Adopting cloud infrastructure promised enterprises a host of benefits, including cost efficiency, scalability, business continuity, and enhanced collaboration.
Today, few enterprises rely on a single cloud provider; instead, most run workloads across multiple platforms. A 2024 study by IDC revealed that 90% of organisations in the Asia Pacific have adopted a multi-cloud reality. This approach enables enterprises to optimise performance, control costs, and avoid vendor lock-in by utilising services from multiple vendors.
Despite its benefits, enterprises face multiple challenges in managing multiple clouds. IBM has highlighted issues such as maintaining consistent cloud security and compliance policies across various platforms, consistently deploying applications across target environments, and monitoring tools to achieve a singular view and configure consistent responses.
While enterprises grapple with the complexities of managing multiple clouds, Singapore is building a playbook to shape the future of cloud computing. Agencies such as the Infocomm Media Development Authority (IMDA) and Enterprise Singapore (ESG) are spearheading efforts to address a critical concern: establishing trust in multi-cloud management.
Their answer lies in standards.
Standardised multi-cloud management
As companies ramp up their adoption of multi-cloud data strategies, Raju Chellam, chair of the Cloud and Data Standards at the Information Technology Standards Committee (ITSC), emphasises the crucial role of a unified governance framework for managing multi-cloud data.
“The ITSC operates under the Singapore Standards Council,which is part of the national standardisation program managed by ESG. It is supported by ESG and IMDA. IMDA serves as the Secretariat for ITSC. ITSC is tasked with developing Singapore Standards and Technical References for IT, especially where no international standards exist,” Chellam explained.
For Chellam, a unified governance framework for multi-cloud data management helps ensure consistency across cloud platforms, as CSPs (Cloud Service Providers) and SaaS vendors may have their own data models, APIs, and security protocols.
“A unified framework ensures standardised policies for data access, classification and retention, as well as uniform compliance with regulations like Singapore’s PDPA (Personal Data Protection Act), EU’s GDPR, the US’ HIPAA, etc,” Chellam shared.
He adds that such a framework centralises the monitoring and auditing of data usage and movement, with consistent encryption, identity, and access controls, to detect and respond to security incidents across cloud platforms and services.
Cloud and data standards
To support unified controls in multi-cloud deployments specific to Singapore, ITSC prioritises key cloud and data standards such as SS 584:2020 Multi-Tier Cloud Security (MTCS) Standard, TR 62:2018 COIR (Cloud Outage Incident Response) Guidelines, and IMDA’s Advisory Guidelines for Cloud Services and Data Centres.
SS 584:2020 MTCS Standard is the world’s first cloud security standard, which ITSC developed to help CSPs demonstrate security capabilities.
“It has three tiers: Tier 1 specifies basic controls for non-critical data. Tier 2 specifies moderate controls for business-critical data. Tier 3 specifies stringent controls for regulated industries such as finance and healthcare,” he explained.
Moreover, Chellam said that the TR 62:2018 COIR Guidelines provide a framework for CSPs and cloud users to manage cloud outages which are not caused by cybersecurity incidents.
“COIR focuses on operational failures, infrastructure issues, and environmental risks. It encourages transparency and resilience in service-level agreements,” he said.
IMDA also released Advisory Guidelines for Cloud Services and Data Centres in February 2025, complementing ITSC standards. Aligned with MTCS and international standards such as ISO 27001 and the Cloud Security Alliance’s Cloud Controls Matrix, it serves as a cybersecurity control framework to provide fundamental security principles that guide CSPs and cloud users in assessing the overall security risk of a cloud service.
Guidelines-based cybersecurity
According to Chellam, current ITSC guidelines and standards help enterprises mitigate cybersecurity risks in unified multi-cloud environments by aligning with SS 584:2020.
Meanwhile, TR 62:2018 COIR helps build a coordinated response plan, setting up cross-cloud incident playbooks &protocols and Unified Identity &Access Management across cloud platforms can help enforce consistent access controls.
Chellam also advises organisations to apply multi-factor authentication and role-based access controls, deploy Security Information &Event Management tools that aggregate logs across clouds.
He also urges CIOs to avoid vendor lock-in by using open standards and containerised workloads such as Kubernetes, as well as set data portability and exit strategies in SLAs.
Interoperability and standardisation
To promote unified platform management in multi-cloud environments, ITSC plays a pivotal role. It facilitates interoperability and standardisation among CSPs by establishing Technical Committees and Working Groups that develop SS and TRs for cloud computing, virtualisation, and data governance.
They also monitor and harmonise international standards for adoption in Singapore and provide a neutral platform for industry, academia, and government agencies to collaborate on standardisation, issuing Advisory Guidelines for Cloud Services &Data Centres.
He adds that these groups also ensure consistent policy enforcement, infrastructure security for secure multi-tenancy services, and resilience planning and business continuity/disaster recovery for unified ops.
Balancing innovation, compliance, and operational efficiency
Chlellam suggests CIOs can balance innovation, compliance, and operational efficiency in hybrid and multi-cloud setups through a 5A Approach: Adopt, Accelerate, Align, Automate, and Audit
First, organisations can adopt a “cloud smart” strategy by selecting the most suitable environment for each application, whether it is a public cloud, private cloud, hybrid cloud, or edge.
“Do this by mapping workloads for performance, cost and compliance, and by avoiding a one-size-fits-all cloud approach,” he said.
Next, “Accelerate” involves modernisation of legacy systems for multi-cloud integration. He said that CIOs should prioritise legacy transformation to ensure compatibility with hybrid cloud models.
“This will help maintain operational continuity while enabling innovation velocity,” Chellam said.
For Chellam, “Alignment” entails following MTCS, COIR and IMDA Guidelines and Frameworks.
“If AI is factored, use the IMDA AI Model Governance Framework as a guide. Select CSPs based on MTCS-aligned tiered security requirements,” he said.
Chellam adds that it is vital to automate governance and compliance with real-time cybersecurity detection, quarantine, alerting and mitigation. He urges organisations to deploy AI and predictive analytics to identify &remediate compliance gaps proactively.
Lastly, the auditing process involves using blockchain-enabled audit trails and homomorphic encryption to analyse encrypted data without exposing PII (personally identifiable information), especially in regulated sectors like finance and healthcare.
Standardising innovations in multi-cloud management
Research across industriesshows that standardisation enables continuous improvement by documenting processes, reducing variability, easing skills transfer, and providing a baseline for improvement.
Similarly, modernising multi-cloud management can be optimised through guidelines and standards. By providing appropriate guardrails, they ensure that innovations occur securely, efficiently, and with built-in resilience.
