What is the optimum way to secure a company-wide wiki?
- by Mark Robinson
We have a wiki which is used by over half our company. Generally it has been very positively received. However, there is a concern over security - not letting confidential information fall into the wrong hands (i.e. competitors).
The default answer is to create a complicated security matrix defining who can read what document (wiki page) based on who created it. Personally I think this mainly solves the wrong problem because it creates barriers within the company instead of a barrier to the external world. But some are concerned that people at a customer site might share information with a customer which then goes to the competitor.
The administration of such a matrix is a nightmare because (1) the matrix is based on department and not projects (this is a matrix organisation), and (2) because in a wiki all pages are by definition dynamic so what is confidential today might not be confidential tomorrow (but the history is always readable!).
Apart from the security matrix, we've considered restricting content on the wiki to non-super-secret stuff, but of course that needs to be monitored.
Another solution (the current) is to monitor views and report anything suspicious (e.g. one person at a customer site having 2000 views in two days was reported). Again - this is not ideal because this does not directly imply a wrong motive.
Does anyone have a better solution? How can a company-wide wiki be made secure and yet keep its low threshold USP?
BTW we use MediaWiki with Lockdown to exclude some administrative staff.
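The view monitoring mentioned in the question (the 2000-views-in-two-days report) can be expressed as a per-user sliding-window count. The following is an added example, not part of the original post and not MediaWiki code: the tab-separated `timestamp, user, page` view log is an assumed export format, the function names are hypothetical, and the sample records are constructed. It goes slightly beyond the post by also reporting how many distinct pages fall in the peak window, so a reviewer can tell broad harvesting from repeated reads of a few pages.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

def parse(line):
    """Parse one 'ISO-timestamp<TAB>user<TAB>page' record (assumed log format)."""
    ts, user, page = line.rstrip("\n").split("\t")
    return datetime.fromisoformat(ts), user, page

def peak_views(lines, window=timedelta(days=2)):
    """Return {user: (peak views in any window, distinct pages at that peak)}."""
    recent = defaultdict(deque)    # user -> (ts, page) events still inside the window
    pages = defaultdict(Counter)   # user -> page view counts inside the window
    peaks = {}
    for ts, user, page in sorted(parse(l) for l in lines):
        q, seen = recent[user], pages[user]
        q.append((ts, page))
        seen[page] += 1
        # Evict events that are older than the window relative to this view.
        while ts - q[0][0] > window:
            _, old = q.popleft()
            seen[old] -= 1
            if not seen[old]:
                del seen[old]
        if len(q) > peaks.get(user, (0, 0))[0]:
            peaks[user] = (len(q), len(seen))
    return peaks

def flag(lines, threshold=2000, window=timedelta(days=2)):
    """Users whose peak view count reaches the threshold, for human review."""
    return {u: p for u, p in peak_views(lines, window).items() if p[0] >= threshold}

def sample_log():
    """Constructed data: one heavy reader (2000 pages in ~33 h), one ordinary reader."""
    start = datetime(2024, 1, 8, 9, 0)
    heavy = [f"{(start + timedelta(minutes=i)).isoformat()}\tsite_user\tPage_{i}"
             for i in range(2000)]
    light = [f"{(start + timedelta(hours=12 * i)).isoformat()}\toffice_user\tPage_{i % 5}"
             for i in range(40)]
    return heavy + light

if __name__ == "__main__":
    for user, (views, distinct) in flag(sample_log()).items():
        print(f"{user}: {views} views, {distinct} distinct pages in a 2-day window")
```
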