
© 2014 IDA Singapore. All Rights Reserved.

MTCS & Its Cross Certification with CSA STAR/CCM

Presented to ASEAN CSA Summit 2015
Tao Yao Sing
Assistant Director, National Cloud Computing Office
12 June 2015


Objective

To provide a cloud security framework that:

• Caters for the different needs of cloud users, from basic requirements to those needing high confidentiality, high integrity and high availability, such as FSI
• Highlights key security areas and the associated controls for each tier
• Complements existing security standards, e.g. ISO27001 and industry-specific standards/regulatory requirements


MTCS – Conceptual View

MTCS is designed with ISO27001:2005 as its base. Other relevant standards, guidelines and reference documents are considered, including TR30, TR31, CSA CCM, PCI DSS, ENISA, the NIST 800 series and industry-specific guidelines.

Layered view (figure):
• ISO 27001 (ISMS) – Base Standards
• Multi-tier Cloud Security Standards – Cloud Related Controls
• Domain Specific Standards – More Specific Controls (Healthcare, Finance, Govt)


Key Differences of MTCS Tier Levels

Each MTCS tier builds upon the lower tier, either with additional security requirements or with more stringent controls.

• Level 1: 296 controls
• Level 2: 449 controls
• Level 3: 535 controls

Control areas that distinguish the higher tiers (number of controls in brackets):
• Data governance (24)
• Cloud services administration (16)
• Tenancy and customer isolation (16)
• Operations (16)
• Business continuity planning (BCP) and disaster recovery (DR) (7)
• Tenancy and customer isolation (11)


MTCS Cloud Security Model


Structure of MTCS standard

The Standard consists of:

• Core Information Security
  – Cloud Governance
  – Cloud Infrastructure Security
  – Cloud Operations Management

• Cloud Specific Information Security
  – Cloud Services Administration
  – Cloud User Access
  – Tenancy and Customer Isolation


CSP Self-Disclosure – More Transparency

Self-disclosure areas (figure):
• Legal & Compliance
• Data Control
• Provider Performance
• Service Support
• Service Elasticity
• Security Config

* Five essential characteristics of Cloud Computing as defined by NIST


MTCS Certification Framework

Certification Scheme
• 3 different levels of certification, further qualified with types of services
• Certification will be valid for 3 years, with a yearly surveillance audit to be conducted

Qualified Assessors and CBs for MTCS Certification
• Audit skill and cloud computing security knowledge
• Relevant audit experience
• 7 Certification Bodies have been qualified to offer certification services

Prerequisites
• All applicants must complete CSP self-disclosure

Accreditation Scheme
• Available from Singapore Accreditation Council since Oct 2014

Cross-Certification with Other Int’l Standards
• Harmonization with ISO27001 & CSA OCF/STAR


Cross-Certification with CSA STAR/CCM


Mapping Between CSA STAR/CCM & MTCS

• Collaboration with CSA to cross-certify MTCS & STAR/CCM
• Systematic 3-step approach taken to map detailed requirements in MTCS to corresponding requirements in CSA STAR/CCM:
  1. Mapping of Control Areas
  2. Mapping of Specific Requirements in each Control Area
  3. Mapping Details of each Requirement


SUMMARY OF MAPPING: MTCS vs CSA STAR/CCM

CSA CCM -> MTCS

  CSA -> MTCS                       Included in CSA controls   Gaps
  Level 1 (total controls: 296)     227 (77%)                  69 (23%)
  Level 2 (total controls: 449)     327 (73%)                  122 (27%)
  Level 3 (total controls: 535)     377 (70%)                  158 (30%)

MTCS -> CSA CCM

  MTCS -> CSA                       Included in MTCS controls  Gaps
  Level 1 (total controls: 136)     122 (90%)                  14 (10%)
  Level 2 (total controls: 136)     124 (91%)                  12 (9%)
  Level 3 (total controls: 136)     124 (91%)                  12 (9%)


Summary

• MTCS SS584:2013 was launched at CloudAsia in Nov 2013
• >180 copies sold
• Certification services offered by 7 CBs
• Accreditation scheme by Singapore Accreditation Council available since 29 Oct 2014
• Cross-certifying with other int’l standards/frameworks (ISO27001 & CSA OCF/STAR)
• Currently more than 10 IaaS & SaaS ISVs have been MTCS certified
• Alignment of MTCS standards with specific industry sectors
• CSP Registry being set up to host pertinent info (Security Cert/Self-Disclosure/Performance/Availability) about CSPs to build trust through transparency
• Joint white paper with CSA on “Virtualization Security” published on 20 Apr 2015 & submitted to ISO/IEC SC27 in May 2015 to kick off a 6-month study period


Thank You [email protected]


List of Useful Links

MTCS Standard SS584:2013
• http://www.singaporestandardseshop.sg/product/product.aspx?id=5b014ff6-02ca-4918-afb0-379703794b4d

MTCS Certification Scheme
• http://www.ida.gov.sg/Collaboration-and-Initiatives/Initiatives/Store/MTCS-Certification-Scheme

List of MTCS Certification Bodies
• http://www.ida.gov.sg/~/media/Files/Collaboration%20Initiatives/Initiatives/2013/mtcs/ListOfParticipatingCBs.pdf

MTCS Certification Grant Support
• http://www.spring.gov.sg/Enterprise/CDG/Pages/Enhancing-Quality-Standards.aspx
• http://www.spring.gov.sg/Enterprise/CDG/Documents/CDG_Brochure.pdf

CSP Registry
• http://www.ngp.org.sg/index.php/resources/csp-registry/


List of Participating Certification Bodies


Structure of MTCS Standard

Consists of the following focus areas & clauses:

Core Information Security (Clauses 6-21)

• Cloud governance (Clauses 6-12)
  6. Information security management
  7. Human resources
  8. Risk management
  9. Third-party
  10. Legal and compliance
  11. Incident management
  12. Data governance

• Cloud infrastructure security (Clauses 13-17)
  13. Audit logging and monitoring
  14. Secure configuration
  15. Security testing and monitoring
  16. System acquisitions and development
  17. Encryption

• Cloud operations management (Clauses 18-21)
  18. Physical and environmental
  19. Operations
  20. Change management
  21. BCP and DR

Cloud Specific Information Security (Clauses 22-24)
  22. Cloud services administration
  23. Cloud user access
  24. Tenancy and customer isolation