Show notes:
- The Dave and Gunnar Show
- OpenShift Container Platform
- Back to (Linux container) school: Four lessons learned from the University of North Carolina
- Introducing atomic scan – Container vulnerability detection
- Video demo: Black Duck and Red Hat Secure Container Delivery
- How Automation Can Unleash Government IT Innovation
- OpenSCAP and the SCAP Security Guide
- White House releases open source policy
- November 2: Red Hat Government Symposium
MP3 audio (18:01)
OGG audio (18:01)
[Transcript]
Gordon Haff: Today I'm joined by David Egts, who's the Chief Technologist for the North American Public Sector at Red Hat. He's going to have some great insights to share with us about how government, at various levels, is adopting cloud and container technology. Welcome, David.

David Egts: Hey, Gordon. Glad to be here. A big fan of the show, so it's great to finally be on it after all the episodes I've listened to. Thanks for having me.

Gordon: I should mention at this point, and we'll have a link in the show notes, that David is the co-host with Gunnar Hellekson of his own podcast. Tell us a little bit about your podcast.

David: It's "The Dave and Gunnar Show." If people go to dgshow.org you can hear the podcast, where I interview a bunch of people in the open source community, people at Red Hat.

A lot of the time Gunnar and I will just get on and we'll just talk about the tech news of the day, and parenting, and all kinds of other fun things like that. I do have to admit, though, the podcast wouldn't exist if it wasn't for yours being the inspiration to get things going, so thank you for all the work you've done.

Gordon: Thanks, David. We're going to talk about a number of cloud, and government, and policy things on this show, but let's start by talking about something specific. Namely, that's container adoption in the government, specifically around Red Hat OpenShift.

David: In Public Sector, OpenShift interest is taking off like crazy. I think the reason for it is that the folks in government that I've been talking to, when we talk about having a container strategy, they know they want to have one, but they often don't have the time or the resources to be able to roll their own container platform themselves.

They see all of this really hot innovation coming out of open source communities and all this hot software coming out of Silicon Valley from a lot of start-ups. Then they see products like OpenShift Container Platform, which builds upon things like Docker, builds on Kubernetes, and they see that as an integrated solution. They really are flocking to embrace it.

There are a bunch of customer success stories that we have that we can talk about that are really fun.
Gordon: Let's get to those in a second. I did want to just make one point to your point about essentially making container adoption easy. This really is not just a government type of thing. We see this at a lot of customers who start out, "Whoa, if Google can do it themselves, we can do it ourselves, too." They go through an iteration and find this isn't really that easy to do.

David: No, absolutely. Then also you end up building this snowflake where you can't put an ad in the paper and hire somebody to do this, or send them somewhere for training. You incur all this technical debt. Whereas, if you have an engineered solution that you can get training for or you could hire somebody for, it's really, really powerful.

A lot of people really focus on the mission of what they're working on.

Gordon: Tell us some specific examples that you've been working on and that you can talk about there, out in the field.

David: Yeah, one of my favorite ones. I actually did a podcast on The Dave and Gunnar Show. We interviewed the Carolina CloudApps folks, the team at the University of North Carolina. They're providing OpenShift as a service to all of the students, and faculty, and researchers at UNC.

It's really neat to see a bunch of the things that they're doing, as far as the container densities that they're getting. They're running over a hundred apps per container host. Where, if you think about that in the traditional virtualization base, getting like a 10:1 ratio of virtualized systems per hypervisor was great, but to get 100:1 is just amazing.

Then there are other things, too, as far as the range of people that they have to work with, where it's like 18-year-old students that are just brand new freshmen to people approaching their retirement years in the faculty.

Being able to come up with documentation, and building a community, and getting people to adopt the software in a very easy way was a really neat challenge for them, which I thought was pretty amazing. Then the last thing that I thought was really neat was the whole thing.

For any sort of IT organization, you need to be very, very compelling or risk being replaced by Shadow IT, by providing something like a container platform, like Carolina CloudApps does.

That allows them to be really relevant and deliver a lot of value to the students, and faculty, and the researchers, to prevent them from even considering going with something from a third party or spinning up something in your dorm room.

Gordon: What are some of the lessons that you would say that you've learned, that Red Hat's learned, that the customers have learned as we've gone through this process of what's rather a new set of technologies?

David: I think security is one of the big things that I've found out. Just because people are moving into containers and you're sticking everything into a container, the security burden shifts from being mostly the responsibility of the operations team to being a shared responsibility between the development and the operations team.

You can't just flip a container over the wall, hand it to ops, and then have it go into production. It can't be these black box containers you give over. You need to move some of that security discipline over to the development side, so in the CI/CD processes, the same way that you do unit tests to make sure that your code behaves properly, you also want to do security tests as part of your unit test workloads.
Gordon: As I've been writing about security over the last maybe six months or so -- and I've been doing a fair bit about it -- one of the things that's really struck me is the evolution in thinking about security.

I think we kind of came from a point where, on the one hand, you had people that were like, "Oh, clouds are insecure. We can't use clouds." Then, on the other hand, people would be like, "Oh. Well, we'll just use a public cloud provider, and we don't need to worry about security any longer."

You had these kind of extreme viewpoints, and I think it's actually good that -- from talking to people and reading things, and working through these deployments -- most people, I won't say everyone, but most people seem to be thinking about security more intelligently and more thoughtfully.

David: Yeah, and it's also one of the things that I see, too, is that in the past, in the Federal government, you would have maybe annual audits or these periodic audits where, "We're gonna see if we've drifted from our security baseline."

The reality is that your adversaries, they're not going to attack you once a year. They're attacking you multiple times a day. Being able to automate your scanning, and being able to make sure that you haven't drifted from your security baseline, and being able to rapidly snap back into it is really, really powerful.

That's where tools like the atomic scan tools that we've integrated into our OpenShift are really compelling, where we work with partners like Black Duck and Sonatype, even SCAP, where we can do just DISA STIG for containers and make sure that they're locked down properly. It's really, really exciting work.

Gordon: You've mentioned automation. Let's talk a little bit more about automation because, from what I've been seeing, automation is really the heart of how a lot of these organizations are evolving. They're really starting to think about, "What can I automate next? What's the next low-hanging fruit that I can basically...don't have to worry about any longer?"

David: Yeah, and that's where, what is it, people spend 80 percent of their budgets on keeping the lights on and that leaves 20 percent for innovation. But there's a lot of time when you have these Patch Tuesdays, and everybody's on this patching hamster wheel. It's like they spend all month patching and, before you know it, it's Patch Tuesday again.

You're just doing this over, and over, and over again, and there's absolutely no time for doing any sort of innovation at all. That's where, if you can, automate things like security, automate your build processes. Whenever things can be automated, they should be automated.

There's an article that I wrote where I actually saw an interview that was done with Terry Halvorsen, who's the CIO of the DoD. He was giving a press interview, saying that the number one driver for data center consolidation in the DoD is labor costs and that, basically, automation is the key to help drive down those labor costs, and that anything that can be automated should be automated.

That really underscores the point that you really need to be able to automate as much as possible if you want to do any sort of innovation.

Gordon: That's really just the cost side of things. In areas like security, for example, you can really increase the quality because not only is it taking you less work to do these manual repeated tasks, but if it's automated you can be pretty sure that it's going to happen the same way the hundredth time that it happens the first time. You're not going to make a mistake in there that creates a vulnerability for an attack.

David: Yeah, and your checks could be a lot more robust and a lot richer, too. If I had a human that is locking down a system, there's only so many checks that that human can do per hour.

But if I can make it machine readable, where I'm using tools like SCAP or I'm using tools like Ansible, that can just go through, and I can have a lot more rules and a lot more checks and have this defense in depth.
Gordon: Let's switch gears a little bit here to talk about policy. One of the really big changes in the last few years has been the fact that government, at multiple levels, is really starting to think about open source systematically and, in some ways, perhaps embracing it more systematically than many private organizations.

David: It'll be 10 years for me in February since I joined Red Hat. I remember 10 years ago I would go into meetings and people were wondering if this whole open source thing's going to take off, to now, to the point where, back in the day, open source was the insurgent, now it's the incumbent, where people in the government are huge consumers of open source.

We're proud to say that every tactical vehicle in the US Army is running at least one piece of open source software from Red Hat. You can go down the line with every agency. All 50 states are running Red Hat products or using open source technologies in a commercially supported way. I think that the pendulum is even swinging further from being a consumer to being a contributor and a collaborator.

We've done a lot of work as part of the open source community with the SCAP Security Guide, where we've partnered with NSA, and DISA, and NIST, and all kinds of other integrators, and government agencies, and folks from academia to do security baselines in an open source way. That has been very exciting, to be able to come out with security baselines a lot faster than doing it yourself.

Also, the other thing that I'm seeing, too, is that the White House just released the OMB open source policy guidance, where they talk about all of the custom-written code that the government pays for. First off, it should be reusable by all of the agencies.

They also have the same goal over the next three years to open source 20 percent of that code and then do an analysis to see if this is working out well and all that. It was really neat to see the evolution from the draft policy to the final policy, where all of that glueware that the government is paying government employees or integrators to implement, they really want to reuse that as much as possible instead of reinventing the wheel over and over again. To me, that's really exciting.

Gordon: Yeah, and, of course, a lot of the new policies even go beyond open source in terms of having open data, in terms of research that's paid for with taxpayer money should be publicly available, and so forth. Obviously, there's still a lot of work that needs to go into many of those areas, but it's certainly trending in a good direction.

David: No, absolutely. I'm really excited by it.

Gordon: If somebody wants to learn more about what Red Hat's doing in government, what the government itself is doing in open source, how they can get involved, what's one or two good next steps they can take?

David: I think one of the things that they should do is check out the Red Hat Government Symposium. If people go to redhatgov.com, that's a short link to get to the registration site for that. That's our annual event that we have every year in DC. This year it is on November 2nd at the Ritz-Carlton in Pentagon City.

This is going to be really exciting where, if you think about it, the following week is the presidential election. We have the open source policy that came out. There's going to be a lot of people wondering what's going to happen over the next 12 months and how policies that are in place now will evolve over time.

It's going to be a great opportunity to network with folks. We're going to have Mike Hermus, who's the CTO of the Department of Homeland Security, give a keynote. We're going to have a lot of executives from Red Hat giving keynotes, like Tim Yeaton and Ashesh Badani. I'm really excited about the events that are coming out. Please, come check that out.
Gordon: That's great, Dave. I just find it so interesting. The government often gets this reputation for being kind of a decade behind everyone else. In a lot of respects, with an open source policy, open data policy, and organizational openness in general, the government, in some ways, I think is ahead of a lot of the private sector.

David: I wouldn't argue that. A concrete example of that is the SCAP work that we've been doing as part of the SCAP Security Guide. SCAP was something that was started by NIST, the National Institute of Standards and Technology. There are a lot of commercial organizations like Microsoft, and Red Hat, and others that got together to come up with SCAP policy that's machine readable.

I remember going back to our engineering organization and saying, "You know, we've got to get this inside of our products," and we'd get them saying, "Oh, no. The addressable market for that is just government nerds."

Now it's to the point where people are developing PCI compliance policy as part of the SCAP Security Guide. We have contributions from the world over. From what I understand, Lufthansa will run an SCAP scan every time they turn their planes on with the in-flight entertainment system. It's really exciting to see that type of change moving on.

At the Red Hat Summit, over the past couple of years, we would do SCAP sessions where Shawn Wells would give the presentation. He would poll the audience over the last couple of years. It's like, "OK, how many people are from commercial and how many people are from Public Sector?"

A couple of years ago it was like 80 percent Public Sector, and this year the poll was 85 percent commercial. It's really interesting to see how a lot of this innovation that has happened in government has actually made it for the benefit of private industry, which, to me, is a really good use of taxpayer dollars.