Love and agony: containers in government

Transcript

1. Love and agony Containers in government @a d el n,

   @18F

2. Containers, shall I compare thee to a server’s bay? Thou

   art now all the rage and lighter weight. Compliance shakes the buds of the Beltway, But from an image one can recreate.

3. Why government likes containers ♥ Vendor independence / portability ♥

   Dependency isolation ♥ Auditability ◦ Dependency specification ◦ Configuration as code ◦ Immutability ♥ Easy recovery

4. Decision seems simple

5. Do we want to use containers? ↓ Yes ↓

6. Where are we at?

7. 93% of all organizations are currently using cloud services McAfee,

   Jan 2017

8. 47% of government organizations are actively using cloud services Gartner,

   Oct 2017

9. 25% of companies using containers at some stage of deployment

   Cloud Foundry Foundation, Sept 2017

10. 13%* 25% using containers / (93% using cloud / 47%

    govt using cloud) = *not an actual statistic

11. Do we want to use containers? ↓ Yes ↓

12. Great! Can we install a runtime for development? Do we

    want to use containers? Yes! Those sound scary Great! Do we have an authorized orchestrator? Security assessment Nope Great! Do we have licenses? Yes! You need tools for controls X, Y, and Z Procurement (dies) Yes! Yes! Nope Great! Is our software container-friendly? Yes! Nope

13. Your software and the cloud, they may not fit, for

    the restrictions imposed might to physical hardware commit

14. Problem 1 Container friendliness Container-unfriendly software: • Expects to be

    long-running • Expects only a single host/instance • Expects a fixed IP/MAC address • Requires manual installation, activation, or deactivation

15. Once containerized, doth your app reside Floating in space, or

    for one to decide What host, what mem’ry, the network in place To direct traffic, save hassle, save space?

16. Problem 2 Management

17. Yet another layer to: • Procure • Learn • Integrate

    • Manage ◦ Monitoring ◦ Vulnerability scanning ◦ Logging Problem 2 Management

18. I hold it true, whate'er befall; I feel it, when

    I sorrow most; Better to mire in ATO Than never modernize at all.

19. • Development environments can be hard to come by •

    Containers are new to many assessors • Getting containers through an ATO process can be tough • Very few managed container environments authorized for government use Problem 3 Compliance
20. None

21. The good news ♥ There are secure ways to run

    containers ♥ Containers are being used in government ♥ Windows added support in 2016 ♥ Containers are preferable to servers ♥ Interest and demand are strong

22. Source Image Container Vulnerability scanning (RA-5) Runtime scanning (AU, SI-4)

    Vulnerability scanning (RA-5) Registry (AU, CM-5)

23. DevSecOps ^

24. What’s needed? ♥ More sharing of best practices ♥ More

    help on the inside ♥ Secure by default
25. None

26. What’s needed from vendors? ♥ More turnkey solutions ♥ More

    auditable services ♥ More compliance-focused documentation
27. None
28. None

29. Love is a smoke raised with the fume of sighs,

    Being purged, a fire sparkling in lovers' eyes, Being vexed, a sea nourished with lovers' tears. What is it else? A madness most discreet, A choking gall and a preserving sweet, So too are containers a chall’nge to meet

30. Au revoir mon amour. @aidanfeldman, @18F [email protected]

31. Backup slides

32. In case you’re lost...

33. In case you’re lost ...is to a... Server : Truck

    Virtual machine (VM) : Car Container : Bike
34. None
35. None