#101: Security platform engineering
Hey there! Welcome to Platform Weekly. Your weekly piece of the platform engineering orange. Every week, we unpack a part of the platform engineering universe diving into news, lessons, and best practices. Haven’t answered the State of Platform Engineering 2024 surveys yet? Help us out!
Security benefits of platform engineering
There are two contradictory truths in the wide world of large-scale platform engineering projects.
The first is that almost no one (except security) cares about security. The second is that nothing gets done, without sign-off from security.
I was on a call with almost 100 people yesterday talking about platform engineering. Some were people who’d only just started their first platform engineering role, others were Heads of platform teams with 30 years of experience. When I asked the group, “What problems are you looking to solve with platform engineering?” Almost zero of them mentioned security.
The answers were what you can imagine, standardization, cognitive load, ticket ops, etc. And it’s completely understandable, those are the big money makers. It’s what’ll get you the funding you want for your platform, and they’re what’ll have the most impact on your organization. But they aren’t enough to pass the most important sniff test of all. Will security sign off?
Let me explain why they should.
The beautiful thing about platform engineering is that you can focus on all those money-makers… and better security comes with it.
Unlike with, say, DevOps, the elements of platform engineering (the building of an Internal Developer Platform as a product) that drive business value are often the same that can drive improved security. And if they aren’t automatically aligned, building an IDP that enables security by design is relatively simple and does not slow down or take away from your platform engineering initiative at all.
The standardization that drives better workflows that decrease config spread, and improve developer self-service so they can deploy faster and easier - is the same standardization that makes everything in your org easier for security to maintain.
Those golden paths you’re building to simplify devs' lives likely also for example massively reduce the attack service of your organization by decreasing the number of non-standard un-compliant environments and unique configurations that attackers can exploit.
At the same, platform engineering brings with it an unparalleled degree of versatility and scalability.?
Does your organization need military-grade security for your Internal Developer Platform ??
Well, it can have it.
Does your org need multiple clouds? On-prem, and some air-gapped? Sure. It can have it.
Or maybe it just needs to reduce the number of incorrectly made TF files. It can do that too.
Take a look around your platform initiative. Especially if security isn’t something you’ve had in mind. Where might it easily fit in?
You might realize you might have had the arguments to convince your security team in front of you the whole time.
You won’t find us needing PlatSecOps in 5 years time.
You’ve got it covered already.
P.S. It's your last chance to fill in the State of Platform Engineering survey!