Open to new roles

Robin Chan

DevOps Engineer · Systems · Security

Five years inside a HIPAA-regulated telehealth SaaS, from QA security testing to owning the infrastructure. I studied cybersecurity before I wrote my first pipeline — so least privilege, attack surface and failure modes are where I start, not what I bolt on afterward.

  • 📍 Toronto, ON
  • 🌐 Open to remote / hybrid
  • 🎓 CEH v13
  • $18k Annual savings from a 14-server cloud-to-bare-metal migration
  • 40+ Containerized services in the biweekly US & CA release cycles I help manage
  • 26 Terraform modules maintained across multiple AWS accounts
  • FedRAMP Moderate authorization effort — implemented technical controls

01 Experience

Same company, three roles, one continuous trajectory — cybersecurity training into QA into infrastructure ownership.

  1. DevOps Engineer

    2023 — Present

    Keel Digital · HIPAA-regulated telehealth SaaS

    • Led a 14-server migration from DigitalOcean droplets to OVHcloud bare-metal (Proxmox VE) — vendor analysis, Debian selected for a minimal OS footprint, full disk images transferred over SSH, Ansible to remediate networking post-migration. Designed a NAT gateway topology that removed public interfaces from every dev VM, cutting attack surface and saving ~$18,000 CAD annually.
    • Built an OpenSearch SIEM from the ground up: Fluentbit log ingestion with PII/PHI filtering, Lambda-based automated alerting, and custom Sigma rules targeting authentication and authorization threats.
    • Maintain Terraform IaC across multiple AWS accounts and 26 modules (ECS, S3, IAM, KMS, RDS, VPC, SageMaker); built a new AWS Comprehend module from scratch integrating S3, KMS and IAM.
    • Extended GitHub Actions CI/CD across multiple repos — Trivy scanning as a build gate, parallel multi-service builds, multi-brand matrix builds producing per-brand images; deploys to ECS via automated task definition updates and to dev via SSH through a bastion host.
    • Administer a self-hosted OAuth/SSO platform serving thousands of users across US/CA production — client and scope management, auth flows, delegated admin groups, Zabbix alerting on auth failures. Manage least-privilege IAM across 16 environments.
    • Rapid Response Team — 10+ production incidents; traced one degradation to database connection-pool exhaustion via Elastic log analysis and coordinated remediation.
    • Deployment Team — release cycles for 40+ containerized services across US and Canadian production, biweekly, with out-of-band releases for vulnerability fixes.
    • Contributed to the FedRAMP Moderate authorization effort — implemented controls spanning S3 encryption at rest, audit logging, network segmentation, access control and CI/CD hardening.
  2. QA Analyst

    Co-op 2020 — 2022 · Full-time 2022 — 2023

    Keel Digital

    • Discovered and reported a critical vulnerability in the registration API before it reached production, through security-focused API testing.
    • Developed JMeter test suites for API rate limiting, RBAC enforcement and authorization boundary testing.
    • Added a Nessus container to the application's Docker Compose stack, running monthly internal-network vulnerability scans for compliance and reporting findings to security, compliance and operations.
    • Solely responsible for artifact builds and production deployments for client onboarding and demos — multiple releases per week at peak.

02 Projects

Work outside work. The cloud build ships with a write-up of its decisions — including the mistakes, which is usually where the real learning is.

URL Shortener on ECS Fargate

In progress

A Python/FastAPI service deployed to AWS ECS Fargate with Terraform and a GitHub Actions pipeline, built in phases from an empty AWS account. Multi-stage Docker build running as a non-root user — 230MB image versus the 1GB+ a naive single-stage build produces. CloudWatch logs, alarms and dashboard.

The build log is the point. It records the real reasoning — why root credentials can't be scoped down the way an IAM identity can, why health checks belong on a dedicated dependency-light route rather than a business-logic one — and the mistakes as they happened, including a credential exposure that led to adding gitleaks pre-commit scanning, and the discovery that gitleaks' AWS rule doesn't flag a bare AKIA key without valid checksum structure. Most portfolios show only the polished result.

  • AWS
  • ECS Fargate
  • Terraform
  • Docker
  • GitHub Actions
  • FastAPI
  • CloudWatch
  • gitleaks

Ephemeral Game-Server Infrastructure

Homelab

A self-managed Kubernetes homelab where dedicated game servers — currently Palworld — exist only while players are on them: spun up on demand, torn down when the last player leaves. Dedicated servers burn power and money sitting idle; making them ephemeral drives idle cost to zero, in exchange for problems worth engineering.

Those problems are the point of the lab: what triggers a server into existence, how world state survives teardown, and how spin-up stays fast enough that players never notice the server didn't exist a minute ago. This is the infrastructure behind the Kubernetes (homelab) line on my résumé — deliberately labeled homelab, and happy to walk through the lifecycle end to end.

  • Kubernetes
  • Linux
  • Lifecycle automation
  • Game servers

03 Skills

Cloud & Infrastructure

  • AWS EC2
  • ECS
  • Lambda
  • S3
  • IAM
  • SSM
  • CloudWatch
  • EventBridge
  • VPC
  • Proxmox VE
  • OVHcloud
  • DigitalOcean
  • Linux

IaC, CI/CD & Containers

  • Terraform
  • Ansible
  • GitHub Actions
  • Docker
  • Kubernetes (homelab)

Monitoring & Security

  • OpenSearch / ELK
  • Sigma rules
  • Zabbix
  • Grafana
  • Loki
  • Prometheus
  • Fluentbit
  • Keycloak (SSO/IAM)
  • Nessus
  • Trivy
  • JMeter

Compliance Frameworks

  • FedRAMP
  • HIPAA
  • PHIPA
  • PIPEDA
  • NIST
  • ISO 27001
  • SOC 2

Scripting

  • Python
  • Bash
  • Lua
  • JavaScript

Education & Certifications

  • Certified Ethical Hacker (CEH) v13 EC-Council
  • Advanced Diploma, Cybersecurity Fanshawe College · London, ON

04 About

I studied cybersecurity at Fanshawe College and earned my CEH before I wrote my first pipeline. That order matters more than it sounds like it should: I entered the workforce already thinking about attack surface, access control and failure modes, and it shows up in the defaults I reach for. Least privilege in every IAM policy. Network topology that starts from what shouldn't be reachable. Trivy gating the build rather than just flagging it.

QA at Keel Digital is where that training met real production systems. I built JMeter suites against rate limiting, RBAC and authorization boundaries, added Nessus scanning to the Compose stack for monthly compliance scans, and found a critical vulnerability in a registration API before it shipped. That stretch taught me how APIs actually behave under pressure and where security assumptions quietly fall apart once tested.

DevOps took it further. Knowing the traffic patterns and service dependencies from the QA side shaped how I build pipelines, how I scoped the bare-metal migration, and how I designed our SIEM's log ingestion. I've since contributed to a FedRAMP Moderate authorization — 300+ NIST SP 800-53 controls, third-party assessment, continuous monitoring — which is about as unforgiving a proving ground as compliance work gets.

The cybersecurity-to-QA-to-DevOps path means fewer blind spots. I'm looking for platform, systems or DevSecOps work where that combination is worth something — ideally somewhere the security and reliability requirements are real rather than aspirational.

05 Contact

Email is the best way to reach me — résumé available on request. Happy to talk about platform, systems, DevOps or security engineering roles.