Our Internal Audit is setting up a Teammate server (data & reports) plus a separate license
server (this license server needs to be authenticated by Teammate/ACL periodically).
Teammate will host financial data for auditors to analyse/review (using ACL, CAATS)
for fraud, so it's considered sensitive data.
Is it appropriate for both the license server and the Teammate server to be SaaS
(like O365), or just the license server, or is it best that they not be SaaS? For sure,
if they're in the cloud, the VM must be located in our country due to cross-border restrictions.
Do we place the license server in the DMZ & Teammate in the internal secure backend zone?
What other security design considerations to take into account?
Restrict the license server to Teammate/ACL/CAATS sites only & make the Teammate server
accessible to the Internal Auditors' subnet only?