#WorkinginCSA: Shaping Cloud Security Policies to Safeguard Singapore’s Digital Future
31 July 2025
Donald is a Senior Assistant Director in CSA’s Cloud Cybersecurity Programme Office (CCPO) and part of the team responsible for shaping national cloud security policies and standards, working to translate these policies into practical implementation.

Outside of work, he enjoys traveling, air pistol shooting, and building up his home automation system.
1. Tell us more about your team’s work and your role as a Senior Assistant Director in CSA’s Cloud Cybersecurity Programme Office (CCPO).
Cloud Cybersecurity Programme Office (CCPO) serves as the central subject matter expert within the Cyber Security Agency of Singapore (CSA) for all matters related to cloud security governance, consultation and technologies. Our core mission is to secure Singapore's cloud-enabled digital economy. We do this by demystifying complex cloud security issues on public and private cloud platforms, promoting clear guidelines to manage security risks, engaging with industry experts to address emerging threats, and securing the deployment of critical national projects in the cloud. My role is to help shape and evangelise the adoption of cloud security policies and industry best practices. This enables the Singapore Government, our Critical Information Infrastructure (CII), and the wider ecosystem to harness the power of the cloud securely, resiliently and confidently. A typical day is dynamic and involves a mix of strategic policy work, technical consultation and industry engagement. This could mean developing and refining national cloud security guidelines - such as the Cloud Security Companion Guides, which we co-developed with partners like major cloud providers and cloud security solution vendors, or providing security consultation for critical government systems and CIIs migrating to the cloud. It also involves collaborating with industry partners through forums and speaking engagements to understand emerging threats and share best practices.
My technical expertise is currently focused on translating policy into practical and scalable implementation for organisations moving into the cloud. I advocate for a pragmatic, risk-based approach. It’s important to get a feel of the cloud and understand how to secure it before taking bigger steps ahead, especially for highly sensitive systems. This philosophy is built on five foundational security principles:
Zero-Trust Principles: We must move away from outdated perimeter-based defences and assume no implicit trust, continuously validating every interaction.
Full Asset Inventory: It is critical for organisations to maintain a complete and updated inventory of all cloud assets, from data and applications to infrastructure.
System Configuration Posture Visibility: Beyond just knowing what assets you have, it's vital to have visibility into their security posture. This means actively monitoring for insecure configurations, vulnerabilities, and policy drifts to detect and prevent attackers from exploiting weaknesses in things like cloud Application Programming Interfaces (APIs) or service settings.
Continuous ‘Shift-Left, Shift-Right’ Testing: Security cannot be a one-time check. This principle involves embedding security throughout the entire development lifecycle, from continuously testing code for vulnerabilities early on (‘shift-left’) to also testing applications that are already live in production to ensure they remain secure and resilient (‘shift-right’).
Continuous Chaos Engineering Testing for Resiliency: To build truly resilient cloud infrastructures, we must proactively test their ability to withstand disruptions. This involves going beyond standard tests to conduct simulations of real-world failures - such as cloud outages or cyberattacks - to validate that business continuity and disaster recovery plans are not just theoretical but effective in practice.
2. What inspired you to become interested in Cloud Cybersecurity and pursue a career in this field?
Rather than a sudden epiphany, my journey into cybersecurity evolved naturally from my background as a solution architect and my experience building one of Singapore's most critical pieces of digital infrastructure.
A key, formative period for me was my time at GovTech, where I was one of the architects for the National Digital Identity (NDI) platform. This wasn't just another IT project; it was a strategic national project at the heart of Singapore's ‘Smart Nation’ ambition. Working on a mission-critical, cloud-native system like NDI - which, as SingPass, serves as the trusted digital backbone for over 5 million residents and facilitates more than 500 million transactions annually - gave me a profound, firsthand understanding of the immense responsibility involved in securing digital services at a national scale. We were leveraging a modern, cloud-native tech stack and an Infrastructure-as-Code (IaC) approach to build a resilient and secure platform from the ground up.
This experience at the forefront of the government's cloud migration was the primary catalyst for my shift into a dedicated cybersecurity role. I saw directly that the cloud is a double-edged sword. On one hand, it was a ‘vital backbone for government digital services’, enabling rapid improvements and new capabilities that were essential during the COVID-19 period. On the other hand, I saw the persistent and complex security challenges that came with it: the difficulties in maintaining full visibility of assets, the nuances of the shared responsibility model, and the trade-offs between speed and security.
It became clear to me that for Singapore's digital transformation to succeed, we needed more than just innovative services; we needed a robust, practical, and automatable security framework to underpin the entire effort. This motivated my transition from a ‘builder’ role at GovTech to a ‘guardian’ role at the CSA. I wanted to apply the practical lessons I had learned in the trenches - about what works and what doesn't when building secure systems at scale - to help shape the national policies that protect our entire digital ecosystem and enable all organisations to navigate their own cloud journeys safely.
3. What are some projects you’ve worked on in CSA that you found particularly interesting and/or challenging? What made them interesting, and how did you navigate the challenges?
A significant and ongoing project that I find particularly interesting is our work with industry partners, government agencies and the Infocomm Media Development Authority (IMDA) to review and shape the next revision of Singapore's Multi-Tier Cloud Security (MTCS) standard. This isn't just a routine update; it's a critical initiative to ensure our national cloud security benchmark remains robust and relevant. MTCS is a tiered-based cloud security standard and is voluntary for any cloud service provider (CSP) in Singapore, making it a cornerstone of our private and public sector's digital foundation.
The core challenge is keeping a national standard ahead of the curve. To navigate this, the process is deeply collaborative but also evidence-based, and this is where our CSA Cloud Lab becomes a critical asset. The lab allows us to move beyond theoretical discussions by providing a secure, scalable platform to validate new security controls and simulate emerging threats in a controlled ‘sandbox’ environment. For example, CSA officers conduct rigorous Proof of Concept (POC) projects to learn and use new cloud-native services, new technologies like multi-cloud architectures, microservices-driven models or Artificial Intelligence (AI)-driven threat detection/investigation platforms. This ensures that any updates to our national standards and guidance are not only technically sound but also practically proven against real-world scenarios, de-risking their adoption for the entire ecosystem.
Another project which I find very rewarding is helping organisations adopt the Cybersecurity Code of Conduct (CCoP 2.0) under the Cybersecurity Act in Singapore. To provide clear, actionable guidance for cloud environments, my team has co-developed with GovTech the CCoP for Cloud, which defines the specific technical, security, and operational controls required on top of the existing CCoP 2.0. The challenge is always bridging the gap between regulatory requirements and the day-to-day reality for engineering teams. To address this, we are actively working with the major cloud service providers to co-develop the CCoP (Cloud) Companion Guide.
This is where we champion the use of ‘Policy as Code’ (PaC) by moving it from theory to practice. We are currently co-prototyping the use of PaC to continuously monitor Critical Information Infrastructure (CII) systems for compliance with the CCoP in cloud. My role is often that of a translator and enabler. We engage directly with the community of cloud builders and practitioners through technical sessions and workshops. In these forums, we demonstrate how to use automation and familiar tools like IaC to build security and compliance directly into their development pipelines. This empowers teams to codify security rules, making compliance an automated, continuous part of their workflow rather than a manual, after-the-fact checklist. It's about translating the ‘what’ of policy into the ‘how’ of implementation, empowering teams with the tools to build security in from the start and ensuring that robust security can accelerate innovation, not hinder it.
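The ‘Policy as Code’ workflow described in this answer, together with the configuration posture monitoring named among the five principles in the first answer, as an added example that is not code from CSA, GovTech or the CCoP (Cloud) Companion Guide: a small Python checker that evaluates a constructed cloud asset inventory against codified security rules and compares each resource with a baseline snapshot to flag configuration drift. The inventory fields, the rule identifiers (PAC-001 and so on), the baseline and the pipeline gate are all assumptions made for illustration.

```python
"""Policy-as-Code compliance check over a cloud asset inventory.

Added example, not CSA/GovTech/CCoP tooling. Assumes a generic inventory
export with per-resource fields such as "public", "encrypted",
"mfa_enforced" and "auth_required"; rule ids PAC-00x are hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule_id: str
    resource_id: str
    message: str


# Constructed sample inventory, shaped like what a discovery job might export.
SAMPLE_INVENTORY = [
    {"id": "bucket-public-logs", "type": "object_storage", "public": True,
     "encrypted": True, "tags": {"owner": "platform"}},
    {"id": "bucket-pii", "type": "object_storage", "public": False,
     "encrypted": False, "tags": {"owner": "identity"}},
    {"id": "db-main", "type": "database", "public": False,
     "encrypted": True, "tags": {}},
    {"id": "admin-role", "type": "iam_principal", "mfa_enforced": False,
     "tags": {"owner": "secops"}},
    {"id": "api-gw", "type": "api_gateway", "auth_required": False,
     "tags": {"owner": "apps"}},
]

# Constructed approved baseline: the posture each resource was reviewed with.
BASELINE = {
    "bucket-public-logs": {"public": False, "encrypted": True},
    "bucket-pii": {"public": False, "encrypted": True},
    "db-main": {"public": False, "encrypted": True},
    "admin-role": {"mfa_enforced": True},
    "api-gw": {"auth_required": True},
}


# Codified rules: each returns a message when the resource violates it.
def rule_no_public_storage(r):
    if r.get("public"):
        return "storage is publicly accessible"


def rule_encrypted_at_rest(r):
    if r.get("encrypted") is False:
        return "encryption at rest is disabled"


def rule_mfa_enforced(r):
    if r.get("mfa_enforced") is False:
        return "MFA not enforced on principal"


def rule_api_auth(r):
    if r.get("auth_required") is False:
        return "API endpoint accepts unauthenticated calls"


def rule_owner_tag(r):
    if not r.get("tags", {}).get("owner"):
        return "missing owner tag (inventory record incomplete)"


# (hypothetical rule id, resource types it applies to or None for all, predicate)
RULES = [
    ("PAC-001", {"object_storage"}, rule_no_public_storage),
    ("PAC-002", {"object_storage", "database"}, rule_encrypted_at_rest),
    ("PAC-003", {"iam_principal"}, rule_mfa_enforced),
    ("PAC-004", {"api_gateway"}, rule_api_auth),
    ("PAC-005", None, rule_owner_tag),
]


def evaluate(inventory, rules=RULES):
    """Run every applicable rule over every resource; return the findings."""
    findings = []
    for r in inventory:
        for rule_id, types, predicate in rules:
            if types is not None and r["type"] not in types:
                continue
            msg = predicate(r)
            if msg:
                findings.append(Finding(rule_id, r["id"], msg))
    return findings


def detect_drift(inventory, baseline):
    """Compare live settings with the baseline; return (id, key, want, got)."""
    drift = []
    for r in inventory:
        expected = baseline.get(r["id"])
        if expected is None:
            drift.append((r["id"], "<not in baseline>", None, None))
            continue
        for key, want in expected.items():
            got = r.get(key)
            if got != want:
                drift.append((r["id"], key, want, got))
    return drift


def pipeline_gate(inventory, baseline,
                  blocking=("PAC-001", "PAC-002", "PAC-003", "PAC-004")):
    """Pipeline step: fail on blocking findings or any drift; warn on the rest."""
    findings = evaluate(inventory)
    drift = detect_drift(inventory, baseline)
    blockers = [f for f in findings if f.rule_id in blocking]
    return {"pass": not blockers and not drift,
            "findings": findings, "drift": drift}


if __name__ == "__main__":
    result = pipeline_gate(SAMPLE_INVENTORY, BASELINE)
    for f in result["findings"]:
        print(f"{f.rule_id} {f.resource_id}: {f.message}")
    for rid, key, want, got in result["drift"]:
        print(f"DRIFT {rid}.{key}: expected {want!r}, found {got!r}")
    print("GATE:", "PASS" if result["pass"] else "FAIL")
```

Run against the constructed inventory, the gate fails: four resources drifted from their reviewed baseline and each trips a blocking rule, while the missing owner tag on the database is reported but does not block. Separating rules from the gate's blocking list is what lets a team tighten enforcement incrementally, the pragmatic, risk-based progression described above, without rewriting the rules themselves.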
4. Tell us something about your job that not many people know about.
People often assume my role involves setting policies in isolation, far removed from real-world implementation challenges. They might picture policy workers working from an ivory tower. My approach to cloud security policy is deeply rooted in hands-on experience. As a former Senior Solution Architect at GovTech, I helped design and build the cloud-native infrastructure for the National Digital Identity (NDI) platform - a strategic national project. Working on a mission-critical system like SingPass, which handles over 500 million transactions a year, meant I was in the trenches, using tools like IaC to build a secure, resilient, and scalable platform from the ground up. This experience continues to shape how I approach my current role at CSA.
Another common misunderstanding is viewing my role as purely administrative – focused solely on drafting policy documents. In reality, it’s about translating policy into practical, scalable engineering solutions. My passion lies in ‘Policy as Code’ (PaC), a deeply technical, engineering-focused discipline that uses automation and IaC to build security controls directly into the development pipeline. When I speak to the tech community, I demonstrate how these approaches can help teams meet the requirements of national standards, like our Cybersecurity Code of Conduct (CCoP), without slowing down innovation. It’s about making security an enabler, not a roadblock.
Here’s another thing people get wrong – thinking we work alone. Actually, collaboration is central to everything we do. We are constantly working with industry partners and other government agencies like GovTech and IMDA to review and update foundational frameworks like the MTCS standard. This isn't just about ticking boxes; it's about a continuous, strategic effort to ensure our national standards evolve to address new threats and technologies, keeping Singapore's entire digital ecosystem secure and resilient.
5. Outside of work, do you have any hobbies and interests? How do you unwind from work?
Outside of my professional duties, I find it’s essential to engage in pursuits that cultivate different but complementary mindsets. My interests are quite varied - they include international travel, the precision sport of air pistol shooting and the ongoing technical project of building out my home automation system. Each provides a unique way to unwind, but more importantly, each hones skills that are directly applicable to my work in cybersecurity.
Air pistol shooting, for instance, is a profound exercise in discipline and focus. It’s a sport where success is measured in millimetres, and every single action - from your stance and breathing to the final, steady trigger pull - must be deliberate, precise, and controlled. This mindset is directly transferable to the world of cybersecurity, where a single misconfiguration, a single overlooked vulnerability, can be the critical point of failure in an entire system. The sport cultivates the meticulous attention to detail and the calm-under-pressure disposition that is essential when analysing complex security architectures or making critical decisions during an incident.
My home automation project is my personal lab - a sandbox where I can remain hands-on with the very technologies we work to secure. It’s one thing to write policy about securing Internet of Things (IoT) devices; it’s another to grapple with integrating them, scripting their automations, and properly segmenting the network to isolate them. This hobby allows me to test principles like Zero Trust in a practical setting and gives me firsthand empathy for the real-world challenges that organisations and engineers face when implementing security controls. It ensures my policy work remains grounded in technical reality and keeps my skills sharp, which is crucial in a field that evolves so rapidly.
Finally, planning an international travel trip to an unfamiliar destination has its own form of risks and adventure - it requires understanding a different environment, anticipating challenges and having contingency plans. This broadens my perspective and is invaluable when collaborating with international counterparts on global security standards and norms. More importantly, completely disconnecting from the day-to-day allows me to return to work feeling refreshed.
Together, these hobbies are not just pastimes; they are a core part of my professional development. They create a valuable feedback loop, providing a balance between intense focus, hands-on technical application and strategic thinking - all of which are essential for navigating the complexities of the cybersecurity landscape.