When selecting a core component for your enterprise-grade Internal Developer Platform (IDP), one crucial factor that should top your priority list is security. It's not enough for your tool's provider to merely grasp the importance of security; they must also offer the necessary features to fortify your organization's defences—rather than compromise them. In this blog, we will delve into how the Humanitec Platform Orchestrator excels at bolstering the security of your engineering organization by enabling security best practices by design. By exploring these key aspects, you can gain valuable insights into how Humanitec can serve as a powerful ally in enhancing your engineering organization's overall security posture.
How the Humanitec Platform Orchestrator works
The Humanitec Platform Orchestrator powers Internal Developer Platforms (IDPs) by sitting at the platform’s core and enabling developers to deploy Workloads and all their Resource dependencies with a single Workload specification. Developers don’t need to specify configuration values per environment; Humanitec automatically uses the outputs of Resources and the secret store to configure the Workloads.
Platform engineers, on the other hand, can define exactly how Resources will be provisioned and allocated to each Workload based on matching criteria, enabling standardization by design.
The flow of work looks like this:
While the architecture of a Dynamic IDP using Humanitec looks like:
Humanitec integrates well with other tooling and does so securely. The customer has flexible options to store secrets on their own infrastructure if desired and pick their choice of secret store. This is a diagram of the data that flows to Humanitec (when the customer stores secrets):
7 security benefits of using Humanitec
Now we’ve covered how Humanitec works, let's dive into how exactly it can be used to bolster your organization's overall security posture.
1. Enforce security and infrastructure best practices by design
Humanitec makes standardization by design the norm. Whenever platform engineers implement Resource Definitions for Workloads to use, the Workloads will automatically use standardized solutions on every deployment, which means using the best possible secure configuration for your Resources.
For example, let’s say a developer specifies they need a Postgres database for their Workload. The platform engineer can define where and how this gets provisioned depending on the environment the Workload is deployed. In this scenario, there’s no need for the developer to worry about infrastructure details, while the platform engineer has full control over how and where the Resource is created.
2. Resource secrets are automatically injected into Workloads
One of the main reasons to use secret variables in your Workloads is to configure Resources. When these Resources are provisioned separately, these secrets need to be handled with care by the developer configuring the Workload.
Humanitec provisions Resources and can automatically inject the secret values into Workloads using Placeholders. This means that the secrets never need to be written down or even looked at by the developers.
For other values that are not Resource-related, developers can create secrets with Humanitec, which are then safely stored in their secret store of choice. Once the secrets are written down, you can choose to disable reading them except for when used by a Workload.
Moreover, the Platform Orchestrator can automatically infer secrets and configuration values based on context. This removes the need for a sprawl of values and secrets across multiple repositories for every single environment and it eliminates configuration drift as developers only need to create one Workload specification that applies to all environments.
3. Control access with RBAC
Humanitec lets you define different access levels based on responsibilities with Role Based Access Control (RBAC). Developers can work more confidently knowing they can’t break something outside of their purview, and you can also increase focus on the tasks that are required of them.
Developers also don’t need direct access to the cluster when using Humanitec. All Workload deployments are done via Humanitec, and you have complete observability of your Workload log and deployment history (who, when, what and potentially why).
4. Revert easily with built-in rollback
With Humanitec, you can rollback your deployments and revert to any previous deployment version if a security issue was discovered on a newer application version. This seamless process requires very little additional work for the user. Every deployment in Humanitec is a delta, meaning all your changes can be reverted—similar to how Git works.
5. Audit every deployment
Every deployment is auditable in Humanitec. You can view who, when, where, and why the deployments were made and specify the reasons why deployments are done with a message.
6. Stay secure with single sign-on (SSO)
Humanitec enables you to use your existing identity provider, with support for SAML1.1 or 2.0 and SSO with your Google and Microsoft accounts.
7. Agent-based connection
Humanitec offers an agent to create a tunnel between your internal network and the SaaS offering of Humanitec. This means you don’t need to open up your network to the public internet.
Keeping security at our core
In conclusion, security is at the core of Humanitec's design, with every decision made to prioritize the protection of your infrastructure and data. By choosing Humanitec, you gain significant security advantages that contribute to a more robust and efficient platform:
1. Platform engineers can ensure the implementation of security measures and best practices for every deployment, resulting in enhanced infrastructure security and reduced sprawl.
2. Resource secrets are automatically injected into Workloads via Placeholders. Secure storage of secrets eliminates the need for passing them around and prevents secret sprawl.
3. Users can rollback deployments and revert to previous versions in case of security issues, with minimal additional work.
4. Role assignments and cluster access controls allow for mitigating direct access to clusters, increasing security by limiting unauthorized interactions.
5. Auditing capabilities enable you to track and analyze deployments, providing insight into who initiated them, the reasons behind them, and when they occurred.
6. Implementing single sign-on (SSO) is a straightforward process, integrating seamlessly with your existing company user base and enhancing convenience without compromising security.
7. Our agent eliminates the need for a direct connection to your internal clusters.
With Humanitec, security is not an afterthought but an integral part of our product's DNA. Our Platform Orchestrator enables security best practices by design and in doing so, empowers you to build and manage your platform with confidence and peace of mind.