We have systems set up so that employees can access data via the internet.
It's really a nightmare in my mind, as under normal circumstances I would insist that this happen via VPN, but I can't do that here.
We're an educational institution as well, and we're trying to provide certain confidential data ONLY to those who require it, via web-based applications. Those web-based applications access the databases through firewalls and DMZs and such, and the servers housing the applications as well as the data have published security plans (which I'm having trouble getting project leaders to implement as a rule).
They see it as an impediment to the usability of their application. Their users are screaming for the app; I'm insisting on the security before deployment and doing my damnedest to help them get there without doing it for them.
I'm so frustrated that someone who develops an application doesn't take the time to understand how that application actually works, or why it doesn't work when secured, because they couldn't tell me whether it did one thing or another.
On a completely different project we have a contractor who is developing the application, an extremely important application. Ten months into the project and two months before the functional test, they published a need for a shared NFS mount point. Well... we don't allow NFS on "secured" systems (which we informed them of in the original RFP) for a number of reasons, mainly that it has poorly implemented authentication. We also like to limit the number of services running on a "secured" server to as few as needed; if we can find a way around using something undesirable like NFS, then we do. We had a meeting with these guys discussing the need for NFS and came to the conclusion that we could eliminate the need with other basic UNIX functions that posed no risk and no real effort to implement. They still won't get on board with it, and no matter what, they still insist that they need the NFS mount. They are now behind schedule and frustrated, when in fact it was their own mistakes that led them here. We have never implied anything that would make them think we would do an NFS share, especially if we could easily get away with not doing it. Even the database vendor has insisted that the NFS share is the worst possible means to their desired ends.
It's very frustrating (venting).
__________________
-The Mikester
I heart Boobies
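The post above objects to NFS on "secured" servers on two grounds: its weak authentication and the rule of running as few services as possible. The script below is an added example, not the poster's code or anything from their institution, of how an operator might audit a host for both. It assumes the `ss -Hlntu` output format, an allow-list of expected listening ports (22 and 443, an assumption), and the well-known NFS/RPC ports (111 rpcbind, 2049 nfsd, 20048 mountd). The `ss` output and `/etc/exports` content are constructed samples embedded inline so the script runs offline; on a real host you would feed it `$(ss -Hlntu)` and `$(cat /etc/exports)` instead.

```shell
#!/bin/sh
# Added example (not from the original post): audit a hardened host for
# NFS/RPC listeners and for exports that rely on AUTH_SYS (sec=sys).

# Ports a hardened web/app host is expected to listen on (assumption).
ALLOWED_PORTS="22 443"

# Well-known NFS/RPC ports that should never appear on such a host.
NFS_PORTS="111 2049 20048"

# Constructed sample of `ss -Hlntu` output (not captured from a real host).
SAMPLE_SS='tcp   LISTEN 0 128  0.0.0.0:22     0.0.0.0:*
tcp   LISTEN 0 128  0.0.0.0:111    0.0.0.0:*
tcp   LISTEN 0 64   0.0.0.0:2049   0.0.0.0:*
tcp   LISTEN 0 511  [::]:443       [::]:*
udp   UNCONN 0 0    0.0.0.0:111    0.0.0.0:*'

# Constructed sample /etc/exports (not from a real host).
SAMPLE_EXPORTS='# constructed sample
/srv/shared  10.0.0.0/24(rw,sync,no_root_squash)
/srv/secure  10.0.0.5(rw,sync,sec=krb5p)'

# Print the local port of every listening socket, one per line, deduplicated.
# Column 5 is "Local Address:Port"; the port is whatever follows the last ':'.
listening_ports() {
    printf '%s\n' "$1" | awk '{ n = split($5, a, ":"); print a[n] }' | sort -un
}

# Print listening ports that are not on the allow-list, one per line.
unexpected_ports() {
    for p in $(listening_ports "$1"); do
        case " $ALLOWED_PORTS " in
            *" $p "*) ;;
            *) printf '%s\n' "$p" ;;
        esac
    done
}

# Return 0 if no NFS/RPC port is listening, 1 otherwise.
nfs_free() {
    for p in $(listening_ports "$1"); do
        case " $NFS_PORTS " in
            *" $p "*) return 1 ;;
        esac
    done
    return 0
}

# Print export lines that do not require Kerberos (sec=krb5, krb5i or krb5p).
# Without it NFS falls back to AUTH_SYS, where the client simply asserts its
# UID/GID and the server believes it; that is the weak-authentication objection.
weak_exports() {
    printf '%s\n' "$1" \
        | grep -v '^[[:space:]]*#' \
        | grep -v '^[[:space:]]*$' \
        | grep -v 'sec=krb5'
}

# Run the audit over the constructed samples when executed directly.
audit() {
    echo "Listening ports not on the allow-list:"
    unexpected_ports "$SAMPLE_SS"
    if nfs_free "$SAMPLE_SS"; then
        echo "No NFS/RPC listeners found."
    else
        echo "NFS/RPC listener present: policy violation."
    fi
    echo "Exports relying on AUTH_SYS:"
    weak_exports "$SAMPLE_EXPORTS"
}

[ "${AUDIT_NO_RUN:-}" ] || audit
```

On the sample data the audit flags ports 111 and 2049 as unexpected, reports an NFS/RPC listener, and lists `/srv/shared` as an AUTH_SYS export; the `no_root_squash` option on that line compounds the problem, since a client root user would then be root on the exported tree too.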