"The package is a pile of shit," one member of a federal review team wrote — a blunt line tucked inside an internal government assessment that triggered alarm bells in late 2024. The subject was not a failed prototype or a boutique app, but one of Microsoft’s biggest cloud computing offerings. The report, reviewed by ProPublica and first disclosed publicly in reporting cited by the Schneier blog, concluded that the supplier’s documentation problems left evaluators unable to determine whether the cloud service could reliably protect sensitive information as it moved across servers.
What reviewers found
According to the internal government report reviewed by ProPublica, federal cybersecurity evaluators flagged a "lack of proper detailed security documentation" for a major Microsoft cloud product. That absence of documentation, the report said, produced a "lack of confidence in assessing the system’s overall security posture." Reviewers further said that, for years, Microsoft had tried and failed to fully explain how it protects sensitive information in the cloud "as it hops from server to server across the digital terrain." Given those gaps and other unknowns, government experts concluded they could not vouch for the technology's security.
How this matters: practical and policy implications
The findings in the report speak to a simple but consequential truth: security depends on clarity. For technology evaluators, documentation is not paperwork — it is the mechanism by which architects and operators explain trust boundaries, encryption practices, key management, data flows, and controls. When reviewers cannot trace those details, they cannot produce an authoritative judgment about risk.
For policymakers and procurement officials, the report raises procedural questions. Federal buying decisions and regulatory assessments often rely on external assurance — third‑party evaluations, certifications, and vendor-provided documentation — to determine whether a cloud service is appropriate for sensitive workloads. If that documentation is incomplete or opaque, decisionmakers face a choice between accepting risk blind, imposing burdensome compensating controls, or excluding a widely used product from critical tasks.
For end users — public agencies, private organizations, and citizens whose data is entrusted to cloud platforms — the gap matters because it affects the baseline they can expect. Absent clear, vetted descriptions of how data is protected in transit and at rest, organizations may be left uncertain about who controls cryptographic keys, how isolation between workloads is enforced, or how changes in infrastructure will be communicated and managed.
And for adversaries, whether state‑linked or criminal, ambiguity can be an operational advantage. Where documentation and transparency are weak, attackers may find unanticipated avenues to exploit misconfigurations or to inflate the cost of detection and response.
Different perspectives on the gap
- From the evaluator’s perspective: The internal report and the quoted team member show frustration and an inability to close the technical story the government needed to make an informed risk judgment.
- From the vendor’s perspective: While the reporting does not provide Microsoft’s explanation, the existence of multiple review cycles and repeated attempts to explain protections — as described by reviewers — suggests an ongoing dialogue that, in the view of evaluators, remained unresolved.
- From the public interest perspective: A cloud provider’s opacity complicates oversight and accountability. If a major supplier cannot convincingly document core security practices, regulators and customers must decide whether to demand remedial transparency or to rely on alternative controls.
Conclusion
The internal judgment was stark and unambiguous: without proper, detailed security documentation, evaluators lacked confidence in assessing the system’s security posture. That is not merely an academic finding; it is a practical impediment to using — and trusting — a major cloud offering for sensitive work. The essential question now is procedural as much as technical: will vendors supply the clarity that evaluators require, or will agencies and customers change how they select and constrain cloud services when the documentation is missing?
https://www.schneier.com/blog/archives/2026/04/on-microsofts-lousy-cloud-security.html




