My views on Nextcloud, Microsoft Office 365, and Google Gmail

I have been a client/user for a long, long time

I have been a Microsoft Office user since there was an Office package. I have been an Office 365 user for half a dozen years (the company I work for is all-in on the Microsoft ecosystem) and use Microsoft Teams for eight hours daily.

I have been a Gmail user since the service was created. In addition, I have been a reseller for many years and have helped several companies take advantage of their ecosystem of apps.

I started using Nextcloud five years ago. I was looking into replicating some of the features I found in both Google and Microsoft in my personal life. So I self-hosted Nextcloud and started sharing it with friends and family. Much to my surprise and wonder, I found it to be an equally capable alternative to the previous two commercial options. It can be self-hosted or hosted by a third party as a service (SaaS), like the Microsoft and Google alternatives.

I like LibreOffice and OnlyOffice. Used both extensively for years. They both have a much better security track record than the Microsoft equivalent, and I honestly don't see the point of paying for a less secure proposition. While I understand some individuals have some limitations that make them have difficulty adapting to slightly different interface options, I never met a single one that could not make the transition. For many years the Microsoft offering was head and shoulders better than anything else on the market; I don't think that has been the case for years now.

I have personal biases... so take my opinions with a BIG grain of salt.

I have administered Linux and *BSD systems for 30 years. While I have no system administration responsibilities in my current job, I never stopped doing it.

While I understand the rush to cloud hosting, mainly when scalability is an issue, it is not a silver bullet solution and creates some problems. Price is one of those issues, and latency is another (if you have a mix of on-cloud and on-premises systems that are mutually dependent)—not even going to touch on issues like security, optimization, and backups. In addition, good system administration is not cheap and does not scale down well for small and medium-sized organizations. Also, it's hard even to grasp the concept of micro-companies and individuals being able to self-host projects with anything that resembles sound system administration practices. It is just too expensive and risky.

As a former professional with 30 years of experience, I have some options that most people don't have. For example, I self-host my social media (Mastodon, Writefreely, and Publii servers), Nextcloud, and Bitwarden services. The option to host the services makes me favor them compared to alternatives.

What about big(ger) companies?

If random scaling (up or down) is an issue, there is no alternative to the cloud. Organizations with thousands of employees have options regarding email services, group calendars, video/audio conferences, and contact management. Running email services internally and using Nextcloud may be a better fit. There are a lot of hurdles to doing it right, but keep an open mind because it can be done, and you can save a small fortune.

Email, in particular, would benefit significantly from (eventually being self-hosted and) changing paradigms: every internal email should be, at a bare minimum, digitally signed and ideally end-to-end encrypted (using either S/MIME or PGP/GPG), and information should never leave the company systems. Impersonation (identity theft) would be a thing of the past instead of the number one spear-phishing weapon in every hacker's arsenal. You need to self-host the servers to implement rules that reject every non-encrypted message between internal addresses and accept only those signed with recognized keys.
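As an added illustration (not code from this post or from any mail server project), here is a sketch of the accept/reject decision such a self-hosted server could make for each SMTP transaction. The domain `corp.example` and the names `decide`, `declared_protection`, `is_internal` and `sample` are assumptions; the check looks only at the declared MIME structure, so verifying the signature against recognized keys remains a separate step.

```python
from email import message_from_string

INTERNAL_DOMAIN = "corp.example"  # assumption: placeholder internal mail domain

SIG_PROTOCOLS = {"application/pkcs7-signature", "application/x-pkcs7-signature",
                 "application/pgp-signature"}
SMIME_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}


def is_internal(addr):
    # Exact match on the domain part, so "corp.example.evil.test" does not pass.
    return addr.lower().rpartition("@")[2] == INTERNAL_DOMAIN


def declared_protection(raw):
    """Return 'signed', 'encrypted' or None from the top-level MIME type."""
    msg = message_from_string(raw)
    ctype = msg.get_content_type()
    proto = str(msg.get_param("protocol") or "").lower()
    smime = str(msg.get_param("smime-type") or "").lower()
    if ctype == "multipart/signed" and proto in SIG_PROTOCOLS:
        return "signed"                      # S/MIME or PGP/MIME detached signature
    if ctype == "multipart/encrypted" and proto == "application/pgp-encrypted":
        return "encrypted"                   # PGP/MIME
    if ctype in SMIME_TYPES:
        if smime == "signed-data":
            return "signed"                  # S/MIME opaque signature
        if smime in ("enveloped-data", "authenveloped-data"):
            return "encrypted"               # S/MIME encryption
    return None


def decide(mail_from, rcpt_to, raw, require_encryption=False):
    """Policy decision for one SMTP transaction; returns (accept, reason)."""
    # Use the SMTP envelope addresses, not the From:/To: headers a sender controls.
    if not (is_internal(mail_from) and any(is_internal(r) for r in rcpt_to)):
        return True, "not internal-to-internal, rule does not apply"
    kind = declared_protection(raw)
    if kind is None:
        return False, "internal mail must be signed or encrypted"
    if require_encryption and kind != "encrypted":
        return False, "internal mail must be encrypted"
    return True, f"internal mail is {kind}"


def sample(content_type):
    # Constructed test message, not real mail.
    return (f"From: alice@corp.example\nTo: bob@corp.example\n"
            f"Content-Type: {content_type}\n\nbody\n")
```

With `require_encryption=True` the rule moves from the "bare minimum" of signed mail to the stricter encrypted-only policy.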

Encryption keys and client certificates should be hardware-based, locked, and centrally managed, and users should have zero capability to transmit them to third parties, thus ending phishing attempts to steal credentials. In addition, requiring user touch (or biometric authentication) makes life much harder for attackers, even if the device is compromised.

I am a big fan of zero-trust environments and protected VPN tunnels to critical services, and all those should be hardware-locked. You cannot exploit 0-day vulnerabilities in software you cannot access.