Comment by axelriet

3 days ago

A former Azure Core engineer’s 6-part account of the technical and leadership decisions that eroded trust in Azure.

What's your assessment of AWS and GCP? Do you think it's likely they suffer from some of the same issues (eg the manual access of what should be highly secure, private systems, the instability, the lack of security)?

  • As a former GCP engineer, no, the systems are not generally unstable or insecure.

    There is definitely manual access of data - it requires what was termed “break glass” similar to the JIT mechanism described by the author. However, it wasn’t quite so loose; there were eventually a lot of restrictions on who could approve what, what access you got after approval, and how that was audited.

    It was difficult to get into the highest sensitivity data; humans reviewed your request and would reject it without a clear reason. And you could be 100% sure humans would review your session afterwards to look for bad behavior.

    I once had to compile a large list of IP addresses that accessed a particular piece of data to fulfill a court order. It took me days of effort to get and maintain the elevated access necessary to do this.

    I have a lot of respect for GCP as an engineering artifact, but a significantly less rosy opinion of GCP as an organization and bureaucratic entity. The amount of wasted effort expended on engaging with and navigating the bureaucracy is truly mind-boggling, and is the reason why a tiny feature that took a day to code could take months to release.

    • Insecure is a curious word as it entangles with what is or isn't known, more than informs about design.

      A different way to put it is GCP architecture has made different tradeoffs. For example favoring operability over confidentiality*, or scalability over integrity.

      This makes sense from its mono-tenant engineering origins. Those were the right calls. Google exported SRE not SecEng.

      Frankly, for most cloud customers, it's what they need.

      ---

      * Take this break glass process. It arguably shouldn't be possible. If clients need their CSP to be "NSL proof", unable to leak corporate info responding to a national security letter (or any less obligatory rationale) without the corporation knowing, GCP is not their cloud. CSPs mostly consider it more difficult than it's worth to design a cloud offering that can be proven unable to provide a client's data. On the contrary, customers yell if CSP can't restore lost data, like Apple users yell if Apple can't restore iCloud. iCloud Advanced Security is what happens when you build clients the choice -- witness the warnings.

      Support drives design choices, not security.

Why do you speak about yourself in the third person?

Also, after this:

https://news.ycombinator.com/item?id=20341022

You continued to work at Microsoft and now there is this takedown?

I'm no friend of MS (to put it very mildly) but it seems to me your story is a bit inconsistent, as well as the 7-year break between postings.

  • The comment comes from the input field on the post form. Not clear it would show up as a comment. The old thread you refer to had little to do with Microsoft per se. Let me know if I can help with the inconsistencies you mention?

  • > Why do you speak about yourself in the third person?

    When you submit a link to HN, there is an entry field for text in addition to the url.

    It does not really describe what the text is used for. For links, the content of that field is simply added as the first comment.

    Someone who is unfamiliar with the submission process may assume this field should describe what they are submitting, and not format it like a comment.

    Then that text gets posted as the first comment and tons of people downvote it, jumping to the conclusion that the weird summary comment is from an AI, and not the submitter describing their own submission.

    (I also assumed these comments were AI until someone else pointed this out)

I downvoted this comment for sounding like a summarizing LLM, not adding anything substantial beyond the title of the post, before realizing you were the poster and author.