After working with Exchange since 1995 or thereabouts, all I can do is report the situation as I see it.

Yes, there are organizations capable of running secure Exchange on-premises deployment that suit the requirements of their users very well. There’s no doubt about that. But what has become horribly obvious over since March is two facts. First, there’s a very large set of Exchange on-premises servers which are not being well managed and are increasingly vulnerable as time passes. The users of those servers would be better off in the cloud. At least they’d be safer.

Second, Microsoft’s failure to deliver the committed next version of Exchange Server leads me to think that maybe the sands of time are running out faster than anticipated for these servers.

Office 365 is not for everyone. It is frustrating as hell at times and Microsoft’s quality in some parts is poor. Unbelievably poor. But overall, I consider it the best solution for email today. Again, I can only say it as I see it.

But what does truly aggravates me even more with an article like this stating O365 is the ONLY option and not vouching for making a better more secure on-prem solution. I mean if MS had the model of “you’re the customer, you have the choice of our cloud or on-prem”, no matter which one you choose they will encourage based off of what you the customer wants and will listen to their customers. MS seems to have forgotten that concept when there are so many of us still looking for on-prem because of it’s benefits over the cloud. It’s aggravating to not see both options pitched and helping the customer decide which is better. Their model is O365 is the better choice when it always isn’t.

Fair point. However, I still hold to my position that many companies would be better to run email in the cloud. We’ll discuss the issues on Thursday at this online event: https://www.binarytree.com/event/exchange-server-exploits-experts-discuss-why-cloud-email-can-be-more-s8147931/

🙂

It’s always good to consider the alternatives which are available and to understand the costs and technical implications of moving platforms.

The problem for the on-premises base is that it’s declining. Microsoft is a commercial organization and its focus is therefore on the part of the business which generates returns for shareholders, and that’s the cloud. As the number of on-premises seats declines further, Microsoft has an interesting balancing act to perform to keep some large on-premises organizations happy while not investing too high an amount of engineering resources. We’ll see how that goes over time.

It’s obvious that MS is wanting out of the on-premises Exchange world with the release of 2019 and licensing requirements even if just running hybrid.

This has me considering researching some open source mail platforms, because I have a feeling those will also be embraced by firms who see this exploit as a failure of MS themselves and will be against migrating to their cloud environment.

I would also point out that although I have close connections to Microsoft, I never hesitate to call them out when things go wrong. See https://practical365.com/blog/exchange-hcw-replaced/ as an example.

I don’t know how long a message can be. But in any case, short and sweet is the best way to get your point across.

It’s true that I have been focused on cloud services since 2015 or thereabouts, but I have worked with on-premises technology since my first email server in 1982, so I think I have balance. I understand the challenges that you outline, but I do think that companies who can’t maintain on-premises servers should be in the cloud because sooner or later they will have a security problem.

Couple of things to consider:

First, I don’t think Microsoft has shown much appetite for increasing cloud prices for basic services like EXO. They haven’t since 2011. What they will do is try to upsell higher price plans and add-ons, just like EA Games will try to sell you a new player in FIFA 2021.

Second, there’s a bunch of “go local” datacenters deployed at country level which allow organizations to keep their data in that country. Sure, the US government might try to do something bizarre, but that might also affect on-premises software. It’s not so long ago since the encryption technology in Outlook was considered a state secret in some countries…

There are also other services where remote control is still based on default passwords, databases are open to internet etc. We should not forgot them either. We perhaps could ask also, how many of those Exchange servers being open to anywhere to internet must be open (port 443)? Or have they just followed Microsoft best practices?

Can I also ask, have you been too long time surrounded by Microsoft speaks, and having hard to see no more than O365 as a solution? ;-D But seriously, perhaps there should be some reminders of how companies are able to keep their platforms updated as they should.

ps. you should have counter which shows how long messages we could write on here 🙂