Ensuring Government Web Services and Data Hosted on Commercial Data Centres are Assured of Availability and Data Security

2 Ms Poh Li San asked the Prime Minister in view of the recent disruption caused by the power outage at Microsoft Azure on 8 February 2023 (a) how can Government web services and data hosted on commercial data centres be assured of availability and data security; and (b) what is the Government’s procurement policy in terms of web services and data hosted in data centres owned by Singapore companies compared to foreign companies.

The Senior Minister of State for Communications and Information (Dr Janil Puthucheary) (for the Prime Minister): Mr Speaker, outages and disruptions can happen to any digital service, including those hosted on cloud services. The recent service degradation at a Microsoft data centre had limited impact on Government services. Nonetheless, GovTech has been working with Microsoft to fully restore affected services and prevent similar occurrences in future.

In general, cloud service providers offer improved availability, scalability and cost efficiency. These advantages were most evident during the COVID-19 pandemic, when we could quickly deploy services to support national efforts, such as contact tracing, proximity tracking and distribution of face masks.

To qualify for Government procurement, cloud services providers must meet our criteria for availability, resilience and security. The same criteria apply regardless of the service provider’s ownership and location of data centres. The services are regularly monitored to ensure compliance with agreed service levels and stringent security standards. Prior to this incident, cloud service providers had been able to meet our requirement to be available at least 99.9% of the time.

Mr Speaker: Ms Poh Li San.

Ms Poh Li San (Sembawang): Thank you, Speaker. I thank the Senior Minister of State for the reply. I have two supplementary questions. The first is regarding risk management. What is our strategy to diversify the use of different cloud services and data centres providers hosting various Government-linked functions? And the second question is on the degree of control. What degree of Government control do we have over the service providers in terms of such availability and resilience, and also what is the recourse in a situation of failure?

Dr Janil Puthucheary: Sir, our cloud services are hosted by three different service providers. So, there is already some diversity in the contractual arrangements that we have and the provision of services from the commercial sector. There is also diversity in the way in which we structure our cloud-supported databases and services, with some things happening on commercial cloud, Government commercial cloud and some things on on-premise solutions. So, there is already some diversity and we will continue to look to see how we can improve the resilience of our cloud service providers and uphold the standards that we have required.

To Ms Poh Li San's second question about the degree of control over the cloud service providers and what recourse, there are service standards that are contractually agreed to and the service providers have every interest in working with us to make sure that they do meet those service standards. But in addition to that, like any contractual arrangement between a cloud service provider and the client, our engineers work closely with their engineers, both in terms of setting up the architecture and also, in terms of trouble-shooting when problems arise. So, that close relationship is part of the way in which we ensure the resilience of our service and the recourse when things go wrong.

Mr Speaker: Ms Poh.

Ms Poh Li San: I thank the Senior Minister of State. In view of the importance of data in our digital society, will there be plans for some form of Government-owned cloud service, for maximising our control?

Dr Janil Puthucheary: To be clear, our plans are only for 70% of Government services to be on cloud providers by 2023. We are on track to meet that target. And so, already, we have plans and we have planned for some of our services to be controlled by the Government directly. These would primarily be those that support the work of the security services and agencies that are associated with that.