Sounds like a good idea for the new SaaS product that could keep blame resolutions in the blockchain and give NFT certificates to the interested parties with how has been assigned the blame for what.
A hole in a US military email server operated by Microsoft left more than a terabyte of sensitive data exposed to the internet less than a month after Office 365 was awarded a higher level of government security accreditation. According to security researcher Anurag Sen, who discovered the blunder and reported it, the openly …
If you think the DoD has the technical chops to build it's own distributed, resilient network, you're the fool. The military doesn't build it's own tanks. Or make its own uniforms, bullets, or toilets.
Now, if in fact this was done on Azure proper, and not some isolated, dedicated network purpose-built for the DoD, then yeah, that's a problem.
Doesn't matter where it is, at some point a meatbag with an opinion might get access to it and leak it.
The best kind of security is the kind that restricts the amount of data collected in one place and the access required to access all of it at a given time.
Person: I needs only to find out someones blood type.
Same Person: *pulls the whole fucking file*
Top secret information was hosted only on computers behind secure doors, and only connected to each other over direct link circuits that were encrypted on either side of the circuit before it hit a circuit access point. And, the crypto key was changed very regularly. And now they're using the regular internet and Microsoft servers maintained by foreigners? Somebody put their wallets ahead of national security, and it's already been compromised. How special. Whoever authorized this should be put away and never see the light of day again.
But don't proper OSes prevent acess over the internet for any username that has no password set. ie, you can login without a password but only from a seat in front of the box?
How does Windows get issued any sort of security certificate if it lets you be so stupid as to allow remote access to insecure accounts.
"I thought Azure actually ran more Linux stuff than Windows?"
So did I. But, if they don't offer Office365 Server standlone for Linux (as far as I can see when googling how to set it up) are they likely to run it on the Cloud?
Maybe someone administering Office365 could help out here.
Because for the likes of of the DoD there exists a pre-hardened version of Windows and some super hardened GPOs that can be deployed, they are locked down by default to the point that all you can do is login, you can't even launch notepad. They are made specifically for organisations like DoD and are produced by a consortium of companies...Cisco, Microsoft, Oracle et al. They are not publically available and provide a much deeper level of control over the OS.
Those of us that have worked with these GPOs before know how much of a pain in the ass they are...to allow an application to even launch through them you have to use a bunch of sysinternals tools to figure out each and every file the application needs to run (DLLs, assets etc), which registry keys they need access to etc etc...it's a long, boring and tedious exercise. I would bet my left nut that in situations where high pressure management exists, to get things done quickly, corners are cut.
First rule of keeping anything secure is that you minimise the number of people who have access. When buildings like the Pentagon are constructed, that means the electricians, the plasterers - even the bloke pouring the concrete for the foundations - all have to be vetted to some level. This is done because the information contained therein is sensitive. To then outsource the storage or manipulation of said data to a cloud platform means that all their people need to be security vetted too - from the foundation-builders through to the daily ops teams and all in between.
Errors in configuration that do things like, say, expose sensitive data are that much more difficult to manage when the host platform is outside your control.
Going with a public (well, GovCloud) provisioning approach has the following effects:
Costs may or may not be lower.
Availability may improve.
Integrity may improve.
Confidentiality will be almost certainly be less.
- All connections, including administrative connections, will be remote and they'll be controlled by external 3rd party admins.
- As you outsource your cyber and administrative expertise and experience, your internal cyber competence will be less.
>As you outsource your cyber and administrative expertise and experience, your internal cyber competence will be less.
So justifying more spending on outsourcing. Its a Death Spiral.
The equivalent in the commercial sector results in a situation where the people that do the outsourced work wake up one morning and realize that they don't really need the operation that's outsourcing the work, you can just take it over.