scheme Established accreditation scheme with Singapore Accreditation Council in Oct 2014 Assurance of Quality of MTCS Certification Services Criteria for certification bodies (adherence to ISO/IEC & applicable IAF mandatory document) Criteria for MTCS auditors Streamlined estimation of audit duration

10 Next Steps Driving SaaS Certification A core group of MTCS certified IaaS service providers are available to host SaaS Partnership with these MTCS certified IaaS service providers to offer support SaaS ISVs Alignment of MTCS Standard with Specific Industry Sectors Joint Working Group formed to map MTCS to Healthcare IT Security Policies & Standards Alignment of MTCS to healthcare security requirements will open up public cloud services to healthcare sector Further Expansion of MTCS to Address other Related Concerns E.g. cloud outage and incident response

11 Thank You

12 MTCS Conceptual View Govt Finance MGF Domain Specific Standards More Specific Controls Healthcare Multi-tier Cloud Security Standards Cloud Related Controls ISO (ISMS) Base Standards Constr MTCS designed with ISO27001:2005 as base Other relevant standards, guidelines & reference documents are considered including TR30, TR31, CSA CCM, PCI DSS, ENISA, NIST 800 series & industry specific guidelines