75 comments

[ 2.6 ms ] story [ 74.3 ms ] thread
The original title is:

> Federal Cyber Experts Thought Microsoft’s Cloud Was “a Pile of Shit.” They Approved It Anyway.

Wow, Microsoft is really pushing the wrong boundaries in every direction, isn't it? Executives must be thinking, like many before them, that Microsoft is too big to fail.
> [...]And because federal agencies were allowed to deploy the product during the review, GCC High spread across the government as well as the defense industry. By late 2024, FedRAMP reviewers concluded that they had little choice but to authorize the technology — not because their questions had been answered or their review was complete, but largely on the grounds that Microsoft’s product was already being used across Washington.

This sounds like the crux of the issue. The combination of: "tool can be used during analysis" and "analysis takes long" shifts the barrier of rejection from "is this tool safe?" to "is this tool so unsafe that we're willing to start a fight with a lot of other government agencies to remove it, find an alternative, etc?".

Not criticizing FedRAMP. Proper security review takes time. And probably more when dealing with vendors.

> Not criticizing FedRAMP

Think it's very important to criticize FedRAMP. The FedRAMP board is extremely slow moving and continuously disregards industry feedback. As a result, FedRAMP is essentially a Palantir tax, where nearly every startup hoping to sell to government (including larger ones like Anthropic, xAI, Cognition AND OpenAI) is forced to pay Palantir to deploy in their FedRAMP enclave. This has a sticker price of 200-500k/y before we get into compute premiums.

Going through FedRAMP yourself requires a staff who is willing to put in a dedicated effort on the compliance paperwork (not the controls, which you could knock out in ~1mo easily, just the paperwork) for 6-8mo before getting into a line to hopefully get a 3PAO audit and then remediations followed by another audit which is followed by needing to get agency sponsorship for a FedRAMP board review. This costs $2-3M minimum including the amount of security software needed for evidencing and policy, which rules out nearly every small business. This process also can easily take 2-3 years of waiting, which forces out enterprise. So anyone entering the ecosystem is essentially forced to pay Palantir (or 2F which is a distant 2nd) a tax that is entirely enforced by government regulation.

They are not any kind of 'Federal Cyber Experts' either as that work is primarily outsourced to Schellman etc.

I dunno, but for me ensuring security means reducing the number of problematic parts, and making sure the ones that have control over the ones that exist.

The most secure thing I could think of is a cluster of servers running in my basement under lock and key, running a conservative set of well-tested software.

I think plenty of software is a pile of shit and still derive value from it.
I'm guessing the requirements were written in a way that only Microsoft's cloud could with the bid.

Thats why you have Windows in the Pentagon instead of something secure.

The Justice Department CIO who pressured FedRAMP to approve GCC High was hired by Microsoft the next year. I wonder if this shouldn't invalidate the authorization in the first place?
No. We live in a democracy. Everyone can work where he wants. See Poettering. Or US generals who went to work for Pentagon contractors. Or politicians who work/have worked/will work for private companies which benefitted from laws enacted by those politicians.
> By late 2024, FedRAMP reviewers concluded that they had little choice but to authorize the technology — not because their questions had been answered or their review was complete, but largely on the grounds that Microsoft’s product was already being used across Washington.

The article talks a lot about conflicts of interest, but this is the line I went looking for. A bureaucracy fighting itself over goal prioritization, and what's a necessary roadblock vs red tape is the less sexy but more meaningful problem at the core of this.

Once the government decided they wanted the product, they were going to find a patsy.

The government does most things poorly and with little regard to budget or quality. They can't solve problems that are much simpler than cloud computing, so why should I expect them to perform better at a more complex problem?
Recently tried using Entra ID. There are 12 ways to enforce MFA, 20 days ways to disable users, 4 ways to authenticate users, Add conditional access stuff with 50 variables and templates etc.

You can customize the way you want. After configuring it, my colleagues could not log in. Thats one way to secure your organization.

The sheer amount of conflict of interest with folk involved in this later getting employed by Microsoft is a bit crazy.
It's not very clear from the article, but I get the feeling from the context that the 'pile of shit' quote referenced the package of documentation about the service rather than the service itself.

(That seems to be the main complaint, that Microsoft never provided the clear information required to conduct the assessment properly).

That’s a perfectly valid reason to reject a security solution, and is one of my top complaints about Microsoft in this decade.

They fired all of their technical documenters, so their security critical systems, APIs, tools, and SDKs now have only auto-generated docs that are just the function names with spaces added between the words.

Like this:

    Overrides the authorization for an identity.

    AuthorizationOveride( string identity );
Good luck figuring out what anything important to your own security does, how it works, and what the consequences of small configuration changes might be.
Basically exactly what my org did. The momentum of being a Microsoft shop is hard to fight against.
Azure is easily the most expensive, least reliable and worst cloud available. It's borderline scam. An example today, I provisioned high IOPS SSDs (supposedly) and what is actually connected to the instance? A spinning hard drive! I didn't even know they were still made, but I guess Azure uses them and scams their users into thinking you're getting an SSD for $700/mo when its really an old hard drive.

I would warn anyone far and wide to avoid Azure at all costs, especially if you are a startup. And especially if you are doing any kind of AI because the only GPUs they have available are ancient and also crazy over-priced.

If I cared more, I'd try to migrate away from Azure. But I don't, and that's probably Azure's business model at this point.

Frustrating that FedRAMP is both a pain to get compliant with and also apparently is not a strong signal of actual security.
Maybe the gaps are a frature or benefit at the same time.
Given the scale and scope of the Federal Government. what are the alternatives to Microsoft?

Building in house.

Outsourcing to consultants.

Is this just a case of MS needing to merge a lot of platforms, and there are gaps and overlaps.?

Maybe the critical question, are they making continuing improvements? Especially to merge conflicting functions.

Like when they bought Minecraft, or Skype. Each already had user management. Xbox was a mess. Merging them all took a lot of years.

Microsoft has never been good at security, and that is why their centralization to cloud is absolutely terrifying.

I'm reminded of Storm-0558 [1] where a stolen signing key was able to forge authentication tokens for any MSA / Azure AD / Government AD user. They downplayed the severity. Just imagine if that level of access was used to pull a Stryker on a nation-wide scale. That is an economic disaster waiting to happen.

[1] https://www.microsoft.com/en-us/security/blog/2023/07/14/ana...

Exactly, and that is the moat- a pile of shit that everyone can smell from afar.
Little has changed since Bill Gates tried to install Movie Maker.
its as funny as the IA research reports from DORA dev which all seem to be sponsored AI provider ads instead....
The experts were correct. Azure is the biggest pile of shit I've ever had to work with. Everything feels evolutionary. In other words, a new product in azure is barely a product at all, but a small appendage which totally inherits a bunch of preexisting Azure "stuff." And all this preexisting stuff may not really make sense for the product, and it might inherit stuff that makes the product much worse. But, it doesn't matter. To even think about using the product, you need to learn way more about the larger Azure ecosystem than you ever bargained for, and of course deal with Microsoft products that do not really integrate well because the teams don't talk to each other. Log formats, conventions, everything will be different as you float around to different parts of Azure. Basic security concepts, such as a SIEM will be implemented in such strange ways that you wonder if Microsoft has any idea what a SIEM even is.
Did someone say Active Directory?