by Nicolás Franco, Rome FileMaker Week 2022



1. Introduction

The presentation, held at Rome FileMaker Week 2022, featured Nicolás Franco discussing how to enhance FileMaker’s security through layered measures. His session aimed to demonstrate practical, easily implementable steps for safeguarding FileMaker databases against potential breaches. He also touched on some common security issues and how to mitigate them using robust methods.


2. The Importance of Security

Nicolás began his talk by stressing the critical nature of having strong security measures in place. Whether you’re protecting sensitive data, complying with laws, or earning client trust, security should be at the forefront of every project. He elaborated on several points:

  • Cybercrime is on the rise, and criminals often target databases for monetary gain.
  • Legal frameworks, such as GDPR and financial industry regulations, demand high levels of data security.
  • Clients value companies that prioritize security, making it a potential selling point for services.

It’s important to ensure that even the best-designed security systems are activated and enforced.


3. Physical Access and Security

Security isn’t just about software. Nicolás emphasized that physical access to servers must also be restricted to prevent unauthorized manipulation. This includes:

  • Securing servers in data centers or locked rooms.
  • Using server racks that are locked, adding another layer of protection.

Even though many people focus on digital protection, the physical protection of servers is equally important.


4. Logical Access and Security

The second critical layer of protection involves logical access, which includes software measures that regulate who can access the server and how they access it. Nicolás broke down some essential practices here:

DMZ (Demilitarized Zone)

Setting up a DMZ ensures that only authorized users, connecting through a secure VPN, can access the server. He advocated for:

  • Setting up the server in a DMZ to isolate it from public access.
  • Restricting VPN connections to specific users, adding layers of protection against unauthorized access.

VPN and Access Control

Using a VPN adds a secure access layer between the external network and the server. Nicolás emphasized:

  • Limiting access to only specific IP addresses or MAC addresses for an additional layer of security.
  • Implementing Two-Factor Authentication (2FA), which, though sometimes cumbersome, significantly enhances protection.

5. Using a Launcher for Secure Access

Nicolás explained how the launcher simplifies user access while ensuring security. The launcher file acts as a gateway to the system:

  • Personalized Launchers: Each user receives a personalized launcher, which restricts access only to authorized individuals.
  • File Hiding: Only the launcher is visible to users; other files remain hidden, preventing unauthorized access.

This creates an extra layer of control, ensuring that users access only the data they are allowed to view.


6. Managing Security with Domain Controllers

In larger environments, Nicolás suggested delegating security to domain controllers, which can streamline the process of user authentication:

  • Centralized Password Control: By using domain controllers, password management becomes much more efficient, as it separates security duties from FileMaker’s built-in management.
  • Automated User Management: The domain controller can automate access controls, making security management smoother for larger teams.

This approach also allows companies to delegate security tasks to a separate department, such as IT, removing some of the burden from the FileMaker development team.


7. Layered Security Structure

Nicolás emphasized the need for layered security—the idea that access to data should be granted only after passing through multiple levels of security:

  • Create Multiple Gates: Rather than allowing users direct access to the database, Nicolás suggested setting up a series of checks and balances before users can access sensitive information.
  • Access Permissions: By limiting user permissions (e.g., view-only, edit, print), companies can reduce the likelihood of accidental or malicious data manipulation.

Each layer adds a degree of protection, ensuring only authorized individuals can perform certain tasks.


8. FileMaker Data Separation Model

One of the most powerful techniques Nicolás discussed was the FileMaker Data Separation Model:

  • Data Separation: Data is kept separate from the user interface, ensuring that even if one layer is breached, the core data remains protected.
  • File Accessibility: Only one central file is visible to users, while all other files containing sensitive data remain hidden, further safeguarding the data.

This approach simplifies data management while providing robust security controls.


9. Sessions and Logging User Activity

To further enhance security, Nicolás recommended logging user activity through sessions:

  • Track User Sessions: By maintaining a log of each session, administrators can see exactly what users are doing within the system, providing an audit trail for identifying unusual activity.
  • Store Globals in Sessions: Using a dedicated session table allows for logging global variables associated with each user, enabling more precise access control.

This tracking helps in both security monitoring and troubleshooting.


10. The Labyrinth: Creating Security Through Multiple Gates

Nicolás used the metaphor of a labyrinth to describe how layered security should work in a FileMaker solution. Each user faces a series of gates and checks, and only those with the appropriate credentials can navigate through the maze:

  • Complicating Access: Adding these gates makes it more difficult for bad actors to breach the system, as they must pass through multiple layers to reach sensitive data.
  • Flexible Control: By designing systems with many gates, you can fine-tune who has access to specific data at any given time.

This concept of the labyrinth ensures that attackers have a difficult time accessing the core system.
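
The gates from sections 4 to 9 (VPN source address, personalized launcher, directory group, permission, session log) can be modeled as one ordered, fail-closed chain. The following Python is an added example, not code from the talk and not FileMaker script; every account, launcher ID, group, address range and function name in it is a constructed assumption.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Every name and value here is constructed for illustration.
VPN_POOL = ipaddress.ip_network("10.8.0.0/24")       # addresses the VPN hands out
LAUNCHERS = {"L-ana-01": "ana", "L-bob-02": "bob"}   # personalized launcher -> account
GROUPS = {"ana": {"sales"}, "bob": {"sales", "finance"}}  # as a domain controller would report
PERMISSIONS = {"sales": {"invoices": {"view"}},      # group -> area -> allowed actions
               "finance": {"invoices": {"view", "edit", "print"}}}

@dataclass(frozen=True)
class Request:
    account: str
    source_ip: str
    launcher_id: str
    area: str
    action: str

def gate_vpn(r):
    try:
        return ipaddress.ip_address(r.source_ip) in VPN_POOL
    except ValueError:            # unparsable address: fail closed
        return False

def gate_launcher(r):             # a launcher only works for the account it was issued to
    return LAUNCHERS.get(r.launcher_id) == r.account

def gate_group(r):                # account must be known to the directory
    return bool(GROUPS.get(r.account))

def gate_permission(r):           # some group must grant this action on this area
    return any(r.action in PERMISSIONS.get(g, {}).get(r.area, set())
               for g in GROUPS.get(r.account, ()))

GATES = [("vpn", gate_vpn), ("launcher", gate_launcher),
         ("group", gate_group), ("permission", gate_permission)]

def authorize(r, session_log):
    """Walk the gates in order, deny at the first failure, log every decision."""
    failed = next((name for name, gate in GATES if not gate(r)), None)
    session_log.append({"account": r.account, "ip": r.source_ip, "area": r.area,
                        "action": r.action, "failed_gate": failed})
    return failed is None

def denials_by_gate(session_log):
    """Audit view over the session table: which gate is stopping requests."""
    return Counter(e["failed_gate"] for e in session_log if e["failed_gate"])
```

Because allowed and denied requests both land in the session log, a rise in denials at one gate (for example, launchers presented by the wrong account) shows up in the audit view without any extra instrumentation.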


11. Examples and Demonstrations

In his live demonstration, Nicolás showcased several aspects of his security model:

  • Access via VPN: He logged in through a VPN and used the launcher to securely connect to the system.
  • Control Panel Interface: Once logged in, Nicolás showed how different users are granted access to specific areas of the system based on their credentials.
  • Granular Control: Using the custom security module, he demonstrated how different layers of access are assigned to users, creating a flexible yet secure system.

This step-by-step example helped reinforce the layered security model.


12. Conclusion: Security Shouldn’t Harm Usability

Nicolás wrapped up by stressing the importance of transparent security. Security measures should protect the data without hampering the user experience:

  • Invisible to Users: The ideal security setup allows users to work without feeling burdened by the layers of protection.
  • Implement Gradually: He recommended implementing security one layer at a time, ensuring a balance between protection and usability.

Ultimately, the goal is to create a system that is secure yet seamless for users.


Final Takeaway

Nicolás Franco’s layered security approach ensures that sensitive data in a FileMaker solution is not only protected from unauthorized access but also remains accessible in a controlled and efficient manner. By following the techniques outlined in this presentation, businesses can create robust security systems that safeguard their databases while maintaining a user-friendly interface.