
Microsoft Azure Platform Certified "Secure" By Department of Defense

timothy posted about 7 months ago | from the until-proven-otherwise dept.


cagraham writes "Microsoft's cloud storage platform Azure received their first government certification yesterday, less than 24 hours before the official shutdown. The certification, which grants Azure 'Provisional Authority to Operate,' should make it easier for Microsoft to compete with rivals like IBM and Amazon Web Services for government contracts. The certification signifies that the Department of Defense, Homeland Security, and US General Services Administration have all deemed Azure safe from external hackers. Government cloud contracts are a lucrative market, as seen by Amazon's recent tussle with IBM over a $600M contract for a private CIA cloud."


90 comments

"Secure" meaning . . . (5, Insightful)

StefanJ (88986) | about 7 months ago | (#45003731)

. . . the backdoor for the NSA is really well protected.

Re:"Secure" meaning . . . (2)

Bill_the_Engineer (772575) | about 7 months ago | (#45003879)

Since this certification is one step towards allowing government agencies to use Azure, your comment isn't relevant. No backdoor needed.

Re:"Secure" meaning . . . (0)

Anonymous Coward | about 7 months ago | (#45004071)

Yes it is relevant. The US Government consists of many entities besides the NSA. In order to effectively protect us, the NSA needs to be able to effectively spy on other parts of the US Government; not just on other agencies.

Re:"Secure" meaning . . . (1, Insightful)

Bill_the_Engineer (772575) | about 7 months ago | (#45004313)

Straw man? There is no need for backdoors for governmental computing since oversight mechanisms are already in place. Back doors are for private entities which is outside this certification's scope.

Re:"Secure" meaning . . . (0)

Anonymous Coward | about 6 months ago | (#45010541)

Oh "Bill_the_Engineer", either you are just trying to troll up a flame war or you just don't really see the big picture. You are either one of the ones that will be embraced by the new order or purged. History seems to support me on that. It's about human nature, not policies.

This is a necessary debate (1)

LostMyBeaver (1226054) | about 6 months ago | (#45011077)

What happens when newspapers choose to use azure, aws, etc... Because the sales people convince newspaper CEOs that they should use U.S. based cloud services because the U.S. government dubs the service secure?

I hate stupid litigation, but I would sue any newspaper for failure to take measures to properly protect their sources the moment they use a U.S. based cloud.

How about medical records?

How about psychological records?

How about juvenile records?

How about adoption records?

How about engineering designs?

Companies all over the world are using Amazon, Google, DropBox, Microsoft and more to store their data. This is because CxOs are signing agreements without properly understanding that they are illegally making their data more or less freely available to the American government.

People need to make noise and inform the decision makers that just because the DoD says a service is secure, it doesn't mean that their data is safe.

Want to see the worst one? How about SAP cloud services? This system is actually able to topple countries if the U.S. decides to make use of "legal taps" to launch "cyber warfare" against some countries.

Note, I know I'm blowing it a bit out of proportion, but I'm intentionally making these points to make others think about it and hopefully dig deeper.

Re:This is a necessary debate (1)

Bill_the_Engineer (772575) | about 6 months ago | (#45015369)

I'm not saying you don't have a concern. What I am saying is that the certification mentioned in the article has nothing to do with your concerns. The certification has everything to do with the government contracting services from Microsoft Azure, but has nothing to do with the security of non-governmental (more accurately non-US governmental) users.

Re:"Secure" meaning . . . (0)

Anonymous Coward | about 6 months ago | (#45012929)

You see it wrong... Who will oversee the oversight mechanisms? There is ALWAYS a need for back doors.

Re:"Secure" meaning . . . (2)

davester666 (731373) | about 6 months ago | (#45005523)

This is the 'carrot' side. You get a nice juicy gov't contract if you remain helpful in our fight against evil terrorists and child molesters!

Re:"Secure" meaning . . . (0)

Anonymous Coward | about 6 months ago | (#45008539)

It's the same with Hollywood war/action movies. If you want to make a movie that involves American military equipment (not CGI), the military will ask to see your script first and they'll lend you equipment and expert advisors only if the script makes the American military look good.

Re:"Secure" meaning . . . (1)

dmbasso (1052166) | about 7 months ago | (#45003935)

[...]have all deemed Azure safe from external hackers.

Yep, the internal hackers are assured.

Re:"Secure" meaning . . . (1)

farrellj (563) | about 7 months ago | (#45005295)

How many hours/days will it be before they are pwned?

That is, pwned by someone other than the NSA...:-)

Re:"Secure" meaning . . . (1)

oodaloop (1229816) | about 7 months ago | (#45003963)

Um, why would they put a backdoor in a platform they were going to use for themselves?

Re:"Secure" meaning . . . (2)

gmuslera (3436) | about 7 months ago | (#45004145)

Because they are "sure" that they are the only ones that could exploit it. And backdoor could mean only in-place access, as in them having a machine in that network with privileged access to everywhere. Also, probably the government uses plenty of Windows on their desktops, with backdoor or not.

Re:"Secure" meaning . . . (2)

gl4ss (559668) | about 7 months ago | (#45004245)

so that they don't have to bother with things like permits, court orders etc things that tie up la.. investigators time.

Re:"Secure" meaning . . . (0)

Anonymous Coward | about 7 months ago | (#45004399)

After working for a Prime Contractor for a Federal Department, I recognize that the Federal Government ("The System", the "Suits", Management, the people) trust No One--especially other Federal Government workers. Backdoors help the watchers watch the other watchers. This is not the corporate world with all of its paranoia, it is the Federal Government with Paranoia at the highest levels possible for humans or machines.

Re:"Secure" meaning . . . (1)

mlts (1038732) | about 6 months ago | (#45006905)

Realistically, I wish more data centers had these criteria. It means that they can get audited at any time for security or process. Of course, this sounds like needless paperwork and red tape, but this is a good thing overall. It beats having a data center where security is an afterthought at best. It also means that there are people actively watching the IDS/IPS installations.

For example, parts of this compliance even mean that all the data on the hard disks is encrypted (DAR or data at rest protection). This sounds silly, but it does guard against data loss if physical drives are stolen [1] and it also helps when servers get decommissioned in ensuring that data stays destroyed.

[1]: What good it would do without knowing how the RAID controller stores data is secondary, of course.

Re:"Secure" meaning . . . (0)

Anonymous Coward | about 7 months ago | (#45004617)

You think the NSA doesn't want to spy on DoD employees?

Re:"Secure" meaning . . . (1)

AHuxley (892839) | about 6 months ago | (#45010211)

Re doesn't want to spy on ... employees?
It can be an interesting saga. Fly in weapons and support for 'freedom' fighters via front companies, but can your 'wage' legally exist?
Wage rich, tax statement poor. Any outside agency with that kind of insight has long term power over individuals.

Re:"Secure" meaning . . . (0)

Anonymous Coward | about 7 months ago | (#45003987)

No need to overstate it; "Administration have all deemed Azure safe from external hackers" is perfectly accurate.

Re:"Secure" meaning . . . (4, Interesting)

Hoi Polloi (522990) | about 7 months ago | (#45004239)

The certification makes it easy for foreign entities to avoid it like the plague.

Re:"Secure" meaning . . . (2)

steelfood (895457) | about 7 months ago | (#45004849)

This is Microsoft. Their data center is in the U.S. The only backdoor any three-letter agency needs to gain entry is the loading dock.

Re:"Secure" meaning . . . (1)

mendax (114116) | about 6 months ago | (#45010533)

This is Microsoft. Their data center is in the U.S. The only backdoor any three-letter agency needs to gain entry is the loading dock.

The only three-letter agency I'd choose to trust is IBM.

Re:"Secure" meaning . . . (1)

Karmashock (2415832) | about 6 months ago | (#45005775)

exactly... a DoD certification might not be a good thing any more. It was once a mark of pride. Something a company could point to as a feather in their cap. But now? It means the feds have gone through it. And that might mean they left something behind.

Re:"Secure" meaning . . . (1)

anubi (640541) | about 6 months ago | (#45010789)

I think it has everything to do with "plausible deniability"; that is Microsoft has a design legacy of products needing a heck of a lot of security related patches.

Any government worker who knowingly specified a product with known security issues might be held personally accountable for his actions

This whole rating is like the Wall Street ratings - I see it as a useless metric, as it is more a mechanism to let someone who specified its use off the hook for the ramifications of his decision. These ratings, like laws approved by lobbied Congressmen, are a purchasable commodity - a tool to be used to provide plausible deniability for shifting responsibility to a hard-to-pin-down entity.

Re:"Secure" meaning . . . (1)

Karmashock (2415832) | about 6 months ago | (#45012107)

I agree. Beyond that, I would say some of these ratings might have hidden costs. If MS was just paying money for it then that might be one thing. But what if the condition is having a back door put into the product. At this point, who trusts them?

Finally it works to Gov. Specs. (5, Insightful)

arthurpaliden (939626) | about 7 months ago | (#45003735)

So the Microsoft has finally got all their systems working properly with the government requested backdoors and decryption methodologies.

Re:Finally it works to Gov. Specs. (1)

Anonymous Coward | about 7 months ago | (#45004455)

"We got your back" is short form for "We got your backdoors".

Keep your friends close and your enemy closer. The government agencies are like one big dysfunctional family. They don't necessarily like each other.

Re:Finally it works to Gov. Specs. (0)

Anonymous Coward | about 7 months ago | (#45004471)

Why do reactionary, stupid comments like the above get uprated to 5, Insightful? Is the current Slashdot readership really that confused?

Re:Finally it works to Gov. Specs. (1)

westlake (615356) | about 7 months ago | (#45004921)

So the Microsoft has finally got all their systems working properly with the government requested backdoors and decryption methodologies.

The certification means that the Azure platform can be used by the DoD, Homeland Security and the GSA. If those agencies are compromised to the point where a backdoor can be unlocked, you have bigger problems than Azure.

Re:Finally it works to Gov. Specs. (1)

deanpole (185240) | about 6 months ago | (#45010759)

LOL. When Microsoft got Windows NT certified for encryption (FIPS 140-2), the certification didn't include a network connection. Installing a network card, never mind a cable, voided the certification.

NSA Stub (0)

Anonymous Coward | about 7 months ago | (#45003745)

Please make all NSA related comments here.

Thanks.

Re:NSA Stub (1)

Anonymous Coward | about 7 months ago | (#45003787)

Please make all NSA related comments here.

Thanks.

Robert:

We've been watching your comments here and on other internet sites and we want you to stop it.

-NSA

Oh! And stop playing with yourself! And MILF Bestiality? You got issues!

'Secure'?!! Ha! (0)

Anonymous Coward | about 7 months ago | (#45003749)

Errr...ummm...just sayin'

LOL! :)
http://yro.slashdot.org/story/13/10/01/1238216/former-microsoft-privacy-chief-doesnt-trust-company-uses-open-source-software

That means the NSA finally validated the backdoor? (-1)

Anonymous Coward | about 7 months ago | (#45003767)

That means the NSA finally validated the backdoor?

US government assures economy is recovering (1)

smash (1351) | about 7 months ago | (#45003777)

... also.

Re:US government assures economy is recovering (2)

NoNonAlphaCharsHere (2201864) | about 7 months ago | (#45003895)

Well, it is. The billionaire bankers and HFT guys are doing very well.

Re:US government assures economy is recovering (1)

Anonymous Coward | about 7 months ago | (#45004197)

Well, it is. The billionaire bankers and HFT guys are doing very well.

Unfortunately, in some schools of economic thought, that is how you measure a healthy economy.

It's a lie, but that's how it's interpreted. The rest of us can eat cake, that is, if we could afford cake.

According to some Republicans, if corporate profits are up and the populace is unemployed, they're winning.

It's a theory which can only bankrupt the rest of us, and speed us along to becoming corporate serfs who are accustomed to government spying.

Because Republicans only want the parts of the government they disagree with smaller, and the rest ramped up to obscene levels.

Re:US government assures economy is recovering (2)

Jawnn (445279) | about 6 months ago | (#45006515)

Damn right, you socialist slacker. Privatize the profits and socialize the expense, whenever and wherever possible. Oh, and you forgot the part about cutting taxes for the wealthy... er..., I mean the "job creators". Joe Sixpack will just hear "tax cuts" and think that we meant that for him.

"... SAFE from EXTERNAL hackers..." (5, Insightful)

Anonymous Coward | about 7 months ago | (#45003839)

So it's only the ones already in the box that we have to worry about.

DoD vs. Former Microsoft Privacy Chief (0)

Anonymous Coward | about 7 months ago | (#45004021)

It's funny seeing this headline less than 1.5 hours after the "Former Microsoft Privacy Chief Doesn't Trust Company, Uses Open Source Software" story was posted.

Which party should I trust?

Re:DoD vs. Former Microsoft Privacy Chief (1)

WillAffleckUW (858324) | about 7 months ago | (#45004521)

It's funny seeing this headline less than 1.5 hours after the "Former Microsoft Privacy Chief Doesn't Trust Company, Uses Open Source Software" story was posted.

Which party should I trust?

Trust the Computer, Citizen!

(yes, it's a game reference)

"Secure" meaning . . . (-1)

Anonymous Coward | about 7 months ago | (#45004143)

. . . the backdoor for the NSA is really well protected.

New Target (1)

X-Ray Artist (1784416) | about 7 months ago | (#45004369)

I think Microsoft should advertise this. Outside hackers will love the challenge. Locks only keep the honest people out.

Big Bad Wolf (0)

Anonymous Coward | about 7 months ago | (#45004413)

Certifies that straw house is secure.

Who defines "secure" (1)

EMG at MU (1194965) | about 7 months ago | (#45004431)

Who defines "secure"? Who performed the audit to ensure the security? How often will audits be performed to ensure that Azure stays secure? What happens when Microsoft goes bankrupt?

Call me cynical, but I have no confidence that anyone who has the credentials and capabilities to ensure that Azure is secure actually did so for the Government. Sure there are really bright people at the DoD but I'm sure more bureaucrats were involved than engineers.

Also, what's the plan for when Microsoft goes bankrupt? It sounds far fetched but on a 20 to 30 year time frame Microsoft's continued existence seems questionable.

Re:Who defines "secure" (1)

mlts (1038732) | about 6 months ago | (#45007027)

Part of FISMA compliance is audits, both scheduled and random. There are many, many different controls that are checked, and too many exceptions might get the authority to operate revoked.

As for MS getting out of the cloud business, I'm sure there is a contractor who is more than willing to take over the data center and keep the operations going.

This compliance sounds like a lot of rubric, but it is overall a good thing. Beats just depending on the "trust me" words on a cloud provider's web page showing how secure they are.

Re:Who defines "secure" (1)

dbIII (701233) | about 6 months ago | (#45010779)

One day each leap year you get an air gap so it cannot possibly be any more secure :)
You'd think after the Zune they wouldn't make the same mistake with Azure and disable an entire product for a day worldwide, but that's what happened. It makes me wonder what else is wrong with it since there was such an obvious lack of attention to detail.

What DOD - it's all shut down (1)

WillAffleckUW (858324) | about 7 months ago | (#45004509)

Seriously, how can anything be secure when there's nobody securing it?

Re:What DOD - it's all shut down (1)

Anonymous Coward | about 7 months ago | (#45004817)

I guess I'm not at work then. Oh wait, I am.

You should probably do some research before making such statements. The only thing I've heard shut down that affected someone I know is that our shooting range is closed because the civilian range officers are not here. Yes, the army, where all of the computers are still running, but where we no longer actually do any training to shoot. I would love to see Patton's rant about how the wimp in chief has ruined the military.

Re:What DOD - it's all shut down (1)

WillAffleckUW (858324) | about 7 months ago | (#45004897)

Biomedical engineers are shut down at the Army Base near Seattle.

They just make sure the medical instruments are safe.

I think they're more essential, but that's just my view.

And the correct term is Commander in Chief, you REMF.

Microsoft's approach (0)

SirGarlon (845873) | about 7 months ago | (#45004577)

I saw a talk this past summer about Microsoft's security architecture for Azure. The devil is in the details, of course. I am only really familiar with AWS but Microsoft's approach is quite different. In AWS, security is really up to you when you deploy an application to Amazon's cloud. Azure is tilting the other way -- they are providing an environment where security services are part of the platform.

For those who are interested in a technical discussion instead of Microsoft-bashing and snarky remarks about the NSA (how original!), I found a PDF [microsoft.com] that explains what they're doing. This is quite similar to the talk I attended. Some of it is over my head and some of it is not really spelled out in detail, but I can tell it is quite divergent from AWS's approach of saying "here's your cloud, now security is your problem."

Given how hard it is to securely configure a server on the Internet, I can see value in the cloud provider doing {some,most} of the work for you. My exposure to other cloud providers is limited -- is there another company out there who is trying to provide security as a ready-made feature of their platform offerings?

Re:Microsoft's approach (0)

Anonymous Coward | about 7 months ago | (#45004857)

If you really need security you wouldn't be using any public cloud service. You'd do it yourself or you'd do it the way the CIA are planning to do: hire others (Amazon or IBM) to build a "private cloud" for them: http://fcw.com/articles/2013/03/18/amazon-cia-cloud.aspx [fcw.com]
http://seattletimes.com/html/businesstechnology/2021649799_amazonciaxml.html [seattletimes.com]

So why didn't Microsoft bid for the CIA project and win it?

Whatever it is, public cloud stuff isn't secure enough for a significant amount of the CIA's needs. At least USD600 million worth.

Re:Microsoft's approach (1)

lgw (121541) | about 6 months ago | (#45009441)

For moderate security, you should always assume the attacker is already in your datacenter, behind your firewall. Once you have that mindset, there's no harm per se in having the server in the cloud. The interesting question is "how precisely does that cloud work"; merely grunting "cloud bad" isn't helpful.

For high security it's about how many tanks and machine guns protect the bunker with your servers, so "cloud" can only be the "hire a company to do it in our datacenter" approach.

Re:Microsoft's approach (1)

Opportunist (166417) | about 6 months ago | (#45009963)

The "security for dummies" approach says simply, ensure the data is well encrypted as long as it is not on a machine that is close enough for you to kick it. :)

Re:Microsoft's approach (1)

Opportunist (166417) | about 6 months ago | (#45009949)

The problem is that security is ALWAYS your problem. Always. Because if you hand it over to someone else, that implies that you completely trust the entity you entrust your data to. You just shift the problem, from having to secure something to having to trust someone.

Now, essentially you're doing that all the time. Even if you have someone in house instead of "outsourcing" it to a third party. But unlike with the third party, you can take a closer look at the person or the people you entrust it to. You can check and double check their background, screen them thoroughly, depending on your country even go as far as snooping in their private life and finding out whether or not they are trustworthy on a very personal level. You can NOT do that when you hand security over to a third party since you will not have any chance to find out what person or what group of people will be responsible to handle your data. Worse, the personal responsibility is way lower. If your security officer fucks up, you can fire him and it's pretty certain that his career takes a nose dive. Imagine his motivation to do whatever is necessary to keep your security at level. Now compare that to a company like MS, IBM or the like. Do you think anyone there needs to worry about his job over a data breach? Or even his career?

Who do you think is a lot more motivated to keep it from happening, if necessary at his own expense? Who will go to whatever lengths it takes to ensure your data is protected, integer and available no matter the cost? Who will most definitely spend every penny of a budget you hand him on security rather than some job perks?

In a nutshell, security is something I would not hand over to a third party unless you're SO small as a company that it simply isn't feasible to have a dedicated security officer on your staff. And then I'd rather hire one person on an hourly basis rather than handing it to some corporation who doesn't care about your security beyond the monthly bill they send you.

Reminds me of a conversation... (5, Interesting)

ducomputergeek (595742) | about 7 months ago | (#45004741)

...when I worked in "Academic Computing" on the campus of the college I went to. What that really meant was I was one of five students allowed to touch the AS/400 we had. I remember my boss in a presentation where he boasted that AIX had never been hacked and I snorted. He looked at me puzzled and I said, "Is it available for export?" Answer was yes, "Well it has a backdoor that the NSA can use. Furthermore, how many of their premiere tech support staff, you know the people they send out in the field, work for IBM and draw a nice second paycheck from (insert 3 letter agency here)?" After that's how the CIA spied on the Soviet Embassy. They sent in a Xerox employee who also worked for the CIA to do maintenance on their Xerox machine...

Of course this was back at a time where very few outside of the military even knew the NSA existed or what they did. I was aware of them because I was following their Security Enhanced Linux developments at the time.

He didn't believe me. Recently got an email from him stating that it appears the arrogant 20 year old kid 13 years ago turned out to be largely correct about NSA capabilities....

It also didn't hurt that my father was an executive at one of the major defense contractors (hint: they built fighter planes like the F-15 & F-18 & AV-8B). All my neighbors were engineers at the same company. I grew up in that world. I remember asking what happened if we sold F-15's to country X and they used them against us: see Iran and the 1970's. The response I got was, "There's contingencies built into the systems", i.e. there was another reason the Israeli air force remained grounded during the first gulf war...

Re:Reminds me of a conversation... (2)

roc97007 (608802) | about 7 months ago | (#45005229)

Fascinating. Mod up. I'm aware of some of that stuff, (a part for which I wrote code is in the F16, or at least was in the late seventies) but I never connected it to warning our allies to keep their US-supplied planes grounded during certain offensives. Makes total sense.

Re:Reminds me of a conversation... (0)

Anonymous Coward | about 6 months ago | (#45005847)

Israel uses a lot of custom electronics, in particular those for encrypted communications.
Perhaps it is just that the US didn't provide the codes to identify as a friendly.

Re:Reminds me of a conversation... (0)

Anonymous Coward | about 6 months ago | (#45010925)

No parents or friends in the defense industry, but if you look around at weapons sales, like what Russia will or will not sell Syria, it seems like there are some deals between the major players to never sell technology that would put the big players' military at any risk. Also if they do sell the technology it seems likely that some critical components are degraded. Syria, again, as an example was supposed to have a great Russian supplied air defense system but somehow it just totally failed when Israel decided to do some bombing.

ok, so.. (4, Interesting)

roc97007 (608802) | about 7 months ago | (#45005175)

...having worked for a company that did this type of stuff for the government, and seeing the process first hand, what I observe is that the certification is not necessarily done by someone with a deep knowledge of security. It's done by a bored inspector with some training, checking off line items, sometimes for political reasons, sometimes for business reasons, or sometimes because the inspector wants to make his flight back to Virginia. So, great, it passed. Until it gets pwned. Then starts the long process of plugging an individual hole, getting pwned again, plugging another hole, getting pwned again. You know, the usual Microsoft patch cycle.

Secure for who? (0)

Anonymous Coward | about 6 months ago | (#45005567)

Certainly not for anyone outside of the US organs of State. And certainly for nobody outside of the borders of the US.
You would have to be insane if you were a non-US government, to use M$ crap now, or Crapple for that matter, either that or a US lapdog.

Hahahahahahaha (0)

Anonymous Coward | about 6 months ago | (#45005595)

Well...Since the NSA certified it...

"Azure Secure" says Government. (0)

Anonymous Coward | about 6 months ago | (#45005615)

"Secure" meaning . . . . . . the backdoor for the NSA is really well protected.

So the Microsoft has finally got all their systems working properly with the government requested backdoors and decryption methodologies.

"... SAFE from EXTERNAL hackers..." So it's only the ones already in the box that we have to worry about.

Hey, HEY, HEY ... Look, Ballmer's almost gone [cnbc.com] -- give M$ a break already. It's all set up so that the week after the new guy starts, the NSA will be using Azure SharePoint [betanews.com]

(It's a shame that he wasn't the one being punched, though.)

MS secure LOL (0)

Anonymous Coward | about 6 months ago | (#45005869)

It doesn't mean MS will get a contract.
Means M$ have been pulling some strings.

Government Users of Linux:
White House
U.S. Department of Defense
U.S. Navy Submarine Fleet
Federal Aviation Administration
U.S. Postal Service
U.S. Federal Courts
US Homeland Security

certified NOT secure (1)

Kishin (2859885) | about 6 months ago | (#45009595)

"The FedRAMP security assessment process defines a set of controls for low and moderate impact level systems based on NIST SP 800-53 controls." (FedRAMP Website) The key words here are "for LOW AND MODERATE impact level systems." Low and medium robustness are what the government usually accepts. All kinds of stuff that was routinely compromised fits that profile too. The Shapiro [1] paper on the Windows EAL4 evaluation illustrated why it actually meant "certified insecure" and sadly still applies to this one. At least the NIST standard has plenty of useful controls to keep out the riff raff attackers. The EAL7 or Orange Book A1 certification are very rigorous security standards. So few products reached that level that I could fit many of their names in a single tweet (97 characters actually). Cygnacom has a nice breakdown [2] of the assurance levels and extra work that must be done to verify the entire lifecycle to reach something resembling secure. Such solutions look... nothing like Azure. And Azure was neither built on such standards nor evaluated to one. It's not secure. QED.

Nick P, Security Engineer, schneier.com contributor

1. http://www.eros-os.org/~shap/NT-EAL4.html/ [eros-os.org]
2. http://www.cygnacom.com/labs/cc_assurance_index/CCinHTML/PART3/PART36.HTM/ [cygnacom.com]

Re:certified NOT secure (1)

akh (240886) | about 6 months ago | (#45011435)

FYI, both pages are 404s because of the trailing slash. These links work:

http://www.eros-os.org/~shap/NT-EAL4.html [eros-os.org]
http://www.cygnacom.com/labs/cc_assurance_index/CCinHTML/PART3/PART36.HTM [cygnacom.com]

Re:certified NOT secure (1)

Kishin (2859885) | about 6 months ago | (#45019333)

Thanks for that! :) The funny thing is that I put trailing slashes in there because that's how the Slashdot advice said to do it: "(markuptag here) will auto-link a URL." It had a trailing slash in the URL. Those darned documentation writers...

certified NOT secure (1)

Kishin (2859885) | about 6 months ago | (#45009657)

"The FedRAMP security assessment process defines a set of controls for low and moderate impact level systems based on NIST SP 800-53 controls." (FedRAMP Website) The key words here are "for LOW AND MODERATE impact level systems." Low and medium robustness are what the government usually accepts. All kinds of stuff that was routinely compromised fits that profile too. The Shapiro [1] paper on the Windows EAL4 evaluation illustrated why it actually meant "certified insecure" and sadly still applies to this one. At least the NIST standard has plenty of useful controls to keep out the riff raff attackers. The EAL7 or Orange Book A1 certification are very rigorous security standards. So few products reached that level that I could fit many of their names in a single tweet (97 characters actually). Cygnacom has a nice breakdown [2] of the assurance levels and extra work that must be done to verify the entire lifecycle to reach something resembling secure. Such solutions look... nothing like Azure. And Azure was neither built on such standards nor evaluated to one. It's not secure. QED.

Nick P, Security Engineer, schneier.com contributor

1. http://www.eros-os.org/~shap/NT-EAL4.html/ [eros-os.org]
2. http://www.cygnacom.com/labs/cc_assurance_index/CCinHTML/PART3/PART36.HTM/ [cygnacom.com]

(Note: I originally posted this comment in the wrong spot. Reposting it here. Rarely use this comment system so my bad.)

Title is *MISLEADING* (1)

otterit (736116) | about 6 months ago | (#45010555)

Against popular beliefs and press releases from Microsoft and/or AWS, FedRAMP *DOES NOT* imply a system is "secure". Don't believe me? Read the FedRAMP CONOP. (http://tinyurl.com/op6lz2o). You'll notice the CONOP doesn't state a CSP is "secure" just because the system has been reviewed for compliance. FedRAMP is all about ensuring a cloud solution is assessed and the results are shared. This makes it easier for the gov't to procure CSP services and make risk based decisions. Don't be fooled by the marketing material.

"Secure from 'External Hackers'" (0)

Anonymous Coward | about 6 months ago | (#45010665)

Security doublespeak is some of the funniest doublespeak of all. "We hereby certify that this system is secure from the set of attacks that it is secure from."

Clown storage - for those who like to store their data in the clown.
