Blog tool security

[mrhatch]

All,

My company is thinking of using a blogging package as a way to share information about various related projects on our Intranet. The thing is that many of our projects are team efforts with sub-contractors, on other occasions these same companies are our prime competitors.

Management likes the idea of sharing information via the Intranet as it costs less than travel and uses less resources than meetings, but is worried about the security of information in the blogs. They have divided their concerns int a couple of areas.

1. Keeping posts private from subs when needed.
2. Being able to track who posted what and when.

I have tried to run through Google but have had a hard time sorting out the security related blogs from articles on the security of blogs. Any information you have would be greatly appreciated.

[someonewhois]

Who posted what and when is pretty easy. Standard user management. No blog software out there will support hiding posts from subs, I don't think - -blogging is made to be public. You'll probably need a custom application for it.

[mrhatch]

Thanks I was afraid that might be the answer although I was thinking that if we adopted one of the systems that generate static HTML that I could use .htaccess or a Certificate based authentication system to restrict access.

[vgarcia]

Who posted what and when is pretty easy. Standard user management. No blog software out there will support hiding posts from subs, I don't think - -blogging is made to be public. You'll probably need a custom application for it.

WordPress can do password-protected posts

[someonewhois]

WordPress can do password-protected posts

I don't think password protecting posts is the best method.

Personally I would just require all readers to signup, and then put them into different groups, and then when you write an entry, you chose which member groups can view it. Shouldn't be any fowlups there, and then each person has their own login that can be used to track their entries.

[mrhatch]

The only problem is that on an Intranet the size of the one I am working on it would become a full time position to manage access to the number of blogs and users wishing access. As I stated in my earlier post, I believe that the best solution is going to involve using PKI to authenticate users and groups to prevent the overhead of maintaining users accounts.