On Microsoft’s Lousy Cloud Security

ProPublica has a scoop:

In late 2024, the federal government’s cybersecurity evaluators rendered a troubling verdict on one of Microsoft’s biggest cloud computing offerings.

The tech giant’s “lack of proper detailed security documentation” left reviewers with a “lack of confidence in assessing the system’s overall security posture,” according to an internal government report reviewed by ProPublica.

Or, as one member of the team put it: “The package is a pile of shit.”

For years, reviewers said, Microsoft had tried and failed to fully explain how it protects sensitive information in the cloud as it hops from server to server across the digital terrain. Given that and other unknowns, government experts couldn’t vouch for the technology’s security.

[…]

The federal government could be further exposed if it couldn’t verify the cybersecurity of Microsoft’s Government Community Cloud High, a suite of cloud-based services intended to safeguard some of the nation’s most sensitive information.

Yet, in a highly unusual move that still reverberates across Washington, the Federal Risk and Authorization Management Program, or FedRAMP, authorized the product anyway, bestowing what amounts to the federal government’s cybersecurity seal of approval. FedRAMP’s ruling—which included a kind of “buyer beware” notice to any federal agency considering GCC High—helped Microsoft expand a government business empire worth billions of dollars.

Posted on April 9, 2026 at 6:51 AM

Comments

Clive Robinson April 9, 2026 8:23 AM

@ Bruce, ALL,

As noted in the article,

The tech giant’s “lack of proper detailed security documentation” left reviewers with a “lack of confidence in assessing the system’s overall security posture,” according to an internal government report reviewed by ProPublica.

Or, as one member of the team put it: “The package is a pile of shit.”

Do others remember a few months back, a small company doing “lesser crimes” got the full “Go to Jail do not pass Go” treatment?

But “Big’old Micro$haft” just gets handed “mucho dineros” by the container load for their much worse crimes…

Talk about,

“It’s not What you know, but Who you know, to pay off, that counts”

Kind of tells you why the government wants to “nickel and dime” every last tax payer…

Winter April 9, 2026 10:39 AM

The GCC case is like every other “product” of MS. It was built by cobbling together every piece of program code they had.

Think of the OOXML standard, which is nothing but a serialized memory dump of MS Word data structures. Even MS have no idea what’s really in there.

So MS ended up linking up all network-able applications into GCC. However, there was never any attempt to document anything. Encryption was used whenever they felt like it.

So when FedRAMP asked for a flow chart of encrypted information in GCC, there was no way MS could ever deliver that. They simply have no documentation of how and when information is encrypted.

This is no surprise. MS have always put products on the market the moment they could sell them, whatever the state of the product. Quality is just a loss.

Trevor April 9, 2026 11:11 AM

It got pushed through approval because the government was desperate to have a second source over Amazon.

mark April 9, 2026 12:14 PM

I have several issues: first, was the approval in ’24, or ’25 (after the Idiot’s inauguration, and DOGE)?

Second, does this mean that they are not even following PCI-DSS rules, to have all communication between two computers encrypted?

I’ll also note that a few years ago, I think it was the UK who said “no, thanks” to cloud, because they could not be guaranteed that government data would remain solely on their country’s soil.

Winter April 9, 2026 12:48 PM

While we are talking about MS Quality Assurance:

Microsoft locks out VeraCrypt and WireGuard devs, blames verification process
No emails, no warnings, no humans – just bots, catch-22s, and a 60-day appeals queue

https://www.theregister.com/2026/04/09/microsoft_dev_account_deactivations/

Mounir Idrassi and Jason Donenfeld, the developers behind VeraCrypt and WireGuard respectively, both recently reported that Microsoft locked them out of their developer accounts for reasons unknown to them.

Idrassi publicized his experience on March 30, saying: “Microsoft did not send me any emails or prior warnings. I have received no explanation for the termination and their message indicates that no appeal is possible.

Obviously, MS blame it on the victims:

Microsoft claims WireGuard and Veracrypt account termination was merely due to not verifying an email: ‘Not everything is a conspiracy, sometimes it’s literally paperwork’
https://www.pcgamer.com/hardware/microsoft-claims-wireguard-and-veracrypt-account-termination-was-merely-due-to-not-verifying-an-email-not-everything-is-a-conspiracy-sometimes-its-literally-paperwork/

It seems like the catalyst for this problem came in the form of an account verification system for the Windows Hardware Program that began in October last year. With this, the partner would have to review and update legal information and verify their account. As such, one must have a work email address and must verify their identity via a government-issued ID.

Now, we all know how diligently MS check all their communications with developers and customers and how “sloppy” these victims are in their work.
[/Satire, just to make sure]

Myootnt April 9, 2026 3:45 PM

Trevor suggests that the reason they have MS is that they wanted a second source. While that may be the official stance, the reality is there is a massive push to hyperconverge on MS in some departments. Migrate servers and storage to Azure, convert to Teams Phone, OneDrive, SharePoint, Outlook, and the list goes on. When Microsoft hiccups, work stops. Security encompasses availability of services and resources. A single point of failure is effectively a complete auto-DoS.

ResearcherZero April 10, 2026 3:18 AM

Using Microsoft’s Government Community Cloud High at the Department of Defense and other areas of government that deal with sensitive information, or interact with vendors and contractors, probably leaves a number of gaping holes in the security of networks. This is troubling given how much of Americans’ sensitive private information is being scooped up.

Trump administration plans to harvest private medical records of millions of Americans.

https://kffhealthnews.org/news/article/trump-opm-federal-workers-medical-records-privacy/

Rontea April 11, 2026 1:05 PM

We used to think of security theater as the exclusive territory of the TSA—an elaborate performance designed to make us feel safe while doing little to actually improve security. But lately, it feels like Microsoft is auditioning for a starring role. Security theater is no longer confined to airports; now it’s streaming directly into our operating systems.
