> [...]And because federal agencies were allowed to deploy the product during the review, GCC High spread across the government as well as the defense industry. By late 2024, FedRAMP reviewers concluded that they had little choice but to authorize the technology — not because their questions had been answered or their review was complete, but largely on the grounds that Microsoft’s product was already being used across Washington.
This sounds like the crux of the issue. The combination of: "tool can be used during analysis" and "analysis takes long" shifts the barrier of rejection from "is this tool safe?" to "is this tool so unsafe that we're willing to start a fight with a lot of other government agencies to remove it, find an alternative, etc?".
Not criticizing FedRAMP. Proper security review takes time. And probably more when dealing with vendors.
Recently tried using Entra ID. There are 12 ways to enforce MFA, 20 ways to disable users, 4 ways to authenticate users, add conditional access stuff with 50 variables and templates etc.
You can customize the way you want. After configuring it, my colleagues could not log in. That's one way to secure your organization.
Microsoft has never been good at security, and that is why their centralization to cloud is absolutely terrifying.
I'm reminded of Storm-0558 [1] where a stolen signing key was able to forge authentication tokens for any MSA / Azure AD / Government AD user. They downplayed the severity. Just imagine if that level of access was used to pull a Stryker on a nation-wide scale. That is an economic disaster waiting to happen.
[1] https://www.microsoft.com/en-us/security/blog/2023/07/14/ana...
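The comment above describes a signing key that could mint tokens for users of a different identity realm. An added example (not from the page, and not Microsoft's code) of the general check a token verifier needs in that situation: the key named by a token's `kid` must be looked up only in the key set published by the issuer the verifier expects, never in one merged map of every key it has ever seen. All issuers, keys and tokens below are constructed; HMAC stands in for the RSA/ECDSA keys a real IdP would use, and the scoping logic is the same either way.

```python
"""
Added example (not from the page or from Microsoft): a verifier that resolves
`kid` in a merged key map accepts a token signed by a key from the wrong realm;
a verifier that resolves `kid` only within the expected issuer's key set does not.
All issuers, keys and tokens here are constructed. HMAC is used for brevity.
"""
import base64
import hashlib
import hmac
import json

# Constructed: each issuer publishes its own key set (its own JWKS).
KEYS_BY_ISSUER = {
    "https://login.example/consumer": {"consumer-key-1": b"consumer-secret-1"},
    "https://login.example/enterprise": {"enterprise-key-1": b"enterprise-secret-1"},
}
ENTERPRISE = "https://login.example/enterprise"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_token(kid: str, key: bytes, claims: dict) -> str:
    """Mint a compact JWS (header.claims.signature) with the given kid and key."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def _split(token: str):
    h, c, s = token.split(".")
    return json.loads(_b64url_decode(h)), json.loads(_b64url_decode(c)), f"{h}.{c}", _b64url_decode(s)


def _mac_ok(key: bytes, signing_input: str, sig: bytes) -> bool:
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def verify_merged(token: str, expected_iss: str) -> bool:
    """Weak pattern: resolve kid across every key the verifier knows, then check iss."""
    header, claims, signing_input, sig = _split(token)
    merged = {kid: k for keyset in KEYS_BY_ISSUER.values() for kid, k in keyset.items()}
    key = merged.get(header.get("kid"))
    if key is None or not _mac_ok(key, signing_input, sig):
        return False
    return claims.get("iss") == expected_iss


def verify_scoped(token: str, expected_iss: str) -> bool:
    """Hardened pattern: only keys published by the expected issuer may validate its tokens."""
    header, claims, signing_input, sig = _split(token)
    if claims.get("iss") != expected_iss:
        return False
    key = KEYS_BY_ISSUER.get(expected_iss, {}).get(header.get("kid"))
    if key is None:
        return False  # kid not published by this issuer: reject, do not fall back to other realms
    return _mac_ok(key, signing_input, sig)


def forged_enterprise_token() -> str:
    """Constructed attacker token: holds only the consumer key, asserts an enterprise user."""
    return sign_token("consumer-key-1", b"consumer-secret-1",
                      {"iss": ENTERPRISE, "sub": "admin@corp.example"})


def genuine_enterprise_token() -> str:
    return sign_token("enterprise-key-1", b"enterprise-secret-1",
                      {"iss": ENTERPRISE, "sub": "admin@corp.example"})


if __name__ == "__main__":
    print("merged verifier accepts forgery:", verify_merged(forged_enterprise_token(), ENTERPRISE))
    print("scoped verifier accepts forgery:", verify_scoped(forged_enterprise_token(), ENTERPRISE))
    print("scoped verifier accepts genuine:", verify_scoped(genuine_enterprise_token(), ENTERPRISE))
```

The forged token carries a valid signature, so signature checking alone does not catch it; what catches it is refusing to let a key from one realm's key set validate a token claiming another realm's issuer. In a real deployment the per-issuer key sets come from each issuer's OIDC discovery document, and the same scoping applies to `aud` and to any tenant identifier the token carries.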
The Justice Department CIO who pressured FedRAMP to approve GCC High was hired by Microsoft the next year. I wonder if this shouldn't invalidate the authorization in the first place?
It's not very clear from the article, but I get the feeling from the context that the 'pile of shit' quote referenced the package of documentation about the service rather than the service itself.
(That seems to be the main complaint, that Microsoft never provided the clear information required to conduct the assessment properly).
I'm guessing the requirements were written in a way that only Microsoft's cloud could win the bid.
That's why you have Windows in the Pentagon instead of something secure.
The sheer amount of conflict of interest with folk involved in this later getting employed by Microsoft is a bit crazy.
Just like everyone else tasked with buying Microsoft
Frustrating that FedRAMP is both a pain to get compliant with and also apparently is not a strong signal of actual security.
Microsoft has been selling piles of shit since the beginning of time. The fact that they keep selling is the biggest triumph of sales/marketing over decent engineering.
Was this approval before or after evaluators discovered this?
> Microsoft on Friday revised its practices to ensure that engineers in China no longer provide technical support to U.S. defense clients using the company’s cloud services.
Ref: https://www.cnbc.com/2025/07/18/microsoft-china-digital-esco...
> Potential Conflict of Interest: The government relies, in part, on third-party firms to vet cloud technology, but those firms are hired and paid by the company being assessed.
Hah. First time looking at FedRAMP?
The real reason for this, of course, is accounting, it moves it off of the government's books.
Little has changed since Bill Gates tried to install Movie Maker.
> These highlights were written by the reporters and editors who worked on this story.
It's unfortunate that people have to claim the authenticity, rather than the users of AI having to disclose use of AI/LLM. I wish it was the other way around.
Wow, Microsoft is really pushing the wrong boundaries in every direction, isn't it? Executives must be thinking, like many before them, that Microsoft is too big to fail.
This fits perfectly with traditional Microsoft strategies of getting a foot in the door and then having the users’ internal pressure on the organization to help get the Microsoft product established.
Decades ago, Lotus 1-2-3 on top of MSDOS was the lever; today it’s GCC High.
Given the scale and scope of the Federal Government. what are the alternatives to Microsoft?
Building in house.
Outsourcing to consultants.
This is my opinion only, I'm sure some have had different experiences - but:
Azure's success as a cloud provider is mostly a result of their sales team and having an existing relationship with non-technical leadership. "We already pay them for Office and Exchange, let's just buy this new 'cloud' thing from them too".
Azure is barely considered an option at all within tech companies, yet is surprisingly widely adopted by non-technical companies that don't know any better (ie, that don't have a technical / engineering voice or representation within leadership).
AWS = Likely technically the best, for now. Mostly unreasonable pricing, and less motivation to seriously negotiate given they are the 'default' cloud provider for most of the industry. Kind of feels like they have peaked though, and are slipping more recently. Inevitable, or bad leadership changes?
OCI = New-comer, attractive pricing and hungry for business. Might be able to avoid mistakes other providers have made? Reliability struggles though. Parent company has a bad reputation in some circles - but probably not with decision makers. Making huge (unwise?) investments - that will either come crashing down in 5 years, or seriously pay off. Layoffs, but going for massive growth...huh?
GCP = Notably different underlying technical choices than other providers. Folks are maybe a bit less pragmatic, and more academic. This helps them in unique services (Spanner?) but hurts in most other areas. They've matured, and are between AWS and OCI in reliability. They are probably not as hungry for business as they should be given how far behind they are.
Basically exactly what my org did. The momentum of being a Microsoft shop is hard to fight against.
The original title is:
> Federal Cyber Experts Thought Microsoft’s Cloud Was “a Pile of Shit.” They Approved It Anyway.
> By late 2024, FedRAMP reviewers concluded that they had little choice but to authorize the technology — not because their questions had been answered or their review was complete, but largely on the grounds that Microsoft’s product was already being used across Washington.
The article talks a lot about conflicts of interest, but this is the line I went looking for. A bureaucracy fighting itself over goal prioritization, and what's a necessary roadblock vs red tape is the less sexy but more meaningful problem at the core of this.
Once the government decided they wanted the product, they were going to find a patsy.
Azure is easily the most expensive, least reliable and worst cloud available. It's borderline scam. An example today, I provisioned high IOPS SSDs (supposedly) and what is actually connected to the instance? A spinning hard drive! I didn't even know they were still made, but I guess Azure uses them and scams their users into thinking you're getting an SSD for $700/mo when it's really an old hard drive.
I would warn anyone far and wide to avoid Azure at all costs, especially if you are a startup. And especially if you are doing any kind of AI because the only GPUs they have available are ancient and also crazy over-priced.
If I cared more, I'd try to migrate away from Azure. But I don't, and that's probably Azure's business model at this point.
The product got deployed across the government while the security review was still in progress. Then FedRAMP approved it because it was already everywhere. Seems like I saw a lobbyist or two with a broom sweeping something under a rug...
I think plenty of software is a pile of shit and still derive value from it.
all clouds are.
Azure is bad. But to be fair, every security summary of IT services I’ve ever read — or written! — for over 25 years has also been a “pile of shit”. It seems to be inherent to the cybersecurity game that everything is judged based on meaningless check boxes and nonsensical explanations. Meanwhile the actual security posture is obscured and ignored.
Microsoft is great at greasing palms
A pile of shit you have leverage over is better than a pile of diamonds you don’t.
A rigged RFP, and some very happy lobbyists, chortling into their single malt all the way to the bank.
Is this just a case of MS needing to merge a lot of platforms, and there are gaps and overlaps.?
Maybe the critical question, are they making continuing improvements? Especially to merge conflicting functions.
Like when they bought Minecraft, or Skype. Each already had user management. Xbox was a mess. Merging them all took a lot of years.
Maybe the gaps are a feature or benefit at the same time.
I mean, they also bought the F-35.
Is there a big cloud platform that isn't a pile of shit?
I fucking hate microsoft, i'm so sick of this retarded fucking bullshit
Exactly, and that is the moat- a pile of shit that everyone can smell from afar.
It's as funny as the AI research reports from DORA dev which all seem to be sponsored AI provider ads instead....
Yeah, but this is how things work at that level.
Microsoft can be abhorrent. They will always get the contracts. Why? Corporate welfare.
Microsoft will drive the rules. Why? Too big to fail.
Microsoft will push their slop. Why? Cause they have contractors after contractors in the federal government pushing MS solutions. Doesn't matter if they're bad.
And, who'd pay for a 3PAO audit of a Linux distro? Ubuntu and Redhat have. It's a $120k moat.
The government does most things poorly and with little regard to budget or quality. They can't solve problems that are much simpler than cloud computing, so why should I expect them to perform better at a more complex problem?
Suddenly everyone on HN is an expert on Azure infrastructure.
It isn't the best but it's really great at a lot of things feature-wise. Top-notch documentation as well (despite what these "experts" said).
Most companies literally run on Azure these days. Persistent hackers will get into any network, that's a guarantee, that's APT 101. It's law of averages. If it truly is "a pile of shit" given how it is probably the most used cloud platform by the most customers, including governments, and endless plethora of features and services it offers, shouldn't there be more compromises? 2-3 in a decade is hardly above what you expect for law of averages right?
Screw ups happen, but if it is systemic, you can't use one instance as evidence, you must establish a pattern of mishaps.
The experts were correct. Azure is the biggest pile of shit I've ever had to work with. Everything feels evolutionary. In other words, a new product in azure is barely a product at all, but a small appendage which totally inherits a bunch of preexisting Azure "stuff." And all this preexisting stuff may not really make sense for the product, and it might inherit stuff that makes the product much worse. But, it doesn't matter. To even think about using the product, you need to learn way more about the larger Azure ecosystem than you ever bargained for, and of course deal with Microsoft products that do not really integrate well because the teams don't talk to each other. Log formats, conventions, everything will be different as you float around to different parts of Azure. Basic security concepts, such as a SIEM will be implemented in such strange ways that you wonder if Microsoft has any idea what a SIEM even is.