Singapore has introduced a set of recommended measures for data centre operators and cloud service providers to mitigate the risk of disruptions. While currently not mandated for adoption, the guidelines will likely set the path for the country's upcoming legislation to govern its digital infrastructures.
The Infocomm Media Development Authority (IMDA) on Tuesday announced the new advisory guidelines that it said aim to boost the resilience as well as security of cloud and data centre services. Adoption of these measures also will minimise disruptions and allow for services to be quickly restored, the industry regulator said, adding that outages can adversely impact Singapore's economy.
Increasing use of digital services, such as online banking and e-commerce, has heightened the need for infrastructures on which these services operate, to be reliable and to remain available.
Services are disrupted and daily activities impacted, when cloud providers and data centres experience difficulties, said Josephine Teo, Minister for Digital Development and Information (MDDI) and Minister-in-charge of Smart Nation and Cybersecurity.
"However, at the moment, if we look at the requirements for security and resilience of these kinds of foundational digital infrastructure, there is no set requirement yet," Teo said. And while existing best practices already may be adopted within the industry, these are not informed.
"I think it's timely for us to raise the standards in the industry," the minister said, in her comments on the release of the guidelines. "[They] will help to give us better assurance that, even if we are not able to prevent all disruptions, preventive measures are up to mark."
"We want to raise the baseline standards and, over time, bring these to a higher level," she said. "That is the intention of putting this into practice through the advisory guidelines…and subsequently through legislative and regulatory requirements."
FutureCIO understands that the guidelines may be incorporated, in some form, into Singapore's upcoming Digital Infrastructure Act. The bill was first mooted last March as a necessary regulatory move to ensure digital infrastructures and services are robust. Its proposal had followed several high-profile service disruptions in recent years, including an hours-long outage at an Equinix data centre in October 2023, caused by a cooling system fault, that brought down banking services. A fire at a Digital Realty data centre last September also disrupted tech services.
According to Teo, the Digital Infrastructure Act is set to be tabled later this year. Until then, the newly released guidelines will offer a testbed for what works and what may need further finetuning.
Feedback from industry players that have adopted the new guidelines can help identify requirements that will allow the Act to be "more responsive" to their needs, the minister said.
The guidelines were established after consultation with industry players and service providers, including those in key verticals such as banking and healthcare.
The measures also take into consideration existing industry standards such as IMDA's Multi-Tier Cloud Security Standard and ISO 27001.
Lessons from past incidents help identify potential risks
They identify best practices that address various risks, including cyber attacks, misconfigurations in technical architecture and physical hazards, such as water leaks and cooling system failures, according to IMDA.
The guidelines also pull learnings from past incidents and include risks assessment, business impact analysis, and business continuity planning.
The cloud services guidelines, for instance, encompass seven categories spanning user access controls, data governance, network segregation, and security testing. Recommended measures for data centres cover areas such as power and cooling, fire suppression, incident management, and cyber threat mitigation.
FutureCIO understands that while the guidelines do not explicitly instruct on the use of artificial intelligence (AI), cloud and datacentre operators that use the technology to manage their facilities should do so to achieve desired outcomes that are in line with those stated in the advisory guidelines.
The recommended measures also will be continuously updated alongside industry developments and feedback.
