© 2014 IDA Singapore.
All Rights Reserved.
MTCS & Its Cross Certification with CSA STAR/CCM
Presented to ASEAN CSA Summit 2015
Tao Yao Sing
Assistant Director, National Cloud Computing Office
12 June 2015
Objective
To provide a cloud security framework that:
• Caters for the different needs of cloud users, from basic requirements up to users with high confidentiality, high integrity & high availability requirements, such as FSI
• Highlights the key security areas & the associated controls for each tier
• Complements existing security standards, e.g. ISO27001 & industry-specific standards/regulatory requirements
MTCS – Conceptual View
MTCS is designed with ISO27001:2005 as its base. Other relevant standards, guidelines & reference documents were also considered, including TR30, TR31, CSA CCM, PCI DSS, ENISA, the NIST 800 series & industry-specific guidelines.
[Figure: layered view of the standard]
• ISO 27001 (ISMS) – base standard
• Multi-tier Cloud Security Standard – cloud-related controls
• Domain-specific standards – more specific controls (e.g. Healthcare, Finance, Govt)
Key Differences of MTCS Tier Levels
Each MTCS tier builds upon the lower tier, either with additional security requirements or with more stringent controls.
Level 1: 296 controls
Level 2: 449 controls
Level 3: 535 controls
Control areas in which the tiers differ most (number of controls in brackets):
• Data governance (24)
• Cloud services administration (16)
• Tenancy and customer isolation (16)
• Operations (16)
• Business continuity planning (BCP) and disaster recovery (DR) (7)

• Tenancy and customer isolation (11)
Structure of MTCS standard
The Standard
• Core Information Security
  – Cloud Governance
  – Cloud Infrastructure Security
  – Cloud Operations Management
• Cloud Specific Information Security
  – Cloud Services Administration
  – Cloud User Access
  – Tenancy and Customer Isolation
CSP Self-Disclosure – More Transparency
[Figure: self-disclosure areas]
• Legal & Compliance
• Data Control
• Provider Performance
* Five essential characteristics of Cloud Computing as defined by NIST
CSP Self-Disclosure – More Transparency (continued)
[Figure: self-disclosure areas]
• Service Support
• Service Elasticity
• Security Config
MTCS Certification Framework
Certification Scheme
• 3 different levels of certification, further qualified with the types of services
• Certification will be valid for 3 years, with a yearly surveillance audit to be conducted
Qualified Assessors and CBs for MTCS Certification
• Audit skill and cloud computing security knowledge
• Relevant audit experience
• 7 Certification Bodies have been qualified to offer certification services
Prerequisites
• All applicants must complete the CSP self-disclosure
Accreditation Scheme
• Available from the Singapore Accreditation Council since Oct 2014
Cross-Certification with Other Int’l Standards
• Harmonization with ISO27001 & CSA OCF/STAR
List of MTCS Certified CSPs
CSP                           Certification Level   Services
Amazon Web Services (SG)      3                     IaaS, PaaS
Clearmanage Pte Ltd           3                     IaaS
Microsoft Operations Pte Ltd  3, 2                  IaaS, PaaS, SaaS
Ribose Group, Inc.            3                     SaaS
Acclivis Technologies         1                     IaaS
Ascenix                       1                     IaaS
Auctorizium                   1                     SaaS
Inspire-Tech (EasiShare)      1                     SaaS
M1 Limited                    1                     IaaS, SaaS
NewMedia Express Pte Ltd      1                     IaaS
ReadySpace                    1                     IaaS
Starhub Limited               1                     IaaS
Telin Singapore               1                     IaaS
Mapping Between CSA STAR/CCM & MTCS
• Collaboration with CSA to cross-certify MTCS & STAR/CCM
• Systematic 3-step approach taken to map detailed requirements in MTCS to corresponding requirements in CSA STAR/CCM:
  1. Mapping of Control Areas
  2. Mapping of Specific Requirements in each Control Area
  3. Mapping Details of each Requirement
SUMMARY OF MAPPING: MTCS vs CSA STAR/CCM

CSA CCM -> MTCS (how many MTCS controls are included in CSA controls)
CSA -> MTCS                      Included in CSA controls   Gaps
Level 1 (total controls: 296)    227 (77%)                  69 (23%)
Level 2 (total controls: 449)    327 (73%)                  122 (27%)
Level 3 (total controls: 535)    377 (70%)                  158 (30%)

MTCS -> CSA CCM (how many CSA CCM controls are included in MTCS controls)
MTCS -> CSA                      Included in MTCS controls  Gaps
Level 1 (total controls: 136)    122 (90%)                  14 (10%)
Level 2 (total controls: 136)    124 (91%)                  12 (9%)
Level 3 (total controls: 136)    124 (91%)                  12 (9%)
Summary
• MTCS SS584:2013 was launched at CloudAsia in Nov 2013
• >180 copies sold
• Certification services offered by 7 CBs
• Accreditation scheme by the Singapore Accreditation Council available since 29 Oct 2014
• Cross-certifying with other int’l standards/frameworks (ISO27001 & CSA OCF/STAR)
• Currently more than 10 IaaS & SaaS ISVs have been MTCS certified
• Alignment of MTCS standards with specific industry sectors
• CSP Registry being set up to host pertinent info (Security Cert/ Self-Disclosure/ Performance/ Availability) about CSPs to build trust through transparency
• Joint white paper with CSA on “Virtualization Security” published on 20 Apr 2015 & submitted to ISO/IEC SC27 in May 2015 to kick off a 6-month study period
List of Useful Links
MTCS Standard SS584:2013
• http://www.singaporestandardseshop.sg/product/product.aspx?id=5b014ff6-02ca-4918-afb0-379703794b4d
MTCS Certification Scheme
• http://www.ida.gov.sg/Collaboration-and-Initiatives/Initiatives/Store/MTCS-Certification-Scheme
List of MTCS Certification Bodies
• http://www.ida.gov.sg/~/media/Files/Collaboration%20Initiatives/Initiatives/2013/mtcs/ListOfParticipatingCBs.pdf
MTCS Certification Grant Support
• http://www.spring.gov.sg/Enterprise/CDG/Pages/Enhancing-Quality-Standards.aspx
• http://www.spring.gov.sg/Enterprise/CDG/Documents/CDG_Brochure.pdf
CSP Registry
• http://www.ngp.org.sg/index.php/resources/csp-registry/
Structure of MTCS Standard
Consists of the following focus areas & clauses:
Core Information Security (Clauses 6-21)
• Cloud governance (Clauses 6-12)
  6. Information security management
  7. Human resources
  8. Risk management
  9. Third-party
  10. Legal and compliance
  11. Incident management
  12. Data governance
• Cloud infrastructure security (Clauses 13-17)
  13. Audit logging and monitoring
  14. Secure configuration
  15. Security testing and monitoring
  16. System acquisitions and development
  17. Encryption
• Cloud operations management (Clauses 18-21)
  18. Physical and environmental
  19. Operations
  20. Change management
  21. BCP and DR
Cloud Specific Information Security (Clauses 22-24)
  22. Cloud services administration
  23. Cloud user access
  24. Tenancy and customer isolation