my whole company and customer info/credit cards on the internet

I've been searching for a new ERP solution for my company for a while and I
think I've finally found the best one for us. But now I'm being cautioned
about some things so I need some good arguments about how I should set up the
database server.

The application is written in .NET; it is an N-tiered application (I guess
that's what it's called) and it also has a tightly integrated commerce site.
The system was designed to work best with the app DB and commerce DB on the
same SQL Server. Desktop clients can connect by internet access if that
server isn't on the LAN and the website can even connect to the LAN but this
obviously wouldn't work because we're only using DSL here.

I've been cautioned that I shouldn't have internet access on my database
server. I somewhat understand the reasoning for this but to me it seems most
data is about as secure as the applications that access them in the first
place. So even if I had a state of the art network in place, a security flaw
in the app could screw me over regardless.

What is good business security practice for handling/storing sensitive
customer information on the internet and what is overkill/paranoia? This is
a serious question so I'd appreciate not being mocked.

I'm not a DBA so maybe I'm a little off on my terms, feel free to correct me
where I'm wrong. But it seems to me that if I didn't use the same DB server
for both the website and main system I'd have a lot of extra work, like
replicating web data to a web-enabled SQL server in our office and from the
"live server" on our LAN and then back again.

Thanks in advance for your advice/criticism/suggestions.
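An added example, not from the original post: one way to keep the database host off the open internet while still serving both the commerce site and the LAN clients is to scope the SQL Server port on the database host's Windows Firewall to the office subnet and the web server's address only, with everything else inbound denied by default. The LAN subnet, web server address and port below are placeholder assumptions, not values from the post.

```powershell
# Added example (not from the original post): restrict inbound access to the
# SQL Server port so the database host is reachable only from the office LAN
# and from the commerce web server, never from arbitrary internet addresses.
# Assumptions (placeholders, change for your environment):
#   - default SQL Server instance listening on TCP 1433
#   - office LAN is 192.168.1.0/24
#   - the commerce web server's address is 203.0.113.10
# Run in an elevated PowerShell session on the database server.

$RuleName  = 'SQL Server - LAN and web server only'
$SqlPort   = 1433
$LanSubnet = '192.168.1.0/24'
$WebServer = '203.0.113.10'

# Default-deny inbound on every profile; only explicit allow rules get through.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# Remove any earlier copy of the rule so re-running the script is idempotent.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# Allow SQL Server traffic only from the two trusted sources.
New-NetFirewallRule -DisplayName $RuleName `
    -Direction Inbound -Protocol TCP -LocalPort $SqlPort `
    -RemoteAddress $LanSubnet, $WebServer -Action Allow

# Verify: the address filter on the rule should list exactly the trusted
# remote addresses and nothing broader (e.g. no 'Any').
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
```

The point of the default-deny profile setting is that a future allow rule added by an installer cannot silently widen exposure beyond what is listed; the final query is the check to run after any change, and any entry other than the LAN subnet and the web server address means the scope has drifted.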