Spill the IT Ep11: Containerisation – the deep dive

Intro (00:05):

Welcome to the Fasthosts ProActive Podcast: Spill the IT. Each episode, we'll sit down with some of the amazing ProActive team and chat through their experiences of the ups and downs of IT infrastructure management in small businesses. There's always plenty to chat about.

Graham (00:26):

Welcome back everyone. My name's Graham and I'm your host again today for this week's Fasthosts ProActive Podcast session. So one of the subjects we get asked so many times on these podcasts is, what tech should I be looking for with a cloud-managed services provider? And we get lots of that coming through on the questions and the Q&As and things. And so we thought it'd be a really good idea today to run a podcast on it. With me today, I have Terry Hurcombe, who's head of systems engineering at Fasthosts ProActive. Good morning, Terry.

Terry Hurcombe (00:55):

Good morning.

Graham (00:56):

Hi. And I assume, like last time when Mark was here, is this your first podcast?

Terry Hurcombe (01:02):

It is indeed, yes.

Graham (01:03):

Fantastic. We're going to make you podcast stars. That's what we hope for anyway. You are going to do a far better job of just telling everybody a little bit more about yourself. Why don't you just give us a little bit of a short synopsis about what you do here at Fasthosts ProActive?

Terry Hurcombe (01:16):

Sure. So I've worked in this industry longer than I care to remember, getting on now, but I started my career back in late nineties working for what was a startup, a Gloucestershire based startup, who were kind of first on the scene in terms of providing email based threat detection. Of course back then, internet was very different to how it looks today. None of the big cloud players really existed in the capacity they do today. But back in the nineties, of course email was seeing huge adoption. And as is the way, the darker side of the internet saw an opportunity there. So back then we started to see mass mailing email viruses come out. So they would infect your system and then go through your address book and then send it out to all your contacts with a very convincing email trying to infect those systems as well.

(02:04):

Moving forward a few years, and I find myself at Fasthosts. I joined the company back in 2018, it seems like just yesterday, but of course in the blink of an eye we're five years on and here I am. I started with the company as a senior cloud engineer in the systems engineering team. And over the years I've moved up into the head of systems engineering team. My primary focus for the team is secure container hosting platforms and powered service offerings in our cloud.

Graham (02:32):

Yeah, fascinating. Well, we're going to talk about that just a little bit later as well. With me today also I have Simon Yeoman, who is the CEO of Fasthosts and Fasthosts ProActive. Good morning, Simon.

Simon Yeoman (02:42):

Morning, good to be here.

Graham (02:43):

Hi. Nice to have you back. And also as well we have Mark O'Hare, who's the lead architect here at Fasthosts. So again, Mark-

Mark O'Hare (02:49):

Hi, morning.

Graham (02:50):

Yeah, hi, yeah, welcome back. So I have here a recent report that was published by Pluralsight, stated 70% of organisations report more than half of their infrastructure is in the cloud. And 44% of organisations adopt the latest cloud products as soon as they're available. I thought that was an interesting stat. And 65% of organisations say their cloud environment is multi-cloud. And the final stat is 27% of leaders say their cloud strategies enable them to drive customer value. So everything's moving towards the cloud. We are in cloud heaven, excuse the pun.

(03:31):

But obviously technology plays a massive role in how cloud is managed. And we have had so many questions regarding the 'must haves' around what are the top technologies to have when working in the cloud. So Terry, this is where I hope your expertise is going to be really important, really interesting for the listeners this time. So take us through what you see are the essentials and why.

Terry Hurcombe (03:54):

Yeah, I mean, obviously with my background, one of my driving factors is containerization. And not everybody's in a place where they can adopt containerization at this point. Probably needs some work on their side to look at microservice architecture, taking those huge monolithic applications that they used to have and splitting them up, so they function in a Kubernetes or a container-based orchestrator.

(04:17):

Other things to consider, the foundations need to be there. So there's more of a shift towards zero trust security models now, which is a concept that assumes no implicit trust. In a zero trust model, we're not concerned about the location of the user or the device, but multiple factors such as the user identity, the device's health, is it patched and up to date, does it run an AV software, anti-malware software? The context of the request that the user is making and the overall security posture.

(04:48):

Implementing zero trust requires a combination of technology process and some cultural shifts as well. And the key steps, defining access policies, deploying identity and access management, which most of the big cloud providers give you out of the box. And leveraging things like network segmentation, so making those networks smaller and more isolated are all really good things.

(05:10):

You also want to consider additional services that the cloud provider offers. So right now if you're on-prem and you are hosted maybe on a Microsoft SQL server or Postgres database, well, maybe you want to consider actually does my cloud provider offer that as a service? Because there are multiple benefits there. So the configuration of that database engine is not your concern, it's handled by the cloud provider. Things like backups and continuity are all kind of covered for you.

Graham (05:37):

Interesting. Obviously when you talk about zero trust, that's a really big out there sort of statement. Are customers, is that the lead thing when they say, "Right, technologies, take us through that process." Are the customers leading that that you talk to here at ProActive or is it something that you are making sure that's top of that list?

Terry Hurcombe (05:57):

Yeah, I think it's bigger customers in the industry are on that journey right now. Security is a hot topic. We've already said we could consume multiple podcasts talking about security aspects.

Graham (06:07):

Of course we could, yeah.

Terry Hurcombe (06:08):

I think as, Simon referred to earlier, perhaps some of the smaller customers or newer customers to the cloud scene probably need a little bit of handholding on that.

Graham (06:18):

Yeah. Do you ever get caught out? Do people come to you and say, "Right, okay, we must have this technology configuration, we must have things done in this certain way." Does that ever surprise you? Or do you have to deconstruct that and say, "Actually we don't think that's the best way, we think you should be looking at this environment or doing things this way."

Terry Hurcombe (06:34):

Yeah, I mean, there are no surprises in this game, we deal with lots of customers at different levels of maturity. And that's where those surprises spring up, customers that aren't day-to-day in this space.

Graham (06:44):

Mark, what have you seen in relation to technology demands from people, where's the big hot topics?

Mark O'Hare (06:52):

Well, a lot of the complexity in building applications can obviously come not only just in running the container workloads, but what we call the backing services that go behind them. So storage, you might need very efficient caching strategy so you can get a lot of performance out of an application. Or as like Terry was talking about databases, but we might have things like object storage and things like that where we need these additional services to go round the actual computational workloads that you're going to run. And they can form quite a challenge.

(07:30):

Often the reason they become more challenges is because they need more management around them because they might have information that you don't want to lose. And you certainly don't want to expose when ... hence like the zero trust, making sure that you've locked down, you've got the right kind of security in place.

Graham (07:50):

So Simon, obviously the proposition that you've taken to market here at Fasthosts, Fasthosts ProActive, how much of the time here at Fasthosts is actually used in interfacing with those technologies, correcting things that might be looking like they're going to go wrong? Because that's obviously the premise, the whole thing around Fasthosts ProActive, you're cutting things off before they go wrong. How much of those technologies are you having to tamper with as an ... I say tamper, but correct or foresee things are going to fall over?

Simon Yeoman (08:20):

Manage proactively. So, not as often as you might think, but it requires a lot of close monitoring and we are available to intervene where we need to. I think a couple of observations of the conversation. Containerization is the future, and that is an ambition of a lot of clients that we need to speak to.

(08:42):

But as Terry alluded to, some of our clients aren't working in that way yet. They're not a more traditional provider and they don't work with microservices within a container yet. And so there's some journey and some education to go down. And probably businesses will need to contemplate what they need to change about their business to fully take advantage of containerization.

(09:06):

And the other thing I would say is, it needs to go hand in hand with a good talent management and recruitment type policy. These are new cutting edge technologies and the resource and expertise that you need to manage that is in short supply. And I would encourage anybody thinking about making that step or having ambitions to make that step to start to work with their existing resource and talent now, education, training, development. And developing them in that right way because it is a different way of managing your technology to more traditional technology providers. And I would encourage anybody that has ambitions to move to a more containerized environment to start thinking about how they take their organisation, in particular their people, on that journey with them.

(09:52):

With regard to Fasthosts ProActive, we do offer those services. So anybody that has that future ambition, we are able to handhold them in that process and we are able to introduce those technologies. And it might be, because it's such a new technology, we're able to just do it for part of their environment or something like that. And I would encourage organisations out there to think about which part of their technology stack is most relevant to containers. And maybe use that as an education and development step.

Graham (10:25):

So Terry, what would you suggest, if they were going to take the first steps into setting up containers in their business, what would be the first steps that you would advise people to take? What sort of applications would they be running? What sort of business process would it support?

Terry Hurcombe (10:40):

Well, first I think it's important to assess the workload and its suitability for containerization. Now in most cases that's going to work fine. As I said, in most cases you're going to find that that application is a huge monolith and you're going to start analysing that and how do you break it out and how do you split that up into the different microservices and deliver it.

(10:57):

I just wanted to go back though to something that you were talking to Simon about, configuration management, how often we need to get involved in correcting things. I think one of the benefits of the ProActive management solution that sits behind everything is infrastructure as code. So everything is deployed in a repeatable, consistent fashion. And then we have configuration management that's always aiming to get you to our desired configuration state.

(11:25):

And the same is true of containers and container orchestration. I mean, essentially at a high level, Kubernetes is just trying to get your application into the desired state that you've set.

(11:35):

I think the other thing is there's a tendency for businesses to say, "Okay, containerization, that's the thing, we need to adopt it."

Graham (11:41):

Everybody runs to it, it's the latest thing.

Terry Hurcombe (11:43):

They rush into it. And one of the things again that we come back to is container security. And there are some pretty scary statistics. I don't want to scare people away.

Graham (11:52):

It's good to talk about it, yeah, we need to let them know.

Terry Hurcombe (11:53):

But it paints a picture about how you need to focus on these areas. So around 87% of container images running in production contain critical high severity vulnerabilities. And around 85% of those can be fixed. And mostly that normally comes down to misconfigurations in your CI/CD pipelines. Where perhaps you haven't set that build to update the OS packages installed inside the container. So it might just be as simple as that.

(12:20):

The other thing is permissions management. So 90% of permissions granted are unused and remain unused, not required. And then your risk comes if you get a compromise in that application, then suddenly you've potentially got elevated permissions. When realistically the workload that was running there didn't need that level of permission in the first place.

(12:39):

And the other thing to consider, and again it's something that we would keep on top of in the ProActive world, is resource utilisation. We see this with external Kubernetes customers, but also internally as well. Lots of resource is allocated and unused, so 70% of CPU and 18% of memory resources are allocated to container workloads but never used. That obviously leads to increased costs, over-provisioning and under-utilisation. And we even see 60% of containers run with no limit set or 60% with no CPU limit. And 49% of containers are running without a memory limit. And whilst day-to-day it's probably not an issue. If all those containers suddenly get busy, then you've potentially put your entire cluster at risk from overload.

(13:27):

And the other big thing, and I think it's a big ticket item that organisations are struggling with it right now, is supply chain attacks. So things like previous Log4j, which I won't get into massive detail here, but any dependencies, libraries that you are pulling in, you need to know that they're quality and they've not been exploited in any way.

Graham (13:45):

So looking at the cost of running these containers, is it easier to manage that cost within those individual environments? To be able to report back to the customers and say, "Actually, look, across the whole portfolio of your suite here, look, we've got some areas here that you really need to address because you are not utilising what you've allocated," And things like that. Is that the type of conversation that customers want to have? Because obviously under utilisation is a big subject.

Terry Hurcombe (14:09):

Yeah, sure. Wherever you can save costs, right? We have great observability stacks in the container hosting platforms. And it's really easy for us to see, get a view on how much has actually been allocated versus what's currently being used.

(14:22):

And for sure containerization paves the way to eke a bit more out of your infrastructure. So not everything's running at peak demand at the same time, so you have peaks and troughs and you can take advantage of that with your Kube cluster.

(14:36):

The other thing that Kubernetes and containerization paves the way for is serverless, functions as a service technologies. Again, getting a little bit more out of your infrastructure because those containers only exist for the duration of that request and then they're gone.

Graham (14:50):

Interesting. Mark, we obviously have been on a podcast talking to you about migration. So coming back to that subject, talking about migration, and then obviously setting up these containers, how difficult is that? Does anything get in the way in relation to if that's going to be the preferred process of setting things up?

Mark O'Hare (15:10):

Well, around migration, when you move into using ... A lot of this technology is open source technology, which means that a big wide community can contribute into that. It also means there's, if you pick the right kind of technology, there's a lot of eyes on it. Hence why these vulnerabilities get identified in software that is running on these kind of stacks.

(15:37):

So the important thing to do is to make sure you've got a process where you are actually monitoring everything that is running on those platforms. So we do an awful lot of work in making sure that we're monitoring any of the containers, the images that go on. We deconstruct them to understand all the different components that are in there. And then we monitor all those different parts that make up that container image and we find out what kind of vulnerabilities they are. And then have a reporting mechanism where we can flag up and get people to correct any of those vulnerabilities that we're not happy with that are running in those images.

(16:20):

And it's important to have those ... those are a continual process because things are discovered all the while. It's not like, I did it one day, forget about it. You need to have ... it's a permanent operational activity, new things get discovered all the while. As we often read about in the press.

Graham (16:39):

Absolutely. So if we're looking at hybrid, if we're looking at on-prem and cloud, is there any additional complexities around these containers and Kubernetes and how that's being managed?

Terry Hurcombe (16:51):

Yeah, I mean, obviously the benefit of containerization is the portability of that container. So Mark could be developing for that application on his laptop, ship that container to me, I can run that, it's guaranteed to work as long as I've got a compatible container runtime engine. So in terms of moving the workload between different cloud providers, yeah, I mean, it reduces that vendor lock in.

(17:13):

I guess, there's more complexity around how you manage those deployments. We can talk about hybrid management interface, which are basically tools that talk to the APIs of each of your cloud providers and can provide a consolidated view and configuration platform. There are numerous offerings, probably needs research and consideration on each use case, but there's Flexera, CloudBolt, Zscaler, RightScale, all products that can manage multiple clouds for you.

(17:42):

Some cloud providers have their own offerings for multi-cloud management. That's definitely one of the challenges, along with observability, because now you need to suddenly pull metrics from containers running in multiple cloud providers. But again, in the containerization world, we have standard cloud native monitoring stacks, so that's Prometheus, Grafana and Alert Manager, which we use heavily here.

Graham (18:06):

Yeah, a really interesting and a hot topic, I guess, for assuring customers that you've got that observability and that top level of reporting. Simon, do you see that as a big thing where the whole industry's going and what customers are demanding?

Simon Yeoman (18:20):

Yeah, I've picked up on a couple of things that Mark and Terry have suggested, and I think something where we can help out, but is really important across the board, is transparency. We talked about managing costs and utilisation, but also when you're looking at vulnerabilities, and a lot of that comes to providing that information in a consumable way so that your client or key stakeholders in your client's organisation can understand it as well. Because the type of detail and data that Terry or Mark might be working at is probably different to the level of detail that I'm working on for instance.

Graham (18:59):

Yeah, and what your customers [inaudible 00:19:00]

Simon Yeoman (18:59):

Yeah, and it's really important that we summarise that for our customers. And that key decision makers within our client's business understand what's going on. And we provide them with the necessary data so that they can make decisions. Because I work with a lot of technology people that are far superior technology-wise to me, and they can spin up lots of environments and do lots of things, but it's very important that there's some transparency or oversight on what's going on. And that's where your provider in this space should be able to help provide that level of transparency.

Graham (19:35):

Yeah, really, really interesting subject. And I have to say this morning, guys, I've really learned a lot about this subject. Terry, you've been absolutely great. Thank you so much.

Terry Hurcombe (19:43):

Thank you.

Graham (19:44):

Mark and Simon, thank you very much for joining us today.

Simon Yeoman (19:46):

Thank you.

Graham (19:47):

So what's coming next time I hear you say? Well, we've got Mark O'Hare who's going to talk about those migration strategies and ongoing applications into the cloud. What applications are more likely to break when you migrate to the cloud or multi-cloud. And Mark's going to be here next time and he's going to tell us all about that.

(20:07):

So for now, we'll let you get back to the day job. Thanks for joining us and listening. I hope you all found that quite interesting. And we'll see you next time. Thank you.

Simon Yeoman (20:15):

Thank you.

Graham (20:15):

Bye.

Simon Yeoman (20:15):

Bye.

Terry Hurcombe (20:15):

Bye.

Outro (20:17):

Thank you for listening. We hope you enjoyed this episode. You can subscribe on Spotify or Apple Podcasts or visit proactive.fasthosts.co.uk for more info. See you next time.