Mitigating risk at the root: Platform engineering is a humanistic approach that works

Learn how an internal developer platform can reduce human error-driven vulnerabilities and help security and development teams work better together.

Human error is the root cause of the majority of security incidents and data breaches — 68% of a record-high 10,000+ breaches globally, according to Verizon’s 2024 Data Breach Investigation Report. Human error runs the gamut from misconfigurations at cloud resource inception, to manual errors in secrets management, to being tricked by targeted phishing attacks. Fortunately, applying a platform engineering approach to the vast cloud estates modern enterprises rely on can dramatically reduce related human error — and cloud risk — at its root.

Platform engineering and IDPs

Platform engineering enables a cohesive, highly secure, and efficient enterprise cloud operating model. It is the discipline of designing and building tools and workflows that give software engineering teams self-service access to cloud resources in a secure and compliant manner.

Conceptually, platform engineering is a highly scalable superset of DevOps methodologies designed to break down the barriers between development and operations teams. It's a practice that is especially critical at organizations that have a long tradition of operating in silos.

Platform teams are typically focused on building an internal developer platform (IDP), which consists of tools and workflows that blend security, development, and operations components. An IDP can be broken down into six key functions:

  1. Security
  2. Pipeline
  3. Provisioning
  4. Connectivity
  5. Orchestration
  6. Observability

The platform team aims to create a stable and scalable foundation for practices like DevOps. Properly executed, the IDP mitigates risk and improves efficiency in multiple ways:

  1. Reduces human error and risk by driving consistency, streamlining developer workflows, and scaling compliance and security practices through automation.
  2. Supports improved software developer productivity, more frequent releases, better application stability, and lower costs.
  3. Creates a single point of engagement for cybersecurity, software development, IT operations, and compliance teams.

IDPs and error reduction during cloud resource provisioning

Error reduction is the flashing-neon benefit of an IDP, with good reason. It is estimated that an American adult makes 35,000 decisions a day, with most studies suggesting that the average person can effectively compare and choose between five to nine options simultaneously. The AWS Service Catalog offers well over 200 services, making it impossible to consider more than a handful of options when spinning up new cloud resources. Cloud resource provisioning is one of the key areas where an IDP shines. Provisioning is a step where many configuration errors occur, creating the data breach vulnerabilities that cybercriminals most frequently exploit.

IDPs as a bridge between developers and security

An IDP can neutralize the opposing goals between development and security teams. Generally speaking, developers want to go fast and reduce cost; security teams want to reduce risk, which can be expensive and hinder developer speed. Organizations that don’t provide clear overarching goals of where and how these teams can meet in the middle create (and perpetuate) opposing cultures.

Instead of continuing an environment in which developers barge ahead to procure and configure cloud resources, and security/operations teams are branded “the department of ‘no,’” platform teams deliver a more prescriptive approach that brings both parties into closer alignment. Because the IDP provides the structure for these teams to meet in the middle, all members can spend more time doing the work they do best.

How to “shift left” to systemically reduce risk

Shift left is a strategy that puts testing, vulnerability scans, and best practice templating in the earlier stages of software development. By shifting these tasks “left” to a point in the design, development, and pre-provisioning phases, software teams can prevent security issues or discover them earlier before they become more impactful in the final phases when the application and infrastructure are already built. An IDP can implement a shift-left strategy by abstracting security, reliability, and compliance policies and best practices into:

This allows organizations to enforce corporate development, security, and operations policies in a repeatable and highly scalable way, without pushing developers into deeply technical territory. These guidelines are built into the way cloud resources are initiated, providing strong protection that is invisible to users.

IDPs allow security and compliance organizations to insert a security plane into every developer workflow to be automatically consumed before deployment. Equally important, cloud resources originating through the IDP are more easily tracked, audited, and managed, allowing vulnerabilities to be detected and remediated faster.

Mitigate risk with an IDP now

HashiCorp believes that a successful platform engineering program starts with a conversation. We want to listen and learn about your organization’s story, its digital estate, and its larger ecosystem. What needs to change, and what does “good” look like?

To start the conversation, get in touch. For another look into internal development platforms, watch the video of my session at HashiConf, Measuring the impact of an internal development platform, and follow me on LinkedIn.