This. The next time there's a real disagreement in trade policies, Europe is going to be fucked. Microsoft does have access to literally everything and no one even seems to understand that, because no one understands what "cloud" or even just "online vs. offline" means nowadays. It's a bit scary.
This is another big issue, but the EU does know and care about it. My current employer falls under the critical infrastructure category (we’re finance/energy) and that means we’re required to have contingency plans for how to exit Microsoft in a month. Not just theoretical plans, but actual hands-on plans that are to some degree tested once in a while.
The issue is how impossible it is to exit Microsoft, and this is where I’m completely on board with your scary part. We can exit Azure painlessly from the digitalisation perspective, well not financially painless but still. IT-operations will have fun replacing AD/EntraId though, but all our internal software can be moved to a Kubernetes cluster and be ready to accept external authorisation from Keycloak or whatever they have planned to move to.
But where is the alternative to Office365? Anyone on HN could probably mention a bunch, but where is the alternative for people who don’t really “use” computers as such? The employees who basically think a PC “is” Office365. As in we could probably switch their Windows to Linux and they might not notice if they still had Office365.
This is where the EU currently doesn’t really have an answer. We have a strategy to exit Office365, but I’m honestly not sure our business would survive it.
This is a big deal in cybersecurity education. I'm in the UK doing
it. We've a dilemma that industry is desperate for fresh new
cybersecurity recruits to fill an enormous skills gap. In the UK,
Microsoft is a "preferred supplier" for lots of organisations, even
defence stuff, and to get our students past the gatekeepers they
pretty much need "365". Regardless of whether they can recompile a
Linux kernel and do protocol analysis with Wireshark... no 365, no
job. Not even tier-1 support.
By contrast my last cohort of masters students worked on things like
critical infrastructure, national security, long-term resilience,
hybrid interoperability... everything that Microsoft is not and makes
worse.
So there's a schism between academic understanding and industrial
reality that makes cybersecurity really rather hard to fix.
So I have to walk into a classroom and say:
"Heads-up! We're going to be learning about 365 administration this
week, about Active Directory, and this and that... which are all
okay products and make a lot of admin tasks easier. BUT!! The only
reason is so you can walk into a job. Because this US company has
the UK tech sector by the balls. As soon as you're working, forget
everything you hear in these lectures, because it's dangerous
BigTech mono-culture that's antithetical to the real values of
cybersecurity. Take the principles. Reject the products. Look at
other tools that do the same. Have a backup plan."
And I hope they took enough from Ross Anderson's SecEng book, and from
the BSD/Linux classes and my other lectures to go out there and
start undoing the harm.
> My current employer falls under the critical infrastructure category (we’re finance/energy) and that means we’re required to have contingency plans for how to exit Microsoft in a month. Not just theoretical plans, but actual hands-on plans that are to some degree tested once in a while.
If those plans exist and there is even a tiny chance you can pull that off, I'm impressed.
In most organizations it would be an almost impossible challenge to even upgrade all their servers to a new OS in a month. I don't think I've ever seen an organization of more than 100 employees that could reasonably migrate their cloud provider, identity source and operating system in a month. Endpoint operating system upgrades often take a year (or more).
Most organizations do not spend any time even thinking about that, nor considering it in their decision processes, nor preparing for it. An organisation that does will have an IT architecture, for example limiting exposure in the first place. For example, they might choose to not have any servers with Windows in the first place. They might have a thin client or web oriented workflow for endpoint applications, which makes switching out Windows easier on employee machines. They might already have multiple OSes in use, to check that critical systems can be successfully accessed without Windows. That said, it is of course a big endeavour.