Ronnie Rios, FileMaker DevCon 2015
In today’s digital world, securing sensitive information such as customer data, financial records, and intellectual property is critical for businesses of all sizes. In his 2015 DevCon session, Ronnie Rios highlighted the main security threats facing FileMaker users and provided practical solutions for addressing these risks. This blog post offers a detailed look at the session’s key points, outlining how businesses can safeguard their FileMaker solutions using the platform’s built-in security features.
Menu
- Introduction to FileMaker Security Risks
- Understanding the Three Primary Attack Vectors
- Encryption at Rest – Protecting Data on Disk
- Securing Data in Transit with SSL
- Managing Identity and Access
- User Education – The Missing Link in Security
- Best Practices for FileMaker Security
- Key Takeaways from the Session
Introduction to FileMaker Security Risks
As businesses store more and more sensitive information, the need for robust security grows. FileMaker solutions are no exception. Whether you’re handling customer data, intellectual property, or financial information, you need to ensure that your FileMaker database is protected against both internal and external threats.
In his session, Ronnie Rios underscored the importance of taking a proactive approach to security. By understanding the key attack vectors that threaten FileMaker systems, developers and administrators can implement effective defenses to safeguard their solutions.
Understanding the Three Primary Attack Vectors
Ronnie Rios identified three primary attack vectors that businesses must address to protect their FileMaker systems effectively. Each vector represents a potential vulnerability that, if exploited, could lead to data loss or unauthorized access.
1. Attack Vector: The File
The database file itself can be a weak point if not properly secured. While many assume that storing data within a FileMaker file provides some level of security, Rios emphasized that encoding or obfuscating data is not the same as encryption. Without encryption, the data remains vulnerable.
Key Vulnerability: Unencrypted files can be copied and accessed without authorization, compromising the entire system.
2. Attack Vector: Over the Wire
Data transmitted between FileMaker clients and the server is often compressed and encoded, but if it isn’t encrypted, it remains at risk. Without proper encryption during transmission, malicious actors can intercept the data and read it in transit, leading to breaches.
Key Vulnerability: Data in transit is vulnerable to interception, especially on insecure networks.
3. Attack Vector: Identity and Access
The final attack vector involves user accounts and privilege management. Poorly configured accounts, weak passwords, or improperly assigned privileges can open the door to unauthorized access. Even with encryption, weak identity and access management practices can make it easy for attackers to gain entry.
Key Vulnerability: Without proper account management and privilege sets, unauthorized users can gain access to sensitive data.
Understanding these attack vectors is the first step to implementing a robust security framework for your FileMaker solutions.
Encryption at Rest – Protecting Data on Disk
Encryption at rest is one of the most effective ways to protect data stored in a FileMaker file. As Rios explained, FileMaker provides AES-256 encryption, a government-grade encryption standard that makes it nearly impossible for unauthorized users to read data without the encryption key.
How AES-256 Encryption Works
AES-256 is a symmetric key encryption algorithm, meaning the same key is used to encrypt and decrypt data. FileMaker uses this algorithm to protect the entire database file while it is stored on disk. Even if someone gains physical access to the server or a backup copy of the database, they will be unable to open the file without the encryption key.
Why Encryption Matters:
- Security Against Physical Theft: Even if an attacker gains physical access to the server or the storage medium, encrypted files remain secure.
- Compliance: Many regulatory frameworks, such as HIPAA, PCI DSS, and GDPR, require encryption at rest to protect sensitive data.
Password Strength: The password used to generate the encryption key is critical. A weak password can be brute-forced, allowing attackers to access the data. Rios recommended using strong, complex passwords to ensure maximum protection.
Securing Data in Transit with SSL
In addition to encrypting data at rest, it is essential to secure data while it is being transmitted between clients and FileMaker Server. Rios explained that FileMaker supports SSL encryption (Secure Sockets Layer), which protects data from interception as it travels across networks.
Why SSL Matters
Without SSL, data transmitted between the server and clients is vulnerable to interception, particularly on public or insecure networks. Attackers can use tools to capture this data and potentially gain access to sensitive information.
SSL Best Practices
- Use CA-Signed Certificates: While FileMaker supports self-signed SSL certificates, these are only suitable for testing purposes. Rios recommended using CA-signed certificates from a trusted Certificate Authority to ensure maximum security in production environments.
- TLS 1.2 Support: FileMaker Server supports TLS 1.2, the successor to SSL that closes weaknesses found in the older SSL protocol versions. Administrators should ensure that their servers are configured to use the latest secure protocol version and do not fall back to older versions of SSL.
By securing data in transit with SSL, businesses can prevent attackers from intercepting sensitive information during transmission.
Managing Identity and Access
Managing user accounts and privilege sets is a cornerstone of FileMaker security. Rios discussed how poorly managed identity and access controls can lead to unauthorized access, even if encryption is in place. He highlighted two important areas: authentication and authorization.
1. Authentication: Who Are You?
Authentication is the process of verifying a user’s identity. In FileMaker, this is handled through accounts and passwords. FileMaker stores passwords as a one-way cryptographic hash rather than in plain text, so an attacker who obtains the stored value cannot simply read the password back out of it.
Password Strength: Rios emphasized the importance of enforcing strong password policies, including:
- Minimum Length and Complexity: Passwords should be at least 8-12 characters long and include a mix of letters, numbers, and symbols.
- Password Expiration: Regularly expire passwords to ensure that compromised credentials don’t remain valid indefinitely.
2. Authorization: What Can You Do?
Authorization controls what a user can access once they are authenticated. FileMaker’s privilege sets allow administrators to define what users can see and do within the database.
Key Areas to Secure:
- Records and Fields: Ensure that users only have access to the records and fields that are relevant to their roles.
- Layouts and Scripts: Limit access to sensitive layouts and scripts to prevent unauthorized users from viewing or modifying them.
- Exporting Data: Disable the ability to export data for users who don’t need this capability, reducing the risk of data leaks.
By carefully managing accounts and privilege sets, administrators can ensure that users have only the access they need, minimizing the risk of unauthorized actions.
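The authorization model described above (per-role access to fields, layouts and scripts, with export switched off for roles that do not need it) and the password policy from the authentication section are easy to make concrete. The Go program below is an added example for this post; it is not FileMaker's privilege-set implementation and the two roles, field names, layouts and scripts it defines are constructed for illustration. It models a privilege set as a default-deny lookup, answers "may this role do this?", lists which roles can export (the kind of question to ask when auditing privilege sets), and checks a candidate password against a minimum length and a letters-digits-symbols mix.

```go
package main

import (
	"fmt"
	"unicode"
)

// Action is something an authenticated user attempts in the solution.
type Action int

const (
	ViewField Action = iota
	EditField
	OpenLayout
	RunScript
	ExportRecords
)

// PrivilegeSet models a role the way the session describes one: which fields
// it may view or edit, which layouts and scripts it may reach, and whether it
// may export. Anything not listed is denied (default deny).
type PrivilegeSet struct {
	Name        string
	ViewFields  map[string]bool // "Table::Field" -> permitted
	EditFields  map[string]bool
	Layouts     map[string]bool
	Scripts     map[string]bool
	AllowExport bool
}

// Allows answers "may this role perform action a on target?".
// Editing a field implies viewing it, so EditFields is consulted for both.
func (p PrivilegeSet) Allows(a Action, target string) bool {
	switch a {
	case ViewField:
		return p.ViewFields[target] || p.EditFields[target]
	case EditField:
		return p.EditFields[target]
	case OpenLayout:
		return p.Layouts[target]
	case RunScript:
		return p.Scripts[target]
	case ExportRecords:
		return p.AllowExport
	}
	return false
}

// set turns a list of names into a lookup map.
func set(items ...string) map[string]bool {
	m := make(map[string]bool, len(items))
	for _, s := range items {
		m[s] = true
	}
	return m
}

// Constructed example roles for a customer database (not from the talk).
var (
	SalesRep = PrivilegeSet{
		Name:       "Sales Rep",
		ViewFields: set("Customer::Name", "Customer::Phone"),
		EditFields: set("Customer::Notes"),
		Layouts:    set("Customers"),
		Scripts:    set("Log Call"),
		// AllowExport deliberately left false: this role has no need to export.
	}
	Finance = PrivilegeSet{
		Name:        "Finance",
		ViewFields:  set("Customer::Name", "Customer::CardLast4"),
		Layouts:     set("Customers", "Billing"),
		Scripts:     set("Month-End Close"),
		AllowExport: true,
	}
)

// ExportCapableRoles lists roles that may export. Run it when auditing
// privilege sets: every name it returns should have a documented reason.
func ExportCapableRoles(roles []PrivilegeSet) []string {
	var out []string
	for _, r := range roles {
		if r.AllowExport {
			out = append(out, r.Name)
		}
	}
	return out
}

// CheckPassword returns the policy rules a candidate password violates
// (minimum length plus a mix of letters, digits and symbols); empty means pass.
func CheckPassword(pw string, minLen int) []string {
	var letter, digit, symbol bool
	for _, r := range pw {
		switch {
		case unicode.IsLetter(r):
			letter = true
		case unicode.IsDigit(r):
			digit = true
		case unicode.IsPunct(r) || unicode.IsSymbol(r):
			symbol = true
		}
	}
	var violations []string
	if len([]rune(pw)) < minLen {
		violations = append(violations, fmt.Sprintf("shorter than %d characters", minLen))
	}
	if !letter {
		violations = append(violations, "no letters")
	}
	if !digit {
		violations = append(violations, "no digits")
	}
	if !symbol {
		violations = append(violations, "no symbols")
	}
	return violations
}

func main() {
	fmt.Println("sales rep may export:", SalesRep.Allows(ExportRecords, ""))
	fmt.Println("sales rep may view card digits:", SalesRep.Allows(ViewField, "Customer::CardLast4"))
	fmt.Println("export-capable roles:", ExportCapableRoles([]PrivilegeSet{SalesRep, Finance}))
	fmt.Println("weak password issues:", CheckPassword("password", 12))
}
```

The important property is the default: a role can only do what is explicitly listed, so adding a new layout or script to the solution does not silently expose it to every existing role.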
User Education – The Missing Link in Security
No matter how secure a system is, if users are not properly trained, they can inadvertently expose vulnerabilities. Rios emphasized that user education is one of the most critical components of a strong security posture.
Key Areas for User Education
- File Access: Educate users on the importance of using strong passwords and never sharing their credentials. Ensure they understand the risks of leaving workstations unattended while logged into sensitive systems.
- Network Security: Teach users to recognize insecure networks, particularly when accessing FileMaker solutions remotely. Users should avoid connecting to public Wi-Fi without a secure VPN.
- Password Strength: Reinforce the need for strong passwords and the dangers of reusing passwords across multiple systems.
- Social Engineering: Warn users about the risks of social engineering attacks, such as phishing. Educating users to recognize suspicious emails or phone calls can prevent them from inadvertently sharing sensitive information with attackers.
Without proper education, even the best security tools can be rendered ineffective by human error. Therefore, ongoing user training is essential.
Best Practices for FileMaker Security
Rios concluded his session with several key best practices that every FileMaker administrator should follow to enhance the security of their solutions. These steps can greatly reduce the risk of security breaches and ensure that sensitive data remains protected.
1. Host Solutions Securely
Ensure that your FileMaker Server is hosted in a secure environment with limited physical access. Use strong network security measures, such as firewalls, VPNs, and intrusion detection systems, to protect against external threats.
2. Use Database Encryption
Always enable Encryption at Rest (EAR) for FileMaker databases. This ensures that even if the database file is copied or stolen, the data remains unreadable without the encryption key.
3. Disable Automatic Login
Avoid using automatic login features. Always require users to authenticate with a strong password when accessing the database.
4. Use External Authentication
Where possible, use external authentication (such as Active Directory) to manage user credentials. This centralizes authentication and allows organizations to enforce stronger password policies and multi-factor authentication (MFA).
5. Disable Keychain for FileMaker Go
On mobile devices, ensure that users do not store passwords in the keychain. This prevents unauthorized users from accessing the system if the device is lost or stolen.
By following these best practices, businesses can greatly enhance the security of their FileMaker solutions, protecting sensitive data from a wide range of threats.
Key Takeaways from the Session
Ronnie Rios’ DevCon 2015 session on FileMaker security highlighted several critical areas where developers and administrators must focus their efforts to secure their solutions:
- Encrypt Data at Rest and In Transit: Use AES-256 encryption for files on disk and SSL for data in transit to protect against physical theft and network-based attacks.
- Manage Accounts and Privileges Carefully: Implement strong password policies and limit user access to only the data and features they need to perform their tasks.
- Educate Users: Train users on security best practices, including recognizing phishing attacks, using secure passwords, and avoiding insecure networks.
- Follow Security Best Practices: Regularly audit your security settings and ensure that your solutions are hosted in secure environments with encryption enabled.
By taking these steps, businesses can significantly reduce the risk of data breaches and ensure that their FileMaker solutions remain secure against both internal and external threats.
This expanded blog post provides a thorough look at Ronnie Rios’ session on FileMaker Security, Inside and Out, offering actionable advice on securing FileMaker systems from multiple angles. By understanding and addressing the three primary attack vectors, implementing encryption, managing access, and educating users, businesses can protect their sensitive data and maintain the integrity of their FileMaker solutions.
DevCon 2015: Security, Inside and Out – Ronnie Rios