Singapore rolls out guidelines to bolster cloud and datacentre resilience

Singapore’s Infocomm Media Development Authority (IMDA) has launched a set of advisory guidelines aimed at bolstering the resilience and security of cloud services and datacentres in the city-state.

The move comes as Singapore increasingly relies on digital infrastructure for essential services and seeks to mitigate the potentially devastating impact of service outages and cyber attacks.

“Disruptions to cloud services and datacentres can lead to significant inconveniences to our daily lives, and adversely impact our economy and society,” IMDA said. “With the right practices, such disruptive occurrences can be minimised, and services can be restored quickly when a disruption occurs.”

The advisory guidelines address a spectrum of risks, including technical vulnerabilities, physical hazards such as fires or water leaks, and increasingly sophisticated cyber attacks. To mitigate these risks, IMDA recommended cloud service providers to implement security testing protocols, well-defined user access controls, data governance frameworks and disaster recovery plans.

For datacentre providers, it recommended establishing business continuity management systems to minimise service disruptions and maintain high availability, alongside specific measures to mitigate cyber security risks.

The IMDA drew on existing international and industry standards in developing the guidelines, as well as lessons learned from past incidents and consultations with key cloud service providers and datacentre operators in Singapore.

In November 2024, an outage at a Microsoft Azure datacentre took down the websites of the CPF Board and Nanyang Technological University, among others, while the digital banking services of DBS Bank, Southeast Asia’s largest lender, were disrupted due to a fault in the cooling systems at Equinix, the bank’s datacentre provider.

The launch of the advisory guidelines is part of a broader effort by an inter-agency taskforce to develop measures to uplift digital resilience and security across Singapore. IMDA said the guidelines will complement the upcoming Digital Infrastructure Act (DIA), designed to regulate systemically important digital infrastructure such as major cloud providers and datacentre operators.

Noting the importance of the guidelines, Annabel Lee, director of public policy at Amazon Web Services (AWS), said: “Security and resilience have always been top priorities for us at AWS. As we plan to expand our cloud infrastructure footprint and double our investment in Singapore by 2028, we look forward to collaborating even more closely with IMDA to raise the bar on digital security and resilience in the industry.”

Bill Chang, CEO of Nxera, Singtel’s datacentre arm, welcomed the new guidelines, adding that the company has always incorporated resilience and security-by-design in building and operating its datacentres not just in Singapore but also in the region. “We will continue to do so to meet the evolving needs of our government, customers and regulator,” he said.

Chua Kim Chuan, group chief information security officer at SingHealth, said: “As a major healthcare service provider, a robust digital infrastructure provided by our IT partners and suppliers is critically important to SingHealth. We welcome the advisory guidelines and the DIA as they align with our commitment to enhancing cyber security and digital resilience, further safeguarding our systems and patients’ interests.”

The IMDA said the advisory guidelines will be continuously updated to reflect technological advancements, learning points from incidents and ongoing industry feedback. The agency encouraged companies providing digital services to conduct their own risk assessments and implement business continuity plans to mitigate the impact of disruptions on their customers.