Azure’s Terrible Security Posture Comes Home to Roost

submitted by
Style Pass
2022-01-12 18:00:10

I’ve been giving Azure a fair bit of grief lately for some embarrassing information security lapses, and I think it’s only fair for me to explain in a format beyond “some tweets” exactly why that is. The write-ups I’ve seen have all been deeply technical and more or less bury the lede, so let me begin with a quick summary of the three issues that have pivoted my impression of Azure from “serious contender, albeit one that targets a different market than the ones I talk to” to “this is a security clownshow that should be actively avoided.”

In September, Palo Alto Networks identified the Azurescape vulnerability. This is important because it’s the first documented case, at a hyperscale cloud provider, of a vulnerability that “could enable one user of a public cloud service to break out of their environment and execute code on environments belonging to other users in the same public cloud service.”

Let me be very clear here: This is the terrifying outcome when it comes to cloud security. I, as a customer, getting read, write, and execute permissions to your cloud environment is the stuff of absolute nightmares. It validates every crapass “the cloud isn’t secure” take we’ve heard for the last 15 years.
