Article 74WJ7 Federal Cyber Experts Called Microsoft's Cloud a “Pile of Sh*T,” Approved It Anyway

by hubie from SoylentNews on (#74WJ7)

fliptop writes:

One Microsoft product was approved despite years of concerns about its security:

In late 2024, the federal government's cybersecurity evaluators rendered a troubling verdict on one of Microsoft's biggest cloud computing offerings.

The tech giant's "lack of proper detailed security documentation" left reviewers with a "lack of confidence in assessing the system's overall security posture," according to an internal government report reviewed by ProPublica.

Or, as one member of the team put it: "The package is a pile of shit."

For years, reviewers said, Microsoft had tried and failed to fully explain how it protects sensitive information in the cloud as it hops from server to server across the digital terrain. Given that and other unknowns, government experts couldn't vouch for the technology's security.

Such judgments would be damning for any company seeking to sell its wares to the US government, but it should have been particularly devastating for Microsoft. The tech giant's products had been at the heart of two major cybersecurity attacks against the US in three years. In one, Russian hackers exploited a weakness to steal sensitive data from a number of federal agencies, including the National Nuclear Security Administration. In the other, Chinese hackers infiltrated the email accounts of a Cabinet member and other senior government officials.

[...] Yet, in a highly unusual move that still reverberates across Washington, the Federal Risk and Authorization Management Program, or FedRAMP, authorized the product anyway, bestowing what amounts to the federal government's cybersecurity seal of approval. FedRAMP's ruling, which included a kind of "buyer beware" notice to any federal agency considering GCC High, helped Microsoft expand a government business empire worth billions of dollars.

[...] Today, key parts of the federal government, including the Justice and Energy departments, and the defense sector rely on this technology to protect highly sensitive information that, if leaked, "could be expected to have a severe or catastrophic adverse effect" on operations, assets, and individuals, the government has said.

Originally spotted on Schneier on Security.
