Countries across the globe are increasingly privacy-aware and have drafted laws and regulations based on the usage patterns and organizations in those countries. The governing bodies in Singapore have issued minimum requirements to establish data centers to ensure the safety and security of individuals, infrastructure, and the data stored. Organizations must comply with the standards specified by fulfilling all audit and regulatory requirements to establish data centers in Singapore, and are also expected to test and update their controls regularly.
A data center is a physical facility that houses IT applications and infrastructure for an organization's business-critical data storage and operations. Since it is the data hub, a data center is vulnerable to leaks, thefts, and attacks, and proper security measures should be implemented at every stage. Common data center security threats include:
To avoid similar challenges, data centers have to ensure both physical and software security at every stage. Security aspects start from site selection, capacity planning, business continuity plan, disaster recovery, and include data access, monitoring, logging, asset management, operational support, maintenance, and environmental conditions. The respective governing bodies have defined and documented standards for these so that organizations can comply with them and keep their data centers secure.
Singapore is a gateway to Asia for the rest of the world, and its infrastructure and wealth have helped it become one of the largest repositories for data storage and processing. Other key reasons include:
Singapore has formulated different laws for personal data, cloud data, incident response, design aspects, and so on. Data centers designed with proper strategies to store and process data can enhance the end-user experience and protect their data.
Any organization found guilty of a data breach can be fined up to 10 percent of its annual turnover in Singapore. Currently, the maximum a company can be fined for a data breach is S$1 million.
The Personal Data Protection Act of 2012 (PDPA) governs the collection, use, and disclosure of personal data by private organizations. PDPA is aimed at giving more control to individuals, such as customers, employees, or members of associations, by encouraging organizations to facilitate the safe and protected cross-border transfer of information. The security measures defined cover the data stored in both electronic and non-electronic forms.
The main obligations of PDPA cover:
The Personal Data Protection Commission (PDPC) also defines a few simple steps to get started with personal data protection in Singapore.
Multi-Tier Cloud Security (MTCS), also known as Singapore Standard 584, is the world's first cloud security standard that covers multiple tiers. Prepared by the Information Technology Standards Committee (ITSC), MTCS defines how cloud service providers (CSPs) have to protect customer data and address their concerns about the confidentiality of the data in the cloud. With a total of 535 controls, it aims to provide transparency and visibility into how the CSPs handle data.
MTCS has three levels of security, referred to as tiers, with tier 3 being the most stringent. In the words of MTCS:
The technical reference (TR) 62 for cloud outage incident response (COIR) is a set of guidelines that will keep your business afloat when there are cloud outages in Singapore. It covers both CSPs and cloud service customers (CSCs). COIR provides guidelines for having appropriate communication plans, activation of preplanned processes, mobilization of emergency resources, prioritization levels for recovery and restoration of affected cloud services, and continuous monitoring of CSP’s uptime to detect outages.
COIR categorizes the cloud outage impact into four tiers with tier A being the most serious.
Singapore Standard (SS) ISO/IEC 21878:2019 is an adoption of ISO/IEC 21878:2018 aimed at the security aspects of the increased virtualization of data center infrastructure. It specifies standards for architecting virtual server configurations from a security perspective, to ensure that the virtual machines (VMs) and the applications running on them are secure.
Similar to the security and privacy standards, Singapore has also formulated other data center standards for design, quality, and environmental aspects.
Data centers are extremely energy-intensive, and almost 50 percent of the energy expenditures of data centers in Singapore is attributed to the use of electricity. This includes both energy consumption by IT systems and energy consumption by facility systems. To address this, the Infocomm Media Development Authority of Singapore, along with other government bodies, has developed the Green Data Center standards, similar to the ISO 50001 standards for energy management.
With respect to facility systems, direct liquid cooling, close‐coupled refrigerant cooling, air and cooling management, passive cooling, free cooling, and power supply efficiency are assessed. Concerning IT systems, software power management, energy‐aware workload allocation, dynamic provisioning, energy‐aware networking, wireless data centers, and memory type optimization are assessed.
The Telecommunications Industry Association's (TIA) ANSI/TIA-942-A is the telecommunications infrastructure standard for data centers. It is an American National Standard that specifies the minimum requirements for structured cabling work. Defined in TIA/EIA-568, it describes the design, installation, and performance requirements for cabling in data centers.
The other common data center standards that are followed worldwide and are given equal importance in Singapore are:
Singapore is a growing data center hub offering many benefits for establishing new data centers due to its infrastructural, geographical, political, and technological setup. However, a shortage of land and zoning restrictions present some challenges. All organizations are expected to comply with and follow the standards above. The Cloud Security Alliance's Security Trust Assurance and Risk (CSA STAR) certification for security assessment of CSPs is also considered important in Singapore.