There will always, for example, be a conflict between availability and confidentiality. Ultimate confidentiality might require that the data be stored in an inaccessible bunker with no outside access. Ultimate availability might involve hosting sensitive data on a publicly accessible server with no access controls.

In the real world we must always balance these needs carefully, and triage available resources to achieve an "ideal" outcome. This means that security will never, and can never, be a solved problem.

As an example, diplomacy, open source, shared interests, universal basic income, and education can reduce the desire for attacking. How do these factor into the CIA triad?

I would answer that the triad IS useful in this scenario and further that if we used an alternative model (The 7-C's maybe?) we would still find inherently contradictory requirements for almost every security scenario. In fact, we would just MORE more of those trade-offs, further proving that security can never be "perfect."

For example, I can think of several fundamentals the triad doesn't cover directly. Privacy and non-repudiation spring to mind as concepts that don't neatly fit into the CIA triad, but they are the antithesis of each other!

Perfect privacy would require that nobody (including data-owners) can identify the user, and perfect non-repudiation would require that no access be granted without 100% proof of the current user. Again, you are forced to choose and this means that some aspect will always be less than perfect.

No, this is the same sort of defeatism that prevents us from making progress on security. We could engineer usable systems where actual security is a priority, and not just security theater. We don't because nobody in a position to change anything actually gives a shit.

Security is a priority. But it's not the only priority.

It would be difficult engineering even if it was the only priority, but given that there's little point to security for a system you never deploy, it's not likely to ever completely monopolize focus, either for users or implementers.

Ultimately though, they know that no matter how many times their failure to invest in security results in their customer's data being compromised or destroyed they'll keep making money.

Their customers are corporations who have insurance to cover their expenses when Microsoft's failure to make security a priority inevitably leads to a breech and those corporations are able to avoid all accountability for their decision to use Microsoft products no matter who else gets hurt as a result.

Dealing with yet another security issue caused by Microsoft is just another cost of doing business. It's still cheaper and/or easier for the corporations to keep MS and deal with the endless vulnerability/patch cycle than it is to move to something else and pay people who know what they're doing to manage those new systems so nothing changes.

I do not think that is the only difference between Windows and Linux though.

For one thing Linux has multiple distros, some very varied. Its less of a monoculture. If Linux was more widely used it would also get grater usage for BSDs because a lot of things that run on Linux will run on them too.

Linux IS very widely used on servers, and on Chromebooks, and embedded. The kernel and a few other bits are widely used on phones too.

In what world has SharePoint Server and SharePoint Standard + Enterprise User CALs ever been "FREE"?

> Security honestly feels like a service for a lot of giants.

While code security is on Microsoft, infrastructure security is on the organization deploying SharePoint Server.

Remember, the topic you're commenting on is about SharePoint Server. Not M365. Not SPO.

Yeah.. I think people say "bundled FREE" when they really referring to MS enterprise packages. It's similar to how Comcast will sell you TV for $100, land line for $20, internet for $100, but you can get a TV/land line package for $90? or a TV/internet for $130. You can "bundle FREE" phone on your TV/internet package for an extra $5. (And yes, I heard support before tell me "For $10 more a month, you get a free upgrade to 1Gbps". ???? How is that free? They will say "It's the same package, but one level up for $10 more. It comes with free 1Gbps upgrade. what doesn't make sense?"

There wasn't, as far as I recall, "buy SQL Server Enterprise, get SharePoint Server Enterprise SKU for free" type licensing deals.

Yes, I didn't mean to say it was like that. More that you get discounts, credits, etc. Every EA agreement I heard of seemed custom and different for that enterprise needs. Throwing in Azure credits or a discount on a product if you get another product or increase volume, etc seemed to be typical.

SharePoint Server is widely used and is a high value target.

Atlassian Server products have had their fair share of 0-day exploits. Atlassian also EOL their server products and forced a cloud migration.

I disagree with this take. Linux dominates in the server market.

Meanwhile, Windows is running the crown jewels for operations inside the company, like SharePoint and Active Directory.

I bet Oracle and SAP have similar types of things happen to their application suites but no one runs public websites on Oracle eApplications (yeah, plenty of companies have that exposed to the internet, but it's not The Company's Website)