Microsoft Azure Platform Certified "Secure" By Department of Defense
cagraham writes "Microsoft's cloud storage platform Azure received their first government certification yesterday, less than 24 hours before the official shutdown. The certification, which grants Azure 'Provisional Authority to Operate,' should make it easier for Microsoft to compete with rivals like IBM and Amazon Web Services for government contracts. The certification signifies that the Department of Defense, Homeland Security, and US General Services Administration have all deemed Azure safe from external hackers. Government cloud contracts are a lucrative market, as seen by Amazon's recent tussle with IBM over a $600M contract for a private CIA cloud."
Undetectable Steganography? Yep, there's an app fo
muhahaha, i believe, is the correct response
Please make all NSA related comments here.
Thanks.
Errr...ummm...just sayin'
LOL! :)
http://yro.slashdot.org/story/13/10/01/1238216/former-microsoft-privacy-chief-doesnt-trust-company-uses-open-source-software
... also.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
This must be part of the Open Government Initiative that the US administration has been promising: http://www.whitehouse.gov/open
No sig. Move along - nothing to see here.
It's funny seeing this headline less than 1.5 hours after the "Former Microsoft Privacy Chief Doesn't Trust Company, Uses Open Source Software" story was posted.
Which party should I trust?
DOD's entire IT department retired today.
:)
Each to their own private island.
If I were God, wouldn't I protect my churches from acts of me?
It was always valid, we just needed better performance.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion. -- Spazmania (174582)
That's just funny for so many reasons!
I think Microsoft should advertise this. Outside hackers will love the challenge. Locks only keep the honest people out.
I would have a sig but I am too busy updating programs and restarting my computer
Certifies that straw house is secure.
Who defines "secure"? Who performed the audit to ensure the security? How often will audits be performed to ensure that Azure stays secure? What happens when Microsoft goes bankrupt?
Call me cynical, but I have no confidence that anyone who has the credentials and capabilities to ensure that Azure is secure actually did so for the Government. Sure there are really bright people at the DoD but I'm sure more bureaucrats were involved than engineers.
Also, what's the plan for when Microsoft goes bankrupt? It sounds far fetched but on a 20 to 30 year time frame Microsoft's continued existence seems questionable.
Microsoft is. NSAbox1. No start menu. Technet dead. And now this. This is just so sad it is funny.
Seriously, how can anything be secure when there's nobody securing it?
-- Tigger warning: This post may contain tiggers! --
I saw a talk this past summer about Microsoft's security architecture for Azure. The devil is in the details, of course. I am only really familiar with AWS but Microsoft's approach is quite different. In AWS, security is really up to you when you deploy an application to Amazon's cloud. Azure is tilting the other way -- they are providing an environment where security services are part of the platform.
For those who are interested in a technical discussion instead of Microsoft-bashing and snarky remarks about the NSA (how original!), I found a PDF that explains what they're doing. This is quite similar to the talk I attended. Some of it is over my head and some of it is not really spelled out in detail, but I can tell it is quite divergent from AWS's approach of saying "here's your cloud, now security is your problem."
Given how hard it is to securely configure a server on the Internet, I can see value in the cloud provider doing {some,most} of the work for you. My exposure to other cloud providers is limited -- is there another company out there who is trying to provide security as a ready-made feature of their platform offerings?
[Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.
Thank God!
...when I worked in "Academic Computing" on the campus of the college I went to. What that really meant was I was one of five students allowed to touch the AS/400 we had. I remember my boss in a presentation where he boasted that AIX had never been hacked and I snorted. He looked at me puzzled and I said, "Is it available for export?" Answer was yes. "Well, it has a backdoor that the NSA can use. Furthermore, how many of their premier tech support staff, you know, the people they send out in the field, work for IBM and draw a nice second paycheck from (insert 3 letter agency here)?" After all, that's how the CIA spied on the Soviet Embassy. They sent in a Xerox employee who also worked for the CIA to do maintenance on their Xerox machine...
Of course this was back at a time where very few outside of the military even knew the NSA existed or what they did. I was aware of them because I was following their Security Enhanced Linux developments at the time.
He didn't believe me. Recently got an email from him stating that it appears the arrogant 20-year-old kid 13 years ago turned out to be largely correct about NSA capabilities....
It also didn't hurt that my father was an executive at one of the major defense contractors (hint: they built fighter planes like the F-15, F-18 and AV-8B). All my neighbors were engineers at the same company. I grew up in that world. I remember asking what happened if we sold F-15s to country X and they used them against us: see Iran and the 1970s. The response I got was, "There are contingencies built into the systems," i.e. there was another reason the Israeli air force remained grounded during the first Gulf War...
"The problem with socialism is eventually you run out of other people's money" - Thatcher.
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
Certainly not for anyone outside of the US organs of State. And certainly for nobody outside of the borders of the US.
You would have to be insane if you were a non-US government, to use M$ crap now, or Crapple for that matter, either that or a US lapdog.
Well...Since the NSA certified it...
"Secure" meaning . . . . . . the backdoor for the NSA is really well protected.
So the Microsoft has finally got all their systems working properly with the government requested backdoors and decryption methodologies.
"... SAFE from EXTERNAL hackers..." So it's only the ones already in the box that we have to worry about.
Hey, HEY, HEY ... Look, Ballmer's almost gone -- give M$ a break already. It's all set up so that the week after the new guy starts, the NSA will be using Azure SharePoint
(It's a shame that he wasn't the one being punched, though.)
not from....for :D
I've always said English was my second language. Had Romeo and Juliet been written in C, I might have understood it.
It don't mean MS will get a contract
Means M$ have been pulling some strings
Government Users of Linux
White House
U.S. Department of Defense
U.S. Navy Submarine Fleet
Federal Aviation Administration
U.S. Postal Service
U.S. Federal Courts
US Homeland Security
It's given the green light from NSA folks
Fuck Beta
from what..and from whom?
-Hackus
Got Geometrodynamics? Awe, too hard to figure out? Too bad.
"The FedRAMP security assessment process defines a set of controls for low and moderate impact level systems based on NIST SP 800-53 controls." (FedRAMP Website) The key words here are "for LOW AND MODERATE impact level systems." Low and medium robustness are what the government usually accepts. All kinds of stuff that was routinely compromised fits that profile too. The Shapiro [1] paper on the Windows EAL4 evaluation illustrated why it actually meant "certified insecure" and sadly still applies to this one. At least the NIST standard has plenty of useful controls to keep out the riff-raff attackers. The EAL7 or Orange Book A1 certifications are very rigorous security standards. So few products reached that level that I could fit many of their names in a single tweet (97 characters actually). Cygnacom has a nice breakdown [2] of the assurance levels and extra work that must be done to verify the entire lifecycle to reach something resembling secure. Such solutions look... nothing like Azure. And Azure was neither built on such standards nor evaluated to one. It's not secure. QED.
Nick P, Security Engineer, schneier.com contributor
1. http://www.eros-os.org/~shap/NT-EAL4.html/
2. http://www.cygnacom.com/labs/cc_assurance_index/CCinHTML/PART3/PART36.HTM/
That alone is a dead giveaway that it's anything but secure for anyone else.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Of course Azure is secure - nobody uses it.
"Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
Against popular beliefs and press releases from Microsoft and/or AWS, FedRAMP *DOES NOT* imply a system is "secure". Don't believe me? Read the FedRAMP CONOP. (http://tinyurl.com/op6lz2o). You'll notice the CONOP doesn't state a CSP is "secure" just because the system has been reviewed for compliance. FedRAMP is all about ensuring a cloud solution is assessed and the results are shared. This makes it easier for the gov't to procure CSP services and make risk based decisions. Don't be fooled by the marketing material.
Security doublespeak is some of the funniest doublespeak of all. "We hereby certify that this system is secure from the set of attacks that it is secure from."
Clown storage - for those who like to store their data in the clown.
What happens when newspapers choose to use Azure, AWS, etc... because the sales people convince newspaper CEOs that they should use U.S.-based cloud services because the U.S. government dubs the service secure?
I hate stupid litigation, but I would sue any newspaper for failure to take measures to properly protect their sources the moment they use a U.S.-based cloud.
How about medical records?
How about psychological records?
How about juvenile records?
How about adoption records?
How about engineering designs?
Companies all over the world are using Amazon, Google, Dropbox, Microsoft and more to store their data. This is because CxOs are signing agreements without properly understanding that they are illegally making their data more or less freely available to the American government.
People need to make noise and inform the decision makers that just because the DoD says a service is secure, it doesn't mean that their data is safe.
Want to see the worst one? How about SAP cloud services? This system is actually able to topple countries if the U.S. decides to make use of "legal taps" to launch "cyber warfare" against some countries.
Note, I know I'm blowing it a bit out of proportion, but I'm intentionally making these points to make others think about it and hopefully dig deeper.
This is what will happen to you if you don't cooperate: http://rt.com/usa/qwest-ceo-nsa-jail-604/