
We need more Red Hat and less Microsoft in the on-prem enterprise business. These exploitable vulnerabilities are unacceptable when your customers are the likes of DoD.

No one considers Google anything less than an impenetrable fortress, but when it's some government entity responsible for keeping American lives safe it's like "ah yeah they probably have a vulnerable on-prem Sharepoint that could easily be pwned."

So why is this? Why do Microsoft products enjoy a monopoly on the server in these sectors when more secure (Linux-based) options are far cheaper and widely deployed already? Isn't security the number one priority in those spaces?



"Why do Microsoft products enjoy a monopoly on the server ...?"

They don't. There's plenty, even a majority, of non-Windows servers in gov (I know, some depts are true MS shops).

Sharepoint is one of those things that snuck in via the desktop. It was touted by MS as an evolution of shared folders with "Intranet" features included. If you already ran a Windows Server for fileshares, Sharepoint was "free".

The initial few implementations were of extremely poor quality, even by MS standards, but SP was positioned in the MS channel as the future of MS server side application development. So all of the consultancy/sales channel jumped on the SP wagon for any custom server projects.

For developers, it was a nightmare. Underneath, the platform was a frankensteinian horror of bits and pieces of resurrected code from many departments and projects across MS crudely bolted together with chewing gum scraped off a park bench and bits of string recovered from old fish guts. Lists (SP's core structure for file directories with exposed metadata properties) could not work reliably, the system fell over under even light load, latency was totally unacceptable even for basic operations, files did not roundtrip through the server unchanged ...

Over the years MS cut it down from "the future platform for custom backoffice apps" to "out of the box Intranet with mainly cosmetic configuration options" to "cloud hosted office 365 shared folders".

" Isn't security the number one priority in those spaces?"

No. It's exactly like every other IT environment of comparable size. Security is considered important, but does not drive sales. Features and cost, but also available expertise from the supplier/channel partners, dominate the choice. Security is covered by promises and certifications, but more often than not left to operations to patch up.


I was involved in a software startup that was aligned with MSFT 18 or so years ago. We built the web app side of our tool in Sharepoint precisely to be a good team player, and make ourselves more attractive to Redmond, even though it gave us no real benefits.

The support problems were INSANE. We ended up spending an entire release cycle pulling the web app out of Sharepoint and just doing a proper stand-alone web site. Support calls plummeted.

Sharepoint is something only a marketer could love.


Sharepoint’s problem, as parent alluded to, is that it’s three kids in a trenchcoat pretending to be an adult.

At no time did MS seem to say “Here’s our vision for Sharepoint as a complete product.”

Instead, you got coming on 25 years of random big customer feature asks + a home for lost MS product bits.

It would surprise no one that performance of that has been atrocious for most of its life (for those not old enough, think non-functional search and 20s page loads for on-prem instances), salvaged only semi-recently via the cloud managed version (that I’d guess runs on a ground-up backend reimplementation).


"At no time did MS seem to say 'Here’s our vision for Sharepoint as a complete product.'"

100% bang on.


>> The initial few implementations were of extremely poor quality, even by MS standards, but SP was positioned in the MS channel as the future of MS server side application development. So all of the consultancy/sales channel jumped on the SP wagon for any custom server projects.

The gaslighting around this matter was intense. It destroyed any remaining trust I had at that point.


> Isn't security the number one priority in those spaces?

Money changing hands between suitable people who pop up together at the right social occasions is the priority.


This though is also true in the private sector.


In the private sector, there's a slightly more direct link between job underperformance and being fired.


> In the private sector, there's a slightly more direct link between job underperformance and being fired.

Not in my experience. Connections are more important than competence in big corporations. The bigger the company, the more it works like the old Soviet Union.


I've been working in major famous corps for most of my professional 45 years, and this is what I have observed.


In most big companies you don’t really get fired for bad performance (as long as you try to do your job).

In my experience you only really get fired when the command from the top comes to cut X% of the workforce (sometimes this is yearly due to stack ranking systems), but even then the best way to keep your job is not doing a good job. In actuality it is connections (being good friends with your boss).


Remember, a lot of large multinational companies are larger than many small countries, so if you have a very large multinational company you're gonna have the same type of corruption and inefficiency as in countries and governments. Of course, if you have a small startup with 10 people and the owners are very involved in the day-to-day business, they can probably spot when there is underperformance, but in a multinational company where you can barely know who is responsible for what, probably not.


And if your strategy fails, you (usually) can't raise taxes to make up for lost revenue. So there is an even more direct link between underperformance and losing money.


I don't get such incomplete, selective, comparisons.

The country can't go bankrupt and you just found another one.

Yes, when a country messes up they have to actually fix things, there is no way around it. Except getting merged into another country - like my birth country, the GDR, ended up as West Germany's problem (but its people still had to do the work).

Also, if big enough companies (and banks) fail, it is the same. Not having a strong government would not help either; in such cases the companies would be the government, as we saw in even wilder times of huge companies and much less state in the US some century or two ago.

At some point in the hierarchy you have to live with not having omniscience and accept that sometimes things don't work out, and that you can't just walk away from the consequences of those failures.


Oh boy. Haven't watched much US news since, like, Reagan, have we? Dumping the debt of your failures on future generations has become somewhat of a competitive sport in politics. Can't really do that in the private sector.


Private equity would like a word...


Private equity does not have write access to the money ledger.


If your strategy fails the government bails you out, or you float away from the burning wreckage on your golden parachute until you land in a new job at another company which you can then ruin without meaningful consequences or you just retire with the millions you got in your severance package and live the rest of your life carefree.


But nobody gets fired for spending money on stuff made by giants such as IBM, Oracle or Microsoft, regardless of the issues that can arise, while choosing a less known competitor is a liability for the decision maker, even if the impact is much smaller.


Nope. That correlation disappears completely for enterprises of larger size. I have more often than not seen the least (or even negative) productive climb the promotional ladder in those environments.


Exactly. I worked for both public and private sector clients. For departments/companies of the same size, there is no difference in attitudes and behaviour. People seem to perceive a difference, but that is mostly because they compare big gov depts to smaller private companies, not equivalently sized enterprises.

For small companies, they just look at the "winner"'s operation, not including the "waste" of the other 39 "losers" that failed.


I do wonder if the fact that these vulnerabilities get exploited so often is because the customers are the likes of DoD. If DoD used Red Hat, maybe we'd see more large-scale linux/freedesktop exploits being discovered.


I think there's certainly an element of tall poppy syndrome here. Windows, for example, used to be targeted because its security was a complete joke until quite late in the XP era (SP3 IIRC). But there's always been, and still is, an element that it's targeted because it's a big, juicy target.

A huge portion of the desktop and server market are running Windows. It used to be almost all Windows, at least on the desktop. Nowadays mobile computing has become far more important so Windows doesn't have the end user dominance it once did, but there are still a huge portion of end user devices running Windows.

Same on the back end: it's just a big juicy target, and the bang for buck that hackers get from it is huge given how prevalent it remains in corporate and government environments.


Yet nearly all internet-facing servers are Linux, and we don't see the same volume of issues.


I hate Microsoft products as much as the next person, but I don’t think your statement is entirely fair:

SharePoint isn’t Windows. It’s a Microsoft product that’s only available for Windows Server. But it’s not Windows.

The reason I make that distinction is because if you widen the scope of services available on Linux then you might come a lot closer to the same volume of issues.

For example, take a look at how frequently CVEs are raised against popular CMSs.


> For example, take a look at how frequently CVEs are raised against popular CMSs.

One popular CMS in particular?


Sure, I get the point, a more apt comparison might actually be RedHat though, since they're doing E2E packaging for a product suite.

I mean, Linux isn't even Linux - At the risk of invoking a meme: Linux is actually GNU + Linux; and even then there's a web-server on top, and software that it runs.

So, a working comparison might be Wikipedia? As far as I understand it; that's the largest CMS on the planet.


The closest comparison to SharePoint is probably a combination of Zoho Connect, Zoho WorkDrive, and Zoho Flow. Zoho's office suite also integrates with WorkDrive and has collaborative editing. They even have a desktop app for Writer.

Even then, SharePoint is more of a platform. You can build SharePoint apps and extend it.

There isn't a comparison for SharePoint Server. There really isn't any single thing like it for on-premise.


Neither Wikipedia nor Redhat are as big targets as Microsoft’s ecosystems. Not even remotely.


ok, nginx+linux power nearly every website, is that close enough of a sizable target?

As mentioned, even if we exclude websites, Linux is a pretty enormous target. Much more enormous than microsoft - by an order of magnitude or more, yet: we don’t seem to have these kind of issues. Curious, don’t you think?


Very curious. Just based on the incidents we see, and analyze over time, almost all of them are compromised Windows systems. When I say "almost", I'll provide these stats: ~4500 Windows incidents over 5 years, vs. two Linux incidents.

Similarly, looking at vulnerability counts by vendor doesn't paint a rosy picture of our largest vendor Microsoft, either. But it pales in comparison to the incident statistics, which speak for themselves.

To Microsoft's credit, they've managed to turn their weaknesses into a secondary industry, wherein they now no longer sell just the disease, they also sell the cure. "Oh, your Windows systems have security problems? Have we told you about our expansive security solutions? They're only an additional $your_budget_doubled per year!"


Nginx doesn’t have the same attack surface.

Microsoft’s back office suite is massive. So you’re talking about Nginx + a CMS + online office suite + video conferencing + identity providers and so on and so forth.

There isn’t really a direct comparison in the FOSS world. It’s either smaller in scope or smaller in terms of high profile organisation adoption.

This is why I think it’s easier to ignore the “Linux” part. Not because Linux is technically a kernel, but because there isn’t a directly comparable solution that targets Linux / GNU or whatever other base OS moniker you want to use. Same is true for BSD, Darwin and so on.

The alternatives to Microsoft’s dominance are typically more narrow in scope and usually proprietary too (eg Okta for identities, Google Docs for O365, etc)

Does this mean that Microsoft products are secure? Not really. It just means we cannot make a fair comparison against FOSS when it comes to these specific types of attacks.


If every car in your neighborhood that gets broken into is manufactured by a single manufacturer, it is in your interest in asking why that is, and perhaps considering that fact when shopping for a new car.


That does happen though. Cars worth more are stolen while cars worth less are not.

The common factor there isn’t that 40 year old hatchbacks have better security. It’s that the risk vs reward isn’t there compared to the brand new luxury cars with higher resale value on the black market.

This isn’t something I’ve just made up either. This is what the police told us when my neighbour's Merc was stolen while my Skoda, which was accidentally left unlocked, was not.

Thieves target the expensive cars because they’re worth more. It’s really that simple.


> Thieves target the expensive cars because they’re worth more. It’s really that simple.

They don't target the expensive cars. The most stolen cars in the US are cheap Hyundais and Kias. Before they claimed the top spot on the list of cars taken most often, the winner was pickup trucks and old Toyotas.

Thieves target what's easy to take and easy to chop up and sell, not luxury cars with high resale value.


> They don't target the expensive cars.

US != everywhere.

They do target expensive cars in other countries.

As I said earlier, I have firsthand experience of this being the case.

> Thieves target what's easy to take and easy to chop up and sell, not luxury cars with high resale value.

You’re just proving my point here though. Thieves target cars that have the highest resale value.

Whether that’s as a whole, or for parts where the supply chain for genuine parts has become extremely expensive.

Organised crime happens for money.

Yeah, there will be a subsection of society that steals cars for shits and giggles. But those also aren’t the sort of motives for hackers who’d go after Microsoft Sharepoint. So if we are to compare like-for-like, then you have to discuss organised crime rather than bored teenagers.

———

By the way, I love how your username is accidentally appropriate for this conversation :D


If every car in your neighborhood that gets broken into is manufactured by Ford, but some people keep saying that their sneakers never get broken into, why don't you just walk everywhere, also they've never driven a car and don't really believe anyone else drives a car and keep implying it's just a status symbol...

and then they say "okay what if we consider everyone's sneakers all together, and how rarely they get stolen compared to cars" as if they've come up with a sensible comparison in complexity...

and then someone suggests "RedHat Linux" as an alternative to your car. Apparently they don't know what section of the world a car fits into, to suggest an alternative - but they're still convinced that you don't need a car and they are genuinely puzzled why more people aren't using "RedHat Linux" instead of cars...

... also only Ford make cars and the only real alternative is something completely different and then pay consultants to customise it and retrain your entire workforce at great cost and upheaval for little to no return, except hoping for an increase in security but not being able to prove same, or even clearly nail down what that means precisely.


One should be wary of anyone selling you a solution to your problems they know nothing about. Naturally, the only way to be entirely secure is to shut down all the applications and decommission all the computers, a solution which the business side tends to find unreasonable. Thus the tender balance between business needs and business risk emerges as the deciding principle.

But the numbers are the numbers in heterogeneous environments, regarding security problems by platform. And if it rains perpetual Windows-based incidents on your security staff, and you don't consider the numbers when evaluating what you will and will not do, compute/services-wise, then you are statistically likely to see the same rate of incidents, at whatever cost that comes to the business, indefinitely.


> "a solution which the business side tends to finds unreasonable"

Isn't it odd that "unreasonable" solutions keep being suggested in threads started by people who first push Linux, and second ask what the thing even does anyway.

> "Thus the tender balance between business needs and business risk emerges as the deciding principle."

There is no tender balance and this is nothing like the deciding principle, and again it's illustrative that in a world where big organizations turn to poor quality software with poor UX for reasons like "nobody got fired for buying IBM" and "I look good on the Gartner report" and "the vendor will bend over backwards to make our auditors and legal team approve it" that Linux people go for the only thing they have going and try to suggest it's the most important thing, even though it's demonstrably an afterthought or a never-thought.

> "you are statistically likely to see the same rate of incidents, at whatever cost that comes to the business, indefinitely."

And you see this happening for literally 30 years and the "whatever cost" being written off as a business expense that has never changed anything, but you still call it "the deciding principle" when the evidence shows that the decision makers barely consider this at all?


Whoops. I used hyperbole, and it went undetected. Here: s/the deciding factor/a deciding factor/g. We're good now.


So now you've changed your position, what happens to your original claim "If every car in your neighborhood that gets broken into is manufactured by a single manufacturer, it is in your interest in asking why that is, and perhaps considering that fact when shopping for a new car."

Why would that need to be said at all, if businesses are using security as A [prominent] deciding factor already?

My reply "businesses are visibly not using it as a deciding factor" still seems correct.


We're still good now.


DoD does use Red Hat (a ton). Not for this, apparently, but for plenty of other things.


It all started with Novell Netware. It was a great product and companies would buy it to have centralized management. Microsoft noticed this and decided to use their power position to drive Novell out of the market by offering a similar service and have it built in in their server product line. Novell tried to fight but it didn't last long.

The protocol was proprietary and an open source implementation in Samba was very slow at catching up. If you decided to host a domain controller using it, you never knew if a random disconnect was a network issue or the controller or the client.

And here we are. Active Directory, or Entra or however they call it these days, is basically a standard way to manage users everywhere. And until a strong entity (EU?) comes up with strong backing for an alternative solution (we have plenty of them now), the situation will not change.


> Active directory, or Entra or however they call it these days, is basically a standard way to manage users everywhere. And until a strong entity (EU?) comes up with strong backup towards an alternative solutions (we have plenty of them now), the situation will not change.

You still have Active Directory on premise and now you have EntraID (formerly Azure AD) in the Azure cloud.

For Windows devices, it is the only mechanism supported to have a centralized management system.

For other systems, such as MacOS, you have alternatives that don't require any centralized user database.

Most cloud-native companies today rely on Okta or Amazon Cognito for their applications. Google Workspace supports this too, but it is incredibly basic at what it can do.

I don't think there's anything that anyone can do to make this different.

And just to nitpick a little, it's like saying the smartphone reduced the camera market because of its dominant position. It didn't, it just provided convenience when there was none (a phone, a camera, a video recorder...).


Most enterprise PCs are Windows machines and integrate with Microsoft services easily. The only way Microsoft is going to lose the enterprise market is if enterprise PCs move away from Windows.

But, for enterprises, the only reasonable migration away from Windows is Mac. JAMF Pro for Mac can be hosted on-premise on Linux. The majority of enterprise software runs on Mac. However, Macs are expensive so it's unlikely to overtake Windows enterprise machine usage.

Hardware support for Linux PCs is poor and lacks the manageability of Windows PCs with Active Directory and GPO, or JAMF for Macs. Enterprise software usually doesn't support Linux. Linux PCs are uncommon for personal use and corporations don't want to train users how to use Linux.


"Hardware support for Linux PCs is poor and lacks the manageability of Windows PCs with Active Directory and GPO, or JAMF for Macs. Enterprise software usually doesn't support Linux. Linux PCs are uncommon for personal use and corporations don't want to train users how to use Linux."

I would dispute the "hardware support" comment. Linux has pretty good hardware support nowadays. And "enterprise" software is a vague term here. For desktop Windows, of course Microsoft will have that covered every which way, but for things such as authentication, authorization and security, Linux has a place. A comment about adding "Redhat" to the mix is not talking about desktops (necessarily) but servers and security.


There are still plenty of issues with Bluetooth, batteries, microphones, GPUs, touchpads etc. when doing a clean install of Ubuntu on any random laptop.


True. But larger orgs don't buy "random laptops". The trick is to just buy laptops where you know everything works, and the company making them has a commitment to Linux.

Buy your linux laptop fleet from Framework, System76, Starlabs etc and you won't have any problems like that. You might have OTHER problems, but not that one.


None of those companies have a logistics chain which would at all be suitable for the US federal government.

Even in corporate, there's basically two vendors - Dell, and a distant second Lenovo, with Apple having a foothold in niche usecases.


You used to be able to buy Dells with Linux pre-installed, quite a while ago. Did they stop?


Any corporation won't care if it comes with Linux pre-installed, as they'll want to image the machines themselves (CrowdStrike for instance).


No, but it's not universal across their range.


Do these companies support Net 30/60/90 payment? Do they provide enterprise support?

There’s a reason why corporations use HP and Dell machines. And there’s a reason why HP/Dell/etc don’t have Linux OSes on their corporate client machines. Well, they do, but companies don’t care to order them for the other reasons people have listed here.


I work for a company with 1000+ people in RnD doing software development. 80% of those use Ubuntu and have one desktop and one laptop (HP EliteBooks) and that works fine.

You are right that not all devices work perfectly, but the Bluetooth headsets, Bluetooth mice, conference rooms etc. that the company supports are tested for compatibility before being bought by our IT department.


Canonical and Red Hat have certified hardware. Most corporate workers aren’t software developers. They just want their productivity suite for email, scheduling, messaging, documents, spreadsheets, and presentations.


Enterprise and government don't use random laptops.


> A comment about adding "Redhat" to the mix is not talking about desktops (necessarily) but servers and security.

Why would you use RHEL to manage Windows client machines, when you could use Windows Server/Azure and get Microsoft support?


This suggests that the main thing Linux needs, for broader enterprise adoption, is a much improved "log into something that quacks like Active Directory" solution. Not actual Active Directory, obviously that just contributes to the lock-in, but what else is even remotely as polished and well integrated? I suspect this is the true moat actually. Nearly every actual business has "log into our company managed authentication system and have our communication and basic productivity apps just work" woven throughout the core of onboarding.

Microsoft sure has a lot of warts, but even as a Linux enthusiast, I cannot deny that Outlook "Just Works" with a frankly shocking set of basic stuff. Login for the first time, check your email, hey there's your meeting with your manager on your calendar, and now we can add new events just by putting you in this group, etc etc. There's dozens of little integrations baked in here that a tech enthusiast could feasibly replace in isolation, all of which vanish the moment you turn off the Exchange server or whatever it is. It's way more complex under the hood than most people realize, which is why "ditching Microsoft" so often turns into "Adopting Google Apps", as they have a similar turnkey solution to most of the same problems.

Not meaning to be a big ball of negativity, but as I haven't really explored here... in the FOSS space, what is the equivalent? Which tools are the most polished, and what server backends could be hosted on-prem to gain the same basic integrations with login, email, calendar, chat, and video conferencing?


Amen .. and this has been the case for a very long time. I remember transitioning my startup employer to "small business server" (Active Directory+Exchange) over 20 years ago. Why? Email and calendaring, especially - remember this? - Blackberry integration.

Everyone above middle-manager level lives in meetings, which means that the calendar is a critical piece of productivity software for them, and they want the comforting familiarity of Outlook. Which means they get to impose that on a whole organization.

The company that should be doing this kind of integration is Red Hat, but they've never quite managed it.

The open source solution space is probably LDAP and CalDAV, but as you say, nowhere near as conveniently integrated.

AD integration and desktop management solutions rule the Windows desktop. But not Macs in an organization, which are an absolute pain to manage, and yet somehow persist.

Perhaps it's not enough for there to be a "push" to Open Source because you've been failed by a proprietary solution, there needs to be a "pull".


> Perhaps it's not enough for there to be a "push" to Open Source because you've been failed by a proprietary solution, there needs to be a "pull".

Absolutely. A company isn’t going to create a GitHub issue and wait around. You can’t make service agreements with FOSS. There needs to be market forces to sell this software to corporations and it’s a hard sell.


Even macOS has a ton of goofy workarounds and third-party products required to get that level of ease for logging in with a corporate identity and having everything "just work". It's only finally getting close in Tahoe with the new additions to Platform SSO, but close is not "feature parity" either.


Apple focussed on consumer and even shunned the enterprise.

MS, for all its flaws, welcomed, targeted and tried to support scale operations in larger business environments (imaging, AD, GP, SuS, BitLocker, ...).

Also, if your only option to fix a hardware problem was to "visit the Genius Bar" and wait 6 weeks for a machine to come back, vs. the Dell/HP/... service of "same day onsite repair", what is IT going to prefer for client computers?


Apple has changed their tune, in so far as they probably need some level of identity management on the Mac, crypto-key escrow, restrictions, and so on. Their Device Management framework is quite capable.

For large enough businesses Apple will let you do your own self-service repairs too. On-site. Order the part and you're still in warranty.


> corporations don't want to train users how to use Linux

This is a huge factor. There are a lot of people who’ll curl up into a ball if you try and get them to use something new.


I'm in the manufacturing sector, on the integration side of things now, but yes, change is always a battle. The way I see it, the problem is two-fold:

Side 1: the workers, especially the labor portion, are extremely resistant to learning new ways to do things unless you can prove, beyond the shadow of doubt, that the new way will be easier than the old way (aka, less to remember/think about) but also does not diminish the quality of their work or increase the perception that their coworkers might see them as having it easier than them.

Side 2: the people responsible for purchasing and resource allocation often do not know what they are buying. In any shop, if you say "we need new PCs for the office", the first thing the purchaser will do is ask a supplier for a deal on a fleet of Dells because that's just what they've always done. If the company is larger and has an actual IT department, they will just provide Windows PCs because that's what they were trained to support. The alternative, Linux, is never considered because they simply don't know anything about it and it's not being offered by their suppliers anyway, so why learn?


Going Mac in an enterprise environment is a stupid move. Apple is constantly changing how MDM works. One week they'll go all-in on some method of doing things, and tell everyone they must comply or GTFO. The next week they'll completely change their minds and gaslight you, saying that old way is stupid and nobody should have ever used it ever. Then they will put in blocks to prevent it from working. This means all the work and tooling that people poured into it are just dead.


It’s been pretty consistent with how macOS MDM works with device profiles. The software to manage provisioning of device profiles may have changed, but at the OS level it hasn’t.


Hard to square this with every startup after ~2006 running a substantial, if not majority, Mac fleet. In addition to the major tech companies.


Startups rarely use MDM solutions, that's a thing when you hit >> 1000 users because you need dedicated teams to hand-hold the MDM.


I've worked in two 5k-10k companies in the past 10 years with 80+% of MacBooks in the fleet, all managed through MDM and as an end-user I never experienced issues. Unsure how the IT folks felt about it but they managed it pretty well if I didn't experience any problems for so long.


Neither of those claims is true in my experience. MDM is par for the course for SOC2, which is increasingly popular these days, and managing MDM seems like one of many responsibilities of ops teams.


I managed 1000 computers and a few hundred iPads by myself. No team required. HIPAA covered entity.


You could argue changes to MDM strategy is indicative of new threat vectors appearing


> Linux PCs are uncommon for personal use and corporations don't want to train users how to use Linux.

I wonder how quickly that’ll change with the generations. The kids these days use Android and iOS, right?


I can assure you, the DoD isn't a bunch of Windows servers hosting SharePoint for the public. Federal government IT in general is a RHEL shop, at least server-side.


> Why do Microsoft products enjoy a monopoly on the server in these sectors when more secure (Linux-based) options are far cheaper and widely deployed already?

Because there is no FOSS solution even coming close to the level of out-of-the-box integration of Office 365. Thunderbird has zero integration with LibreOffice, LibreOffice has zero integration with Owncloud (or whatever else one might use), neither has integration with a softphone software, much less a backend like Asterisk. And some software like Sharepoint or MS Access doesn't have anything on the FOSS side.


You are very close. But Office isn't the secret to Microsoft's unassailable dominance in enterprise. I could remove Office at work and we'd be okay.

Active Directory is the key. A unified management of users, devices, groups, and policies that everything else is built on. Nothing outside of the Windows world even comes close. There are Linux tools to impersonate or talk to Active Directory, but no alternative to it.

Group Policy lets me set up any number of tens of thousands of configuration changes and apply them easily to any group of users or computers with a few clicks, regardless of device manufacturer. Linux distributions aren't even consistent enough about which system tools are onboard, much less what policies can be configured on them. Web browsers all have Group Policy plugins, so everyone's web browser is configured by Active Directory too.


Linux is a hellhole, for Mac JAMF fills the gap pretty well.

For Linux, I'd probably whip up Ansible these days if I were tasked with it, but getting it off the ground is ... nasty. Set it up as a systemd unit to run on boot, login and network-online.target, and that's it.
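A minimal way to realize the "Ansible as a systemd unit, started after network-online.target" setup the comment above sketches, as an added example that is not part of the original comment: a oneshot `ansible-pull` service ordered behind the network, plus a timer that re-applies the playbook periodically. The repository URL, branch and playbook name are placeholders; the unit and timer file names are assumptions.

```ini
# /etc/systemd/system/ansible-pull.service
# Added example; the repo URL, branch and playbook name below are placeholders.
[Unit]
Description=Apply local configuration with ansible-pull
# Wants= pulls network-online.target in; After= orders this unit behind it,
# so the git checkout does not fail because the link is not up yet.
Wants=network-online.target
After=network-online.target

[Service]
Type=oneshot
# -U: git repository holding the playbooks (placeholder URL)
# -C: branch to check out
# --only-if-changed: skip the play when the checkout has not moved since the last run
# local.yml: playbook applied against this host only
ExecStart=/usr/bin/ansible-pull -U https://git.example.invalid/it/workstations.git -C main --only-if-changed local.yml

[Install]
WantedBy=multi-user.target

# /etc/systemd/system/ansible-pull.timer
# Re-runs the service shortly after boot and then hourly, with jitter so a fleet
# does not hammer the git server at the same instant.
[Unit]
Description=Re-apply configuration with ansible-pull periodically

[Timer]
OnBootSec=2min
OnUnitActiveSec=1h
RandomizedDelaySec=10min
Unit=ansible-pull.service

[Install]
WantedBy=timers.target
```

Enable the timer (not the service) with `systemctl enable --now ansible-pull.timer`; the service then runs once at boot via the timer's OnBootSec and every hour afterwards. Pull mode keeps each host fetching its own configuration over HTTPS, so no central controller needs SSH access to every workstation, which is the usual objection to push-style Ansible on a desktop fleet.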


OTOH that is a plus for security. When everything is interconnected/integrated, everything is usually pwned at the same time.


The problem is, decision-makers will not go for the "secure" way, they want a solution out of "one mold" - and so do users. It is a common complaint when trying to set up a FOSS solution, users complain that they have to learn and memorize different ways of doing the same thing across different applications... and made worse by many FOSS projects not having UI/UX designers at all that care about consistency even in the scope of the application itself.

And on top of that, many data exchange formats are not just "old", they're "fossil" and don't even come close to meeting the demands that people have come to expect.


In the non FOSS world it still ends up the same.

In every single company I have been working in for the last 15 years, information was spread across so many different tools that integration was a moot point: Office365, Jira, Confluence, a separate ticketing tool, some mkdocs or single markdown files in repositories, spreadsheets, dedicated HR web portal, intranet, internal blog/comm/social media... Even within Office365 information is stored randomly as office files in SharePoint, Teams channels, personal OneDrive, emails, copy/paste in Teams, Teams channel OneDrive synced drives, OneNotes...[1] Also RBAC makes sure that whenever you come across one doc containing links to other stuff, you end up having no access to half of the links.

Bottom line, the tightest integration doesn't reduce any friction because there is not a single toolsuite that fits every use case and people end up making a mess of everything. You never know where you can find the information and every single Teams wiki ends up being a collection of links to a myriad of different places. Also half of the people still email people documents instead of the links because they don't understand anything else.

[1] yes it is in the background the same product but people access them and more importantly know or search the information in totally different ways.


Only because Microsoft offers "certified professional" badges and the MSCPs are pushing the only thing they are certified for, and the corporations buy into the whole "certified" thing.

I have a ton of customers where the admins are constantly reminding everyone about the certifications they have, all while their basic security is below average.

… but they are certified!


> No one considers Google anything less than an impenetrable fortress…

I think it's deeply likely that most major intelligence agencies have people burrowed into the various FAANG type companies.

Like this guy, but less foolish about revealing it. https://www.nbcnews.com/tech/social-media/facebook-investiga...


> Isn't security the number one priority in those spaces?

No. Quick iterations and output output output. Security is one of the least concerns in any company I have ever worked in.


> when more secure (Linux-based) options are far cheaper and widely deployed

Hold on, we are talking about SharePoint here. I don't know any software that could replace it, one that allows an office suite to collaborate the way SharePoint Server does (versioning, concurrent editing, online editing, workflows, customizations, OneDrive, IRM, compliance, search etc.)

Even in a Windows environment. Can you name a more secure, cheaper and widely deployed alternative?


Google Workspace


This is SharePoint on-premise, so Google Workspace isn’t a good comparison?

Also, even if we do look at cloud: Workspace isn’t bad (exception: sheets vs Excel), but SharePoint is the center of Teams, Power Platform, PowerBI… to replace M365 with Workspace means a lot of research, setup and testing of 3rd party alternatives to the above.

If you’ve ever worked in a well configured Microsoft stack, nothing beats the integration.

There’s no reason to believe Workspace would be more secure if it had the same feature set/integration configured.


Sheets is vastly superior to Excel for most users ;)


Most users don't produce most of the value.


That's actually a good point, thank you. However not something that one can install on-premises or is "far cheaper".


> your customers are the likes of DoD.

One of the answers should be for the DoD, or any other such military institution, to try and rely a little bit less on everything being "digitalized", or at least to change it all into a more fragmented data/information "archipelago", with no centralised unique source-of-truth.


The clients of said server are not going to be Linux. Running a secure, working, manageable CIFS server on Linux serving Windows clients is surely going to cost much more than just using the Microsoft solution. Some products don't even work at all with that configuration (e.g. Quickbooks Enterprise).


Microsoft invested in making integrated Windows-based business software and a big closed-source ecosystem and/or bought other tech companies that previously developed similar tech. Some of them older than Red Hat, or even Microsoft.

Where is the equivalent tech on the Linux side that Red Hat developed? They simply didn't have a competitive enough alternative. Usually anything outside of cloud/web server space, you'd find alternative open-source projects rotting with non-clear ownership and year-old last commits. Red Hat and the Linux world weren't interested in developing those things. They weren't interested in making competitive user friendly alternatives that enabled non-programmer users. It is hard, thankless, soul crushing work that nobody does anymore since Microsoft bought or eliminated them. There are simply no equivalent alternatives in the open source world because competing with Microsoft requires accepting significant losses as a company for a long time. Google Workspace is a thing only because Google can finance its developers with ad money.

Just having Linux is no golden key to security either. You need to put the exact amount of barriers in front of your on-prem servers regardless of the OS.

The whole security mess is just the symptom of capitalist economy. Most companies give 0 fucks about it because caring about security is costly and time consuming. With the race to the bottom for first-to-market, caring about security is a risk, it is a distraction. They ignore it until they establish a position and maybe their misdeeds become a liability. However, no company got actually severely punished for not caring about security. So it is still seen as cost by many.


Most government IT is using RHEL. You are correct, it is because of the thankless work they put into long term enterprise support. Microsoft doesn't do anything like that.


Red Hat were interested. They funded desktop Linux heavily for a long time. It didn't work because the (non-capitalist!) ideology of Linux is incompatible with success, and Red Hat was always tied down by the community they chained themselves to. Desktop platforms have far more hardware and software heterogeneity than server platforms do, the pace of innovation is much faster, and they require the ability to ship closed source software, closed source drivers, to innovate and then for people to capture some of the value to fund all that.

For the longest time desktop Linux simply tried to clone Windows/macOS. Eventually Red Hat came to dominate GNOME enough that it developed a bit of its own personality, but the kernel and software distribution approach always held it back from even matching its competitors in usability, which wasn't even close to enough. Apple have executed excellently for decades and even they only made progress in the pure consumer space, the enterprise space is one they never tried to attack despite having the money needed to do so.

Capitalism isn't the problem here. Communist software isn't exactly famous for being impenetrable, in fact it's more famous for hardly existing at all. Google and Apple are highly capitalist, and their security stance is much better. The problems at MS are deeper.


Security aside, what even is an alternative to SharePoint on Linux? There is not one.


Probably because most Linux users aren’t looking to share (or even use) office documents. Linux collaboration happens on wikis, message boards, and Git.


There's Liferay:

https://www.liferay.com/resources/l/content-management-syste...

https://hub.docker.com/r/liferay/portal

I haven't played with it in about 5 years but it was substantially less polished than a well-run Sharepoint 2013 instance.


Not sure how it is in US but where I am, it is mostly because of corruption.


Unpopular opinion but I don't think this solves anything. The exploit wasn't an OS exploit but a userland app exploit (SharePoint Server/App). These attacks will always be developed until we're able to write perfect exploitation-free software.

If the government was running Red Hat with 'open source SharePoint alternative' the headline would be 'open source SharePoint on-prem solution exploited'.


Could be that Microsoft can navigate all the regulatory bullshit that surrounds anything government. I don't know of anyone doing that for anything Linux.


There's tons of Red Hat in federal IT, that's not the issue. It's just that Microsoft dominates the client-facing software business, and Red Hat has minimal presence there so while you might see RHEL desktops at e.g. NASA you're unlikely to see them anywhere else, and there's no real open source equivalent of SharePoint or Office out there.

Maybe [0] will be one, eventually, but it would take a long long time to replicate the functionality if it were to ever happen. Best case scenario is that the EU were to fund an open source solution.

[0] https://www.techradar.com/pro/mozilla-launching-thundermail-...


> Schleswig-Holstein, one of Germany’s 16 states, on Wednesday confirmed plans to move tens of thousands of systems from Microsoft Windows to Linux. The announcement follows previously established plans to migrate the state government off Microsoft Office in favor of open source LibreOffice.

https://arstechnica.com/information-technology/2024/04/germa...


People don't take it seriously because European governments have a history of making announcements like this and then rolling it back in favour of a return to Microsoft.


Let's see what happens when they try to move finance off Excel. If they are successful there, then there might be hope, if not, then they will eventually go back or have 45% of the company on some kind of exception.


Huh, I didn't know Red Hat did any government stuff.


The problem is not Windows' (alleged) insecurity, it's its popularity. If everyone used Red Hat, the same thing would happen.


Did you already forget about log4j?


log4j is a once in a decade event, while vulnerable Microsoft software is more like once a month.


Zero-day actively exploited events are not a once a month thing. Are you trying to argue there are no Linux vulnerabilities monthly??


No, as we both know, there are vulnerabilities on Linux, like log4j.

And I also did not say that zero days are a once a month thing, I said that vulnerable Microsoft software is a once a month thing.


There are monthly security updates for packages for our Linux systems too.


Can you give me a list? I bet most users are unaffected, but I wonder.


Log4j is a Java thing divorced from the operating system running it.


SharePoint isn't an operating system either


This was about open source. Not Linux.
