Multi-Tiered Cloud Security SS584

The Multi-Tiered Cloud Security (MTCS) Singapore Standard (SS 584:2015) is the world’s first cloud security standard that covers multiple tiers of cloud security. It aims to encourage the adoption of sound risk management and security practices for cloud computing. MTCS prescribes cloud computing security practices and controls, applied to cloud users and Cloud Service Providers (CSPs), to strengthen governance, reliability and resilience of cloud security controls in their environments.


MTCS serves the needs of differing cloud users for data sensitivity and business criticality. As cloud computing resources are shared across public sector organizations and private companies, in various locations and within diversity of information security maturity levels, risks have emerged of unsanctioned access to sensitive data.


MTCS certification is currently applied to different service models offered in cloud computing across South-East Asia, simplified to three types: The base type is data center infrastructure (Infrastructure-as-a-Services), the platform that sits on top of the infrastructure (Platform-as-a-Service), and finally the enterprise-facing application (Software-as-a-Service).


MTCS certification would help CSPs structure disclosure clauses in service level agreements with end-user contracts, concerning data retention, ownership, portability, legal obligations, availability, business continuity, disaster recovery and incident reporting.

Security Level System

MTCS has three levels of security, Level 1 being the base and Level 3 being the most stringent:

Level 1 – Designed for non-business critical data and systems, with baseline security controls to address security risks and threats in potentially low impact information systems using cloud services (e.g. Web site hosting public information).

Level 2 – Designed to address the need of most organizations running critical data and systems through a set of more stringent security controls. These address security risks and threats in potentially moderate impact information systems using cloud services to protect business and customer information (e.g. Personally Identifiable Information (PII), credit card data, CRM data, emails).

Level 3 – designed for regulated organizations with specific requirements. Industry specific regulations may be applied in addition to these controls, which supplement or address security risks and threats in high impact information systems using cloud services (e.g. Highly confidential business data, financial records, medical records).