johnaweiler
commented
6 years ago It would be more helpful to respond to the specific questions rather than promoting a specific commercial solutions.
Open jkraden-gsa opened 6 years ago
johnaweiler
commented
6 years ago It would be more helpful to respond to the specific questions rather than promoting a specific commercial solutions.
konklone
commented
6 years ago [Inlining attached PDF comment. Missing a couple links from the original PDF.]
Docker, Inc official public comment
Policy: https://itmodernization.cio.gov/ Deadline: September 20, 2017 Points of contact: Andrew Weiss | anweiss@docker.com, Chris Cyrus | chris.cyrus@docker.com
Title of response: Enabling Federal IT modernization with containers
Response:
On behalf of Docker, Inc, we are providing these comments in response to the Report to the President on Federal IT Modernization and in regards to the use of container technologies. Container technologies should be included in this report as a core tenet of Federal IT Modernization efforts. Containers are rapidly becoming the industry standard for secure software development and delivery.1 In both deployment operations and development, containers help to reduce the number of virtual machines required for an environment, transform legacy applications with no changes to existing code and enhance the security posture of the software supply chain.
For context, a container is a way to package software that runs in isolation on a shared operating system (OS). Whereas software on virtual machines or on bare-metal hardware must be written for and be dependent on a traditional operating system (e.g. Windows, Linux), containers bundle the core libraries and runtime capabilities on which the software depends. Various container runtimes (like Docker) also allow for many containers to run on a single shared OS.
We’ve outlined how this technology maps to the report as follows:
What are major attributes that are missing from the targeted vision?
In regards to the foundational capabilities required in a modernization effort, containers address key elements for reducing the overhead in patching software and enabling the deployment of applications to least privileged runtime environments. Applications packaged in containers are described by a simple manifest (or text file) used to build and update software in a repeatable fashion. Instead of patching software in place on VMs/bare-metal, one simply modifies the applicable sections in the manifest, and redeploys new containers based on this updated manifest. This helps to eliminate the risk of failed updates and patches and makes rolling-back a an update as simple as re-deploying the container based on a previous version of the manifest.
Furthermore, containers can be deployed to least-privileged infrastructures both on-premises and in the cloud supported by various container orchestration tools.
The isolation capabilities of containers gives application development and security teams the ability to build and deploy software that meets the most stringent government security standards. These best practices can be enhanced by way of agency-/Federally-approved (whitelisted) container images stored in secure, centralized container registries that incorporate vulnerability scanning technologies.
Securing the software supply chain is paramount to any IT modernization efforts. Containers are infrastructure- and operating system-agnostic which mitigates the challenges that exist today in multi-infrastructure operations (e.g. on-premises, private cloud, public cloud, etc). The immutability aspects of a container also help to prevent compromised application components from impacting external systems or other containers.2
To help agencies adhere to FISMA requirements, applications running in containers can inherit a greater number of security controls from underlying infrastructure which results in a faster authorization cycles for IT applications and services.
NIST SP 800-190 (in Draft) covers container security benefits in greater depth.
Cost Consolidation and cloud portability:
Running applications and services in containers results in greater compute densities on fewer bare-metal hardware components, virtual machine and cloud infrastructure resources. Not only can containers help agencies meet DCOI mandates by consolidating hardware and VM dependencies, but they can also help agencies control their cloud spend as they move workloads off-premises. By containerizing legacy applications as-is, agencies are even able to free themselves from their existing infrastructure constraints and more seamlessly move these workloads to one or more cloud providers; thus leveraging financial, security, speed, redundancy and portability advantages that various providers deliver.
[1] https://portworx.com/wp-content/uploads/2017/04/Portworx_Annual_Container_Adoption_Survey_2017_Report.pdf https://www.datadoghq.com/docker-adoption/
[2] NIST SP 800-190 - Section 2.1
Hi,
On behalf of Docker, attached is our response as part of the current public comment period for the Report on Federal IT Modernization. For any questions or requests for clarification on this content, please reach out to the points of contact as indicated in the response.
Thanks,
Andrew Weiss Lead Federal Sales Engineer | Docker, Inc Docker Reponse to Report to the President on Federal IT Modernization RFC (1).pdf