IMDA issues guidelines for cloud services and data centres; some may be added to new laws
Source: Straits Times
Article Date: 26 Feb 2025
Author: Lee Li Ying
Parts of the guidelines are likely to be incorporated into the upcoming Digital Infrastructure Act.
Cloud service and data centre operators must perform background checks of all employees and due diligence on third-party service providers under new advisory guidelines released by the Infocomm Media Development Authority (IMDA) on Feb 25.
The move comes as the Government seeks to fortify the digital infrastructure that underpins key services such as banking, e-commerce and telecommunications, and mitigate the risk of damage to Singapore’s economy and digital way of life from infrastructure outages.
Parts of these guidelines are likely to be incorporated into the upcoming Digital Infrastructure Act that will hold cloud service providers and data centre operators accountable to higher security and resilience standards. The Act is set to be tabled in Parliament later in 2025.
The new legislation was first mooted in March 2024 on the back of widespread outages of digital services both locally and overseas.
In October 2023, more than 2.5 million payment and ATM transactions could not be completed by two banks due to a fault in the cooling system of a data centre used by the banks.
In April 2023, a fire in a Global Switch data centre in Paris brought down Google Cloud services in Europe for weeks for some customers.
Singapore’s digital economy contributes a sizeable 17.7 per cent of the country’s gross domestic product.
Explaining that cloud service providers are like digital superhighways and data centres are like record-keepers for online transactions, Minister for Digital Development and Information Josephine Teo said that when such operators face difficulties, the public will experience inconveniences in day-to-day activities.
“If we look at the requirements for security and resilience of these kinds of foundational digital infrastructure, there is no requirement yet... I think it’s timely for us to raise the standards of the industry,” Mrs Teo told the media on the sidelines of a tour of Microsoft’s data centre.
While major operators voluntarily adopt industry standards, not all players are certified to standards of resilience. So the guidelines set a baseline for the industry.
Additionally, industry players can give feedback ahead of the new legislation’s implementation.
“The advisory guidelines, in a way, allow us to round-test a set of practices and the industry can put them in deployment... I think it will help us shape a set of requirements in the Digital Infrastructure Act that is more responsive to their needs and will bring about greater assurance to the public,” said Mrs Teo.
The guidelines were developed by the inter-agency Taskforce on the Resilience and Security of Digital Infrastructure and Services, led by the Ministry of Digital Development and Information.
The task force consulted closely with key operators in Singapore, and the guidelines reference existing internal and industry standards and incorporate lessons from past incidents.
For cloud services, the guidelines cover seven categories of measures to improve security and resilience. The measures involve the management of privileged accounts, user access controls, and audit logging and monitoring.
For data centres, the guidelines provide a framework for operators to put in place business continuity management systems, including fire and flood mitigation measures, to minimise service disruptions.
They also include guidance on implementing such policies, as well as how to tackle risks of cyber threats such as supply chain attacks, malware attacks and ransomware.
Players that could come under the legislation in Singapore include data centre operators Equinix and Microsoft, as well as cloud service providers Google and Amazon Web Services.
The guidelines will be continuously updated to incorporate technological developments, learning points from incidents and industry feedback.
Source: The Straits Times © SPH Media Limited. Permission required for reproduction.