
Before you freak out too much, this bug has been closed. See below from the finder's Twitter feed. Before you relax too much, this was horrifying and you should seriously consider rolling managed identities as well as auditing their usage in your tenants.

"The issue was found and reported all in the same day. Microsoft fixed it within 4 days, classified it with critical severity and awarded a $40,000 #BugBounty"



One of the top cloud companies who everybody assumes are supposed to have security and security experts beyond what you can deploy, which is one of the main reasons given for why you should move to cloud deployment, sold a critical administration service implying it had high security [1] to unsuspecting customers. Whereas, in reality, it took a single researcher who had never heard of the product before and who is unfamiliar with the tech stack used in its creation less than one day to completely compromise it. By the internationally recognized Common Criteria standard [2], this would constitute an attack far below even Basic, the lowest certifiable level.

This has happened time and time again to the point where their repeatable security design, process, and validation is demonstrably systemically incapable of rejecting even grossly insecure systems. The benefit of the doubt for the quality of their systems should not be extended to a process that consistently produces abject failures. To assume anything other than the level of quality they produce regularly is an extraordinary claim that requires extraordinary evidence and independent objective verification. So actually, yes, you should freak out if you rely on the security of Azure (or any other cloud for that matter) without independently verifying the quality of every single service you use since their pattern of grossly incompetent security process means you should default to assuming their systems are terrible.

[1] https://azure.microsoft.com/en-us/services/automation/#secur...

[2] https://www.commoncriteriaportal.org/files/ccfiles/CEMV3.1R5...


> One of the top cloud companies who everybody assumes are supposed to have security and security experts beyond what you can deploy, which is one of the main reasons given for why you should move to cloud deployment,

I’d say your assumptions are wrong there. Security is not one of the main reasons for moving to the cloud. It’s not even _a_ reason to. Delegating responsibility for security might be cited as a reason but that’s not the same as saying the cloud is “more” secure. That’s just saying you don’t want to pay for security yourselves. Which is a whole different thing to what you’re claiming.


This is patently false. Security is repeatedly cited as a reason to move to the cloud, including in cloud vendors' own marketing materials.


You’re conflating sales pitches with actual business decisions that management make. I’ve been on the decision making board for a few companies and the pragmatic reality is the only time people cite security as the reason for moving to the cloud is when:

1. They’ve lost all their sysadmins / security staff and thus need to outsource that governance

2. When they’re looking to delegate responsibility (i.e. say to the customers “it’s an Azure issue, they’re fixing it”).

In both instances it’s not about Azure / AWS / GCP being more secure, it’s about _WHO_ owns the responsibility for securing.

The difference is important.

More often the actual reasons for migrating to the cloud are cited as cost saving (which is often misunderstood too but that’s another topic) and quicker deployment times (this is probably the strongest valid argument in my opinion).


Point taken.


> Azure has more certifications than any other cloud provider.

This is so... wrong. Makes me shudder. It's a bit like saying "I have so many credit cards, I must be really rich!".


$40,000 is an incredibly low amount for this type of severity finding.



