On 15/01/2014 3:58 AM, Nuno Souto wrote:
> Strange audit requirements... Are you sure the auditors had a vague notion what a network connection between an app server and a db server does and how it works? Our auditors haven't got a clue, so we just ignore ANY of their recommendations on the subject. They are the kind that "tut-tut" at select access on ALL_TABLES given to PUBLIC. Mostly because they trust blindly the output of "security check" scripts they have been sold by "experts" who hadn't a clue in the first place...

What I am sure of wrt auditor knowledge is that the auditors can fail the organization if their recommendations are not followed, and that can get the org tossed from the NYSE/TSE and other exchanges. In such a situation, DBAs with attitude are expendable.
But in this case, the organization has a legit reason for keeping and analyzing the network traffic logs. I don't agree with the way they did it, nor do I agree in general with the architecture the vendor has chosen, but that is - according to the principal consultant - irrelevant.