By Hayden Smith
Software container adoption is growing across the Department of Defense (DoD) and the federal government. The benefits of containers span application modernization, security and cloud migration. Today, I'll give you a high-level, mostly non-technical explanation of what containers are, why they matter for security and where they fit into your IT strategy.
First, some container basics
Software containers package code so that an application can be built once and run in the cloud or on premises. A container image bundles the application code together with the configuration files, libraries and dependencies the application needs to run. A running container does not carry its own operating system kernel: it shares the host's kernel and is isolated from other containers by kernel features such as namespaces and control groups (cgroups), not by the absence of an operating system.
Containers solve many of the problems that arise when teams develop code together because they promote the reuse of software across systems. Teams can work from different code bases, ship the same image to different systems and environments, and manage security and versioning at the image level rather than host by host.
Containers versus virtual machines
Using a container offers an advantage over a virtual machine (VM):
- VMs run on a hypervisor that presents a virtual hardware system on top of a physical server. Each VM runs its own guest operating system, which lets several applications be consolidated onto a single physical system.
- Containers run on a physical server (or inside a VM) and share the host operating system's kernel. Compared to VMs they are "light": images are typically measured in megabytes rather than gigabytes, and containers start in seconds rather than minutes. They are also easier to manage because the operating system is shared, and a patch or fix is applied by building a new image and replacing the running container rather than patching it in place.
Because they are easy to use and deploy consistently across many hosts and cloud providers, containers are becoming increasingly important in hybrid and multi-cloud environments, complementing and in some cases replacing VMs. One caveat: because containers share the host kernel, a Linux container still needs a Linux host; the portability is across hosts and providers, not across operating system kernels. Running containers in the cloud is central to DevOps and DevSecOps, and containers play an integral role in migrating applications to the cloud.
Containers have a significant impact in the public sector, where mission-critical timelines press developers to "fail fast and fix." Container images are immutable: a running container is not modified in place but replaced by a container started from a new image, which keeps every change traceable to a build and makes rolling back to the previous image straightforward.
Containerized applications are also highly portable and can run both on premises and in the cloud, making them easier to move than applications tied to a particular host.
Containers and FedRAMP
Containers bundle an application's dependencies, so securing container images is a priority for the federal government's cybersecurity posture. The Federal Risk and Authorization Management Program (FedRAMP) provides clear guidance on many aspects of container security, but it does not tell organizations how to implement that guidance. Solutions that automate compliance checks are a good choice for agencies that need to become compliant quickly and keep up with changing security requirements.
Currently, the public sector has heard FedRAMP's guidelines, digested what they mean and started implementing solutions; after all, compliance deadlines are approaching. The benefit of FedRAMP to individual organizations, making cloud-based containers more secure, is often obscured by the hassle of implementing the guidance.
To stay motivated, organizations can look to the future of containers. Just as in the private sector, we will see more workloads moved to containers and hosted in a cloud environment. Agencies may have only a few tools or applications running on a FedRAMP-authorized platform now. Over time, and once their security frameworks are built out, they can continue to migrate monolithic and traditional applications from virtual machines to containers. The process will follow the trends already seen in commercial organizations, but at a slower pace and in phases, in part because these agencies will first need to build the secondary and tertiary infrastructure required.
Containers and the DoD
Container security is critical, and container use is covered by requirements from the Defense Information Systems Agency (DISA) and the National Institute of Standards and Technology (NIST).
DISA's Container Image Creation and Deployment Guide is a phenomenal piece that can be viewed as a DoD standard for container security; it points back to other documentation DISA has published and can be leveraged to meet newer standards such as the Cybersecurity Maturity Model Certification (CMMC). Because the security standards are being ironed out today, I believe we'll see a lot of growth and evolution surrounding container use in the government. The Air Force's Platform One uses Iron Bank, its repository of hardened container images, to provide hardened containers across the DoD. The Iron Bank model demonstrates how the federal government can use cloud-based, containerized software development to increase velocity in an increasingly data-driven and application-fueled environment.
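To make "hardened container" concrete, here is an added example that is not code from this article, Anchore, DISA, Platform One or Iron Bank. It parses a Dockerfile and flags a few problems of the kind container-hardening guidance targets: a base image on a floating tag or without a digest pin, no non-root USER, secrets set through ENV or ARG, and ADD where COPY suffices. The rule set is an illustrative subset I chose, not a transcription of the DISA guide; the two sample Dockerfiles and the all-zero digest are constructed for the example. The hardened sample also shows what an image definition bundles (base image, dependencies, application code, runtime user), as described in the basics section earlier.

```python
"""Dockerfile hardening check.

Added example: not code from the article, Anchore, DISA or Iron Bank.
The rules are an assumed, illustrative subset of common container-hardening
practice, not the DISA guide's requirements.
"""
import re

# Constructed sample Dockerfiles (not taken from any real project).
WEAK_DOCKERFILE = """\
FROM python:latest
ADD . /app
RUN pip install -r /app/requirements.txt
ENV API_KEY=hunter2
CMD ["python", "/app/main.py"]
"""

# The sha256 digest below is a placeholder (all zeros), not a real image digest.
HARDENED_DOCKERFILE = """\
FROM python:3.11-slim@sha256:0000000000000000000000000000000000000000000000000000000000000000
WORKDIR /app
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt
COPY . .
RUN adduser --disabled-password --gecos "" app && \\
    chown -R app:app /app
USER app
CMD ["python", "main.py"]
"""

SECRET_NAME = re.compile(r"(?i)(passw(or)?d|secret|token|api[_-]?key|private[_-]?key)")
DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")


def parse_dockerfile(text: str) -> list[tuple[str, str]]:
    """Return (INSTRUCTION, arguments) tuples.

    Blank lines and comments are skipped; a trailing backslash joins the
    next line, as the Docker builder does.
    """
    instructions = []
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        pending += line
        inst, _, args = pending.partition(" ")
        instructions.append((inst.upper(), args.strip()))
        pending = ""
    return instructions


def base_image(args: str) -> str:
    """Extract the image reference from FROM arguments, ignoring --flags and 'AS name'."""
    tokens = [t for t in args.split() if not t.startswith("--")]
    return tokens[0] if tokens else ""


def check_dockerfile(text: str) -> list[tuple[str, str]]:
    """Return (rule_id, message) findings for one Dockerfile; empty list means clean."""
    findings = []
    last_user = None
    for inst, args in parse_dockerfile(text):
        if inst == "FROM":
            image = base_image(args)
            if image == "scratch":
                continue
            name = image.partition("@")[0]
            # Tag is whatever follows the colon in the last path component.
            tag = name.rsplit("/", 1)[-1].partition(":")[2]
            if tag in ("", "latest"):
                findings.append(("unpinned-tag", f"base image {image!r} uses a floating tag"))
            if not DIGEST.search(image):
                findings.append(("no-digest", f"base image {image!r} is not pinned by digest"))
        elif inst == "USER":
            last_user = args
        elif inst in ("ENV", "ARG"):
            # Accept both KEY=value and legacy "KEY value" forms.
            names = re.findall(r"([A-Za-z_][A-Za-z0-9_]*)=", args) or args.split()[:1]
            for name in names:
                if SECRET_NAME.search(name):
                    findings.append(("secret-in-env", f"{inst} {name} looks like a secret baked into the image"))
        elif inst == "ADD":
            findings.append(("add-instruction", "ADD fetches URLs and auto-extracts archives; prefer COPY"))
    # The last USER wins; no USER, root or uid 0 means the process runs as root.
    if last_user is None or last_user.split(":")[0] in ("root", "0"):
        findings.append(("runs-as-root", "no non-root USER set; the container will run as root"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        results = check_dockerfile(text)
        print(f"{label}: {len(results)} finding(s)")
        for rule, msg in results:
            print(f"  [{rule}] {msg}")
```

Run it as a script to see the weak file's five findings and the hardened file's clean result. A real pipeline would run checks like these in CI before an image is pushed, alongside vulnerability scanning of the image's packages; the point here is only that each hardening requirement can be expressed as a mechanical check on the image definition, which is what lets compliance be automated.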
We're in an exciting developmental stage of container adoption, with huge potential for software that is delivered faster and built more securely. While it will take time for agencies to invest in all the resources needed to run containers at scale, I believe the best approach is to "learn how to fish" rather than be given a fish. And there are many sources of tools and automation that can accelerate the process.
For related content, please see “Why Containers are Key to Boosting Software Innovation” and “Embracing a Containers Approach for Service Delivery.”
Hayden Smith is a senior engineer with Anchore, a software container security company. Currently, Smith leads developer projects across the Defense Department (DoD) and numerous federal agencies to help government organizations adopt DevSecOps best practices. His work includes building and automating Iron Bank, Platform One's collection of hardened and approved containers for use across agencies.
Smith's dedication to advancing safe cloud-native development practices has helped guide, empower, equip and accelerate DoD programs through their DevSecOps journeys. Prior to joining Anchore, Smith was a DevOps and information security technologist with Booz Allen Hamilton, where he worked extensively on FedRAMP compliance. You can connect with Anchore on Twitter and LinkedIn.
This article is part of GovLoop's summer/fall 2021 Featured Contributor cohort.