I have come to believe that most security audits, even ones conducted through widely-reputed groups or under strict standards, are much worse than useless.
Audits are a thing that can theoretically be done well/in a value-adding way, but rarely are, for the same reasons that most private-sector security teams I’ve worked with are effective only at generating internal badwill, and ineffective at increasing security above a very low baseline.
For example, they won't create for me an MS Entra ID App Registration for our internal project Because Security Reasons (they literally won't tell me why). So instead, I use Integrated Windows Authentication, which is about as secure as a hotel bar patron charging to "his" room.
They are insisting everyone start RDPing into a VM in Azure to do development work. Won't be able to get to the new source control system without it. Old system is losing its license, etc, etc. Oh, but the new system is not approved for storing CUI. So... what the actual fuck are our AFSIM developers supposed to do?
These VMs are 1/4 the hardware specs of my laptop in almost every dimension, yet still somehow car 50% more to rent per year than the entire purchase price of my laptop. Plus they are timesharing is in them, 4 developers per VM. It's not like we live in majorly different timezones. We're either all going to be on from 9am - 5pm EST or we're not.
Within these VMs, I have absolutely zero ability to install any software or modify any settings. Even the god damn clock is set to GMT+0 and I can't change it to local time. Sure would be nice if the must visible clock in my visual field accurately portrayed the current time when I have the RDP session running full screen, which is basically the only way to run it without wanting to hammer drill my brains out.
I have heard rumors that a lot of the other developers have started working from their personal devices, because otherwise they are at a complete work stoppage on their work computers due to the cockamamie IT setup. So congratulations, IT Security Team. Good job.
I still want to know why--when we're wanting to run services like Document Intelligence and Azure OpenAI in Azure GCC High, a FedRAMP-High approved environment with these services claiming DoD Impact Level 5 compliance--our IT Security department thinks that can't be used for CUI. They say we need to spend 2 years and $2 million doing some kind of review of Azure itself before it can be approved for CUI. Uhm, no? If it needs that, why would we spend that money and time? Why wouldn't Microsoft be the one to do that?
Don't you still have to get program-specific authorization for IL5?
We have plenty of program contracts that require IL5. I think you only need ATO to go to IL6 and above (which would be Secret and would require working in a SIPRNet connected network isolated from our corporate network). For just CUI data, I thought you didn't need special authorization.
What I really need is someone I can trust who can come in and tell me what we should be doing, because whatever our IT Security team is telling me sounds ludicrous. There are a whole host of problems with our IT systems that indicate to me that they don't really know what they are doing.