Despite doubts, federal cyber experts approved Microsoft cloud service

hn_acker 454 points 208 comments March 18, 2026
www.propublica.org

Discussion Highlights (20 comments)

hn_acker

The original title is:

> Federal Cyber Experts Thought Microsoft’s Cloud Was “a Pile of Shit.” They Approved It Anyway.

robtherobber

Wow, Microsoft is really pushing the wrong boundaries in every direction, isn't it? Executives must be thinking, like many before them, that Microsoft is too big to fail.

jbombadil

> [...] And because federal agencies were allowed to deploy the product during the review, GCC High spread across the government as well as the defense industry. By late 2024, FedRAMP reviewers concluded that they had little choice but to authorize the technology — not because their questions had been answered or their review was complete, but largely on the grounds that Microsoft’s product was already being used across Washington.

This sounds like the crux of the issue. The combination of "tool can be used during analysis" and "analysis takes long" shifts the barrier of rejection from "is this tool safe?" to "is this tool so unsafe that we're willing to start a fight with a lot of other government agencies to remove it, find an alternative, etc.?" Not criticizing FedRAMP. Proper security review takes time, and probably more when dealing with vendors.

Eridrus

I think plenty of software is a pile of shit and still derive value from it.

exabrial

I'm guessing the requirements were written in a way that only Microsoft's cloud could win the bid. That's why you have Windows in the Pentagon instead of something secure.

ovidev

The Justice Department CIO who pressured FedRAMP to approve GCC High was hired by Microsoft the next year. I wonder if this shouldn't invalidate the authorization in the first place?

dogleash

> By late 2024, FedRAMP reviewers concluded that they had little choice but to authorize the technology — not because their questions had been answered or their review was complete, but largely on the grounds that Microsoft’s product was already being used across Washington.

The article talks a lot about conflicts of interest, but this is the line I went looking for. A bureaucracy fighting itself over goal prioritization, and what's a necessary roadblock vs. red tape, is the less sexy but more meaningful problem at the core of this. Once the government decided they wanted the product, they were going to find a patsy.

ddtaylor

The government does most things poorly and with little regard to budget or quality. They can't solve problems that are much simpler than cloud computing, so why should I expect them to perform better at a more complex problem?

debarshri

Recently tried using Entra ID. There are 12 ways to enforce MFA, 20 ways to disable users, 4 ways to authenticate users, plus conditional access stuff with 50 variables and templates, etc. You can customize it the way you want. After configuring it, my colleagues could not log in. That's one way to secure your organization.

gertrunde

The sheer amount of conflict of interest with folk involved in this later getting employed by Microsoft is a bit crazy.

gertrunde

It's not very clear from the article, but I get the feeling from the context that the 'pile of shit' quote referenced the package of documentation about the service rather than the service itself. (That seems to be the main complaint, that Microsoft never provided the clear information required to conduct the assessment properly).

yoyohello13

Basically exactly what my org did. The momentum of being a Microsoft shop is hard to fight against.

iamleppert

Azure is easily the most expensive, least reliable and worst cloud available. It's a borderline scam. An example from today: I provisioned high-IOPS SSDs (supposedly), and what is actually connected to the instance? A spinning hard drive! I didn't even know they were still made, but I guess Azure uses them and scams their users into thinking you're getting an SSD for $700/mo when it's really an old hard drive. I would warn anyone far and wide to avoid Azure at all costs, especially if you are a startup. And especially if you are doing any kind of AI, because the only GPUs they have available are ancient and also crazy over-priced. If I cared more, I'd try to migrate away from Azure. But I don't, and that's probably Azure's business model at this point.

markstos

Frustrating that FedRAMP is both a pain to get compliant with and also, apparently, not a strong signal of actual security.

j45

Maybe the gaps are a feature or benefit at the same time.

brudgers

Given the scale and scope of the Federal Government, what are the alternatives to Microsoft? Building in house? Outsourcing to consultants?

FrustratedMonky

Is this just a case of MS needing to merge a lot of platforms, and there are gaps and overlaps? Maybe the critical question is: are they making continuing improvements? Especially to merge conflicting functions. Like when they bought Minecraft, or Skype. Each already had user management. Xbox was a mess. Merging them all took a lot of years.

iscoelho

Microsoft has never been good at security, and that is why their centralization to cloud is absolutely terrifying. I'm reminded of Storm-0558 [1], where a stolen signing key was able to forge authentication tokens for any MSA / Azure AD / Government AD user. They downplayed the severity. Just imagine if that level of access was used to pull a Stryker on a nation-wide scale. That is an economic disaster waiting to happen.

[1] https://www.microsoft.com/en-us/security/blog/2023/07/14/ana...

dwa3592

Exactly, and that is the moat: a pile of shit that everyone can smell from afar.

jakubadamw

Little has changed since Bill Gates tried to install Movie Maker.
