{"id":12001,"date":"2026-04-10T05:04:04","date_gmt":"2026-04-10T05:04:04","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/04\/10\/on-microsofts-lousy-cloud-security-html\/"},"modified":"2026-04-10T05:04:04","modified_gmt":"2026-04-10T05:04:04","slug":"on-microsofts-lousy-cloud-security-html","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/04\/10\/on-microsofts-lousy-cloud-security-html\/","title":{"rendered":"On Microsoft\u2019s Lousy Cloud Security"},"content":{"rendered":"\n<div>On Microsoft\u2019s Lousy Cloud Security<\/div>\n<p> \t<BR><br \/>\n<BR><\/BR><br \/>\n    <!-- no image --><br \/>\n \t<BR><br \/>\n<BR><\/BR><\/p>\n<div>\n<p>ProPublica has a <a href=\"https:\/\/arstechnica.com\/information-technology\/2026\/03\/federal-cyber-experts-called-microsofts-cloud-a-pile-of-shit-approved-it-anyway\/\">scoop<\/a>:<\/p>\n<blockquote>\n<p>In late 2024, the federal government\u2019s cybersecurity evaluators rendered a troubling verdict on one of Microsoft\u2019s biggest cloud computing offerings.<\/p>\n<p>The tech giant\u2019s \u201clack of proper detailed security documentation\u201d left reviewers with a \u201clack of confidence in assessing the system\u2019s overall security posture,\u201d according to an internal government report reviewed by ProPublica.<\/p>\n<p>Or, as one member of the team put it: \u201cThe package is a pile of shit.\u201d<\/p>\n<p>For years, reviewers said, Microsoft had tried and failed to fully explain how it protects sensitive information in the cloud as it hops from server to server across the digital terrain. Given that and other unknowns, government experts couldn\u2019t vouch for the technology\u2019s security.<\/p>\n<p>[\u2026]<\/p>\n<p>The federal government could be further exposed if it couldn\u2019t verify the cybersecurity of Microsoft\u2019s Government Community Cloud High, a suite of cloud-based services intended to safeguard some of the nation\u2019s most sensitive information.<\/p>\n<p>Yet, in a highly unusual move that still reverberates across Washington, the Federal Risk and Authorization Management Program, or FedRAMP, authorized the product anyway, bestowing what amounts to the federal government\u2019s cybersecurity seal of approval. FedRAMP\u2019s ruling\u2014which included a kind of \u201cbuyer beware\u201d notice to any federal agency considering GCC High\u2014helped Microsoft expand a government business empire worth billions of dollars.<\/p>\n<\/blockquote>\n<\/div>\n<p> \t<BR><br \/>\n <BR><\/BR><br \/>\n    Bruce Schneier<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n<a href=\"https:\/\/www.schneier.com\/blog\/archives\/2026\/04\/on-microsofts-lousy-cloud-security.html\">Go to bruce schneier<\/a><br \/>\n \t<BR><br \/>\n <BR><\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"<p>On Microsoft\u2019s Lousy Cloud Security ProPublica has a scoop: In late 2024, the federal government\u2019s cybersecurity evaluators rendered a troubling verdict on one of Microsoft\u2019s biggest cloud computing offerings. The tech giant\u2019s \u201clack of proper detailed security documentation\u201d left reviewers with a \u201clack of confidence in assessing the system\u2019s overall security posture,\u201d according to an [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[57,761,464,158,90,1061,1],"tags":[87],"class_list":["post-12001","post","type-post","status-publish","format-standard","hentry","category-bruce-schneier","category-cloud-computing","category-cybersecurity","category-microsoft","category-national-security-policy","category-security-theater","category-uncategorized","tag-bruce-schneier"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/12001"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=12001"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/12001\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=12001"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=12001"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=12001"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}