Multi-Tier Cloud Security Singapore Standard

The Multi-Tier Cloud Security (MTCS) Singapore Standard (SS), also known as SS584, is the world’s first Cloud Security Standard, introduced in Singapore. The main purpose of the standard is to promote and encourage the adoption of sound risk management and security practices by Cloud Service Providers.

With the spike in digital transformation and the adoption of Cloud technology in businesses, the security standard was introduced in Singapore to provide clarity on the levels of security offered by different Cloud Service Providers (CSPs). This article looks at the Cloud Security Standard of Singapore in more detail.

Multi-Tiered Cloud Security SS584

The Singapore Standard SS 584:2015 Multi-tiered Cloud security, commonly known as MTCS, covers multiple tiers of cloud security and was developed under the Information Technology Standards Committee (ITSC) for Cloud Service Providers (CSPs) in Singapore.

The Standard is based on the internationally recognized ISO 27001 standard with additional enhancements. This is to provide Cloud Service Users with a mechanism to benchmark and tier the capabilities of Cloud Service Providers against a minimum set of security requirements. 

With this, the Cloud Service Providers can demonstrate high-level security in their offering. Although the Cloud Security Standard is voluntary, it is mandatory for Cloud Service Providers participating in bulk tenders from the Government.

The Standard is approved by the Information Technology Standards Committee (ITSC) and is supported by Enterprise Singapore and IMDA Singapore. The MTCS Security Standard specifies 19 areas of cloud computing security requirements and employs a multi-tiered framework comprising three levels for various cloud security requirements.

CSPs are certified for one of the three levels depending on the nature of their clients’ businesses, their risk level, and the market sector. The three tiers are briefly explained below.

MTCS Three Tier Security 

MTCS SS has three tiers of security with Tier 1 being the base level and Tier 3 being the most stringent. With the new standard, certified Cloud Service Providers can clearly demonstrate the level of security that they can offer to their clients.

Tier 1- This is the base level tier, designed for non-business-critical data and systems, with basic security controls to counter certain risks and threats targeting low-impact information systems. (For instance, a website hosting public information.)

Tier 2- Designed with somewhat more stringent security controls for organizations using cloud services, this tier protects business or personal information. It addresses the needs of organizations that run their business-critical data and systems in public or third-party cloud systems. (For instance, credit card data, emails, Personally Identifiable Information.)

Tier 3- This is the most stringent and most secure level, designed for regulated organizations with specific requirements. It applies to industry-specific high-impact information systems using cloud services. (For instance, financial or medical records or confidential business data.)

Benefits of MTCS SS584 Certificate

  • The standard assures the users that certified Cloud Service Providers meet accepted minimum baseline security requirements. 
  • With the new standard, certified Cloud Service Providers can demonstrate the level of security that they can offer to their users.
  • Businesses that rely on services from Cloud Service Providers will be able to use the MTCS SS to understand and assess the cloud security they require.
  • Businesses will be in a position to make informed, risk-based decisions relating to the adoption of cloud services.
  • Enhances the overall quality, security, and reliability of cloud services. 

Recently, the Singapore Accreditation Council officially published SS 584:2020 Specification for Multi-Tiered Cloud Computing Security in October 2020. The latest version is said to take effect on 1st November 2022.

The transition period is two years, from 1 November 2020 till 31 October 2022. Accordingly, as of 1 November 2022, SS 584:2015 shall cease. The key changes introduced in SS 584:2020 are as follows:

  • Editorial changes for terms and definitions used in the standard.
  • Introduction of edge node’s definition, integrated requirements, and audit procedures into the standard.
  • Introduction of applicability and compensatory controls requirements and audit procedures.
  • Option to extend certification to cover TR 82 on Cloud-Native Security.

In addition, TR 82 on Cloud-Native Security provides additional guidance for relevant controls specified in SS 584:2020. Its purpose is to mitigate vulnerabilities specific to Cloud-Native architecture that apply to Cloud Service Providers, who may consider it for voluntary certification.

How can VISTA InfoSec help you?

VISTA InfoSec is a global Cyber Security Consulting firm with its offices established in Singapore, the US, UK, and India. As an independent Consulting firm, we provide objective and farsighted recommendations to our clients in adopting the best practices and cloud computing technology for their business.

For organizations looking for assistance in the transition to and adoption of SS 584:2020, our experts will guide you through the process. Our team of experienced professionals provides organizations with end-to-end assistance and advisory services. We will help organizations adopt highly effective and reliable cloud computing services to harness the maximum potential for improved business productivity. Our professional assistance and advisory services will help ensure organizations are more agile and responsive to the evolving landscape.

Narendra Sahoo

Narendra Sahoo (PCI QSA, PCI QPA, CISSP, CISA, and CRISC) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.