SS 584 (also known as Multi-Tier Cloud Security (MTCS)) is an information security standard, published by Singapore Standards.[1] The standard was last revised in 2020.
SS 584 specifies a Management system for Cloud Security, to three levels. Organizations that meet the requirements may be certified by an accredited certification body following successful completion of an audit.
Although most Cloud Service Providers are certified to ISO 27000, the ISO standard does not focus on the unique risks arising from provisioning via the Cloud. Smaller customers also have difficulty assessing if a CSP's ISMS is sufficient for their needs, as ISO 27001 is risk-based, and may vary significantly between implementations. This may be a barrier to adoption by SMEs, who would like a simpler way to decide if a CSP meets their needs.
To encourage adoption of Cloud Services, the then IDA established a series of groups in 2012 to produce a standard that CSPs could certify to. The standard would have multiple levels of security assurance:[2]
Tier 1: Designed for non-business critical data and system, with baseline security controls to address security risks and threats in potentially low impact information systems using cloud services (e.g.: Web site hosting public information)
Tier 2: Designed to address the need of most organizations running business critical data and systems through a set of more stringent security controls to address security risks and threats in potentially moderate impact information systems using cloud services to protect business and personal information (e.g.: Confidential business data, email, CRM – customer relation management systems)
Tier 3: Designed for regulated organizations with specific requirements and more stringent security requirements. Industry specific regulations may be applied in addition to these controls to supplement and address security risks and threats in high impact information systems using cloud services (e.g.: Highly confidential business data, financial records, medical records)
Note that the standard interchangeably uses the terms "tiers" and "levels".
SS584:2013 was issued in 2013, and the program was initially administered by IDA.[3]
In 2015, the standard was revised (SS 584:2015). At this time, Accreditation was handed over to the Singapore Accreditation Council, a division of Enterprise Singapore, in line with other Singapore Standards.
As of late 2019, the standard is being revised again, with inputs from industry, and a new version will be issued in Oct 2020.
CSPs that wish to have their services certified must classify each into IaaS, PaaS, or SaaS. They also decide to which level they wish to demonstrate compliance (Tier 1, 2, or 3).
For compliance to Level 3, the CSP must be certified to ISO/IEC 27001.
CSPs must obtain the services of an Accredited Certification Body, who will audit the management system of the CSP for compliance to SS 584. The CB will then issue a Certificate attesting to this, usually valid for three years. Annual Surveillance Audits are required.
A list of Services and CSPs certified is available.[4] Examples of Certified CSPs include IBM[5] and AWS.[6]
Although the standard is not an International standard, as the first national standard to address Cloud Security, it has seen acceptance outside Singapore. In particular, the Korean RSEFT regulations recognise SS 584 as meeting most of the requirements for CSPs.[7]
Documents from Datamation[8] and CloudwatchHUB[9] describe the international use and impact of this standard.
