Microsoft Azure Platform Certified "Secure" By Department of Defense
cagraham writes "Microsoft's cloud storage platform Azure received their first government certification yesterday, less than 24 hours before the official shutdown. The certification, which grants Azure 'Provisional Authority to Operate,' should make it easier for Microsoft to compete with rivals like IBM and Amazon Web Services for government contracts. The certification signifies that the Department of Defense, Homeland Security, and US General Services Administration have all deemed Azure safe from external hackers. Government cloud contracts are a lucrative market, as seen by Amazon's recent tussle with IBM over a $600M contract for a private CIA cloud."
"Secure" meaning . . . (Score:5, Insightful)
. . . the backdoor for the NSA is really well protected.
Re: (Score:3)
Re: (Score:2, Insightful)
This is a necessary debate (Score:2)
I hate stupid litigation, but I would sue any newspaper for failure to take measures to properly protect their sources the moment they use a U.S. based cloud.
How about medical records?
How about psychological records?
How about juvenile records?
How about adoption records?
How about engineering designs
Re: (Score:2)
Re: (Score:2)
This is the 'carrot' side. You get a nice juicy gov't contract if you remain helpful in our fight against evil terrorists and child molesters!
Re: (Score:1)
[...]have all deemed Azure safe from external hackers.
Yep, the internal hackers are assured.
Re: (Score:2)
How many hours/days will it be before they are pwned?
That is, pwned by someone other than the NSA...:-)
Re: (Score:2)
Re: (Score:3)
Re: (Score:3)
so that they don't have to bother with things like permits, court orders etc., things that tie up la.. investigators' time.
Re: (Score:2)
Realistically, I wish more data centers had this criteria. It means that they can get audited at any time for security or process. Of course, this sounds like needless paperwork and red tape, but this is a good thing overall. It beats having a data center where security is an afterthought at best. It also means that there are people actively watching the IDS/IPS installations.
For example, parts of this compliance even mean that all the data on the hard disks are encrypted (DAR or data at rest protection
Re: (Score:2)
It can be an interesting saga. Fly in weapons and support for 'freedom' fighters via front companies but can your 'wage' legally exist?
Wage rich, tax statement poor. Any outside agency with that kind of insight has long term power over individuals.
Re:"Secure" meaning . . . (Score:5, Interesting)
The certification makes it easy for foreign entities to avoid it like the plague.
Re: (Score:3)
This is Microsoft. Their data center is in the U.S. The only backdoor any three-letter agency needs to gain entry is the loading dock.
Re: (Score:2)
This is Microsoft. Their data center is in the U.S. The only backdoor any three-letter agency needs to gain entry is the loading dock.
The only three-letter agency I'd choose to trust is IBM.
Re: (Score:2)
Re: (Score:2)
exactly... a DoD certification might not be a good thing any more. It was once a mark of pride. Something a company could point to as a feather in their cap. But now? It means the feds have gone through it. And that might mean they left something behind.
Re: (Score:1)
Any government worker who knowingly specified a product with known security issues might be held personally accountable for his actions
This whole rating is like the Wall Street ratings - I see it as a useless metric, as it is more a mechanism to let someone who specified its use off the hook for the ramifications of his decision. These ratin
Re: (Score:2)
I agree. Beyond that, I would say some of these ratings might have hidden costs. If MS was just paying money for it then that might be one thing. But what if the condition is having a back door put into the product? At this point, who trusts them?
Finally it works to Gov. Specs. (Score:5, Insightful)
In other news (Score:2)
Each to their own private island.
Re: (Score:1)
"We got your back" is short form for "We got your backdoors".
Keep your friends close and your enemy closer. The government agencies are like one big dysfunctional family. They don't necessarily like each other.
Re: (Score:2)
http://www.theguardian.com/world/2013/jul/11/microsoft-nsa-collaboration-user-data [theguardian.com]
http://rt.com/usa/microsoft-nsa-snowden-leak-971/ [rt.com]
Re: (Score:2)
So Microsoft has finally got all their systems working properly with the government requested backdoors and decryption methodologies.
The certification means that the Azure platform can be used by the DoD, Homeland Security and the GSA. If those agencies are compromised to the point where a backdoor can be unlocked, you have bigger problems than Azure.
Re: (Score:2)
Re: (Score:2)
in all seriousness (Score:3)
muhahaha, i believe, is the correct response
Re: (Score:1)
Please make all NSA related comments here.
Thanks.
Robert:
We've been watching your comments here and on other internet sites and we want you to stop it.
-NSA
Oh! And stop playing with yourself! And MILF Bestiality? You got issues!
Re: (Score:1)
It was always valid, we just needed better performance.
US government assures economy is recovering (Score:2)
Re: (Score:3)
Re: (Score:1)
Unfortunately, in some schools of economic thought, that is how you measure a healthy economy.
It's a lie, but that's how it's interpreted. The rest of us can eat cake, that is, if we could afford cake.
According to some Republicans, if corporate profits are up and the populace is unemployed, they're winning.
It's a theory which can only bankrupt the rest of us, and speed us along to becoming corporate serfs who are accustomed to government
Re: (Score:3)
Open Government Initiative (Score:2)
This must be part of the Open Government Initiative that the US administration has been promising: http://www.whitehouse.gov/open [whitehouse.gov]
"... SAFE from EXTERNAL hackers..." (Score:5, Insightful)
So it's only the ones already in the box that we have to worry about.
Re: (Score:1)
It's funny seeing this headline less than 1.5 hours after the "Former Microsoft Privacy Chief Doesn't Trust Company, Uses Open Source Software" story was posted.
Which party should I trust?
Trust the Computer, Citizen!
(yes, it's a game reference)
Hahahahaha (Score:1)
That's just funny for so many reasons!
New Target (Score:1)
I think Microsoft should advertise this. Outside hackers will love the challenge. Locks only keep the honest people out.
Who defines "secure" (Score:2)
Call me cynical, but I have no confidence that anyone who has the credentials and capabilities to ensure that Azure is secure actually did so for the Government. Sure there are really bright people at the DoD but I'm sure more bureaucrats were involved than engineers.
Also, what's the plan for when Microsoft goes bankrupt?
Re: (Score:2)
Part of FISMA compliance are audits, both scheduled and random. There are many, many different controls that are checked, and too many exceptions might get the authority to operate revoked.
As for MS getting out of the cloud business, I'm sure there is a contractor who is more than willing to take over the data center and keep the operations going.
This compliance sounds like a lot of rubric, but it is overall a good thing. Beats just depending on the "trust me" words on a cloud provider's web page show
Re: (Score:2)
You'd think after the Zune they wouldn't make the same mistake with Azure and disable an entire product for a day worldwide, but that's what happened. It makes me wonder what else is wrong with it since there was such an obvious lack of attention to detail.
Trolling hard (Score:1)
What DOD - it's all shut down (Score:1)
Seriously, how can anything be secure when there's nobody securing it?
Re: (Score:1)
I guess I'm not at work then. Oh wait, I am.
You should probably do some research before making such statements. The only thing I've heard shut down that affected someone I know is that our shooting range is closed because the civilian range officers are not here. Yes, the army where all of the computers are still running, but where we no longer actually do any training to shoot. I would love to see Patton's rant about how the wimp in chief has ruined the military.
Re: (Score:1)
Biomedical engineers are shut down at the Army Base near Seattle.
They just make sure the medical instruments are safe.
I think they're more essential, but that's just my view.
And the correct term is Commander in Chief, you REMF.
Microsoft's approach (Score:1)
I saw a talk this past summer about Microsoft's security architecture for Azure. The devil is in the details, of course. I am only really familiar with AWS but Microsoft's approach is quite different. In AWS, security is really up to you when you deploy an application to Amazon's cloud. Azure is tilting the other way -- they are providing an environment where security services are part of the platform.
For those who are interested in a technical discussion instead of Microsoft-bashing and snarky remarks abou
Re: (Score:2)
For moderate security, you should always assume the attacker is already in your datacenter, behind your firewall. Once you have that mindset, there's no harm per se in having the server in the cloud. The interesting question is "how precisely does that cloud work"; merely grunting "cloud bad" isn't helpful.
For high security it's about how many tanks and machine guns protect the bunker with your servers, so "cloud" can only be the "hire a company to do it in our datacenter" approach.
Re: (Score:2)
The "security for dummies" approach says simply, ensure the data is well encrypted as long as it is not on a machine that is close enough for you to kick it. :)
Re: (Score:2)
The problem is that security is ALWAYS your problem. Always. Because if you hand it over to someone else, that implies that you completely trust the entity you entrust your data to. You just shift the problem, from having to secure something to having to trust someone.
Now, essentially you're doing that all the time. Even if you have someone in house instead of "outsourcing" it to a third party. But unlike with the third party, you can take a closer look at the person or the people you entrust it to. You can
Government certified?! (Score:1)
Reminds me of a conversation... (Score:5, Interesting)
...when I worked in "Academic Computing" on the campus of the college I went to. What that really meant was I was one of five students allowed to touch the AS/400 we had. I remember my boss in a presentation where he boasted that AIX had never been hacked and I snorted. He looked at me puzzled and I said, "Is it available for export?" Answer was yes, "Well it has a backdoor that the NSA can use. Furthermore, how many of their premier tech support staff, you know the people they send out in the field, work for IBM and draw a nice second paycheck from (insert 3 letter agency here)?" After all, that's how the CIA spied on the Soviet Embassy. They sent in a Xerox employee who also worked for the CIA to do maintenance on their Xerox machine...
Of course this was back at a time where very few outside of the military even knew the NSA existed or what they did. I was aware of them because I was following their Security Enhanced Linux developments at the time.
He didn't believe me. Recently got an email from him stating that it appears the arrogant 20 year old kid 13 years ago turned out to be largely correct about NSA capabilities....
It also didn't hurt that my father was an executive at one of the major defense contractors (hint they built fighter planes like the F-15 & F-18 & AV-8B). All my neighbors were engineers at the same company. I grew up in that world. I remember asking what happened if we sold F-15's to country X and they used them against us: see Iran and the 1970's. The response I got was, "There's contingencies built into the systems", i.e. there was another reason the Israeli air force remained grounded during the first Gulf War...
Re: (Score:3)
Fascinating. Mod up. I'm aware of some of that stuff, (a part for which I wrote code is in the F16, or at least was in the late seventies) but I never connected it to warning our allies to keep their US-supplied planes grounded during certain offensives. Makes total sense.
Re: (Score:2)
oooooooh.. Thanks for expanding on the thought - now I get it.
ok, so.. (Score:5, Interesting)
Re: (Score:2)
That's like making recommendations from noteworthy burglars the selling point for a lock.
It's only secure for the NSA to snoop (Score:2)
secure my ass (Score:1)
Secure... (Score:2)
from what..and from whom?
-Hackus
Re: (Score:2)
Considering the more recent past, probably secure from us finding the NSA backdoor.
certified NOT secure (Score:1)
Re: (Score:2)
FYI, both pages are 404s because of the trailing slash. These links work:
http://www.eros-os.org/~shap/NT-EAL4.html [eros-os.org]
http://www.cygnacom.com/labs/cc_assurance_index/CCinHTML/PART3/PART36.HTM [cygnacom.com]
Re: (Score:1)
Thanks for that! :) The funny thing is that I put trailing slashes in there because that's how the Slashdot advice said to do it: "(markuptag here) will auto-link a URL." It had a trailing slash in the URL. Those darned documentation writers...
certified NOT secure (Score:1)
The US government considers it "secure" (Score:2)
That alone is a dead giveaway that it's anything but secure for anyone else.
Of course it's secure (Score:2)
Of course Azure is secure - nobody uses it.
Title is *MISLEADING* (Score:1)
Obey or go to prison (Score:1)