“All cloud security failures are IAM failures, and all IAM failures are governance failures.”

— me on Twitter (too many years ago to find)

CISA just released their report on the big Summer 2023 Microsoft Exchange Online Intrusion. You could call it blistering, but I call it more of a third degree plasma burn. It’s also the kind of validation I wish never had to happen.

Like many other cloud security professionals, I have been concerned with the security of Microsoft’s cloud (Azure/Office). When I first started using Azure I noticed it tended towards more-open and less-secure defaults. For example, the default for running a VM in a VNet was… no Network Security Groups. The VM would be wide open to the Internet for both inbound and outbound traffic. In AWS and GCP you can’t even deploy anything without an SG attached. (The portal does now try to get you to deploy with an NSG). Other examples? The Azure activity log doesn’t record Read activity, so you can’t identify reconnaissance.

Then there are the series of security flaws discovered by the teams and Wiz, Orca, and others.

The report has great detail, but the structural issues and recommendations are the real highlights. Here are the ones I think stand out — which have implications (both good and bad) beyond Microsoft.

  • It’s a governance failure: The Board concluded that Microsoft’s security culture was inadequate (page 17).
  • Because features and innovation are prioritized over security: as written in stone by the first cave dwellers.
  • Other CSPs have better security practices: Don’t blame me, it’s item 3 on page 17, and no surprise to those of us who do this for a living.
  • Microsoft did not correct inaccurate information and still does not know what happened: This means multiple failures at multiple levels. Page 17, again.
  • There has been more than one nation-state breach: We knew this, and they refer to Midnight Blizzard. The mistakes there are also… troubling.
  • The Board believes Microsoft has deprioritized security and risk management: Bottom of page 18.
  • The Board recommends Microsoft slow innovation until they fix security: It’s been done before, but I’m not sure how Copilot feels about that.

The report then mentions the Microsoft Secure Future Initiative. I wrote on LinkedIn when that came out that it seemed inadequate. It’s like a Band-Aid when you need a tourniquet. The report goes into more detail on some specific security practices it recommends changing; but also seems to indicate they consider other cloud providers to be doing a better job with security around keys, tokens, and credentials. I can only assume they also know about SAS tokens.

I mean, this report is rough, and anyone using Azure and Office needs to read it. And yes, I do use both myself for various things, but I’m not… a bank or the United States Government.

Outside Microsoft specifically, there are some things in the report that make us cloud security types scream “I KNEW IT! I TOLD YOU SO!!!” at our screens:

  • NIST needs to update 800-53 for cloud: Page 21, and if you know me you’ve heard me complaining about that for years.
  • M&A is a security risk: Okay, Chris Farris and I are literally days from publishing a thing which might just call M&A a threat.
  • CSPs need to stop charging for security-relevant logs: I’m screaming religious words right now. Which is weird, since I’m an atheist.
  • CSPs should be transparent and report incidents and ALL vulnerabilities: Another one that’s an issue beyond Microsoft.
  • CSPs and the government should have better victim notification: This is interesting and unexpected. They straight up call for non-spoofable mobile notifications.
  • The government is watching and should use FedRAMP and its buying power to incentivize change: The original Trustworthy Computing Initiative was largely the result of serious government… threats?… to look at alternative operating systems. It’s time for a replay.

It’s time for a Microsoft Trustworthy Cloud Initiative. Especially if they want us to trust them to be the leading AI provider. And FREE THE LOGS!!!

Adding link to Joseph Menn’s Washington Post article. He’s banned in Russia so you know you can trust him.