On 25 February 2025, the Infocomm Media Development Authority (“IMDA”) of Singapore issued advisory guidelines aimed at enhancing the resilience and security of Singapore’s digital infrastructure, a key component underpinning Singapore’s digital economy. The Advisory Guidelines for Resilience and Security of Cloud Services (“Cloud Services Guidelines”) provide cloud service providers (“CSPs”) with guidance on and best practices for managing their respective risks and ensuring business continuity. While compliance with the Cloud Services Guidelines is not mandatory, CSPs are encouraged to adhere to the measures set out.
Cloud Services Guidelines
The Cloud Services Guidelines focus on Infrastructure-as-a-Service (“IaaS”) and Platform-as-a-Service (“PaaS”) models, given the foundational role they play in enabling the provision of other services.
Having taken guidance from international standards such as the Multi-Tier Cloud Security standard, ISO 27001 and the Cloud Security Alliance Cloud Controls Matrix, the Cloud Services Guidelines focus on seven areas:
1. Cloud Governance
Cloud Governance measures that are advocated include policies and processes to be implemented by CSPs to manage the way cloud services are provided. These include the following:
- Information Security Management
CSPs should ensure robust information security management, including establishing information security roles and standards, designating security liaisons who act as the point of contact with customers and the authorities, and providing general oversight over how information security measures are implemented and monitored.
- Information Human Resources
CSPs should ensure that their employees and any third parties acting on their behalf are appropriately qualified and experienced for their roles, and that they appreciate their responsibilities and the consequences of their failure to comply with the necessary standards. Examples of steps that should be taken include performing suitable background checks, regular evaluations of security personnel, as well as the establishment and administration of a formal disciplinary process for employees and third parties who breach the information security policies.
CSPs should implement risk management programmes tailored to the unique risks associated with cloud services. CSPs should also conduct regular risk assessments, establish processes to review and monitor risks to the cloud environment, and develop a risk register to monitor and report identified risks.
CSPs should implement control frameworks that allow them to exercise appropriate control over third-party service providers that support their cloud services. CSPs should establish robust frameworks, perform due diligence to identify any risk, develop and maintain risk management procedures, procure written contractual agreements that address third-party risks with all third-party service providers, and ensure that all third-party service providers comply with their contractual obligations regarding their cloud operations.
CSPs should ensure compliance with their information security and risk management policies, both from their employees as well as from third-party service providers. Measures to take include continually reviewing all relevant documentation for compliance and contractual requirements, reviewing risk management procedures to ensure compliance with organisational policies and standards, and enforcing commercial agreements with third parties in the event of any breach.
CSPs should establish sufficient incident management controls that enable the prompt communication of information security events and weaknesses affecting the CSPs’ information assets and cloud systems. Measures include maintaining response plans for information security incidents and procedures to deal with such incidents, ensuring the efficacy of the incident response plans, and implementing clear security incident reporting processes.
CSPs should prevent unauthorised access to data stored in the cloud environment. Applicable measures to control access include encrypting data, requiring authentication before a user can access data, as well as establishing procedures for the input, storage or transmission of data. Furthermore, CSPs should involve customers in the data governance process. CSPs should communicate their data storage as well as retention policies and procedures to customers, and should provide them with the means to track access to and usage of their data.
2. Cloud Infrastructure Security
- Audit Logging & Monitoring
CSPs should track and maintain the records of all activities and events within the cloud system to identify unauthorised activities, facilitate investigations into those activities, and to resolve any incidents. CSPs should protect the integrity and accuracy of these logs.
CSPs should apply secure configuration baselines across cloud infrastructure, including disabling unnecessary services and ensuring security patches are applied promptly. Robust and comprehensive controls should be implemented to manage the various risks. Such controls include anti-malware solutions to address malicious code threats, controls on code that is executed remotely, as well as the performance of compliance checks to ensure that the baseline security configuration standards are met.
- Security Testing and Monitoring
To enable the timely detection and resolution of any vulnerabilities and malware, CSPs should regularly test and continually monitor their cloud infrastructure. Regular vulnerability scans and penetration testing, as well as the implementation of network intrusion detection and network intrusion prevention systems, will strengthen CSPs’ ability to secure their cloud infrastructure.
- System Acquisition and Development
CSPs should acquire and develop new applications, systems and similar facilities in a manner that reinforces the security of their information systems.
CSPs should utilise encryption and secure cryptographic key management to protect sensitive information from unauthorised use or disclosure. Key steps to be taken include implementing mechanisms that allow for encryption where possible and establishing procedures to manage all stages of the cryptographic key lifecycle (e.g., generation, distribution, replacement and destruction).
3. Cloud Operations Management
CSPs should establish operations security controls that document and secure their cloud operations in a reliable way. Key controls include operations management policies and procedures documentation, processes to monitor and plan capacity resource requirements, and processes to ensure that systems supporting critical information assets may be recovered. The Cloud Services Guidelines also list, as an additional measure that CSPs can consider, the implementation of processes to deal with vulnerabilities identified or reported by researchers.
Change management controls that prevent unplanned and unauthorised changes to the cloud infrastructure should be implemented. Among other measures, CSPs should introduce a formal change management process, establish backup procedures and develop rollback procedures that enable the reversion of unauthorised changes.
4. Cloud Services Administration
Cloud services administration controls are crucial to the enforcement of standards in the development, maintenance and deletion of accounts designated for the management of cloud services and supporting networks. Key controls include the establishment of a formal registration and approval process for the grant and modification of privileged rights to personnel who administer the cloud services, the implementation of password security controls for the system and data, as well as specific controls for third-party administrative access. The Cloud Services Guidelines also highlight the inclusion of additional approvers to authorise system configuration changes, especially for sensitive changes, as an additional measure CSPs can consider implementing.
5. Cloud Service Customer Access
To safeguard customer data and access, CSPs should adopt cloud user access controls that govern the creation, maintenance and removal of user accounts.
Key controls include the establishment of a formal user registration process to control user access to cloud services, implementing formal processes that promptly detect and terminate unauthorised access attempts, and implementing measures to detect changes in cloud users’ administrator details. The Cloud Services Guidelines also highlight strong encryption of software authentication tokens as an additional measure for CSPs to consider.
6. Tenancy and Customer Isolation
To ensure that customers do not pose data loss, misuse or privacy violation risks to each other, CSPs should establish tenancy and customer isolation controls that isolate network and system environments, as well as restrict user access within the same physical resource. In this respect, key controls include limiting the sharing of resources between the various networks employed by the CSP, developing secure network architecture that protects the cloud infrastructure, and segregating customers’ access to data to prevent data co-mingling.
7. Cloud Resilience
- Physical and Environmental Security
Beyond technical and cyber measures, CSPs should also implement robust physical and environmental security controls that guard against physical access or interference to infrastructure supporting the cloud environment. CSPs should implement appropriate procedures and assessments, including maintaining accurate logs of inventory and assets, implementing control measures such as requiring authorisation before assets are transferred off-site, and restricting visitor access to facilities in which cloud services are provided or cloud information is processed.
- Business Continuity and Disaster Recovery
CSPs should develop business continuity and disaster recovery controls to prevent or mitigate any failures of the information system, and to enable a prompt recovery of the system and restoration of any disrupted services. CSPs should develop a process to test the efficacy of their plans and the ability of personnel to perform appropriate remediation actions. The Cloud Services Guidelines also recommend the testing of a server’s ability to allocate sufficient resources toward recovery during a service failure, as an additional measure that CSPs can consider implementing.
Conclusion
CSPs play a crucial role in Singapore’s digital ecosystem. It is imperative that CSPs continually improve their security and resilience measures to keep abreast of potential threats and maintain the reliability of Singapore's digital infrastructure. The Cloud Services Guidelines provide detailed frameworks for CSPs to enhance their security posture and ensure business continuity. Whilst these recommendations are not mandatory, they clearly signal the expectations of the regulator and CSPs should therefore review their operations and processes for compliance with the Cloud Services Guidelines.
The information provided above does not, and is not intended to, constitute legal advice pertaining to the Cloud Services Guidelines; the information, content and materials set out above are based on our reading of the amendments and are for general informational purposes only.