Microsoft Taking Up the Mantra of Platform Engineering
Microsoft is going all in on platform engineering as the company continues to develop and expand its almost one-year-old Secure Future Initiative (SFI) that aims to make software security front and center in everything Microsoft does.
And strikingly, in a 25-page progress report on its SFI efforts, Microsoft points to platform engineering as one of its critical new tools for improving the cybersecurity of its products and services around the globe.
“Driving continuous improvement in operational efficiency requires measurement and feedback systems,” the company wrote in its SFI progress report. “To scale SFI, drive rapid progress, and to accelerate individual and team productivity, we are leveraging Microsoft Platform Engineering practices and tools. Platform engineering is a practice, built up from DevOps principles, that seeks to improve security, compliance, costs and time-to-business value with streamlined developer experiences and self-service infrastructure within a secure, governed framework.”
In the report, Microsoft called platform engineering “both a product-based mindset shift and adoption of a set of tools, systems, and processes. Applying well-established platform engineering patterns to SFI enabled us to make significant progress and maintain individual and team productivity.”
For a company that for many years has not established an enduring legacy of software security in its products, Microsoft’s platform engineering statements and adoption are intriguing and welcome. If Microsoft is placing its bets and investments on platform engineering, it is plausible that more enterprises and companies will do the same across the global IT marketplace over the next few years.
Microsoft’s ‘Unique Responsibility in Safeguarding the Future for Customers’
In a blog post about the company’s SFI progress report, Charlie Bell, executive vice president at Microsoft Security, wrote that these efforts are continuing to grow as the largest cybersecurity engineering effort in the company’s history.
“At Microsoft, we recognize our unique responsibility in safeguarding the future for our customers and community,” wrote Bell. “As a result, every individual at Microsoft plays a pivotal role to prioritize security above all else” under the SFI initiative.
So far, Microsoft has dedicated the equivalent of some 34,000 full-time engineers to its SFI efforts since the program was launched in November of 2023, wrote Bell.
One of the biggest moves in the SFI program is Microsoft’s shift to fostering a security-first culture, which is a bold move for a company that had not previously embraced such an approach in its long history.
“Operationalizing an infrastructure project at Microsoft’s scale — more than 100,000 engineers, project managers and designers with over 500,000 work items modified per day and 5 million builds per month — is an enormous task that requires significant alignment and coordination,” wrote Bell. “Driving continuous improvement in operational efficiency requires measurement and feedback systems.”
Bell also announced that, to drive continuing progress with its SFI update plans, Microsoft has created a new Cybersecurity Governance Council to improve governance and has appointed deputy chief information security officers (deputy CISOs) for key security functions, covering all engineering divisions. “Those deputy CISOs will be led by the company’s CISO, Igor Tsyganskiy. The deputy CISOs form the Cybersecurity Governance Council and are responsible for the company’s overall cyber risk, defense and compliance,” he wrote.
Security has taken on such a new importance within the company that it will now be a “core priority for all employees at Microsoft and will be included in their performance reviews,” he wrote. “This will empower every employee and manager to commit to — and be accountable for — prioritizing security, and a way for us to codify an employee’s contributions to SFI and celebrate impact.”
Analysts React to Microsoft’s Growing Platform Engineering Adoption
“It is interesting that Microsoft has finally really gotten on the security bandwagon,” Rob Enderle, principal analyst of Enderle Group, told The New Stack. “Microsoft’s evolution in terms of taking security seriously started by them saying it just was not their job. Then in the early 2000s they took the job on, but it was still an effort that was not well integrated with the rest of the company. This latest move takes it to the next step, integration, which should improve Microsoft platform security significantly.”
Enderle said he expects that Microsoft’s interest in platform engineering as a way to improve software and IT security will spur interest in platform engineering among more enterprises. “Microsoft is a power player in the industry and when they get serious about something, as is the case here, IT customers will take notice,” he said. “Companies tend to make better decisions when the result directly impacts their performance, as is the case here. Making these tools available to Microsoft’s customers after vetting them through internal use results in significant productivity benefits, as should be the case here.”
Another analyst, Dan Olds, principal and CEO of Olds Research, agreed.
“Microsoft put a stake in the sand in 2023 with their SFI initiative nearly a year ago,” said Olds. “Some might argue that it is maybe a decade too late, but it is hard to argue with the goals and methodologies they laid out and the tangible progress they have made in the last year.”
The company’s move to dedicate some 34,000 full-time engineers to these efforts “is not playing around,” said Olds. “It is a huge investment. And I think their three core principles are well thought out — secure by design, secure by default and secure operations — and neatly cover all the bases.”
The Key Is Platform Engineering
At the same time, Olds said he has seen big, grandiose announcements like this before from large tech companies, but they do not always pan out.
“The question I always have after far-reaching initiatives are announced is ‘OK, great, so how are you actually going to accomplish this?’” said Olds. In this case, he is optimistic. “With their recently released SFI report, we see that Microsoft has embraced platform engineering in a big way. And it is easy to see why.”
Olds pointed to a Microsoft blog post on platform engineering from November 2023 by Amanda Silver, a corporate vice president and general manager for Microsoft’s first-party engineering systems, which revealed what Olds called “startling statistics.”
Using her analysis, Silver wrote that “even on a good day, most developers only spend 84 minutes coding. Developers use an average of 16 tools per day, and it takes 23 minutes to regain focus after context switching. All of this makes developers exhausted at the end of their day.”
But worse, Silver wrote, this “is extremely inefficient for their organizations. And there is a tension there — organizations want their developers to be able to execute fluidly, but they also need to ensure that the software they build is secure, compliant and hits the quality expectations of the end users.”
One of the answers to these challenges, said Olds, is the company’s broad and insightful adoption of platform engineering. Silver’s numbers, he said, are likely “somewhat universal in big shops with a lot of projects.”
By using platform engineering across its operations, Microsoft will be constraining the number of tools that developers can use and dramatically improving its software and security processes, said Olds. “The payoff in terms of developer productivity is obvious, but there is also a big impact on security. Limiting the number of tools will limit the amount of code that has to be vetted, secured, maintained and monitored. It will also make ameliorating security holes quicker and easier since all developers are using a common set of tools and thus can jump in to fix something right away.”
Implementing a limited and controlled set of tools under platform engineering will be like a restaurant reducing the number of delicious dishes that it offers to patrons, said Olds. “Limiting the menu of a restaurant will almost always increase the quality of the food they deliver to customers,” he said. “The chefs become experts on each recipe, the ingredients and cooking techniques, resulting in replicable, high-quality output. I think that platform engineering will pay off in the same way for Microsoft and other companies adopting it.”