The need for data center security
A data center is a physical facility that houses IT applications and infrastructure for an
organization's business-critical data storage and operations. Since it is the data hub, a data center
is vulnerable to leaks, thefts, and attacks, and proper security measures should be implemented at
every stage. Common data center security threats include:
- Phishing attacks in which user data stored in the data center, including login credentials and
credit card numbers, is stolen.
- Ransomware attacks, in which an attacker plants malicious software in the network and then demands
payment to return the network to operational standards.
- Data loss due to faulty hardware or software, or to data theft.
To avoid similar challenges, data centers have to ensure both physical and software security at every
stage. Security aspects start from site selection, capacity planning, business continuity plan,
disaster recovery, and include data access, monitoring, logging, asset management, operational
support, maintenance, and environmental conditions. The respective governing bodies have defined and
documented standards for these so that organizations can comply
with them and keep their data centers secure.
Why Singapore is a data center hub
Singapore is a gateway to Asia for the rest of the world, and its infrastructure and wealth have helped
it become one of the largest repositories for data storage and processing. Other key reasons include:
- High-quality infrastructure with uninterrupted power and water supplies, low latency, and fiber optic
connectivity.
- Singapore's reputation as a successful data center hub: it accounts for 60 percent of Southeast
Asia's data market, which encourages further investment in data center projects.
- Singapore, among the top 8 percent of countries most safe from natural disasters, also embraces green
data center initiatives to ensure sustainability.
- The stable political set-up, comparatively low taxes, and business-friendly regulations also favor
data center investments in Singapore.
Laws that govern data center security
Singapore has formulated different laws for personal data, cloud data, incident response, design aspects,
and so on. Data centers designed with proper strategies to store and process data can enhance the end-user
experience and protect their data.
Any organization found guilty of a data breach can be fined up to 10 percent of its annual turnover in
Singapore. Currently, the maximum a company can be fined for a data breach is S$1 million.
The Personal Data Protection Act of 2012 (PDPA) governs the collection, use, and disclosure of personal
data by private organizations. PDPA is aimed at giving more control to individuals, such as customers,
employees, or members of associations, by encouraging organizations to facilitate the safe and protected
cross-border transfer of information. The security measures defined cover the data stored in both
electronic and non-electronic forms.
The main obligations of PDPA cover:
- Consent obligation: Only collect, use, or disclose personal data with an individual's consent. Allow
individuals to withdraw consent, and stop collecting and storing their personal data when they do.
- Purpose limitation obligation: Collect, use, or disclose data only for the purpose for which the
individual has given consent.
- Notification obligation: Notify the individuals about the purpose of use well in advance.
- Access and correction obligation: Upon request, the data and how the data has been used or disclosed
in the past have to be provided.
- Accuracy obligation: Ensure that the data collected is accurate and complete.
- Protection obligation: Make security arrangements to protect the data from unauthorized access.
- Retention limitation obligation: Stop retaining or using the data when it is no longer necessary for
business or legal purposes.
- Transfer limitation obligation: Transfer personal data to another country only in accordance with the
applicable regulations, and ensure that the data is protected in the destination country by regulations
comparable to the PDPA.
- Openness obligation: Designate a data protection officer (DPO) to implement PDPA in your organization.
Disclose information about your data protection practices and regulations on request.
The Personal Data Protection Commission (PDPC) also defines a few simple steps to get started with
personal data protection in Singapore.
- Appoint a DPO.
- Know the purpose of the data protection plan, and chart out your personal data inventory.
- Implement the data protection process.
- Communicate the process to employees, and ensure that they follow it as defined.
- Establish an internal audit policy, and conduct frequent audits to ensure that the security practices
are in place.
The MTCS or SS584
Multi-Tier Cloud Security (MTCS), also known as Singapore Standard 584, is the world's first cloud
security standard that covers multiple tiers. Prepared by the Information Technology Standards Committee
(ITSC), MTCS defines how cloud service providers (CSPs) have to protect customer data and address their
concerns about the confidentiality of the data in the cloud. With a total of 535 controls, it aims to
provide transparency and visibility into how the CSPs handle data.
MTCS has three levels of security, referred to as tiers, with tier 3 being the most stringent. In the
words of MTCS:
- Tier 1: Designed for non-business-critical data and systems, with basic security controls that address
security risks and threats targeting low-impact information systems, e.g. a website hosting public
information.
- Tier 2: Designed for organizations that use cloud services to protect business or personal
information and run critical business data and systems in moderate-impact information systems. CSPs in
this tier have more stringent security controls, e.g. email or customer relationship management (CRM)
systems.
- Tier 3: Designed for companies with specific needs and more stringent security requirements.
Industry-specific regulations may also be applied, to supplement and address security risks and threats
in high-impact information systems using cloud services, e.g. to secure financial and medical records.
For compliance at this level, the CSP must be certified to ISO/IEC 27001.
TR 62: 2018 Guidelines for COIR
The technical reference (TR) 62 for cloud outage incident response (COIR) is a set of guidelines that
will keep your business afloat when there are cloud outages in Singapore. It covers both CSPs and cloud
service customers (CSCs). COIR provides guidelines for having appropriate communication plans, activation
of preplanned processes, mobilization of emergency resources, prioritization levels for recovery and
restoration of affected cloud services, and continuous monitoring of CSP’s uptime to detect outages.
COIR categorizes the cloud outage impact into four tiers with tier A being the most serious.
- Tier A - Systemic/life-threatening impact: This applies to cloud services hosting functions that can
have a direct impact on human safety, or on the stability of the economy, market, or industry at large,
and that would require immediate restoration, e.g. incidents in air traffic control that can put
pilots, passengers, and others at risk.
- Tier B - Business-critical impact: This applies to cloud services hosting functions that are
critical to the operation of an organization. CSPs are expected to restore their services within four
hours of incident identification, e.g. payment gateways.
- Tier C - Operational impact: This applies to cloud services hosting functions that are critical to
the operation of an organization but can withstand a longer outage. In this case, CSPs are expected to
implement a fix within eight hours, e.g. email services going down.
- Tier D - Minimal impact: This applies to cloud services hosting functions that can bear outages
for longer durations. CSPs are expected to restore services within two working days, e.g. corporate
websites with general information.
SS ISO/IEC 21878:2019 Security guidelines for design and implementation of virtualized servers
Singapore Standard (SS) ISO/IEC 21878:2019 is an adoption of ISO/IEC 21878:2018 aimed at the security
aspects of the increased virtualization of data center infrastructure. This specifies standardizations for
architecting virtual server configurations from a security perspective. This is to ensure that the virtual
machines (VMs) and the applications running on them are secure.
Other data center standards
Similar to the security and privacy standards, Singapore has also formulated other data center standards
for design, quality, and environmental aspects.
The Green Data Centre Standard in Singapore or SS 564
Data centers are extremely energy-intensive, and almost 50 percent of the energy expenditure of data
centers in Singapore is attributed to the use of electricity. This includes both energy consumption by
IT systems and energy consumption by facility systems. To address this, the Infocomm Media Development
Authority of Singapore, along with other government bodies, has developed the Green Data Centre
standard, similar to the ISO 50001 standard for energy management.
With respect to facility systems, direct liquid cooling, close-coupled refrigerant cooling, air and
cooling management, passive cooling, free cooling, and power supply efficiency are assessed. Concerning
IT systems, software power management, energy-aware workload allocation, dynamic provisioning,
energy-aware networking, wireless data centers, and memory type optimization are assessed.
The Telecommunications Industry Association's (TIA) ANSI/TIA-942-A is the telecommunications
infrastructure standard for data centers. It is an American National Standard that specifies the minimum
requirements for structured cabling work. Building on the cabling definitions in TIA/EIA-568, it describes
the design, installation, and performance requirements for cabling in data centers.
ISO and others
The other common data center standards that are followed worldwide and are given equal importance in
Singapore are:
- ISO 27001, ISO 27017, ISO 27018
- PCI DSS
- SOC 1, 2, and 3.
Singapore is a growing data center hub offering many benefits for establishing new data centers due to
its infrastructural, geographical, political, and technological setup. However, a shortage of land and
zoning restrictions present some challenges. All organizations are expected to comply with and follow the
standards above. The Cloud Security Alliance's Security Trust Assurance and Risk (CSA STAR) certification
for security assessment of CSPs is also considered important in Singapore.