Microsoft Azure Platform Certified "Secure" By Department of Defense
cagraham writes "Microsoft's cloud storage platform Azure received its first government certification yesterday, less than 24 hours before the official shutdown. The certification, which grants Azure 'Provisional Authority to Operate,' should make it easier for Microsoft to compete with rivals like IBM and Amazon Web Services for government contracts. The certification signifies that the Department of Defense, Homeland Security, and US General Services Administration have all deemed Azure safe from external hackers. Government cloud contracts are a lucrative market, as seen by Amazon's recent tussle with IBM over a $600M contract for a private CIA cloud."
. . . the backdoor for the NSA is really well protected.
So Microsoft has finally got all their systems working properly with the government-requested backdoors and decryption methodologies.
Undetectable Steganography? Yep, there's an app fo
muhahaha, I believe, is the correct response
... also.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
Please make all NSA related comments here.
Thanks.
Robert:
We've been watching your comments here and on other internet sites and we want you to stop it.
-NSA
Oh! And stop playing with yourself! And MILF Bestiality? You got issues!
This must be part of the Open Government Initiative that the US administration has been promising: http://www.whitehouse.gov/open
No sig. Move along - nothing to see here.
So it's only the ones already in the box that we have to worry about.
DOD's entire IT department retired today.
:)
Each to their own private island.
If I were God, wouldn't I protect my churches from acts of me?
It was always valid, we just needed better performance.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion. -- Spazmania (174582)
That's just funny for so many reasons!
I think Microsoft should advertise this. Outside hackers will love the challenge. Locks only keep the honest people out.
I would have a sig but I am too busy updating programs and restarting my computer
Who defines "secure"? Who performed the audit to ensure the security? How often will audits be performed to ensure that Azure stays secure? What happens when Microsoft goes bankrupt?
Call me cynical, but I have no confidence that anyone who has the credentials and capabilities to ensure that Azure is secure actually did so for the Government. Sure there are really bright people at the DoD but I'm sure more bureaucrats were involved than engineers.
Also, what's the plan for when Microsoft goes bankrupt? It sounds far fetched but on a 20 to 30 year time frame Microsoft's continued existence seems questionable.
Microsoft is. NSAbox1. No start menu. Technet dead. And now this. This is just so sad it is funny.
Seriously, how can anything be secure when there's nobody securing it?
-- Tigger warning: This post may contain tiggers! --
It's funny seeing this headline less than 1.5 hours after the "Former Microsoft Privacy Chief Doesn't Trust Company, Uses Open Source Software" story was posted.
Which party should I trust?
Trust the Computer, Citizen!
(yes, it's a game reference)
Thank God!
...when I worked in "Academic Computing" on the campus of the college I went to. What that really meant was I was one of five students allowed to touch the AS/400 we had. I remember my boss in a presentation where he boasted that AIX had never been hacked and I snorted. He looked at me puzzled and I said, "Is it available for export?" Answer was yes. "Well, it has a backdoor that the NSA can use. Furthermore, how many of their premiere tech support staff, you know, the people they send out in the field, work for IBM and draw a nice second paycheck from (insert 3 letter agency here)?" After all, that's how the CIA spied on the Soviet Embassy. They sent in a Xerox employee who also worked for the CIA to do maintenance on their Xerox machine...
Of course this was back at a time where very few outside of the military even knew the NSA existed or what they did. I was aware of them because I was following their Security Enhanced Linux developments at the time.
He didn't believe me. Recently got an email from him stating that it appears the arrogant 20 year old kid 13 years ago turned out to be largely correct about NSA capabilities....
It also didn't hurt that my father was an executive at one of the major defense contractors (hint: they built fighter planes like the F-15, F-18 and AV-8B). All my neighbors were engineers at the same company. I grew up in that world. I remember asking what happened if we sold F-15s to country X and they used them against us: see Iran and the 1970s. The response I got was, "There are contingencies built into the systems", i.e. there was another reason the Israeli air force remained grounded during the first Gulf War...
"The problem with socialism is eventually you run out of other people's money" - Thatcher.
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
not from....for :D
I've always said English was my second language. Had Romeo and Juliet been written in C, I might have understood it.
It's been given the green light from NSA folks
Fuck Beta
from what..and from whom?
-Hackus
Got Geometrodynamics? Awe, too hard to figure out? Too bad.
For moderate security, you should always assume the attacker is already in your datacenter, behind your firewall. Once you have that mindset, there's no harm per se in having the server in the cloud. The interesting question is "how precisely does that cloud work"; merely grunting "cloud bad" isn't helpful.
For high security it's about how many tanks and machine guns protect the bunker with your servers, so "cloud" can only be the "hire a company to do it in our datacenter" approach.
Socialism: a lie told by totalitarians and believed by fools.
"The FedRAMP security assessment process defines a set of controls for low and moderate impact level systems based on NIST SP 800-53 controls." (FedRAMP Website) The key words here are "for LOW AND MODERATE impact level systems." Low and medium robustness are what the government usually accepts. All kinds of stuff that was routinely compromised fits that profile too.

The Shapiro [1] paper on the Windows EAL4 evaluation illustrated why it actually meant "certified insecure" and sadly still applies to this one. At least the NIST standard has plenty of useful controls to keep out the riff-raff attackers.

The EAL7 or Orange Book A1 certifications are very rigorous security standards. So few products reached that level that I could fit many of their names in a single tweet (97 characters actually). Cygnacom has a nice breakdown [2] of the assurance levels and the extra work that must be done to verify the entire lifecycle to reach something resembling secure. Such solutions look... nothing like Azure. And Azure was neither built on such standards nor evaluated to one. It's not secure. QED.

Nick P, Security Engineer, schneier.com contributor

1. http://www.eros-os.org/~shap/NT-EAL4.html/
2. http://www.cygnacom.com/labs/cc_assurance_index/CCinHTML/PART3/PART36.HTM/
That alone is a dead giveaway that it's anything but secure for anyone else.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
That's like making recommendations from noteworthy burglars the selling point for a lock.
Of course Azure is secure - nobody uses it.
"Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
The problem is that security is ALWAYS your problem. Always. Because if you hand it over to someone else, that implies that you completely trust the entity you entrust your data to. You just shift the problem, from having to secure something to having to trust someone.
Now, essentially you're doing that all the time. Even if you have someone in house instead of "outsourcing" it to a third party. But unlike with the third party, you can take a closer look at the person or the people you entrust it to. You can check and double-check their background, screen them thoroughly, and depending on your country even go as far as snooping in their private life and finding out whether or not they are trustworthy on a very personal level. You can NOT do that when you hand security over to a third party, since you will not have any chance to find out what person or what group of people will be responsible for handling your data. Worse, the personal responsibility is way lower. If your security officer fucks up, you can fire him and it's pretty certain that his career takes a nose dive. Imagine his motivation to do whatever is necessary to keep your security at level. Now compare that to a company like MS, IBM or the like. Do you think anyone there needs to worry about his job over a data breach? Or even his career?
Who do you think is a lot more motivated to keep it from happening, if necessary at his own expense? Who will go to whatever lengths it takes to ensure your data is protected, intact and available no matter the cost? Who will most definitely spend every penny of a budget you hand him on security rather than some job perks?
In a nutshell, security is something I would not hand over to a third party unless you're SO small as a company that it simply isn't feasible to have a dedicated security officer on your staff. And then I'd rather hire one person on an hourly basis than hand it to some corporation that doesn't care about your security beyond the monthly bill they send you.
The "security for dummies" approach says simply, ensure the data is well encrypted as long as it is not on a machine that is close enough for you to kick it. :)
Contrary to popular belief and press releases from Microsoft and/or AWS, FedRAMP *DOES NOT* imply a system is "secure". Don't believe me? Read the FedRAMP CONOP (http://tinyurl.com/op6lz2o). You'll notice the CONOP doesn't state a CSP is "secure" just because the system has been reviewed for compliance. FedRAMP is all about ensuring a cloud solution is assessed and the results are shared. This makes it easier for the gov't to procure CSP services and make risk-based decisions. Don't be fooled by the marketing material.
What happens when newspapers choose to use Azure, AWS, etc., because the sales people convince newspaper CEOs that they should use U.S.-based cloud services because the U.S. government dubs the service secure?
I hate stupid litigation, but I would sue any newspaper for failure to take measures to properly protect their sources the moment they use a U.S.-based cloud.
How about medical records?
How about psychological records?
How about juvenile records?
How about adoption records?
How about engineering designs?
Companies all over the world are using Amazon, Google, DropBox, Microsoft and more to store their data. This is because CxOs are signing agreements without properly understanding that they are illegally making their data more or less freely available to the American government.
People need to make noise and inform the decision makers that just because the DoD says a service is secure, it doesn't mean that their data is safe.
Want to see the worst one? How about SAP cloud services? This system is actually able to topple countries if the U.S. decides to make use of "legal taps" to launch "cyber warfare" against some countries.
Note, I know I'm blowing it a bit out of proportion, but I'm intentionally making these points to make others think about it and hopefully dig deeper.
This is what will happen to you if you don't cooperate: http://rt.com/usa/qwest-ceo-nsa-jail-604/