Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Love and agony: containers in government

Love and agony: containers in government

This talk chronicles the love story of two star-crossed protagonists, containers and bureaucrats. Root for the pair as they muddle their way through the trials and tribulations of procurement, compliance, and answering the question of “so a container is a VM, right?” Can regulation and policy be overcome to unite the two in glorious harmony? Or will this just end up being another technological missed connection?

Presented at:

* https://www.docker.com/government-summit-2018 - video: https://www.youtube.com/watch?v=Yuy5qDLNQKc&feature=youtu.be&list=PLkA60AVN3hh_GZao7bR_ySsUbdh8CFUR1
* https://www.meetup.com/DevOpsDC/events/jkpfmlyxgbnb/ - video: https://www.pscp.tv/victori_ousg/1ZkKzVkomWqKv?t=58m56s


Aidan Feldman

April 11, 2018

More Decks by Aidan Feldman

Other Decks in Technology


  1. Love and agony Containers in government @a d el n,

  2. Containers, shall I compare thee to a server’s bay? Thou

    art now all the rage and lighter weight. Compliance shakes the buds of the Beltway, But from an image one can recreate.
  3. Why government likes containers ♥ Vendor independence / portability ♥

    Dependency isolation ♥ Auditability ◦ Dependency specification ◦ Configuration as code ◦ Immutability ♥ Easy recovery
  4. Decision seems simple

  5. Do we want to use containers? ↓ Yes ↓

  6. Where are we at?

  7. 93% of all organizations are currently using cloud services McAfee,

    Jan 2017
  8. 47% of government organizations are actively using cloud services Gartner,

    Oct 2017
  9. 25% of companies using containers at some stage of deployment

    Cloud Foundry Foundation, Sept 2017
  10. 13%* 25% using containers / (93% using cloud / 47%

    govt using cloud) = *not an actual statistic
  11. Do we want to use containers? ↓ Yes ↓

  12. Great! Can we install a runtime for development? Do we

    want to use containers? Yes! Those sound scary Great! Do we have an authorized orchestrator? Security assessment Nope Great! Do we have licenses? Yes! You need tools for controls X, Y, and Z Procurement (dies) Yes! Yes! Nope Great! Is our software container-friendly? Yes! Nope
  13. Your software and the cloud, they may not fit, for

    the restrictions imposed might to physical hardware commit
  14. Problem 1 Container friendliness Container-unfriendly software: • Expects to be

    long-running • Expects only a single host/instance • Expects a fixed IP/MAC address • Requires manual installation, activation, or deactivation
  15. Once containerized, doth your app reside Floating in space, or

    for one to decide What host, what mem’ry, the network in place To direct traffic, save hassle, save space?
  16. Problem 2 Management

  17. Yet another layer to: • Procure • Learn • Integrate

    • Manage ◦ Monitoring ◦ Vulnerability scanning ◦ Logging Problem 2 Management
  18. I hold it true, whate'er befall; I feel it, when

    I sorrow most; Better to mire in ATO Than never modernize at all.
  19. • Development environments can be hard to come by •

    Containers are new to many assessors • Getting containers through an ATO process can be tough • Very few managed container environments authorized for government use Problem 3 Compliance
  20. None
  21. The good news ♥ There are secure ways to run

    containers ♥ Containers are being used in government ♥ Windows added support in 2016 ♥ Containers are preferable to servers ♥ Interest and demand are strong
  22. Source Image Container Vulnerability scanning (RA-5) Runtime scanning (AU, SI-4)

    Vulnerability scanning (RA-5) Registry (AU, CM-5)
  23. DevSecOps ^

  24. What’s needed? ♥ More sharing of best practices ♥ More

    help on the inside ♥ Secure by default
  25. None
  26. What’s needed from vendors? ♥ More turnkey solutions ♥ More

    auditable services ♥ More compliance-focused documentation
  27. None
  28. None
  29. Love is a smoke raised with the fume of sighs,

    Being purged, a fire sparkling in lovers' eyes, Being vexed, a sea nourished with lovers' tears. What is it else? A madness most discreet, A choking gall and a preserving sweet, So too are containers a chall’nge to meet
  30. Au revoir mon amour. @aidanfeldman, @18F aidan.feldman@gsa.gov

  31. Backup slides

  32. In case you’re lost...

  33. In case you’re lost ...is to a... Server : Truck

    Virtual machine (VM) : Car Container : Bike
  34. None
  35. None