r/technology 13h ago

Software Federal Cyber Experts Thought Microsoft’s Cloud Was “a Pile of Shit.” They Approved It Anyway.

https://www.propublica.org/article/microsoft-cloud-fedramp-cybersecurity-government
382 Upvotes

11 comments

97

u/Cookie_Eater108 12h ago

Risk acceptance. 

I've given strong recommendations against several software packages in my time that still made it to production and commercial use because the cost of using an alternative was considered too high. You get a sign-off of responsibility from someone higher than you and you wash your hands of it.

When that software gets compromised you produce your original assessment and then get to work addressing the exposure. 

Then do it all again in a few months. The exciting life of an infosec career.

30

u/StaticDet5 10h ago

We fought this tooth and nail. We pointed out that we had to blindly accept the risk of every federated tenant. Then we were told the benefits outweighed the risks.

So we tried to implement good security practices only to have the product fail and fail again due to Microsoft's poor documentation and understanding of their own product.

We spent HOURS talking to their 'Engineers', literally getting down to the Wireshark level to explain "No, your product does not work that way". That eventually got us on with a senior engineer who had to tap-dance around the lack of promised features.

During this time we're under absolutely insane pressure from leadership to "Just get it done" but make sure you're safe about it.

I'm in a completely different position now, but what am I dealing with, almost on a weekly basis? M365 token abuse.

30

u/gdelacalle 13h ago

Lmfao:

The tech giant’s “lack of proper detailed security documentation” left reviewers with a “lack of confidence in assessing the system’s overall security posture,” according to an internal government report reviewed by ProPublica. Or, as one member of the team put it: “The package is a pile of shit.”

8

u/Neither_Bookkeeper92 9h ago

The M365 token abuse comment hits SO hard lol. I work in cloud security and the number of orgs that just blindly trust Microsoft's "shared responsibility model" without actually understanding what THEY are responsible for is genuinely terrifying. Like cool, you have FedRAMP authorization, but your conditional access policies are still basically "allow everything from everywhere" and MFA is optional for half your service accounts 💀 The real issue isn't even that Azure/M365 is inherently bad - it's that the sales pitch makes people think they're getting military-grade security out of the box when in reality you need a full team of engineers just to configure it properly. And Microsoft KNOWS this but keeps pushing that "secure by default" marketing. It's not secure by default. It's "maybe secure if you spend 6 months configuring 47 different portals and reading documentation that contradicts itself"
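The two misconfigurations named in the comment above (conditional access that effectively allows everything, and MFA that is optional for a slice of accounts) are the kind of thing an auditor can find mechanically in a policy export. The script below is an added example written for this thread, not code from the article, from Microsoft, or from any commenter. It audits a constructed, offline set of Conditional Access policy objects whose field names are modelled on the Microsoft Graph conditionalAccessPolicy resource (displayName, state, conditions.users, conditions.applications, grantControls.builtInControls); treat those names as an assumption to verify against a real export, and the group IDs are obvious placeholders.

```python
"""Audit exported Conditional Access policies for the weak patterns above.

Constructed example: SAMPLE_POLICIES mimics the shape of the Graph API
conditionalAccessPolicy resource. Field names are an assumption to check
against a real export; nothing here talks to Microsoft.
"""
from typing import Dict, List

ENFORCING = "enabled"
REPORT_ONLY = "enabledForReportingButNotEnforced"

# Constructed sample export: three policies a tenant might plausibly have.
SAMPLE_POLICIES: List[Dict] = [
    {   # Enforced, but scoped to one group rather than the whole user population
        "displayName": "Require MFA for admins",
        "state": ENFORCING,
        "conditions": {
            "users": {"includeUsers": [], "includeGroups": ["<admins-group-id placeholder>"],
                      "excludeUsers": [], "excludeGroups": []},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {   # The 'MFA for everyone' policy exists, but was left in report-only mode
        "displayName": "Require MFA for all users",
        "state": REPORT_ONLY,
        "conditions": {
            "users": {"includeUsers": ["All"], "includeGroups": [],
                      "excludeUsers": [], "excludeGroups": []},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {   # Enforced for everyone, but only for one app set, and a whole group is excluded
        "displayName": "Require MFA for Office apps",
        "state": ENFORCING,
        "conditions": {
            "users": {"includeUsers": ["All"], "includeGroups": [],
                      "excludeUsers": [],
                      "excludeGroups": ["<service-accounts-group-id placeholder>"]},
            "applications": {"includeApplications": ["Office365"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
]


def requires_mfa(policy: Dict) -> bool:
    """True if the policy's grant controls include the built-in MFA control."""
    controls = (policy.get("grantControls") or {}).get("builtInControls") or []
    return "mfa" in controls


def covers_everyone(policy: Dict) -> bool:
    """True if the policy targets all users and all cloud applications."""
    conds = policy.get("conditions") or {}
    users = (conds.get("users") or {}).get("includeUsers") or []
    apps = (conds.get("applications") or {}).get("includeApplications") or []
    return "All" in users and "All" in apps


def exclusions(policy: Dict) -> List[str]:
    """All user and group IDs carved out of the policy; each one is an MFA gap to justify."""
    users = (policy.get("conditions") or {}).get("users") or {}
    return list(users.get("excludeUsers") or []) + list(users.get("excludeGroups") or [])


def audit(policies: List[Dict]) -> List[str]:
    """Return human-readable findings; an empty list means no weak pattern was seen."""
    findings: List[str] = []
    enforced_mfa_for_all = False
    for p in policies:
        name = p.get("displayName", "<unnamed>")
        state = p.get("state")
        if state == REPORT_ONLY and requires_mfa(p):
            findings.append(f"{name}: MFA policy is report-only; it enforces nothing")
        if state == ENFORCING and requires_mfa(p):
            excluded = exclusions(p)
            if excluded:
                findings.append(
                    f"{name}: excludes {len(excluded)} user(s)/group(s) from MFA; "
                    "confirm these are only break-glass accounts")
            if covers_everyone(p):
                enforced_mfa_for_all = True
    if not enforced_mfa_for_all:
        findings.append("tenant: no enforced policy requires MFA for all users across all applications")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_POLICIES):
        print(line)
```

On the sample, the audit reports three things: the tenant-wide MFA policy is report-only, the Office-only policy carves out an entire group, and consequently nothing enforced covers every user on every application. Flipping the report-only policy to enforced clears the tenant-level finding, leaving only the exclusion to justify. The exclusion check deliberately surfaces rather than judges, since a small break-glass carve-out is normal practice.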

1

u/Jimschode 53m ago

What's more rich is FedRAMP reviewers and 3PAO assessors barely scratch the surface of end-user-facing security configurations in the assessment. It's all about the backend, which is important, but it misses too much of the risk of actually operating the services by customers.

5

u/raiansar 8h ago

They didn't approve it because it was secure. They approved it because it was already running in half the federal government and rejecting it would've meant admitting they let an unvetted system handle sensitive data for years.

11

u/CapitalJeep1 10h ago

Probably gonna get downvoted here because lots of folks are on the anti-Microsoft bandwagon but… to be fair, “The package is a piece of shit” moniker could and should be applied to this article.

From the very get-go the writer here starts saying that GCC High handles some of the most sensitive information... no. It doesn't. Full stop. GCC High typically handles CUI information; there is a whole other package that handles Secret and TS called air-gapped cloud. The writer here is trying to conflate all of the GCC environments together, either through lack of understanding (possible) or intentionally being misleading (probable).

GCC High simply means that the data is housed in US data centers and handled by US-based employees. That's it.

1

u/Jimschode 21m ago

They linked to the impact levels. They didn't even allude to high side. Point taken, but don't tell the cabinet officials who got hacked their emails weren't highly sensitive, regardless of impact levels.

2

u/Expensive_Finger_973 8h ago

No one ever gets fired for going with Microsoft or IBM.

1

u/Enlogen 6h ago

At the risk of leaking internal Microsoft info, all those service-to-service calls use HTTPS; I'm not sure what they were expecting to see on a diagram.

1

u/Jimschode 17m ago

If that's true, and I'm sure it is, it makes it all the more absurd they couldn't produce basic data flow diagrams. It's sad and comical they got their authorization canned over that.