Security, standardization, support: our platform team

Note: In the following article, our colleagues Christian, Head of Engineering at DigitalService, and Kai, Tech Lead of our platform team, explain how our software engineers work with and within a platform team. They use a number of technical terms that may seem unfamiliar to anyone who does not work in software development. While this lingo is always briefly explained, some people may still find it difficult to follow the individual steps. For a better understanding, we link at the appropriate places to our glossary. If anything is still unclear, we’d be happy to answer your questions via the comment section.

Our software development work brings us into contact with a wide range of project partners from various ministries and federal institutions, all of whom have different standards, programs, and technical requirements. But we know by now that there’s no need to reinvent the wheel every time and that we can reuse certain components internally. We established our own platform team in summer of 2023 with a view to harmonizing software development within DigitalService. This team standardizes aspects related to security and infrastructure. This blog post explains how the team is structured, how it makes our solutions more secure, and why individual teams then have to handle less complexity.

DigitalService runs its solutions using containers, an approach that is fully in line with the federal government’s container strategy (document in German only). Containers are isolated environments that provide a consistent and portable way to deploy software and their dependencies. To manage and orchestrate these containers, we use Kubernetes – a platform that automates application distribution and scaling.

Despite or especially when using Kubernetes, each team still had to solve many challenges for themselves: different project teams were deploying various security and maintenance solutions, resulting in significant extra work and risks. Especially with shared components, there was often a diffusion of responsibility, as each project team had to independently take care of aspects such as secrets management, deployment pipelines, and observability. Some problems were addressed with the introduction of GitOps via ArgoCD, but those systems also had to be maintained.

Having individual project teams maintain their own resources with simultaneous management of shared resources is only an efficient approach if sufficient capacity is available. In practice, however, this led to a patchwork of systems and solutions that was neither sustainable nor secure in the long term. We clearly needed a standardized, centralized solution.

In response to these challenges, we set up a dedicated platform team. It is tasked with providing a consistent, secure, and user-friendly platform that can be accessed by all project teams, who are themselves the users of this platform. This structure enables us to think about security and efficiency from the outset and to define clear responsibilities. At the same time, it ensures the autonomy of the project teams, who can decide which platform components or alternative solutions to use based on the project requirements.

1. Uniform structures: By providing standardized components and services, we avoid redundant work and inconsistencies.
2. Security focus: Security is integrated into the platform from the outset, which minimizes the risk of security vulnerabilities.
3. Clear responsibilities: The platform team is clearly responsible for maintaining and further developing the platform, while the project teams can concentrate on their specific applications.
4. Documentation and support: Comprehensive documentation and regular consultations ensure that all teams can make best use of the platform. The teams receive support with security analyses, for example.

Our platform team consists of three experienced developers with a total of 40 years of professional experience. The team engages regularly with the project teams to ensure that their needs and feedback are incorporated into further development of the platform. It holds office hours every two weeks, and there is a monthly exchange with all development teams to address accessible topics relating to development and security. Of course, the platform team is also available for ad hoc inquiries. Overall, the platform team’s approach is based on “helping people to help themselves” – it empowers the project teams to work independently and efficiently by providing the basic infrastructure and advising the teams on security.

Our platform offers basic services that can be used by all projects. These include:

• Pipelines: Standardized templates that define how our code is built and tested.
• Dashboard: A central interface that can be used to manage deployments.
• Secrets management: Secure management of access credentials and other sensitive information.
• Observability: Comprehensive monitoring and logging to identify and resolve problems quickly.
• Documentation: Teams can find out for themselves about the services on a website that includes best practices and guidelines.

These standardized services not only save costs, but also increase efficiency. For example, if developers join a team, they are dealing with the same infrastructure in their new team and can therefore get up to speed faster. This even scales to the launch of completely new projects, which we can usually bring online within a day with the help of the platform.

The platform team has officially been in place since summer 2023. We had introduced the first approaches at the beginning of 2023, but a lack of ownership and continuous updates meant we had to professionalize the process. Today, the platform is a stable component of our infrastructure, and all projects are based on it.

The platform team will focus next on the topic of cloud migration with the aim of creating a better and more cost-efficient experience. We intend to validate and improve our disaster recovery plans during the migration. We will also invest in better cost management and observability. We’ll provide an update on that here in this blog once those measures have been taken.