May 29, 2024

Platform Engineering Best Practices: Data Security and Privacy


Security is and will always be a huge concern, and Platform Engineering is here to stay: so, what are some Platform Engineering best practices that can support your data security and privacy efforts? You’d be surprised where they overlap, and what you can learn about putting security and productivity together — we’ll explain. 

Data Security and Privacy Takeaways from The State of DevOps 2024 

The 2024 State of DevOps: The Evolution of Platform Engineering revealed a surprising trend for us: most organizations with some level of Platform Engineering maturity already have security as a part of their platforms from the start; it’s already baked into the foundation of their self-service and Platform Engineering initiatives. 

When we think about this for a minute — is it so surprising? Self-service is at the heart of Platform Engineering, and most (if not all) organizations need to find a way to have security constantly running and continually in place. 

The report results came from over 400 respondents, most of whom worked within technology — i.e., respondents working with digital assets that need to be protected. Here are a few important callouts about our respondents: 

  • 44% of respondents were from the Technology industry 
  • 40% came from Management (Senior Managers, Managers, etc.) 

Our report also revealed the top three things that “should” be included within the Platform Engineering team’s scope of work: 

  1. Services that enable app developers to build, deploy, and run their apps 
  2. Provisioning and managing infrastructure to support developer teams 
  3. Automating workflows and processes 

This expanded scope helps organizations reach their data security and privacy goals — 83% said that the platform team has helped their company become more compliant. Which brings us to our next section: 

Why You Can’t Have Security Without Compliance 

Security and compliance are not separate or competing priorities: effective security can hardly be achieved without robust compliance. Here’s why: 

Understanding Security and Compliance 

Security refers to the practices and technologies employed to protect systems, networks, and data from attacks, damage, unauthorized access, and other security threats. This involves a variety of different measures, including firewalls, antivirus software, encryption, intrusion detection systems, and security protocols. 

Compliance involves adhering to laws, regulations, standards, and industry guidelines designed to ensure data protection, privacy, and operational integrity. Examples of regulatory frameworks include ACSC Essential 8, the Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry Data Security Standard (PCI DSS). 

Compliance-Specific Benefits 

  • You create a foundation of trust when customers see that you are following industry standards or have passed audits that achieve a compliant state. 
  • You avoid legal and financial repercussions that come from compliance failure, including severe penalties, legal consequences, and reputational damage. 
  • You have a starting point for mitigating risk by identifying and addressing potential security risks through mandatory risk assessments and audits. These processes make sure that security measures are implemented, regularly tested, and improved. 

Security-Specific Benefits 

  • You can address new and evolving threats at a faster pace than compliance requirements can be built, which offers you a more dynamic and flexible security approach to address emerging risks. 
  • You can tailor a security posture to your business when a one-size-fits-all compliance approach might leave out specific vulnerabilities that affect your organization. 
  • You can stay vigilant with continuous monitoring and updating mechanisms to ensure that security measures remain effective against evolving threats. This includes regular risk assessments, vulnerability scans, and security updates beyond what is required for compliance. 

The short summary is simple: compliance is a starting point, but true security demands ongoing dedication and proactive efforts. 

Platform Engineering Best Practices that Boost Security  

The most evolved organizations go beyond DevOps, focusing on building and managing platforms that provide infrastructure, tools, and services for developers. This way, teams are empowered to deliver software faster, with greater reliability, by abstracting and automating infrastructure complexities. 

Self-service automation is the secret to data security and privacy success, and luckily, it is a shared goal with Platform Engineering. 

Here’s where security, compliance, and Platform Engineering overlap: 

Automate Everything 

You can automate common aspects of security and compliance to reduce the manual time, effort, and resources you’re dedicating to things like: 

  1. Testing: Continuous testing can help you identify vulnerabilities before they become a bigger problem — which is why automated testing tools should regularly assess the platform for security issues. 
  2. Patching: Automation can help you regularly update all platform components, including operating systems, libraries, and third-party software, to patch known vulnerabilities. 
  3. Scanning: Automation can make it easy to regularly review your infrastructure-as-code scripts and employ security scanning tools to detect misconfigurations and vulnerabilities. 
  4. Deployments: Need to roll out a new access management process or a fix? Automating deployments can make this painless, fast, and accurate. 
  5. Access Management: You can automate your rules for effective access management, making sure that only authorized personnel have access to sensitive areas of the platform. 
  6. Compliance Frameworks: Building automated policy as code to adhere to your compliance frameworks makes it easier to stay compliant and tackle audits down the road. 
  7. Incident Response: Use automation to prepare for security incidents: a well-defined, regularly updated plan that executes a known set of steps when something goes wrong. 

Make Security as a Service a Key Deliverable 

Per our 2024 report, a surprising ~70% of organizations already integrate security measures from the start of their platform engineering initiatives — and this really reflects the urgency due to evolving regulations and cyber threats. 

Platform teams are turning security tasks into security as a service, such as: 

  • Enforcing software and tool version compliance (51%) 
  • Implementing organizational security standards (46%) 
  • Conducting continuous vulnerability scans (42%) 

43% of platforms now have dedicated security and compliance teams — the emphasis on proactive security management is clear. It's no longer merely optional; delivering proactive platform security as a service has become critical for navigating today's threat landscape. 

How Puppet Supports Platform Engineering Best Practices  

Platform engineering can empower developers to focus on innovation, not security fires. By streamlining infrastructure provisioning, automating workflows, and enforcing consistency, platform engineers pave the way for rapid development cycles and secure deployments. That's where Puppet comes in. 

Puppet lets you use modules to enforce security and compliance policies throughout your infrastructure. You can build and customize vulnerability scans, automate security patching, and streamline workflows, all while staying compliant. We call this “freedom within boundaries”: you have the flexibility to customize, and Puppet ensures you remain compliant and audit-ready. 
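To make the policy-as-code idea from the Automate Everything list concrete (version compliance, organizational standards, access restrictions), here is a small Puppet manifest written as an added example for this post; it is not taken from Puppet’s own modules. The class name profile::ssh_baseline, the Debian-style package name openssh-server and service name ssh, the version-pin parameter and an sshd that reads /etc/ssh/sshd_config.d are all assumptions.

```puppet
# Added example (hypothetical class, not part of Puppet's module set):
# enforce an SSH hardening baseline as code. Assumes Debian-style package
# and service names and an OpenSSH that includes /etc/ssh/sshd_config.d/*.conf.
class profile::ssh_baseline (
  String  $openssh_version = 'present',  # assumed pin, e.g. a specific package version string
  Boolean $allow_passwords = false
) {
  # Version compliance: manage the package explicitly instead of accepting
  # whatever happens to be installed on the host.
  package { 'openssh-server':
    ensure => $openssh_version,
  }

  # Organizational standard rendered from a parameter so exceptions are
  # explicit and reviewable, not hand-edited on individual servers.
  $password_auth = $allow_passwords ? {
    true    => 'yes',
    default => 'no',
  }

  # A managed drop-in file: any manual drift is reverted on the next agent
  # run and reported as a corrective change, which is the audit trail.
  file { '/etc/ssh/sshd_config.d/50-baseline.conf':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0600',
    content => @("CONF"),
      # Managed by Puppet (profile::ssh_baseline); local edits are reverted on the next run
      PermitRootLogin no
      PasswordAuthentication ${password_auth}
      MaxAuthTries 3
      | CONF
    require => Package['openssh-server'],
    notify  => Service['ssh'],
  }

  # Access restriction: the main config is readable only by root, a common
  # hardening-benchmark requirement that is easy to lose on a hand-built host.
  file { '/etc/ssh/sshd_config':
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => '0600',
  }

  # Keep the service running and enabled; the notify above restarts it only
  # when the managed drop-in actually changes.
  service { 'ssh':
    ensure => running,
    enable => true,
  }
}
```

Run `puppet agent -t --noop` first to see which of these resources would change on a host without enforcing anything; once applied, drift from the baseline appears as a corrective change in the run report.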

Puppet also allows you to seamlessly shift to a “Zero Trust” security model, in which no component of the environment is trusted by default and every component is treated as a potential threat. This is a fundamental change in the way information systems are designed and operated, adding a layer of always-on security policy protection.

Don’t take our word for it: try it for free and see how Puppet can make a difference to your Platform Engineering and security initiatives: