Platform Engineering Security: Strategies, Challenges, and Lessons Learned

A presentation at Platform Engineering Security Webinar in March 2025 in by Bruno Amaro Almeida

Slide 1

Slide 1

Platform Engineering Security Strategies, Challenges, and Lessons Learned Bruno Amaro Almeida VP, IT Operations March 2025 Photo by taopaodao on Unsplash

Slide 2

Slide 2

Hello! Bruno Amaro Almeida VP, IT Operations Fortum brunoamaro.com

Slide 3

Slide 3

We are one of the cleanest power generators in Europe with strong Nordic focus 3

Slide 4

Slide 4

IT STRATEGIC PRIORITIES Customer Centric Cost Efficient Secure and Reliable

Slide 5

Slide 5

IT vs IT credit: Spy vs Spy comic

Slide 6

Slide 6

6

Slide 7

Slide 7

“A digital platform is a foundation of selfservice APIs, tools, services, knowledge and support which are arranged as a compelling internal product.” Evan Bottcher https://martinfowler.com/articles/talk-about-platforms.html

Slide 8

Slide 8

⃗ manual. ticket. ⃗ automated. days. ⃗ self-service. minutes. Photo by CardMapr.nl on Unsplash

Slide 9

Slide 9

Core IT Digital Development App B App C App A IT Service Managers Service X Product X Experiment X AI & Data Team SWD Team I&V Team

Slide 10

Slide 10

Core IT Digital Development App B App C App A IT Service Managers Managed Services Provider (MSP) Platform / DevSecOps / DEX Team Service X Product X Experiment X AI & Data Team SWD Team I&V Team

Slide 11

Slide 11

Core IT Digital Development App B App C App A IT Service Managers Platform Engineering Service X Product X Experiment X AI & Data Team SWD Team I&V Team

Slide 12

Slide 12

#1 // What Platform Engineering Capabilities? Platform Service Management 12 Platform Engineering (Datacenters, Cloud and DevEx) M365 & IAM Includes application areas such as: onpremises,cloud management (AWS, Azure, ..) and DevOps Tooling Includes areas such as: Authentication & access, Exchange, E ntra ID, PKI, PAM, IGA Includes areas such as: SSE / Zero Trust, Remote Access, IT and OT connectivity, .. Target Customers / Audience: Fortum Developers and Service Managers Target Customers / Audience: Fortum Developers and Service Managers Target Customers / Audience: Fortum Developers and Service Managers Network Cyber Security Platforms Includes areas such as: IT SOC Data Platform, OT SOC Platform, SOC Tooling Target Customers / Audience: SOC Analysts, IT and OT Cyber Security Specialists Data Platforms Includes areas such as: Customer Data Platforms, Asset Data Platforms, Integrations, … Target Customers / Audience: Fortum Developers and Service Managers

Slide 13

Slide 13

#2 // How Should the Holistic Delivery Model Work? 13

Slide 14

Slide 14

#3 // How Platform Engineering Changed How We Think About Cyber Security (and vice-versa) Core IT Applications and Services Digital Development Cyber Strategy and Governance Compliance Cyber Risk Cyber Culture Awareness … IT Service Desk Application Management Security Operations Center Platform Operations Center Cyber Security Platforms Platform Engineering (Datacenters, Cloud and DevEx) 14 Data Platforms M365 & IAM Network

Slide 15

Slide 15

Personas x User Centric Operating Model 15 Service Offering x Service Delivery Model Workflow and Process x Automation

Slide 16

Slide 16

Personas x User Centric Operating Model Service Offering x Service Delivery Model Workflow and Process x Automation o Iterate over the relation and working model across different Cyber Security responsabilities areas: Cyber Governance x Security Engineering x Operative Security Operations o Establish dedicated Cyber Security Platforms (e.g. SOC Data Platforms) o Ensure security mindset is part of all Platform Engineering teams o Smaller, gradual and purposeful changes based on organization maturity at that time

Slide 17

Slide 17

Questions & Answers Bruno Amaro Almeida VP, IT Operations brunoamaro.com