Data center regulations for Singapore

The need for data center security

A data center is a physical facility that houses IT applications and infrastructure for an organization's business-critical data storage and operations. Since it is the data hub, a data center is vulnerable to leaks, thefts, and attacks, and proper security measures should be implemented at every stage. Common data center security threats include:

• Phishing attacks where user data is stolen, including login credentials and credit card numbers stored in the data center.
• Ransomware attacks caused by a hacker planting malicious software in the network that results in a financial demand to return the network to operational standards.
• Data loss due to faulty hardware or software, or data theft.

To avoid similar challenges, data centers have to ensure both physical and software security at every stage. Security aspects start from site selection, capacity planning, business continuity plan, disaster recovery, and include data access, monitoring, logging, asset management, operational support, maintenance, and environmental conditions. The respective governing bodies have defined and documented standards for these so that organizations can comply with them and keep their data centers secure.

Why Singapore is a data center hub

Singapore is a gateway to Asia for the rest of the world, and its infrastructure and wealth have helped it become one of the largest repositories for data storage and processing. Other key reasons include:

• High-quality infrastructure with uninterrupted power and water supplies, low latency, and fiber optic network connectivity.
• Singapore's reputation for being a successful data center hub accounts for 60 percent of Southeast Asia's data market, and encourages further investments in data center projects.
• Singapore, among the top 8 percent of countries most safe from natural disasters, also embraces green data center initiatives to ensure sustainability.
• The stable political set-up, comparatively low taxes, and business-friendly regulations also favor data center investments in Singapore.

Laws that govern data center security

Singapore has formulated different laws for personal data, cloud data, incident response, design aspects, and so on. Data centers designed with proper strategies to store and process data can enhance the end-user experience and protect their data.

Any organization found guilty of a data breach can be fined up to 10 percent of its annual turnover in Singapore. Currently, the maximum a company can be fined for a data breach is S$1 million.

The PDPA

The Personal Data Protection Act of 2012 (PDPA) governs the collection, use, and disclosure of personal data by private organizations. PDPA is aimed at giving more control to individuals, such as customers, employees, or members of associations, by encouraging organizations to facilitate the safe and protected cross-border transfer of information. The security measures defined cover the data stored in both electronic and non-electronic forms.

The main obligations of PDPA cover:

• Consent obligation: Only collect, use, or disclose personal data with an individual's consent. Allows individuals to withdraw consent, and requires the organization to stop collecting and storing their data.
• Purpose limitation obligation: Collect, use, or disclose data only for the purpose for which the individual has given consent.
• Notification obligation: Notify the individuals about the purpose of use well in advance.
• Access and correction obligation: Upon request, the data and how the data has been used or disclosed in the past have to be provided.
• Accuracy obligation: Ensure that the data collected is accurate and complete.
• Protection obligation: Make security arrangements to protect the data from unauthorized access.
• Retention limitation obligation: Stop retaining or using the data when it is no longer necessary for business or legal purposes.
• Transfer limitation obligation: Transfer personal data to another country based only on the enforced regulations, and ensure that the data is protected by regulations similar to the PDPA, in the country to which it is transferred.
• Openness obligation: Designate a data protection officer (DPO) to implement PDPA in your organization. Disclose information about your data protection practices and regulations on request.

The Personal Data Protection Commission (PDPC) also defines a few simple steps to get started with personal data protection in Singapore.

• Appoint a DPO.
• Know the purpose of the data protection plan, and chart out your personal data inventory.
• Implement the data protection process.
• Communicate the process to employees, and ensure that they follow it as defined.
• Establish an internal audit policy, and conduct frequent audits to ensure that the security practices are in place.

The MTCS or SS584

Multi-Tier Cloud Security (MTCS), also known as Singapore Standard 584, is the world's first cloud security standard that covers multiple tiers. Prepared by the Information Technology Standards Committee (ITSC), MTCS defines how cloud service providers (CSPs) have to protect customer data and address their concerns about the confidentiality of the data in the cloud. With a total of 535 controls, it aims to provide transparency and visibility into how the CSPs handle data.

MTCS has three levels of security, referred to as tiers, with tier 3 being the most stringent. In the words of MTCS:

• Tier 1: Designed for non-business critical data and systems with basic security controls that address security risks and threats targeting low-impact information systems, e.g. a website hosting public information.
• Tier 2: Designed for organizations that use cloud services to protect a business or personal information, and run critical business data and systems in moderate-impact information systems. CSPs in this tier have more stringent security controls, e.g. email or customer relation management (CRM) systems.
• Tier 3: Designed for companies with specific needs and more stringent security requirements. Industry-specific regulations may also be applied, to supplement and address security risks and threats in high-impact information systems using cloud services, e.g. to secure financial and medical records. For compliance at this level, the CSP must be certified to ISO/IEC 27001.

TR 62: 2018 Guidelines for COIR

The technical reference (TR) 62 for cloud outage incident response (COIR) is a set of guidelines that will keep your business afloat when there are cloud outages in Singapore. It covers both CSPs and cloud service customers (CSCs). COIR provides guidelines for having appropriate communication plans, activation of preplanned processes, mobilization of emergency resources, prioritization levels for recovery and restoration of affected cloud services, and continuous monitoring of CSP’s uptime to detect outages.

COIR categorizes the cloud outage impact into four tiers with tier A being the most serious.

• Tier A- Systemic/Life-threatening impact: This can apply to cloud services hosting functions which can have a direct impact on human safety, or the stability of the economy, market, or industry at large and those that would require immediate restoration, e.g. incidents on air traffic controls that can put the pilots, passengers, and others at risk.
• Tier B- Business-critical impact: This is designed for cloud service hosting functions that are critical to the operation of an organization. CSPs are expected to restore their services within four hours of the incident identification, e.g. payment gateways.
• Tier C- Operational impact: This is designed for cloud service hosting functions that are critical to the operation of an organization, but can withstand a long outage. In this case, CSPs are expected to implement a fix within eight hours, e.g. email services going down.
• Tier D- Minimal impact: This is appropriate for cloud services hosting functions that can bear outages for longer durations. CSPs would be expected to restore services within two working days, e.g. corporate websites with general information.

SS ISO/IEC 21878:2019 Security guidelines for design and implementation of virtualized servers

Singapore Standard (SS) ISO/IEC 21878:2019 is an adoption of ISO/IEC 21878:2018 aimed at the security aspects of the increased virtualization of data center infrastructure. This specifies standardizations for architecting virtual server configurations from a security perspective. This is to ensure that the virtual machines (VMs) and the applications running on them are secure.

Other data center standards

Similar to the security and privacy standards, Singapore has also formulated other data center standards for design, quality, and environmental aspects.

Conclusion

Singapore is a growing data center hub offering many benefits for establishing new data centers due to its infrastructural, geographical, political, and technological setup. However, a shortage of land and zoning restrictions present some challenges. All organizations are expected to comply with and follow the standards above. The Cloud Security Alliance's Security Trust Assurance and Risk (CSA STAR) certification for security assessment of CSPs is also considered important in Singapore.