Security In The FileMaker Platform

Discussion created by shblackwell on Dec 1, 2017

This week we have seen on this List a rather extraordinary number of different threads that focused on various aspects of FileMaker Platform security features and practices.  Or, perhaps more accurately, these threads have shown some lack of understanding about what constitutes effective security for the FileMaker Platform.

I wanted to offer a few general observations about this topic in the hope that it will sharpen focus and understanding about FileMaker Platform security.

  • Security is often about technical matters.  Much more frequently, however, it is about human behavior. The Human Factor is often the determinant in whether vulnerabilities are addressed (or even created), whether exploits occur, either purposefully or inadvertently, and whether people understand the real impact of a breach that compromises an asset.
  • Security is not about protecting data so much as it is about protecting organizations that have data from business survivability problems, from business continuity problems, from brand reputation damage, from criminal and civil liabilities, and from regulatory sanctions.  The organization, its personnel, and its survivability are all at stake here. (https://fmforums.com/blogs/entry/1619-protecting-filemaker-platform-business-solutions/)
  • The FileMaker Platform has a number of very good security features.  Their presence in the FileMaker Platform has come as the result of long-waged efforts to address vulnerabilities.  These efforts go back for twenty years in some instances. Use the tools FileMaker gives you. Chief among these tools are these:
    • File Access Protection
    • Fine-grained Privilege Sets
    • API Controls (Version 16)
    • Encryption At Rest
    • Encryption In Transit
  • Vulnerabilities that are not natively present in the family of products are often introduced by developers. These vulnerabilities facilitate compromise of Confidentiality, Integrity, Availability and Resilience (CIAR) of assets. This occurs when developers attempt to invent their own security systems and schema.  These ersatz systems almost always create problems, and they introduce vulnerabilities not otherwise present. (https://fmforums.com/blogs/entry/1512-a-conversation-about-2-factor-authentication/, https://fmforums.com/blogs/entry/1411-some-vulnerabilities-associated-with-ersatz-log-on-systems/)
  • Finally, security for FileMaker Platform custom business solutions cannot be an afterthought. It must be an integral part from the outset of design, development, and deployment.

 

Respectfully,

Steven H. Blackwell

Platinum Member Emeritus, FileMaker Business Alliance
