Andre Meyer wrote:
For a multi-national military project I have suggested using Plone as CMS and collaboration platform. However, I need to convince people that Zope/Plone is secure enough to prevent leaking of sensitive data.
Security always depends on how deeply you want to look. At the end of the day, any application will only be as secure as you can make it given your understanding of the problem. Very few people would be so brash as to claim to understand *every* aspect of zope and its security implications. What matters is how well you understand what it is you're trying to accomplish and how the tools at your disposal work. That said, can you define "sensitive data?" Is a username sensitive data? Is a document a user uploads sensitive data? Is the path on the host system the software is running beneath sensitive data? To answer "is X secure enough" you have to be able to define "enough."
Is it possible to set up a publicly accessible Web server with Plone that contains public as well as private data neatly separated depending on login user and group? Even group members should not be able to see data of other groups unless explicitly permitted to do so.
Sure. Provided you understand what you're doing and limit the privileges of your users accordingly.
best pattern of use? Are there good examples of similar deployments (NATO, NASA)? How do they deal with this?
The "best" (there's no such thing) pattern of use for secure applications is probably that of 'least privilege'. If you don't need it, get rid of it. If a user doesn't need to do something, make it so they can't. [Of course, I've seen people try to take this too far and actually end up hurting system security; again, you have to know what you're doing.]

-- 
Jamie Heilman
http://audible.transient.net/~jamie/
"You came all this way, without saying squat, and now you're trying to tell me a '56 Chevy can beat a '47 Buick in a dead quarter mile? I liked you better when you weren't saying squat kid." -Buddy
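The separation asked about above (public content, a private area, and group folders whose members cannot see each other's data unless explicitly permitted) follows from the least-privilege pattern in the reply when it is built on Zope's own primitives: roles, permission-to-role mappings on folders, local roles granted to users or groups, and acquisition of parent settings. The following is an added illustration written for this thread, not Zope's implementation and not code from either poster; it models those primitives in a simplified Python form with a deny-by-default check. The site layout, folder names, users and groups are constructed for the example. The `private_acquires` switch reproduces the common mistake of leaving acquisition enabled on the private area, which lets the root's public View grant leak into the group folders.

```python
"""Simplified model of Zope-style access control: roles, permissions,
folder-local roles and acquisition, with deny-by-default.
Added illustration for this thread; not Zope's actual implementation."""
from dataclasses import dataclass, field


@dataclass
class Folder:
    name: str
    parent: "Folder | None" = None
    # permission -> roles allowed to exercise it at this folder
    role_permissions: dict = field(default_factory=dict)
    # principal id (user or group) -> roles held only inside this subtree
    local_roles: dict = field(default_factory=dict)
    # False breaks acquisition: parent permission settings stop applying here
    acquire: bool = True


@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)
    global_roles: set = field(default_factory=set)


def roles_for(user, folder):
    """Roles a user holds in a folder: global roles plus local roles granted
    to the user or any of their groups on this folder or an ancestor."""
    roles = set(user.global_roles)
    node = folder
    while node is not None:
        for principal in {user.name, *user.groups}:
            roles |= node.local_roles.get(principal, set())
        node = node.parent
    return roles


def roles_granted(folder, permission):
    """Roles allowed a permission here, unioned with ancestors' settings
    until a folder that does not acquire is reached."""
    granted = set()
    node = folder
    while node is not None:
        granted |= node.role_permissions.get(permission, set())
        if not node.acquire:
            break
        node = node.parent
    return granted


def allowed(user, folder, permission):
    """Deny by default: grant only if one of the user's roles is mapped."""
    return bool(roles_for(user, folder) & roles_granted(folder, permission))


def build_site(private_acquires=False):
    """Constructed sample site (all names invented for the example).
    private_acquires=True leaves acquisition on in the private area, so the
    root's public View grant leaks into the group folders."""
    root = Folder("root", role_permissions={"View": {"Anonymous", "Manager"}},
                  acquire=False)
    public = Folder("public", root)
    private = Folder("private", root,
                     role_permissions={"View": {"Reader", "Manager"}},
                     acquire=private_acquires)
    group_a = Folder("group-a", private, local_roles={"group-a": {"Reader"}})
    group_b = Folder("group-b", private, local_roles={"group-b": {"Reader"}})
    # explicit, narrowly scoped grant: one folder of group-b shared with group-a
    shared = Folder("shared", group_b, local_roles={"group-a": {"Reader"}})
    return {
        "root": root, "public": public, "private": private,
        "group-a": group_a, "group-b": group_b, "shared": shared,
        "anonymous": User("anonymous", global_roles={"Anonymous"}),
        "alice": User("alice", {"group-a"}, {"Authenticated"}),
        "bob": User("bob", {"group-b"}, {"Authenticated"}),
        "carol": User("carol", set(), {"Authenticated"}),
        "manager": User("manager", set(), {"Authenticated", "Manager"}),
    }


if __name__ == "__main__":
    site = build_site()
    for who in ("anonymous", "alice", "bob", "carol", "manager"):
        seen = [f for f in ("public", "private", "group-a", "group-b", "shared")
                if allowed(site[who], site[f], "View")]
        print(f"{who:10} can View: {seen}")
```

Two design points carry the weight here: nothing is viewable unless a role is explicitly mapped to the permission somewhere on the acquisition path, and the private folder stops acquisition so the root's public grant cannot reach the group folders. Group isolation then comes for free, because a Reader local role granted to group-a on its own folder is simply never present when group-b's folder is evaluated; cross-group access has to be an explicit, narrowly scoped grant such as the shared folder.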