You finally got exec buy-in and budget approval to get started on your platform engineering journey and have started building your Internal Developer Platform (IDP). You’re mapping out your target reference architecture, and designing golden paths that will make your devs’ lives so much better. Everything is going according to plan. You are only missing the green light from security. If their review goes sideways, it could stop the entire thing. Now you are nervous. But should you be?
When discussing the benefits of platform engineering and of Internal Developer Platforms, it is common for the community to focus heavily on value drivers like automation (increased dev velocity) and standardization (no more TicketOps). Both of those things have a huge impact on time to market and allow engineering organizations to move fast without breaking things.
Yet one of the implicit key benefits of platform engineering is often forgotten: its impact on security and its position as the next evolution of DevSecOps. Here are 5 reasons why your security team will fall in love with your Internal Developer Platform (and why there’s no need to stress about that security review).
Top security benefits of platform engineering
1. Standardization by design
A well-designed Internal Developer Platform will ensure that configurations are automatically updated, reducing the cognitive load on developers and promoting standardization across environments.
All interactions between developers and the underlying infrastructure, such as requesting a new database or spinning up a new environment, will follow golden paths and pre-defined paved roads that adhere to the most up-to-date configurations. This massively reduces the risk of vulnerabilities or last-minute unhappy surprises when apps and services are deployed. No more ad-hoc setups that vary from team to team or app to app.
Using this well-designed Internal Developer Platform, your platform engineering team, alongside your security team, can more easily implement security and infrastructure best practices and ensure they are enforced across all teams and workflows, by design.
2. Scalable security best practices
As an effective Internal Developer Platform enforces security best practices automatically, platform engineering teams can more easily enable the scaling of Secure by Design principles across large organizations.
Internal Developer Platforms also enable shared security services, standardization, and automation of repetitive security tasks by default across the entire estate. Teams are naturally onboarded to the latest security best practices as the IDP gets rolled out and adopted. This allows security measures such as least privilege access control to be implemented consistently and efficiently across all applications.
3. Reduced attack surface
The benefits of standardization are not limited to an improved ability to ensure best practices are implemented. As standardization becomes easier to enforce and maintain within your organization, the number of non-standard, non-compliant environments will decrease drastically. Limiting the variability of infrastructure can massively reduce the attack surface of your organization, simply because there are fewer unique configurations that attackers can exploit.
Alongside this, IDPs can also make it significantly easier to design and maintain isolated environments.
4. Versatility
The core principles of platform engineering apply to almost any setup, as an enterprise-grade Internal Developer Platform offers incredible versatility in terms of the underlying stack it leverages. The security benefits of platform engineering listed in this article will almost certainly apply whether your organization works in the cloud, on-prem, in a complex hybrid setup, or even in air-gapped environments for the highest security cases like governments or major public institutions.
5. Prevent privilege creep
Cleaning up unused permissions is as important as being able to hand out new ones. Failure to do so will result in a gradual expansion of permissions and no control over who, or what, is able to access which systems and data within an organization. This is known as "privilege creep".
A well-designed platform engineering approach can ensure that access privileges for both humans and systems are not only assigned in a controlled manner, but also revoked when no longer needed. When permissions become one of the resources managed by your platform, they are inventoried, created, and removed just like any other resource, and maintained following the same platform engineering principles.
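To make the "permissions as a managed resource" idea concrete, here is an added example (not from the original article or any specific IDP product) that reconciles the grants declared in platform manifests against the grants that actually exist and produces a create/revoke/review plan. All principals, resources, roles, dates and the 90-day idle threshold are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample data: grants declared in the platform's manifests
# (desired state), as (principal, resource, role) tuples.
DECLARED = {
    ("svc-checkout", "db/orders", "read-write"),
    ("svc-reporting", "db/orders", "read"),
    ("alice", "env/staging", "deployer"),
}

# Constructed sample data: grants found in the live access system, mapped to
# the date each one was last exercised (None means never used).
ACTUAL = {
    ("svc-checkout", "db/orders", "read-write"): date(2024, 5, 30),
    ("alice", "env/staging", "deployer"): date(2024, 1, 10),
    ("alice", "db/orders", "admin"): date(2023, 11, 2),  # granted by hand
    ("svc-legacy", "db/orders", "read"): None,           # owner decommissioned
}


def reconcile(declared, actual, today, max_idle_days=90):
    """Compare desired grants with live grants and return an action plan.

    create: declared but missing from the live system
    revoke: live but not declared anywhere (privilege creep / drift)
    review: declared and live, but idle longer than max_idle_days
    """
    cutoff = today - timedelta(days=max_idle_days)
    plan = {"create": [], "revoke": [], "review": []}
    plan["create"] = sorted(declared - set(actual))
    for grant in sorted(actual):
        last_used = actual[grant]
        if grant not in declared:
            plan["revoke"].append(grant)
        elif last_used is None or last_used < cutoff:
            plan["review"].append(grant)
    return plan


if __name__ == "__main__":
    for action, grants in reconcile(DECLARED, ACTUAL, date(2024, 6, 1)).items():
        for principal, resource, role in grants:
            print(f"{action:7} {principal} -> {resource} ({role})")
```

Undeclared grants go straight to the revoke list because the manifest is the source of truth; declared-but-idle grants are only flagged for review, since removing them means changing the manifest first.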
Conclusion
While platform engineering is often celebrated for boosting velocity and time to market, its impact on security can be immense.
By enforcing standardized security practices, automating compliance, and fostering better collaboration between teams, platform engineering teams, and the Internal Developer Platforms they build, can help ensure that security is deeply integrated into the development process. At the same time, they can enable scalable and consistent implementation of security measures, streamline audits, and reduce the risk of vulnerabilities.
Ultimately, Internal Developer Platforms built and run by a platform engineering team allow developers to focus on delivering software quickly and efficiently, without compromising on security, making it an essential component of modern software development.