Claris Engage Beyond 2021
- Chris Moyer, CEO at The Moyer Group
- Koen Van Hulle, infrastructure business unit manager at Lesterius
- Sangita Banerjee, product manager at Claris
- Elaine Suen, senior manager, DevOps at Claris
- Andrew LeCates (facilitator), director, Product Marketing and Community at Claris
Table of Contents
- Introduction
- The Evolving Threat Landscape
- Claris’ Approach to Security and Compliance
- The Importance of Shared Responsibility
- Best Practices for Claris Developers and Consultants
- Staying Current and Informed
- The Value of Security Certifications for Customers
- Future of Security in the Claris Ecosystem
- Conclusion
Introduction <a name="introduction"></a>
In an era where data breaches and cyber attacks are becoming increasingly sophisticated and frequent, the importance of robust security measures and regulatory compliance cannot be overstated. At the recent Claris Engage Beyond 2021 event, a distinguished panel of experts from Claris and the Claris community convened to provide an unprecedented look into the company’s steadfast commitment to security and compliance. This blog post delves deep into the insights shared during this enlightening discussion, offering a comprehensive overview of Claris’ approach to protecting customer data and maintaining the highest standards of security in the industry.
The Evolving Threat Landscape <a name="the-evolving-threat-landscape"></a>
The panel began by painting a vivid picture of the current cybersecurity threat landscape, emphasizing the urgent need for heightened vigilance and proactive security measures.
Chris Moyer, a respected Claris Platinum Partner, shared some alarming statistics about the rising tide of ransomware attacks. He revealed that by the end of 2021, experts predict a ransomware attack will occur every 11 seconds, a dramatic increase from every 40 seconds in 2016. This exponential growth in attack frequency underscores the critical importance of robust security measures for businesses of all sizes.
Moyer also highlighted a disturbing trend: ransomware gangs are now actively recruiting insiders to compromise their own organizations in exchange for a cut of the ransom. This development adds a new layer of complexity to the security challenge, as even organizations with strong perimeter defenses and security awareness training can fall victim to insider threats.
Sangeetha Banerjee, Senior Manager for Product Management at Claris, provided a comprehensive overview of the top six challenges in the current threat landscape:
- Phishing attacks: These have doubled in frequency compared to the previous year, largely as a result of the pandemic.
- Ransomware: As highlighted by Moyer, this remains a significant and growing threat.
- Malware: Various forms of malicious software continue to pose risks to organizations.
- Data leakage: Unauthorized disclosure of sensitive information remains a constant concern.
- Weak passwords: Despite ongoing education efforts, weak passwords continue to be a common vulnerability.
- Insider threats: As mentioned earlier, this is an increasingly prevalent risk.
Banerjee also emphasized the role of shadow IT in exacerbating these threats. The rapid shift to remote work due to the COVID-19 pandemic has led many organizations to quickly adopt new tools and technologies, often without proper vetting or security controls in place.
The panel noted that while ransomware has historically focused on the Windows ecosystem, there’s a growing trend of attacks targeting macOS and Linux systems. This shift is driven by the massive financial incentives for cybercriminals, with hundreds of millions of dollars flowing to ransomware gangs each year. As a result, these groups can afford to invest in expanding their reach to previously less-targeted operating systems.
Another crucial point raised was the misconception that smaller organizations are safe due to their size. In fact, after high-profile attacks like the Colonial Pipeline incident, many ransomware groups are now deliberately targeting smaller and medium-sized organizations to avoid attracting too much attention from law enforcement and government agencies. This shift in focus puts many Claris customers squarely in the crosshairs of potential attacks.
Claris’ Approach to Security and Compliance <a name="claris-approach-to-security-and-compliance"></a>
In response to these growing threats, Claris has made significant investments in security certifications and compliance measures. The discussion highlighted two key achievements that demonstrate Claris’ commitment to protecting customer data:
SOC 2 Type 2 Report <a name="soc-2-type-2-report"></a>
Claris recently obtained its first SOC 2 Type 2 report for Claris Connect. This report, issued by the renowned third-party auditor KPMG, provides an independent attestation of the design and operating effectiveness of Claris’ internal controls in protecting customer data.
Sangeetha Banerjee explained that the SOC 2 report covers three critical trust service criteria:
- Security: Ensuring that systems are protected against unauthorized access, use, or modification.
- Availability: Guaranteeing that systems are available for operation and use as committed or agreed.
- Confidentiality: Protecting information designated as confidential from unauthorized access and use.
Elaine Suen, Senior Manager leading the DevOps team at Claris, provided an in-depth look at the rigorous process involved in obtaining this report. She detailed numerous controls implemented by Claris, including:
- Security by design in product development: Incorporating security considerations from the earliest stages of the software development lifecycle.
- Formal change management processes: Ensuring that all changes to systems and software are properly vetted, tested, and documented.
- Separation of duties: Implementing strict role-based access controls to prevent any single individual from having excessive system privileges.
- Strict access controls: Limiting access to sensitive systems and data on a need-to-know basis.
- Multi-factor authentication: Requiring additional verification beyond passwords for accessing critical systems.
- Data encryption in transit and at rest: Protecting data both while it’s being transmitted and when it’s stored.
- Web application firewall and endpoint security: Implementing multiple layers of defense against various types of cyber attacks.
- Disaster recovery planning: Ensuring business continuity in the event of a major incident or disaster.
- Infrastructure incident handling process and handbook: Providing clear guidelines for responding to and managing security incidents.
- 24/7 infrastructure and security monitoring: Maintaining constant vigilance through dedicated teams around the globe.
Suen emphasized that obtaining the SOC 2 report is not a one-time achievement but an ongoing process that requires continuous improvement and adherence to strict security standards.
ISO Certifications <a name="iso-certifications"></a>
In addition to the SOC 2 report, Claris has obtained two ISO certifications under the Apple Services umbrella:
- ISO 27001: This is the world’s most recognized information security management system certification. Sangeetha Banerjee explained that ISO 27001 covers 11 security domains composed of 114 controls, all of which Claris has implemented. These domains include:
  - Physical and environmental security
  - Human resource security
  - Software development security
  - Operational management
  - Business continuity management
  - Access management
- ISO 27018: This certification provides a code of practice for protecting personally identifiable information (PII) in cloud environments. Banerjee noted that ISO 27018 builds upon the foundation of ISO 27001, adding specific privacy-related controls such as:
  - Obtaining user consent for data processing
  - Transparency in data usage
  - Minimizing the collection of personal information
  - Data retention and deletion practices
These certifications apply to both FileMaker Cloud and Claris Connect, providing customers with assurance that Claris adheres to internationally recognized standards for information security and privacy protection.
The Importance of Shared Responsibility <a name="the-importance-of-shared-responsibility"></a>
A recurring theme throughout the discussion was the concept of shared responsibility in maintaining security. While Claris provides a secure platform and infrastructure, customers and partners play crucial roles in ensuring end-to-end security.
Koen Van Hulle, a Claris consultant with Lesterius, emphasized the importance of a holistic approach to security. He stressed that securing a Claris solution involves more than just setting up login credentials. Key points he raised include:
- Educating users about proper data handling practices: Ensuring that employees understand how to handle sensitive information and adhere to security policies.
- Maintaining up-to-date software across the entire solution stack: This includes not only Claris products but also connected APIs, JavaScript libraries, and any other integrated technologies.
- Implementing proper access controls: Ensuring that users have the minimum necessary privileges to perform their roles.
- Securing both server and client-side components: Recognizing that vulnerabilities can exist at various points in the system.
Van Hulle also highlighted the importance of considering security implications when exporting data from Claris applications. He noted that even if the application itself is secure, exported data can be vulnerable if not handled properly.
Chris Moyer expanded on this concept, emphasizing the role of developers and consultants as trusted advisors to their clients. He suggested that Claris professionals should guide their clients in implementing best practices such as:
- Regular security awareness training: Helping employees recognize and respond to potential threats like phishing attempts.
- Implementing SIEM (Security Information and Event Management) tools: These solutions aggregate and analyze log data from various sources to detect potential security incidents.
- Utilizing SOAR (Security Orchestration, Automation, and Response) platforms: These tools can automate incident response processes, enabling faster reaction times to potential threats.
- Conducting regular security assessments: Periodically evaluating the organization’s security posture to identify and address vulnerabilities.
The panel agreed that achieving robust security requires a collaborative effort between Claris, its partners, and end-users. Each party has specific responsibilities in maintaining the overall security of the ecosystem.
Best Practices for Claris Developers and Consultants <a name="best-practices-for-claris-developers-and-consultants"></a>
The discussion yielded several key recommendations for Claris developers and consultants to enhance the security of their solutions:
- Adopt a “security-first” mindset: Consider security implications at every stage of development, from initial design to deployment and maintenance.
- Implement strong authentication mechanisms: Utilize multi-factor authentication where possible and enforce strong password policies.
- Encrypt sensitive data: Use encryption for data both in transit and at rest, especially when dealing with personally identifiable information.
- Regularly update and patch systems: Stay current with the latest versions of Claris products, operating systems, and any third-party components used in solutions.
- Implement proper access controls: Use the principle of least privilege, granting users only the minimum necessary access to perform their roles.
- Conduct regular security audits: Periodically review system configurations, access logs, and user privileges to identify potential vulnerabilities or suspicious activities.
- Develop and maintain incident response plans: Have clear procedures in place for detecting, responding to, and recovering from security incidents.
- Educate clients on security best practices: Help clients understand their role in maintaining security and provide guidance on implementing security policies and procedures.
- Stay informed about emerging threats: Regularly review security bulletins and advisories relevant to the Claris ecosystem and related technologies.
- Leverage Claris’ built-in security features: Familiarize yourself with and make full use of the security capabilities provided by Claris platforms.
Staying Current and Informed <a name="staying-current-and-informed"></a>
The panel emphasized the critical importance of staying up-to-date with the latest security trends and best practices. They offered several recommendations for the Claris community:
- Participate in virtual user groups and meetups: Chris Moyer highlighted how the shift to virtual events due to the pandemic has made it easier to attend user groups from around the world. He mentioned a public calendar compiled by Egbert Friedrich that aggregates worldwide Claris meetups.
- Follow InfoSec professionals on social media: Moyer suggested following the #infosec hashtag on Twitter to get a pulse on current security trends and emerging threats.
- Engage with the Claris Community forums: Share knowledge, experiences, and best practices with fellow developers and consultants through the official Claris Community platform.
- Attend security-focused conferences: Consider participating in events like DEF CON to gain deeper insights into the world of cybersecurity.
- Subscribe to security newsletters and blogs: Stay informed about the latest vulnerabilities, patches, and security strategies relevant to the Claris ecosystem.
- Regularly review Claris’ security documentation: Keep abreast of updates to Claris’ security features and best practices by regularly consulting official documentation.
- Participate in ongoing professional development: Seek out training opportunities and certifications to enhance your security expertise.
- Collaborate with IT security professionals: Foster relationships with security experts to gain different perspectives and insights on protecting Claris solutions.
The Value of Security Certifications for Customers <a name="the-value-of-security-certifications-for-customers"></a>
For Claris customers and partners, the security certifications and compliance measures discussed provide several significant benefits:
- Assurance of best practices: Customers can trust that Claris is following industry-best practices in data protection, as verified by independent third-party auditors.
- Simplified vendor assessment: Enterprise customers often require extensive security questionnaires and assessments before adopting new technologies. Claris’ certifications can streamline this process, potentially reducing the time and effort required to gain approval for Claris solutions.
- Increased credibility: When proposing Claris solutions to IT departments or decision-makers, partners can point to these certifications as evidence of Claris’ commitment to security and compliance.
- Competitive advantage: In industries with strict regulatory requirements, Claris’ certifications can provide a competitive edge over solutions that lack similar assurances.
- Foundation for shared responsibility: The certifications provide a clear baseline for security, allowing customers and partners to build upon this foundation with their own security measures.
- Continuous improvement: The ongoing nature of these certifications ensures that Claris will continue to evolve its security practices to meet emerging threats and changing regulatory requirements.
- Global recognition: ISO certifications, in particular, provide internationally recognized assurance of Claris’ security practices, which can be especially valuable for multinational organizations.
- Risk mitigation: By choosing a platform with robust security certifications, organizations can reduce their overall risk profile and potentially lower cybersecurity insurance costs.
Future of Security in the Claris Ecosystem <a name="future-of-security-in-the-claris-ecosystem"></a>
The panel also touched on the future direction of security within the Claris ecosystem:
- Continued investment: Claris representatives affirmed the company’s ongoing commitment to security, promising continued investment in both technology and processes to enhance data protection.
- Expansion of certifications: While the current SOC 2 report covers Claris Connect, there are plans to expand this coverage to other Claris products in the future.
- Enhanced integration with Apple security framework: As part of the Apple family, Claris will continue to leverage and integrate with Apple’s robust security infrastructure.
- Focus on cloud security: With the increasing adoption of cloud solutions, Claris will continue to enhance its cloud security features and practices.
- Emphasis on privacy: In line with global trends and regulations like GDPR, Claris will maintain a strong focus on data privacy alongside security.
- Automation and AI in security: The panel hinted at potential future implementations of AI and machine learning to enhance threat detection and response capabilities.
- Developer tools and resources: Claris plans to provide more tools and resources to help developers build secure applications on its platforms.
- Continued community engagement: Recognizing the importance of the Claris community in maintaining a secure ecosystem, the company plans to increase its efforts to educate and engage with developers and users on security topics.
Conclusion <a name="conclusion"></a>
As the digital threat landscape continues to evolve at a rapid pace, Claris has demonstrated its unwavering commitment to security and compliance through significant investments in certifications, infrastructure, and best practices. By obtaining SOC 2 and ISO certifications, implementing rigorous internal controls, and fostering a culture of shared responsibility, Claris provides a secure foundation for businesses to build and deploy mission-critical applications.
However, the panel made it clear that security is not a destination, but an ongoing journey that requires vigilance from all stakeholders in the Claris ecosystem. Developers, consultants, and end-users all play crucial roles in maintaining the security of Claris solutions.
By staying informed about emerging threats, implementing industry best practices, and leveraging the secure infrastructure provided by Claris, developers and organizations can confidently build solutions that not only protect sensitive data but also meet the stringent compliance requirements of today’s business environment.
As we look to the future, it’s clear that security will remain at the forefront of Claris’ priorities. With ongoing investments in technology, processes, and community education, Claris is well-positioned to continue providing a secure and trusted platform for businesses of all sizes to innovate and thrive in an increasingly digital world.
The key takeaway from this enlightening discussion is that security in the Claris ecosystem is a collaborative effort.