Microsoft Cloud Security Falls Short in Government Review

"The package is a pile of shit," one reviewer wrote — blunt, unvarnished, and hard to ignore. In late 2024, federal cybersecurity evaluators reached a stark conclusion about one of Microsoft’s largest cloud offerings: they could not confidently assess its security because of missing, inadequate documentation, according to an internal government report reviewed by ProPublica.

What the evaluators found

The internal report, seen by ProPublica, concluded that Microsoft provided a "lack of proper detailed security documentation" for the cloud product under review. That gap left assessors with a "lack of confidence in assessing the system’s overall security posture," the report said. Reviewers told ProPublica that for years Microsoft had tried and failed to fully explain how it protects sensitive information as that data moves from server to server across the cloud environment.

How the problem presents itself

At its core, the issue described in the report is not a single technical bug but an absence of clarity: documentation that should explain design choices, controls, and data handling practices was insufficient. Without those details, the government evaluators said, they could not form a reliable judgment about the system’s security. That judgment gap is the reason the evaluators declined to vouch for the product’s security posture.

Why this matters

  • Trust and procurement: When government cybersecurity reviewers say they lack confidence in a product, that finding affects how officials, agencies, and other large customers make buying and deployment decisions.
  • Risk assessment: Detailed documentation is a fundamental input for assessing whether sensitive information is protected as it moves through cloud infrastructure; without it, assessors must treat the unknowns as potential vulnerabilities.
  • Vendor accountability: The report describes repeated attempts over years by the vendor to explain protections for data in motion; according to reviewers, those efforts fell short.

Different perspectives on the finding

Technologists focused on security engineering will read such a report as a warning about the limits of assurance without clear, verifiable documentation. Policymakers and procurement officials will see a practical problem: how to approve or reject a critical cloud service when evaluators report an inability to assess its security. For users of cloud services, the report underscores a basic expectation — transparency about how sensitive data is protected as it moves across systems. And for any party looking to exploit gaps, obscurity and unclear documentation can create opportunities where they otherwise might not exist.

ProPublica’s reporting and the government’s own internal review converge on a simple but consequential point: the absence of proper, detailed security documentation prevented expert reviewers from endorsing the security of a major cloud product. That gap is not merely administrative; it is a practical impediment to measuring and managing risk.

When a product that moves sensitive information across many servers cannot be clearly described by its maker, who, then, can confidently say it is safe?

https://www.schneier.com/blog/archives/2026/04/on-microsofts-lousy-cloud-security.html