Almost a year after Singapore mulled the introduction of a Digital Infrastructure Act (DIA) following several major outages, a clearer picture has emerged with the official introduction of the Cloud and Data Centre Operators guidelines by the Infocomm Media Development Authority (IMDA) yesterday. Serving in effect as a prelude to the Act, the guidelines take into account the views of key stakeholders, including the biggest cloud and data centre players in Singapore.
This would put the much-anticipated Digital Infrastructure Act on a clearer path to being implemented by the end of this year, or at least having the bill approved by Parliament.
As these are guidelines only, compliance is voluntary, but “Cloud Service Providers (CSP) and Data Centre (DC) operators are strongly encouraged to adopt the recommended measures,” the authority urged on its website. This would have the effect of facilitating a ‘practice run’ in the run-up to full implementation.
The Advisory Guidelines (AGs) set out best practices to address risks to Cloud Services and DCs, which range from misconfigurations in technical architecture to physical hazards such as fires, water leaks and cooling system failures, as well as cyber-attacks. The key measures include risk assessment, business impact analysis, business continuity planning, and cybersecurity measures.
- For Cloud Services, the AGs cover seven categories of measures such as security testing, user access controls, proper data governance, and planning for disaster recovery (Annex A).
- For DCs, this includes guidance on implementing business continuity policies, controls and processes, and measures to address cybersecurity risks (Annex B).
The Guidelines will be updated regularly to incorporate industry and technological developments, learning points from incidents, as well as industry feedback. According to the IMDA website, the guidelines take into account existing industry standards, including IMDA’s Multi-Tier Cloud Security Standard, Cloud Security Alliance Cloud Controls Matrix, ISO 27001, and ISO 22301, and were developed in consultation with many CSPs and DC operators, as well as end-user enterprises.
Those consulted include Amazon Web Services, Equinix, Google, Microsoft, Keppel, ST Telemedia Global Data Centre, Singtel / Nxera and SingHealth (end user).