HOME

TheInfoList



Click Here for Items Related To - SS584
OR:
SS584 on:   [Wikipedia]   [Google]   [Amazon]

SS 584 (also known as Multi-Tier Cloud Security (''MTCS'')) is an
information security Information security, sometimes shortened to InfoSec, is the practice of protecting information by mitigating information risks. It is part of information risk management. It typically involves preventing or reducing the probability of unauthori ...
standard, published by Singapore Standards. The standard was last revised in 2020. SS 584 specifies a
Management system A management system is a set of policies, processes and procedures used by an organization to ensure that it can fulfill the tasks required to achieve its objectives. These objectives cover many aspects of the organization's operations (including ...
for Cloud Security, to three levels. Organizations that meet the requirements may be certified by an accredited certification body following successful completion of an
audit An audit is an "independent examination of financial information of any entity, whether profit oriented or not, irrespective of its size or legal form when such an examination is conducted with a view to express an opinion thereon.” Auditing ...
.


Rationale

Although most Cloud Service Providers are certified to
ISO 27000 ISO/IEC 27000 is part of a growing family of ISO/IEC standards - the ' ISO/IEC 27000 series'. ISO/IEC 27000 is an international standard titled: ''Information technology — Security techniques — Information security management systems — Overv ...
, the ISO standard does not focus on the unique risks arising from provisioning via the Cloud. Smaller customers also have difficulty assessing if a CSP's ISMS is sufficient for their needs, as ISO 27001 is risk-based, and may vary significantly between implementations. This may be a barrier to adoption by
SMEs Superconducting magnetic energy storage (SMES) systems store energy in the magnetic field created by the flow of direct current in a superconducting coil which has been cryogenically cooled to a temperature below its superconducting critical t ...
, who would like a simpler way to decide if a CSP meets their needs. To encourage adoption of Cloud Services, the then
IDA Ida or IDA may refer to: Astronomy *Ida Facula, a mountain on Amalthea, a moon of Jupiter *243 Ida, an asteroid * International Docking Adapter, a docking adapter for the International Space Station Computing * Intel Dynamic Acceleration, a tech ...
established a series of groups in 2012 to produce a standard that CSPs could certify to. The standard would have multiple levels of security assurance: * Tier 1: Designed for non-business critical data and system, with baseline security controls to address security risks and threats in potentially low impact information systems using cloud services (e.g.: Web site hosting public information) * Tier 2: Designed to address the need of most organizations running business critical data and systems through a set of more stringent security controls to address security risks and threats in potentially moderate impact information systems using cloud services to protect business and personal information (e.g.: Confidential business data, email, CRM – customer relation management systems) * Tier 3: Designed for regulated organizations with specific requirements and more stringent security requirements. Industry specific regulations may be applied in addition to these controls to supplement and address security risks and threats in high impact information systems using cloud services (e.g.: Highly confidential business data, financial records, medical records) Note that the standard interchangeably uses the terms "tiers" and "levels".


History of SS 584

SS584:2013 was issued in 2013, and the program was initially administered by IDA. In 2015, the standard was revised (SS 584:2015). At this time,
Accreditation Accreditation is the independent, third-party evaluation of a conformity assessment body (such as certification body, inspection body or laboratory) against recognised standards, conveying formal demonstration of its impartiality and competence to ...
was handed over to the Singapore Accreditation Council, a division of
Enterprise Singapore Enterprise Singapore (ESG) is a statutory board under the Ministry of Trade and Industry of the Government of Singapore. It was formed on 1 April 2018 to support Singapore small and medium enterprise (SMEs) development, upgrade capabilities, i ...
, in line with other Singapore Standards. As of late 2019, the standard is being revised again, with inputs from industry, and a new version will be issued in Oct 2020.


Certification

CSPs that wish to have their services certified must classify each into
IaaS The first major provider of infrastructure as a service (IaaS) was Amazon in 2008. IaaS is a cloud computing service model by means of which computing resources are supplied by a cloud services provider. The IaaS vendor provides the storage, net ...
,
PaaS Platform as a service (PaaS) or application platform as a service (aPaaS) or platform-based service is a category of cloud computing services that allows customers to provision, instantiate, run, and manage a modular bundle comprising a computing ...
, or
SaaS Software as a service (SaaS ) is a software licensing and delivery model in which software is licensed on a subscription basis and is centrally hosted. SaaS is also known as "on-demand software" and Web-based/Web-hosted software. SaaS is co ...
. They also decide to which level they wish to demonstrate compliance (Tier 1, 2, or 3). For compliance to Level 3, the CSP must be certified to
ISO/IEC 27001 ISO/IEC 27001 is an international standard to manage information security. The standard was originally published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005, ...
. CSPs must obtain the services of an Accredited Certification Body, who will audit the management system of the CSP for compliance to SS 584. The CB will then issue a Certificate attesting to this, usually valid for three years. Annual Surveillance Audits are required. A list of Services and CSPs certified is available. Examples of Certified CSPs include IBM and
AWS Amazon Web Services, Inc. (AWS) is a subsidiary of Amazon that provides on-demand cloud computing platforms and APIs to individuals, companies, and governments, on a metered pay-as-you-go basis. These cloud computing web services provide di ...
.


Overseas Acceptance

Although the standard is not an International standard, as the first national standard to address Cloud Security, it has seen acceptance outside Singapore. In particular, the
Korean Korean may refer to: People and culture * Koreans, ethnic group originating in the Korean Peninsula * Korean cuisine * Korean culture * Korean language **Korean alphabet, known as Hangul or Chosŏn'gŭl **Korean dialects and the Jeju language ** ...
RSEFT regulations recognise SS 584 as meeting most of the requirements for CSPs. Documents from Datamation and CloudwatchHUB describe the international use and impact of this standard.


See also

*
Cyber security standards IT security standards or cyber security standards are techniques generally outlined in published materials that attempt to protect the cyber environment of a user or organization. This environment includes users themselves, networks, devices, all ...
*
ISO/IEC 27001 ISO/IEC 27001 is an international standard to manage information security. The standard was originally published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005, ...
*
Singapore Standard (regulatory policy) Singapore Standard (SS) specifies the standardization, standards used for industrial activities in Singapore. The standardization process is coordinated by Singapore Standards Council, administered by Enterprise Singapore, a Governmental body. ...


References

{{Reflist Information assurance standards