
Microsoft Azure Platform Certified "Secure" By Department of Defense 90

Posted by timothy
from the until-proven-otherwise dept.
cagraham writes "Microsoft's cloud storage platform Azure received their first government certification yesterday, less than 24 hours before the official shutdown. The certification, which grants Azure 'Provisional Authority to Operate,' should make it easier for Microsoft to compete with rivals like IBM and Amazon Web Services for government contracts. The certification signifies that the Department of Defense, Homeland Security, and US General Services Administration have all deemed Azure safe from external hackers. Government cloud contracts are a lucrative market, as seen by Amazon's recent tussle with IBM over a $600M contract for a private CIA cloud."
  • by StefanJ (88986) on Tuesday October 01, 2013 @12:09PM (#45003731)

    . . . the backdoor for the NSA is really well protected.

    • Since this certification is one step towards allowing government agencies to use Azure, your comment isn't relevant. No backdoor needed.
      • This is the 'carrot' side. You get a nice juicy gov't contract if you remain helpful in our fight against evil terrorists and child molesters!

    • by dmbasso (1052166)

      [...]have all deemed Azure safe from external hackers.

      Yep, the internal hackers are assured.

      • by farrellj (563) *

        How many hours/days will it be before they are pwned?

        That is, pwned by someone other than the NSA...:-)

    • by oodaloop (1229816)
      Um, why would they put a backdoor in a platform they were going to use for themselves?
      • by gmuslera (3436)
        Because they are "sure" that they are the only ones that could exploit it. And backdoor could mean only in-place access, as in them having a machine in that network with privileged access to everywhere. Also, the government probably uses plenty of Windows on their desktops, with backdoor or not.
      • by gl4ss (559668)

        so that they don't have to bother with things like permits, court orders, etc., things that tie up la.. investigators' time.

    • by Hoi Polloi (522990) on Tuesday October 01, 2013 @12:53PM (#45004239)

      The certification makes it easy for foreign entities to avoid it like the plague.

    • by steelfood (895457)

      This is Microsoft. Their data center is in the U.S. The only backdoor any three-letter agency needs to gain entry is the loading dock.

      • by mendax (114116)

        This is Microsoft. Their data center is in the U.S. The only backdoor any three-letter agency needs to gain entry is the loading dock.

        The only three-letter agency I'd choose to trust is IBM.

    • I heard that the full report was on WikiLeaks; last week.
    • exactly... a DoD certification might not be a good thing any more. It was once a mark of pride. Something a company could point to as a feather in their cap. But now? It means the feds have gone through it. And that might mean they left something behind.

      • by anubi (640541)
        I think it has everything to do with "plausible deniability"; that is, Microsoft has a design legacy of products needing a heck of a lot of security-related patches.

        Any government worker who knowingly specified a product with known security issues might be held personally accountable for his actions.

        This whole rating is like the Wall Street ratings - I see it as a useless metric, as it is more a mechanism to let someone who specified its use off the hook for the ramifications of his decision. These ratin
        • I agree. Beyond that, I would say some of these ratings might have hidden costs. If MS was just paying money for it then that might be one thing. But what if the condition is having a back door put into the product. At this point, who trusts them?

  • by arthurpaliden (939626) on Tuesday October 01, 2013 @12:09PM (#45003735)
    So Microsoft has finally got all their systems working properly with the government-requested backdoors and decryption methodologies.
  • by zlives (2009072) on Tuesday October 01, 2013 @12:10PM (#45003741)

    Muhahaha, I believe, is the correct response.

    • Well, it is. The billionaire bankers and HFT guys are doing very well.
      • by Anonymous Coward

        Well, it is. The billionaire bankers and HFT guys are doing very well.

        Unfortunately, in some schools of economic thought, that is how you measure a healthy economy.

        It's a lie, but that's how it's interpreted. The rest of us can eat cake, that is, if we could afford cake.

        According to some Republicans, if corporate profits are up and the populace is unemployed, they're winning.

        It's a theory which can only bankrupt the rest of us, and speed us along to becoming corporate serfs who are accustomed to government

        • by Jawnn (445279)
          Damn right, you socialist slacker. Privatize the profits and socialize the expense, whenever and wherever possible. Oh, and you forgot the part about cutting taxes for the wealthy... er..., I mean the "job creators". Joe Sixpack will just hear "tax cuts" and think that we meant that for him.
  • This must be part of the Open Government Initiative that the US administration has been promising: http://www.whitehouse.gov/open [whitehouse.gov]

  • by Anonymous Coward on Tuesday October 01, 2013 @12:18PM (#45003839)

    So it's only the ones already in the box that we have to worry about.

  • That's just funny for so many reasons!

  • I think Microsoft should advertise this. Outside hackers will love the challenge. Locks only keep the honest people out.

  • Who defines "secure"? Who performed the audit to ensure the security? How often will audits be performed to ensure that Azure stays secure? What happens when Microsoft goes bankrupt?

    Call me cynical, but I have no confidence that anyone who has the credentials and capabilities to ensure that Azure is secure actually did so for the Government. Sure there are really bright people at the DoD but I'm sure more bureaucrats were involved than engineers.

    Also, what's the plan for when Microsoft goes bankrupt?
    • by mlts (1038732) *

      Part of FISMA compliance is audits, both scheduled and random. There are many, many different controls that are checked, and too many exceptions might get the authority to operate revoked.

      As for MS getting out of the cloud business, I'm sure there is a contractor who is more than willing to take over the data center and keep the operations going.

      This compliance sounds like a lot of rubric, but it is overall a good thing. Beats just depending on the "trust me" words on a cloud provider's web page show

    • by dbIII (701233)
      One day each leap year you get an air gap so it cannot possibly be any more secure :)
      You'd think after the Zune they wouldn't make the same mistake with Azure and disable an entire product for a day worldwide, but that's what happened. It makes me wonder what else is wrong with it since there was such an obvious lack of attention to detail.
  • Microsoft is. NSAbox1. No start menu. Technet dead. And now this. This is just so sad it is funny.
  • Seriously, how can anything be secure when there's nobody securing it?

    • by Anonymous Coward

      I guess I'm not at work then. Oh wait, I am.

      You should probably do some research before making such statements. The only thing I've heard shutdown that affected someone I know is that our shooting range is closed because the civilian range officers are not here. Yes, the army where all of the computers are still running, but where we no longer actually do any training to shoot. I would love to see Patton's rant about how the wimp in chief has ruined the military.

      • Biomedical engineers are shut down at the Army Base near Seattle.

        They just make sure the medical instruments are safe.

        I think they're more essential, but that's just my view.

        And the correct term is Commander in Chief, you REMF.

  • I saw a talk this past summer about Microsoft's security architecture for Azure. The devil is in the details, of course. I am only really familiar with AWS but Microsoft's approach is quite different. In AWS, security is really up to you when you deploy an application to Amazon's cloud. Azure is tilting the other way -- they are providing an environment where security services are part of the platform.

    For those who are interested in a technical discussion instead of Microsoft-bashing and snarky remarks abou

    • The problem is that security is ALWAYS your problem. Always. Because if you hand it over to someone else, that implies that you completely trust the entity you entrust your data to. You just shift the problem, from having to secure something to having to trust someone.

      Now, essentially you're doing that all the time. Even if you have someone in house instead of "outsourcing" it to a third party. But unlike with the third party, you can take a closer look at the person or the people you entrust it to. You can

  • by ducomputergeek (595742) on Tuesday October 01, 2013 @01:38PM (#45004741)

    ...when I worked in "Academic Computing" on the campus of the college I went to. What that really meant was I was one of five students allowed to touch the AS/400 we had. I remember my boss in a presentation where he boasted that AIX had never been hacked and I snorted. He looked at me puzzled and I said, "Is it available for export?" Answer was yes. "Well, it has a backdoor that the NSA can use. Furthermore, how many of their premiere tech support staff, you know, the people they send out in the field, work for IBM and draw a nice second paycheck from (insert 3-letter agency here)?" After all, that's how the CIA spied on the Soviet Embassy. They sent in a Xerox employee who also worked for the CIA to do maintenance on their Xerox machine...

    Of course this was back at a time where very few outside of the military even knew the NSA existed or what they did. I was aware of them because I was following their Security Enhanced Linux developments at the time.

    He didn't believe me. Recently got an email from him stating that it appears the arrogant 20 year old kid 13 years ago turned out to be largely correct about NSA capabilities....

    It also didn't hurt that my father was an executive at one of the major defense contractors (hint: they built fighter planes like the F-15, F-18 & AV-8B). All my neighbors were engineers at the same company. I grew up in that world. I remember asking what happened if we sold F-15s to country X and they used them against us: see Iran and the 1970s. The response I got was, "There's contingencies built into the systems", i.e. there was another reason the Israeli air force remained grounded during the first Gulf War...

    • by roc97007 (608802)

      Fascinating. Mod up. I'm aware of some of that stuff, (a part for which I wrote code is in the F16, or at least was in the late seventies) but I never connected it to warning our allies to keep their US-supplied planes grounded during certain offensives. Makes total sense.

  • ok, so.. (Score:5, Interesting)

    by roc97007 (608802) on Tuesday October 01, 2013 @02:11PM (#45005175)

    ...having worked for a company that did this type of stuff for the government, and seeing the process first hand, what I observe is that the certification is not necessarily done by someone with a deep knowledge of security. It's done by a bored inspector with some training, checking off line items, sometimes for political reasons, sometimes for business reasons, or sometimes because the inspector wants to make his flight back to Virginia. So, great, it passed. Until it gets pwned. Then starts the long process of plugging an individual hole, getting pwned again, plugging another hole, getting pwned again. You know, the usual Microsoft patch cycle.

  • It's given the green light by NSA folks
  • from what..and from whom?

    -Hackus

  • "The FedRAMP security assessment process defines a set of controls for low and moderate impact level systems based on NIST SP 800-53 controls." (FedRAMP Website) The key words here are "for LOW AND MODERATE impact level systems." Low and medium robustness are what the government usually accepts. All kinds of stuff that was routinely compromised fits that profile too. The Shapiro [1] paper on the Windows EAL4 evaluation illustrated why it actually meant "certified insecure" and sadly still applies to this
  • That alone is a dead giveaway that it's anything but secure for anyone else.

  • Of course Azure is secure - nobody uses it.

  • Against popular beliefs and press releases from Microsoft and/or AWS, FedRAMP *DOES NOT* imply a system is "secure". Don't believe me? Read the FedRAMP CONOP. (http://tinyurl.com/op6lz2o). You'll notice the CONOP doesn't state a CSP is "secure" just because the system has been reviewed for compliance. FedRAMP is all about ensuring a cloud solution is assessed and the results are shared. This makes it easier for the gov't to procure CSP services and make risk based decisions. Don't be fooled by the marketi
  • This is what will happen to you if you don't cooperate: http://rt.com/usa/qwest-ceo-nsa-jail-604/ [rt.com]
