Web Enabling is turning on another service, usually Apache Web Services or IIS from Microsoft. Like FileMaker, they have their own security. So if you turn on web services using port 80, then nothing is encrypted. However, you can SSL secure your web pages and use port 443 and they will be enabled. Basically, what the MIT security is telling you is that turning on another service that FileMaker talks to is outside of FileMaker security and you need to secure it, but not with FileMaker tools. WebDirect is a FileMaker web solution and FileMaker provides a method for using SSL, preferably with an authorized certificate. There is going to be a good security session on this topic at Devcon. But to get back to MIT's advice, they had people who could easily turn on web services with FileMaker doing so without properly securing the data on the web service. I'm sure MIT has some huge guide document on securing web services and I'm sure their guideline would like you to do custom web publishing from FileMaker if you used a secure web service.
I think they may be referring to IWP. IWP has issues with security. Taylor is right; CWP is the proper route to go (including using secure certificates) if you need secured web services using a FileMaker application.
"If you have sensitive data, do not web-enable your FileMaker databases"
Any ideas on the reasoning behind this?
It’s good advice. It is very easy to expose data to the web.
I get to see fmpro applications which are web enabled that have not included effective data security. In many cases the developers rely on a level of UI security which cannot be replicated on the web. Layouts, data and scripts are exposed unnecessarily.
Much of this boils down to really looking at security. Those who are serious about security usually require this thought process to be documented in a Security plan and maybe even a Continuity of Operations Plan. In FileMaker, we're so used to rapid application development and continuous change that most users don't even do such documentation, or if they do, they don't keep it current. But if you ever deal with a client who is serious about security, be prepared to document security controls, backup procedures, recovery plans, etc. FileMaker has made security pretty easy for us mostly, so it is easy to overlook what is going on and just trust FileMaker. But we really should look at all levels of security, including how FileMaker data can be exposed in the non-standard client-server context such as web publishing/CWP/PHP, ODBC/JDBC, File Exports, etc.