On Microsoft’s Lousy Cloud Security
None
<p>ProPublica has a <a href="https://arstechnica.com/information-technology/2026/03/federal-cyber-experts-called-microsofts-cloud-a-pile-of-shit-approved-it-anyway/">scoop</a>:</p><blockquote> <p>In late 2024, the federal government’s cybersecurity evaluators rendered a troubling verdict on one of Microsoft’s biggest cloud computing offerings.</p> <p>The tech giant’s “lack of proper detailed security documentation” left reviewers with a “lack of confidence in assessing the system’s overall security posture,” according to an internal government report reviewed by ProPublica.</p> <p>Or, as one member of the team put it: “The package is a pile of shit.”</p> <p>For years, reviewers said, Microsoft had tried and failed to fully explain how it protects sensitive information in the cloud as it hops from server to server across the digital terrain. Given that and other unknowns, government experts couldn’t vouch for the technology’s security.</p> […] <p>The federal government could be further exposed if it couldn’t verify the cybersecurity of Microsoft’s Government Community Cloud High, a suite of cloud-based services intended to safeguard some of the nation’s most sensitive information.</p> <p>Yet, in a highly unusual move that still reverberates across Washington, the Federal Risk and Authorization Management Program, or FedRAMP, authorized the product anyway, bestowing what amounts to the federal government’s cybersecurity seal of approval. FedRAMP’s ruling—which included a kind of “buyer beware” notice to any federal agency considering GCC High—helped Microsoft expand a government business empire worth billions of dollars.</p> </blockquote><div class="spu-placeholder" style="display:none"></div><div class="addtoany_share_save_container addtoany_content addtoany_content_bottom"><div class="a2a_kit a2a_kit_size_20 addtoany_list" data-a2a-url="https://securityboulevard.com/2026/04/on-microsofts-lousy-cloud-security/" data-a2a-title="On Microsoft’s Lousy Cloud Security"><a class="a2a_button_twitter" href="https://www.addtoany.com/add_to/twitter?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F04%2Fon-microsofts-lousy-cloud-security%2F&linkname=On%20Microsoft%E2%80%99s%20Lousy%20Cloud%20Security" title="Twitter" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_linkedin" href="https://www.addtoany.com/add_to/linkedin?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F04%2Fon-microsofts-lousy-cloud-security%2F&linkname=On%20Microsoft%E2%80%99s%20Lousy%20Cloud%20Security" title="LinkedIn" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_facebook" href="https://www.addtoany.com/add_to/facebook?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F04%2Fon-microsofts-lousy-cloud-security%2F&linkname=On%20Microsoft%E2%80%99s%20Lousy%20Cloud%20Security" title="Facebook" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_reddit" href="https://www.addtoany.com/add_to/reddit?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F04%2Fon-microsofts-lousy-cloud-security%2F&linkname=On%20Microsoft%E2%80%99s%20Lousy%20Cloud%20Security" title="Reddit" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_email" href="https://www.addtoany.com/add_to/email?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F04%2Fon-microsofts-lousy-cloud-security%2F&linkname=On%20Microsoft%E2%80%99s%20Lousy%20Cloud%20Security" title="Email" rel="nofollow noopener" target="_blank"></a><a class="a2a_dd addtoany_share_save addtoany_share" href="https://www.addtoany.com/share"></a></div></div><p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://www.schneier.com/">Schneier on Security</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Bruce Schneier">Bruce Schneier</a>. Read the original post at: <a href="https://www.schneier.com/blog/archives/2026/04/on-microsofts-lousy-cloud-security.html">https://www.schneier.com/blog/archives/2026/04/on-microsofts-lousy-cloud-security.html</a> </p>