Cybersecurity, Compliance and Cloud: Lessons from Singapore

with Yeo Beng Huay

Yeo Beng Huay leads the Governance Planning and Policy Division in GovTech, Singapore. Her team plans and formulates policies, standards, and guidance for government ICT and smart systems, and provides data driven management of compliance and risks.

Episode 38: Cybersecurity, Compliance and Cloud: Lessons from Singapore

Public Sector Future

Episode summary

Yeo Beng Huay leads the Governance Planning and Policy Division in GovTech, Singapore. Her team plans and formulates policies, standards and guidance for government ICT and smart systems; digitalizes governance to provide anticipatory and data driven management of compliance and risks; and trains public officers.

Download the episode transcript

Listen to this episode on any of these podcast platforms:

Spotify

Apple Podcasts

Google Podcasts

Deezer

Libsyn

How can governments manage and improve their cybersecurity and compliance?

Yeo Beng Huay leads the Governance Planning and Policy Division in GovTech, the Government Technology Agency of Singapore. In the third episode of our cybersecurity mini-series she shares how Singapore has adopted ambitious cloud-first goals and how her team are using agile approaches to policy making, automation and training to help agencies manage cybersecurity and compliance in the transition to cloud.

Leading on cybersecurity for the Singapore government

Yeo Beng Huay leads the Governance Planning and Policy Division in GovTech, the Government Technology Agency of Singapore. GovTech is the lead agency for digital government in Singapore. They harness technology to make a difference to citizens and businesses. 

Yeo explained the role of GovTech “broadly, our work can be categorized into three areas: products, solutions, and cybersecurity and governance. What we do is develop products for citizens, businesses, and the whole government. And in terms of services, we manage technology for about 60% of the Singapore government agencies, and cybersecurity and governance. We are the sectoral lead for cybersecurity in Singapore government.”

‘Smart Nation’ KPI for government move to cloud

“In Singapore, we are working on the Smart Nation. In 2018, we developed our digital government blueprint as a statement of our ambitions in support of Smart Nation. We advocate the Singapore government that is digital to the core. Under the digital government blueprint, we set out our own KPI to say that at least 70% of the eligible government services to be on commercial cloud by 2023.” 

Yeo added, “This is an ambitious goal. And with the acceleration of the cloud adoption, what it means to us from the governance group is to really make sure that there are proper clear security policies in place and tools to support the government agency in migrating their current solutions to cloud.”

What is it about cloud that attracts the government?

“I think in simple terms, it allows us to deliver our services faster, in a more agile fashion. And in fact, COVID has actually reaffirmed our emphasis in this area. It allows us to deliver our digital services in a very – in a quick time, turnaround time, and during COVID where citizens and businesses are not able to contact us physically, and we are able to roll out digital services in a very short span of time.”

“That is really due to the benefit of cloud and having the necessary governance policy in place beforehand. So, I’m happy to say that we had a head start.”

Yeo also explained there was an important governance element, which was, before they can move their digital clients from on-premise to the cloud, they have to ensure that they have the foundational governance elements in place.

“I think that is important, because cloud was new to us a few years ago. It is important to make sure that we have the foundation, we have the necessary tools and support to the agency while they strive towards moving their services to the cloud,” Yeo added.

How did you manage the transition?

Yeo explained that to support the move to cloud, the approach to policy making used “a very agile fashion”. Having first put in place the cloud-first policy, they started by focusing on policies for a smaller group, for systems classified as restricted and below. She added that “along the way we fine-tuned it. In fact, we get feedback from the agencies to make sure that the cloud policies are feasible and easier to comply [with].”

Yeo explained further, “So, the policy is evolving, as we go along, to make sure that it stays relevant, it is continued to be able to support the agency easily, and they are able to comply with, and more importantly, they are able to put in place controls.”

Yeo’s team follows a process that monitors and measures progress, allowing them to take in feedback and make changes if needed.

“Our policymaking is a quite extensive process. Before we’re able to roll out, we will have to seek consultation from the engineers, the business users, and CIO community, deliberate over there before we can get the approval and launch. But having said that, it doesn’t stop us from checking out to make sure that they are okay. Agencies are able to operationalize what we put in place. So, we do have a feedback channel. And we look at that and we have a process to say that ‘hey, look here, something is not quite here.’ Everybody is asking questions about this particular statement. We should fine tune it, look back and refine and improve along the way,” Yeo said.

The most common compliance needs

How does Yeo address compliance in an automated way with limited resources that allows time to not only be compliant, but ensures that her team is continuously compliant?

“So having a policy is not enough, actually. And we do training, as well, but with the increasing adoption of cloud, we are now looking towards automation to try to improve auto-tracking, as well as streamline the governance process.”

Yeo continued, “This included putting in place some auto-tracking, we call it CloudSCAPE, which stands for Cloud Security and Compliance Automation Platform Ecosystem, but what it does is that it monitors deployment on the government cloud to make sure that it actually complies with our policy.”

That includes the automated scans to monitor and send alerts where the system does not meet the security baseline, and also, it actually provides some remediation guides, for how the team can secure the cloud resources. 

“So, this is rolled out, 1.0, and we are working towards refining it. More than that, just last year, we also implemented a digital governance platform, where we pull into the relevant datapoints, provide a dashboard to the agency, say their cybersecurity engineer, to have a dashboard view of their compliance status, including the asset tracking, as well as patch management progress. This allows them to take action earlier. And we are continuing to improve to provide more insightful dashboards for the various stakeholders so that they can know ahead, what are the potential risks and be able to take action earlier to remediate? So automation is a way to go, moving forward,” Yeo said.

But how do you enforce this process in a way that doesn’t disrupt operations?

“At the policy level, at the standards level we did set for critical vulnerabilities you have to remediate by a certain time when the patch is made available. So, the purpose of this is really to provide an environment, a platform where a lot of the various stakeholders, whether you’re our cyber engineer or you are the CIO, to allow them to have more awareness of their risk for the ICT system. And then they can do more to uplift their compliance level.”

Mitigating challenges using cloud

Yeo was asked to share some of the challenges that her team is able to mitigate in the cloud and that they weren’t able to do in an on-prem environment.

“I would say that speed is definitely one of them. For example, if I have a government service where I look at seasonality of a transaction, for on-prem services with on-prem system, you will need to install with the hardware capacity to be able to manage the surge and load, whereas in cloud, it can be done pretty easily. You can actually do the autoscaling, and you can scale down when you don’t need it.”

Yeo added, “If you don’t need the services, you can even shut it down, from the cloud. We do see the beauty of cloud versus on-prem.”

How to optimize the compliance framework

The GovTech team are progressing towards moving higher levels of classification of systems into cloud. Yeo explained that “we will go progressively, as we learn and as we improve our governance processes to get control, and that’s where we can move on to the next level.” This will be supported by automation to enable auto-tracking, and the digital governance platform to raise awareness of risk areas. Alongside these efforts, the team are putting in place training to “to make sure that our officers are well equipped with the necessary skills to govern the cloud”.

“So it is actually indeed a transformation, not just in terms of digital services,” Yeo explained.

It’s important to modernize not only the technology, but also the people, the functions, the processes and the organizational structure of these programs.

How to avoid pitfalls

Yeo emphasized the importance of clarity to allow agencies to move forward “One of the things that we need to do is really to make sure that there’s a clear policy in place.” This allows agencies to be able to move forward with cloud adoption in a compliant manner. Yeo also emphasized the importance of training, agility in approach, and the opportunities to use automation to help improve compliance.

Practical advice for government organizations

What advice can Yeo offer other government organizations when it comes to cybersecurity?

“I will just say that, first start with what you have, looking at your assets and what are the scope that you can roll out in managed scope. We have a certain set of processes in place to guide the agency forward. Also have in place some automation to help to trigger certain exceptions that didn’t meet the baseline or certain with critical risks. This is so that you have a safe environment for the agency to do their startup.”

“As you progress, you can refine the policies and do more complex cloud services, and you can move on to the next level. So, I will say that the first step is to start small. Make sure you have the necessary compliance processes in place and automation to help trigger any risk area before you go into and do more on cloud,” Yeo concluded.