Every cloud provider has something vexing that they just won’t fix.
AWS has its obnoxious billing surprise problem. Google Cloud struggles to talk to customers who aren’t spending a fortune with them already. Oracle Cloud stubbornly refuses to set Larry Ellison adrift on an ice floe. And Microsoft Azure just will not get with the program around security.
Azure has suffered a number of serious vulnerabilities over the past year. By my count, five of those (ChaosDB, SynLapse, Azurescape, AutoWarp, and ExtraReplica) have breached the boundary between different Azure customer accounts. This is, needless to say, very bad. The entire premise and promise of cloud completely falls apart as soon as another customer can see or — good lord! — alter your data.
It’s official: Azure’s security culture is concerning
Let’s start with some empathy, because let’s face it: Nobody sets out to build something insecure except maybe a cryptocurrency exchange. The engineers responsible for a lapse no doubt feel crappy about it, and shaming people for their work isn’t great.
That said, there’s more than one engineer at Azure; security issues are the result of systemic failure rather than one person having a bad day.
We, by which I mean I, want companies to take security seriously. But when we take a look at the recently launched Open Cloud Vulnerability & Security Issue Database, it’s clear that the severity and frequency of Azure exploits significantly outweigh those of its hyperscale competitors. These issues span different products — meaning that it’s extremely unlikely that all of these security problems are the result of one disaster-prone engineer floating around the company.
Given the cadence of exploits cropping up on Azure, it’s rather apparent that “build it now, patch it later” has been the approach for far too long. But security has to be built into software and platforms, like cloud providers, from the beginning. It’s not something you can buy or bolt on after the fact. This isn’t Windows 98; people expect better from their cloud providers than a monthly litany of cross-account access vulnerabilities.
Something is profoundly wrong with Azure’s security culture. I don’t know how to go about fixing it, but as an uninvolved observer, the problem is obvious.
Azure’s time to response is even more unacceptable
The systemic security issues are bad enough. But where my sympathy goes out the window is when I’m reading the disclosure timelines and realize just how little Azure apparently cares about the security of its platform or customers.
We’ve seen multiple cases where Microsoft takes more than a month just to give a security researcher an initial response to many of these issues. There are weeks of back-and-forth from that point onward. In a few notable instances, the initial patch that Microsoft rolled out to Azure was either trivially bypass-able or didn’t even fix the problem. In the most recent cross-tenant issue (as of this writing!), Palo Alto Networks’ Unit 42 says it reported FabricScape to Microsoft on January 30, 2022. Azure patched the problem on June 14, 2022.
This stands in stark contrast to my own experiences reporting possible security issues. When I’ve passed on concerns that touch security to folks at Google Cloud and AWS, they respond with the same gravity as if I had reached out to complain about a fire in the building. Usually I’ve been wrong about the concern (a good reason to always frame a report as “I’m seeing something odd” as opposed to “You folks have a massive security problem” — you’ll eat far less crow!). On the rare occasions where I’ve been right, I’ve had nothing but positive, speedy experiences as a result.
The lacking quality of response to security concerns
This, of course, brings us to the quality of Azure’s responses when a security issue is reported.
For example, Azure’s response to the AutoWarp vulnerability: “Microsoft has not detected evidence of misuse of tokens.” You can read that as “We’ve conducted an exhaustive log analysis and determined conclusively that this has not been exploited,” “We have no evidence that this has been exploited,” or “What even are logs?”
Contrast this with the public statement AWS made during its Superglue exploit. It said unequivocally: “Analysis of logs going back to the launch of the service have been conducted and we have conclusively determined that the only activity associated with this issue was between accounts owned by the researcher. No other customer’s accounts were impacted.”
As a customer, one of those two security responses fills me with confidence. The other does not.
The public (non)reaction to Azure’s vulnerability responses
I’ve been told repeatedly that I seem to be one of the only people expressing public concern about the subpar (read: crap) quality of Azure’s security responses. To that, all I can say is “no duh.” I’m not a security researcher, and I don’t partner with any company in this space. What’s Microsoft gonna do to me, hike the cost of my Office 365 licenses at renewal time?
On the other hand, security companies and almost everyone else who cares about cloud or even computers at all have to do business in various ways with the cloud providers, most particularly Microsoft. Other folks can’t afford to antagonize cloud providers, make them excessively mad, or editorialize about vulnerabilities, at risk of being shut out of future opportunities, conversations, or briefings.
But Azure shouldn’t read the public lack of reaction as a lack of concern. Not to turn this into “the lurkers support me in email,” but a number of folks who represent very large enterprise customers are appalled at this. They choose not to post about these concerns publicly (presumably preferring instead to drag Microsoft execs over the coals in more private settings), but they are very much aware of them — and they are not happy.
Azure needs to hold itself accountable — and so do we
I don’t have a particular horse in the cloud race. I cover AWS because, today, it’s where the expensive problems are that I know how to fix. Should the industry shift, I will as well.
What I want to see is a future in which there are multiple excellent options for cloud providers, rather than a monoculture or a duopoly. Issues like this make me fearful for the future of cloud as a whole, because “Azure is insecure” is indistinguishable from “the cloud is insecure” for folks who aren’t steeped in this world.
Azure’s gotta do better, and the rest of us need to get louder about Azure’s shortcomings until it does.