3

For my sins, I am now in charge of a host of sensitive information: encryption key storage policies, network architecture diagrams, etc. We will soon be covered by HIPAA, so the pain increases.

Not "admin passwords" sensitive, but stuff I need to be 1) restricted to a subset of people and 2) auditable: I need to know who reads this stuff and from where.

I'm hoping there is some kind of secure wiki, ideally a hosted secure wiki that encrypts customer data well enough to clear me with my bosses.

Does this exist? A guy can dream, can't he?

Code Silverback

3 Answers

2

I think you're putting the cart before the horse a bit here. The first thing I would do is come up with a list of the requirements you will be operating under due to policy, regulations, etc. It sounds like you need to have data encrypted at rest, and in flight, to start with, along with relatively fine-grained access control and significant capabilities for audit/logging of access.

Add to that whatever requirements you have for what authentication back end you want, editing capabilities, etc.

Then, with your requirements in hand, you can go looking for the right tool.

Maybe a wiki will work for some of it; you can use SSL with them, and most can be configured to only allow access to authenticated users. Wikis do track changes, which is good for auditing - careful use of the various access levels might go a long way towards building something decent with one. Where this approach is likely to fall down is in the fine-grained access control - in other words, making sure that only some people can see some stuff, and not other stuff. Wikis are generally not built with that in mind. Finally, I don't know of any wiki that handles encrypted datastores.

I might suggest trying to find some communities/lists that are specifically about HIPAA implementation. There may already be something you can use available, but just not commonly known outside of the communities that require it.

malcolmpdx
0

It doesn't sound like you want a wiki - a web page anyone can edit - but a CRM that allows people to log in and change content. Joomla is good like that, and you can encrypt it easily enough with SSL.

Ernie
  • There is plenty of ACL available in some wikis, don't count them out totally! – Tim Jan 24 '12 at 16:32
  • Yeah, an ACL wiki would be fine. SSL covers transmission, which is a must, but I'm also concerned with ensuring the db is properly encrypted to some plausible degree of diligence on my part. – Code Silverback Jan 24 '12 at 16:35
0

There are wikis which allow user restrictions.

But the security question is more valid than ever, if only for privacy regulations.

In order for the cloud solution to be really successful, it needs to be at least hacker proof and subpoena proof.

PJW