Insights

Singapore: New advisory guidelines to strengthen resilience of cloud services and data centres

Market Insight 11 March 2025 11 March 2025
Asia Pacific
Corporate & Advisory - Technology Risk
Cyber Risk

The Singapore Infocomm Media Development Authority (“IMDA”), have, in two advisory guidelines dated 25 February 2025, issued best practices on the resilience and security of Singapore’s compute infrastructure, namely Cloud and Data Centres.

The advisory guidelines are:

The Advisory Guidelines for Resilience and Security of Cloud Services (“AG for CS”); and
The Advisory Guidelines for Resilience and Security of Data Centres (“AG for DC”).

For Cloud Services, the AG for CS covers 7 categories of measures to uplift the security and resilience of Cloud Services. Measures that CSPs are encouraged to implement relate to areas such as security testing, user access controls, proper data governance, and planning for disaster recovery.

For Data Centres (“DC”), the AG for DC provides a framework for operators to put in place a robust business continuity management system to minimise service disruptions and ensure high availability for their customers. This includes guidance on implementing business continuity policies, controls and processes, and continuously reviewing and improving them. The AG also sets out measures to address cybersecurity risks in DCs.

Cloud service providers (“CSPs”) and data centres operators (“DCOs”) are encouraged to designate an officer (such as a senior representative) to take charge of implementing the measures.

In this client update, we summarise the key aspects of the two advisory guidelines.

AG for CS

The measures are organised into 7 categories, and are in line with existing international standards (such as MTCS, ISO 27001 and CCM), with some additional measures to better address risks.

Category	What does it generally cover?
1. Cloud Governance	Information Security Management: CSPs should ensure that information security is managed within the CSPs’ overall administrative structure. Information Human Resources: CSPs should ensure that all employees and third parties are suitable for their roles prior to employment or contract and that they understand their responsibilities, employment and contract terms and conditions (including termination) to reduce the risk of theft, fraud or misuse of facilities. Risk Management: CSPs should establish and maintain a cloud-specific risk management programme to identify, quantify, prioritise, and mitigate or resolve risks impacting the cloud service operations and information assets. Third Party: CSPs should ensure that it has an effective control framework over its third-party service providers supporting the cloud environment. Legal and Compliance: CSPs should ensure that they and their third-party service providers conform to the CSPs’ information security and risk management policies, standards, and procedures and contractual obligations. Incident Management: CSPs should implement incident management controls to ensure that information security events and weaknesses impacting the information assets and systems in the cloud environment are communicated in a timely manner. Data Governance: CSPs should ensure that only authorised users have access to the data stored in the cloud environment at all times.
2. Cloud Infrastructure Security	Audit logging and monitoring: CSPs should ensure that activities performed and events occurred in the cloud environment are being tracked and maintained for a period of time to detect any unauthorised activities and to facilitate investigation and resolution in the event of security incidents (e.g., access violations). Secure configuration: CSPs should ensure that the systems in the cloud infrastructure and the supporting networks are designed and configured securely to prevent against unauthorised entry points or malicious activities through weak system configurations. Security testing and monitoring: CSPs should conduct security testing and implement monitoring controls across the cloud infrastructure including services, VMs and physical infrastructure to detect vulnerabilities and malware in a proactive and timely manner. System acquisition and development: CSPs should implement system acquisitions and development security controls to ensure that security is an integral part of the information systems as well as the business processes associated with these systems. CSPs should establish policies and procedures for the development or acquisition of new applications, systems, databases, infrastructure, services, operations, and facilities. Encryption: CSPs should implement encryption and secure cryptographic key management to ensure that sensitive information in transmission or in storage electronically is being protected against unauthorised use or disclosure.
3. Cloud Operations Management	Operations: CSPs should implement operations security controls to ensure that the operations of the cloud are documented, secure, reliable, resilient and recoverable. Change management: CSPs should implement change management controls to ensure that changes to the cloud infrastructure are carried out in a planned and authorised manner.
4. Cloud Services Administration	CSPs should implement cloud services administration controls to ensure the enforcement of policies, standards and procedures relating to the creation, maintenance and removal of privileged accounts used for managing cloud services and supporting networks.
5. Cloud Service Customer Access	CSPs should implement cloud user access controls to ensure that policies, standards and procedures are established and implemented to govern the creation, maintenance and removal of user accounts to restrict access and safeguard user credentials to prevent unauthorised access to information and information systems.
6. Tenancy and Customer Isolation	CSPs should implement tenancy and customer isolation controls to restrict user access within the same physical resource and segregate network and system environments such that the customers do not pose a risk to one another in terms of data loss, misuse and privacy violation.
7. Cloud Resilience	Physical and environmental security: CSPs should implement physical and environmental security controls to prevent unauthorised physical access, damage or interference to the cloud environment and infrastructure with the use of appropriate procedures and assessments. Business continuity and disaster recovery: CSPs should implement business continuity and disaster recovery controls to ensure timely resumption from, and the possible prevention of interruptions to business activities and processes caused by failures of information systems and disasters.

AG for DC

There are 3 main key risks – (1) DC infrastructure; (2) Governance; and (3) Cyber.

Risks	What does it generally cover?
1. Infrastructure Risk	These are risks stemming from insufficient consideration of risk in the design of DCs. The key risk areas are: Power management: E.g., risks of power disruption caused by inadequate power redundancy during planned maintenance or inadequate lightning protection leading to power outage; Environmental control management: E.g., risks of loss of cooling due to inadequate redundancy within environmental control systems to ensure continuous cooling; Cable management: E.g., risks of loss of network connectivity due to insufficient bend radius resulting in damaged cables; Facilities/tenant space protection: E.g., risks of unauthorised access due to inadequate physical controls, and fire due to inadequate fire detection and suppression systems; and Building site and design suitability: E.g., risks of water intrusion into the DC due to lack of protection against environmental risks such as flooding.
2. Governance Risk	These are risks stemming from insufficient risk oversight of DC operations. The key risk areas are: Operations management: E.g., risks of power or cooling failure due to inadequate monitoring of DC infrastructure elements such as power supply and environmental control systems; Incident management: E.g., risks of prolonged service disruption due to poor incident management response and service recovery processes; and Change management: E.g., risks of unauthorised change due to weak change management processes
3. Cyber Risk	These are risks of cyberattacks on DC operating systems and controls E.g., risks of data centre infrastructure management systems being compromised which may result in unauthorised temperature changes due to inadequate cybersecurity control measures.

To manage the above risks, DCOs should adopt the following process:

Concluding remarks

The advisory guidelines are an additional step to boost the resilience and security of Cloud Services and DCs, following the amendments to the Singapore Cybersecurity Act last year to address the cybersecurity risks of such digital infrastructure.

Additionally, the advisory guidelines complement the upcoming introduction of a new Singapore Digital Infrastructure Act (“DIA”), which will regulate systemically important digital infrastructure such as major CSPs and DC operators.

The advisory guidelines, along with the upcoming DIA, will bolster infrastructure resilience for cloud services and data centres, and create a more secure and reliable digital environment for businesses and consumers.

How we can help

As a dynamic, global law firm, Clyde & Co provides expert advice to our clients on digital laws and regulations, complex IT outsourcing and procurement agreements, and data protection compliance issues that arise out of their projects. Our team of seasoned specialists also provides expert advice on how to address compliance risks, navigate crisis response, and respond to data protection and privacy issues across the full cyber lifecycle.

To discuss how this latest regulatory development may mean to you, please feel free to reach out to the author below.

End

Authors:

Thomas Choo

Managing Partner

Zhen Guang Lam

Senior Associate

Themes:

Areas:

Market Insights

Stay up to date with Clyde & Co

Subscribe here