CLOUD INITIATIVES FOR A SMART NATION

Transcription

1 OUTLINE CLOUD INITIATIVES FOR A SMART NATION 11 April TAO YAO SING ASSIST. DIRECTOR, STANDARDS, IMDA Impediments to Cloud Adoption Cloud Security Virtualization Security for Servers Cloud Resiliency Cloud Outage Incident Response Cloud Professionals Development Body of Knowledge for Cloud Computing Cloud for Services (-as-a-service Pilot) Moving Forward 2 IMPEDIMENTS TO CLOUD ADOPTION OVERVIEW MTCS Addressing cloud adoption issues 1. Surveys have consistently confirmed that cloud security is Number 1 concern in adoption 2. Concern & tolerance of security differs from users to users 3. We need a security standard to provide visibility & clarity of security provisions of CSPs for better matching of users needs Industry Specific Standards (e.g. Govt, Finance & Healthcare industries) More Specific Controls Multi-tier Cloud Security Standards Cloud Related Controls ISO (ISMS) Base Standards 3 4

2 FRAMEWORK OF MTCS STANDARD MTCS is based on a multi-tiered framework comprising 3 levels of IS requirements SUMMARY OF STATUS (1 OF 2) MTCS SS584 was launched at CloudAsia in Nov 2013 >200 copies sold Level Overview Security Control Focus Non-business critical data & systems Most business critical data & systems Regulated organizations with specific requirements & more stringent security needs Baseline security controls for potentially low-impact information systems A set of more stringent security controls for potentially moderate-impact information systems Additional set of security controls for potentially high-impact information systems Accreditation scheme by Singapore Accreditation Council available since 29 Oct 2014 Certification services offered by 7 CBs. 6 have already been accredited Cross-certifying with other int l standards/frameworks (ISO27001 & CSA OCF/STAR) 5 6 SUMMARY OF STATUS (2 OF 2) MTCS CERTIFICATION STATUS Mapping with ISO27018 (CoP for PII Protection in Public Cloud) completed & published ServiceNow Alignment of MTCS standards with specific industry sectors Mapping of MTCS to Healthcare IT Security Policies & Standards completed Currently more than 20 IaaS & SaaS ISVs/CSPs (with >80 cloud services 66 IaaS/PaaS vs 16 SaaS) have been MTCS certified L3: AWS, ClearManage, Microsoft, Alibaba, Ribose, ServiceNow L2: SoftLayer/IBM, Tata Comms L1: Acclivis, Acscenix, ICONZ-WebVisions, IIJ, M1, Starhub, NME, ReadySpace, Telin, Auctorizium, BlazeClan, Evvo, Inspire-Tech, Reachfield, Wizlearn 7 8

3 9 VIRTUALIZATION SECURITY FOR SERVERS TR30 Servers Virtualization Security published in Joint project in 2014 with CSA to publish a whitepaper in Apr 2015 Initial NWI submission to in Apr 2015 to kick-off a 6- month study period. SP report approved and NWIP ISO meeting in Apr 2016 Ballot was called and project approved in Aug Currently in Working Draft stage. CLOUD RESILIENCY OUTAGE INCIDENT RESPONSE IN SCOP E OUT OF SCOPE 10 To develop a tiered COIR framework to ensure transparency in Cloud Service Providers (CSPs) cloud outage incident responses thus enabling cloud users to evaluate accordingly. This framework will help cloud users opt for the appropriate level of outage protection to complement their BC/DR capabilities. Cloud outages directly associated with: Operational mistakes; Infrastructure or system failure; Environment issues (like flooding/fire) Cyber-security incidents and malicious acts REGULATORS Standardise BCM requirements for CSPs Feb 2016 IDA COIR guidelines launch Feb 2016 NWI Approved by ITSC ITSC WG formed/kicked off in Jul 2016 Industry engagement briefing & FG sessions in Jan-Feb 2017 Public consultation in May-Jun 2017 CLOUD USERS Transparency of service provided by CSPs WHO BENEFITS? CSPs Aligned to market demand on the services expectation COIR OVERVIEW - MULTI-TIERED FRAMEWORK 4 tiers were defined in the COIR Framework based on impact of outage to business, sector, economy and human life COIR OVERVIEW - 17 CRITERIA DEFINITION FOR EACH TIER Minimal Operational Business Critical Life Threatening For cloud services hosting functions that are least important to an organisation s ops. Alternative means/fallback mechanisms are available. Duration of outage in days is tolerable. Low urgency to access data during outage period 11 Tier D Tier C Tier B For cloud services hosting functions that are essential to an organisation s ops. Ops restored within same day. Medium urgency to access data during outage period. Else outage will impact org s op l efficiency/ effectiveness significantly. For cloud services hosting functions that are critical to an org s ops. Any outage can impact biz severely Ops shall be restored within hours. Have a high urgency to access data during this period. Else, survival is at stake if outage prolongs Tier A For cloud services hosting functions that are mission critical to human safety or stability of economy, mkt, industry (systemic). The impact is beyond organisation s ops. Any outage will put human safety/stability of market, economy or industry at stake. 12

4 CLOUD PROFESSIONALS DEVELOPMENT Objective To establish consistent measure for assessment & recognition of cloud professionals in SG Body of knowledge (BOK) on cloud computing will form the basis for: Designing training courses to attain proficiency in cloud computing; Establishing a professional certification scheme; and Awarding continuing education credits or professional proficiency points IMDA completed initial draft and handed over to SCS Cloud Chapter for implementation considerations BoK BCM conference on 17 Mar 2017 CLOUD FOR DATA SERVICES DAAS PILOT Led by exponential growth of data & demand for data/datasets. Many business strategies & decisions are now made based on availability of timely data A DaaS pilot was piloted in Mar 2014 for 2 years exploring ways to enhance SG data ecosystem: sets discovery (Federated Namespace Registry) sets access (APIs) quality (DQM) CONCEPTUAL REPRESENTATION OF DAAS PILOT set access via developer-friendly APIs DAAS PILOT SEEKS TO ENHANCE DATA ECOSYSTEM Challenges Mash Ups Analytics Provider #1 sets Quality Tool set Registry (DSR) #1 Contains set catalogue quality dashboard Provider #2 sets DSR #2 Quality Tool Cross-Provider set Discovery Provider #N sets DSR #N Quality Tool Through providing ease in dataset discovery across industry verticals With a dataset discovery mechanism Through helping potential buyers make better-informed purchases With a data quality dashboard Through delivering datasets via developer-friendly APIs With guidelines for data access APIs 15 Federated set Registry (FDSR) 16

5 TECHNICAL REFERENCE 41 : 2015 (TR 41 : 2015) Guidelines recommending a baseline set of data quality metrics which are industry domain agnostic for structured & machine-readable datasets Relevance & completeness Punctuality & timeliness Accessibility or availability TECHNICAL REFERENCE 33 : 2013 (TR 33 : 2013) Guidelines & best practices for design & implementation of APIs & access protocols Use existing architecture & standards for web services Standardize web resource identification, design & data representation Security mechanism 17 Ease of use Reliability & trustworthiness More information can be Versioning convention 18 API documentation (documentation template) Use of metadata More information can be SOME OF THE TYPES OF DATASETS ON DAAS CLOUD FOR DATA SERVICES DAAS PILOT Business Singapore consumer classification Corporate financial data from BizInsights Singapore consumer classification Strategic corporate information data Company directory SingPost 6D Postal Code Environment Singapore weather data Sample haze data Shopping Footfall and location datasets Population in shopping malls Social media buzz of malls sample dataset 2013, 2014 Transport Traffic data Taxi queue information sample data Live parking availability Real Estate Melbourne apartments for rent/sale Singapore property caveats Real Estate listing data Real Estate agent data Scientific Singapore hydrodynamic hindcast Model - L Model Habitat fragmentation in a birdpollinated eucalypt Results Piloted 28 data providers with 81 datasets Held 2 -Driven Innovation Challenges for Institutes of Higher Learning and a Discovery Challenge to promote datasets sharing/mashup Lessons Learnt Getting datasets owners to share is not easy Motivation to share usually not monetary driven Effective mashup needs to standardize (common) data definitions & formats Next phase Explore possible means to deliver significant impact & value through sharing and mashup of datasets 19 20

6 MOVING FORWARD Driving for cloud adoption Broad-based adoption through certified SaaS for SMEs Self-assessment tool for SMEs are now available for download Sectorial adoption through identified domains (e.g. Healthcare) Singapore has improved adoption from 24.6% (2013) to 28.9% (2015) overall Enhancing cloud service resiliency & recoverability Cloud outage incident response (COIR) WIP Promote self-regulation for cloud industry Identify specialised areas of cloud computing in selected sectors E.g. Artificial Intelligence, Marketplace (explore data use cases) LIST OF USEFUL LINKS MTCS Standard SS584: dza==&keyword=ss%20584 MTCS Certification Scheme & Self-Assessment Tool List of MTCS Certified Cloud Services List of Accredited Certification Bodies MTCS Certification Grant Support IMDA COIR Guidelines Virtualization Security for Servers TR30: dza==&keyword=tr% THE END 23