On Wednesday, 01/16/2008 at 12:10 EST, "McBride, Catherine" <[EMAIL PROTECTED]> wrote:

> Don't laugh, we know a guy who failed a PCI audit because the data traffic
> moving between his LPARs wasn't encrypted. No amount of convincing,
> coercing, pleading or reasoning would change that auditor's mind.
C'mon, folks. Auditors don't set policy, they monitor/enforce it. If your policy says "All traffic between two hosts that carries personally identifiable information must be encrypted," then the policy is to blame, not the auditor. Consider what would happen if it were all of a sudden possible to sniff traffic on a HiperSocket.

Trust me on this, you do NOT want your auditor setting policy! Security policies must be updated from time to time to reflect current technology. If you have failed to actually establish a security policy, then all bets are off and auditors can (and do) invent stuff on the spot based on what THEY know.

You want a data protection policy to apply encryption any time it is possible for an anonymous or unauthorized person or machine to intercept it. The argument will be over "possible". Guest LANs and Virtual Switches are sniffable. To allow clear-text transmission between two guests would require an auditor to verify that you can produce a list of authorized sniffers, that you audit its use, and that you have a process to remove someone's authorization if their job no longer requires such access.

Well, that's what *I* would be looking for.

Alan Altmark
z/VM Development
IBM Endicott