Case Study

Standardizing Enterprise Scale: A Global API Governance Framework for SSG



Standardizing Enterprise Scale: A Global API Governance Framework for SSG — case study cover
Customer

SkillsFuture Singapore (SSG)

Service

API governance

Date

May 2020

Consistency, security, and speed to market matter for external API consumers and internal service consumers in equal measure. Effective governance automates best practice and gives engineering teams the freedom to iterate safely. That principle shaped how Sakura Sky engineered SkillsFuture Singapore’s API governance framework.

SkillsFuture Singapore (SSG) is the Singapore government agency that promotes lifelong skills development for the national workforce, and operates a complex ecosystem of internal, external, and partner-delivered APIs to do it. Sakura Sky’s Cloud practice delivered a versioned, adaptive governance framework designed to evolve with the agency’s technical maturity.

The Challenge

As a complex adaptive system with many intertwined silos, committees, and regulations, SSG needed an approach that optimised IT effectiveness without creating approval bottlenecks. The goal was business agility, with the risks of system evolution and data access mitigated by design rather than by review committee.

The Engineering

We defined the boundaries of governance across the entire API value chain, separating the needs of Service Providers (the engineers building APIs) from Service Subscribers (the engineers consuming them), because the two groups operate on different cadences and require different controls. The framework rests on four engineered commitments:

  • Lifecycle stage-gating. A four-stage workflow (Inception, Build, Adoption, Close) with explicit entry and exit criteria at each milestone. Quality is gated by the gates, not by a review board’s calendar.
  • Standardised technical patterns. REST architectural styles, OpenAPI documentation, and JSON schema definitions are mandated for every API, so every consumer sees the same shape regardless of which team produced the endpoint.
  • Security baseline in code, not policy. The OWASP REST Security Cheat Sheet is enforced as a mandatory compliance standard at the endpoint level, not described in a PDF that nobody reads.
  • Hybrid operational model. Centralised standards, distributed decision-making. Engineering teams retain autonomy day-to-day while global security and monitoring posture stays uniform across the agency.

Outcomes

This was greenfield work, so the deliverables themselves are the outcome: the framework, the standards, and the measurement model SSG continues to operate on.

  • Performance accountability. Standardised SLAs and SLOs give every API team measurable visibility into performance, scalability, and availability.
  • Automated consistency. Every API is tested for conformance against the framework before publication, so the developer experience stays uniform across the ecosystem.
  • Continuous improvement. A quarterly assessment schedule using industry tooling (Apigee Compass) measures program maturity against global peers, so SSG’s governance posture evolves with the practice.

The pattern under all four commitments is the one we now apply across our GRC service line and our Praxis compliance solution: governance engineered into the substrate so compliance posture is the outcome of how the system runs, not a separate annual exercise.


If you’re standing up or maturing an API governance practice across a complex multi-team organisation, contact us to scope an engagement.