Federal Cyber Experts Thought Microsoft’s Cloud Was “a Pile of Shit.” They Approved It Anyway.

A federal program created to protect the government against cyber threats authorized a sprawling Microsoft cloud product, despite the company’s inability to fully explain how it protects sensitive data.

ProPublica

https://news.ycombinator.com/item?id=47426057

maybe uh

maybe stop using azure


@Viss The kind of security posture that assures client confidence

@Viss

i kind of appreciate the twist that EU is trying to get off US big tech because they're afraid the US govt will have access to their data, yet the other serious risk is that RU/CN will have access. :)

@Viss At old *pretend* job <plausibly denied redacted NDA bypass> spent literal tens of millions employing Microsoft directly to take an age to roll out this 'new' >cough< azure infrastructure as code yaml failed bollocks (not my idea, complained vociferously, board overruled) only for them to say when asked what they do instead "oh hell no we don't do that anymore..." heh most of their offerings are nerfed tf in a feeble effort to try to keep it secure... guess what
@nf3xn but they have your money now
@Viss Gonna be sweet when GitHub is migrated, my company depends on that for basically everything in R&D.
@Taffer i can help, if that's on the table
@Viss Sadly we’re not even at the point of thinking about a contingency plan for when GitHub or GCP or Claude (*twitch*) go down. I’ve brought it up a couple of times. 🤷
@Taffer well if you broach the topic and they ask, consider yourself "resourced" :D

@Viss

assuming FedRAMP is a stamp of approval of security has never been true but has been commonly accepted by various agencies.

FedRAMP is a paper chase exercise that shows that you can afford enough staff to do nothing more than get through the process.

every time i've been sucked into it, it's been a clusterfuck waste of time, merely a way to chase certain revenue opportunities.

@paul_ipv6 occasionally i get asked if phobos does RFPs or does the GSA schedule thing and i literally tell them that - "we just aren't staffed to handle the bureaucratic overhead of having 12 people on staff, full time, PURELY to deal with the government nonsense."

@Viss

just like filling out 171s is a skillset very different than making a CV/resume, GSA/FedRAMP/etc. is a very different world. there is definitely a staffing step function to be able to do it.

i've been lucky enough to mostly avoid it (or contract at places big enough to have someone else do the suffering).