For an alternative view of the security argument, which may be a little
off topic...
One consideration in regard to arguments for additional security,
whether column and row level security or the divergent thread on
obfuscated stored procedures is whether postgresql currently supports
PCI (international), Basel II (EU - international) and Sarbanes-Oxley
(US) requirements for restricted access, logging and differentiation of
roles and responsibilities, or whether the additional security is
required to provide better matching support. These are important
considerations in the corporate, and especially financial institutions,
though I would suspect that postgresql does not have great penetration
into such organisations.
In my mind, postgresql as is, in combination with application design
considerations and OS level security, does support PCI, Basel II and
Sarbanes-Oxley security requirements. However, I thought I would bring
this up as some people may have different interpretations on what it
means to be compliant to these standards and regulations, and may have a
convincing argument for their case based on what is needed to support them.
This is assuming that the postgresql development community see any value
in being seen to be enablers of PCI, Basel II or Sarbanes-Oxley
requirements. Many commercial version control systems and database
systems now throw in Sarbanes-Oxley compliant in their advertising,
though I have not seen any open source applications do so (which doesn't
mean that they haven't), and personally I think it is a somewhat
misrepresentative to imply that the application itself makes you compliant.
If interested, the following are the relevant Wikipedia links, with
references to the standards and regulations themselves:
PCI: http://en.wikipedia.org/wiki/PCI_DSS
Basel II: http://en.wikipedia.org/wiki/Basel_II
SOX: http://en.wikipedia.org/wiki/Sarbanes-oxley
Not that any of these regulations have done much to avert the market
turmoil of the last few months, despite the bureaucratic overhead that
they generated... But that is another story.
Cheers,
Andy
--
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
