CyberFM

FileMaker Workflow Security vs. Bad Guy Security

Dimitris Kokoutsidis · 5 years ago · 3 months ago · 24 mins

Richard Carlton, Jun 2, 2020, FileMaker Training Videos

Introduction to FileMaker Workflow Security

Overview of Workflow vs. Bad Guy Security

Workflow security involves creating a controlled environment where users follow established procedures to maintain data integrity. “Bad Guy” security, by contrast, is about safeguarding against intentional breaches and attacks. By focusing on workflow security, organizations ensure a streamlined process that doesn’t hinder operations while protecting against internal risks.

Why Workflow Security Matters in FileMaker

FileMaker apps often store sensitive data that requires protection beyond just password access. Proper workflow security helps businesses ensure that operations are consistently and securely followed, maintaining both efficiency and compliance.


Workflow Security Fundamentals

Understanding Workflow Security and Its Goals

Workflow security is designed to ensure that users follow specific steps when interacting with the system. This includes using designated fields, following process checklists, and adhering to system prompts. It is not just about locking down the data, but also guiding users through the application.

The Role of Human Behavior in Workflow Security

User habits and human error play a big role in workflow security. If security measures are too restrictive, users may circumvent them, potentially leading to data inconsistencies. Understanding user tendencies helps in designing a workflow that encourages compliance.

Why Security is More Than Just Passwords

Passwords protect access to the system, but they don’t ensure users will follow processes once inside. Workflow security addresses what happens after users have logged in, creating layers that guide them through secure and compliant behaviors.


Comparing Workflow Security and Bad Guy Security

Exploring the Difference Between Workflow Security and “Bad Guy” Security

While workflow security focuses on guiding users through specific actions, “Bad Guy” security aims to protect against attacks from individuals attempting to gain unauthorized access or steal data. Each type of security serves different purposes but is essential for a complete security strategy.

How Motivations Shape Security Approaches

In workflow security, motivations are usually about convenience and efficiency. In “Bad Guy” security, motivations are often financial or malicious. Understanding these motivations is key to developing effective security measures for each scenario.

Understanding Where Workflow Security Falls Short Against Malicious Attacks

While workflow security can prevent internal errors, it is not a substitute for “Bad Guy” security. Malicious attacks require robust access controls, encryption, and constant monitoring to prevent data breaches and unauthorized access.


Key Elements of Effective Workflow Security

Establishing Checkpoints and Approval Steps

Create specific points in the workflow where actions require review or approval before continuing. This might include sign-offs for data entry, confirmations for sensitive actions, or validations for compliance.

Restricting Access Levels Based on Roles

Not every user needs full access. Designate different roles with corresponding access levels to ensure that sensitive information and critical actions are limited to authorized personnel only.

Tracking User Actions and System Interactions

Monitoring who performs what actions and when can help identify potential issues and ensure accountability. Use activity logs to track key events and interactions within the system.


User Compliance and Workflow Integrity

Managing Team Dynamics and Security Training

Effective workflow security depends on user buy-in. Conduct regular training to ensure users understand the importance of following established processes and the risks of non-compliance.

Setting Clear Security Expectations for Users

Document and communicate security protocols to users, making it clear what is expected of them and the consequences of bypassing security measures.

Encouraging Compliance Without Stifling Productivity

Workflow security should not be so restrictive that it impedes productivity. Strive for a balance that promotes adherence to processes without unnecessary obstacles.


Implementing Workflow Security Through Script Triggers

Overview of Script Triggers: Pre vs. Post

Script triggers in FileMaker can be set to run before or after certain actions. Use pre-script triggers, which run before the action, to prevent unwanted actions from happening; use post-script triggers, which run after it, to validate completed actions.

Examples of Script Triggers for Workflow Security

Examples include restricting field edits based on the user’s role, limiting access to sensitive records, and controlling button actions based on workflow conditions.

Using Script Triggers for Record Locking and Access Control

Implementing script triggers allows for dynamic access control, such as locking records when they’re marked as “final” or preventing edits based on record status.
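
The locking approach described above, as an added example that is not taken from the original article or video: a pre trigger that blocks changes to records marked “Final”, next to the privilege-set rule that enforces the same lock outside the layout. The table Invoices, the field Invoices::Status, the privilege set "Manager", the script names and the variable $$FINALIZING are assumed names.

```filemaker
# Added example. Assumed names: table Invoices, field Invoices::Status,
# privilege set "Manager", global variable $$FINALIZING.

# --- Script "Finalize Invoice" (run from an approval button) ---
# The only sanctioned way to set Status to "Final".
Set Variable [ $$FINALIZING ; Value: True ]
Set Field [ Invoices::Status ; "Final" ]
Commit Records/Requests [ With dialog: Off ]
Set Variable [ $$FINALIZING ; Value: "" ]

# --- Script "Guard Final Records" (layout trigger: OnRecordCommit) ---
# OnRecordCommit runs before the commit; a False result cancels it.
If [ $$FINALIZING ]
    # Commit issued by "Finalize Invoice": let it through.
    Exit Script [ Text Result: True ]
End If
If [ Invoices::Status = "Final" and Get ( AccountPrivilegeSetName ) ≠ "Manager" ]
    Show Custom Dialog [ "Record locked" ; "Finalized invoices can only be changed by a manager." ]
    # Discard the pending edits so the record is not left open.
    Revert Record/Request [ With dialog: Off ]
    Exit Script [ Text Result: False ]
End If
Exit Script [ Text Result: True ]

# --- Privilege set: Records > Custom privileges > Edit > "limited..." ---
# The trigger above only fires on layouts that carry it. The same rule as a
# record-level access calculation applies on every layout for accounts in
# that privilege set:
#     Invoices::Status ≠ "Final"
```

The trigger gives users a clear message at the point of the mistake; the privilege-set calculation is what keeps the lock in place when a record is reached through a layout without the trigger.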


Leveraging Security Through Obscurity

What is Security Through Obscurity?

Security through obscurity involves hiding certain functionalities or data to prevent unauthorized access. While it is not a standalone security solution, it can complement other security measures.

Pros and Cons of Hiding vs. Removing Access

Hiding elements can deter casual users but does not stop determined attackers. Evaluate when it’s appropriate to hide versus when to enforce access restrictions.

Utilizing Flags, Hidden Fields, and Layout Control

Flags and hidden fields can control what users see and interact with, while layout objects can be configured to show or hide based on user roles or workflow conditions.


Advanced Security Techniques for Enhanced Protection

Incorporating Biometric Access Controls

Biometric controls such as fingerprint scanners add an extra layer of security, verifying user identity before granting access to sensitive areas.

Utilizing Two-Factor Authentication and External Integrations

Two-factor authentication adds another layer of protection by requiring users to confirm their identity through a secondary device, reducing the risk of unauthorized access.

Using Web Viewer Layers and Layered Objects

Incorporate layered web viewer objects to obscure critical elements when necessary. This technique can be especially useful in highly interactive layouts where visibility control is needed.


Real-World Examples of Workflow Security in FileMaker

Creating Multi-Step Approval Processes

Design workflows that require multiple levels of approval, ensuring no single user can bypass essential steps without oversight.

Limiting Record Edits and Field Visibility

Control record access by locking specific fields when conditions are met, ensuring data is not altered without appropriate authorization.

Implementing Object-Level Visibility Rules

Use FileMaker’s built-in visibility controls to show or hide objects based on the status of records or user permissions, reinforcing workflow security.


Identifying and Mitigating Security Threats

Analyzing Potential Threats to Workflow Integrity

Assess where your workflow could be vulnerable to unauthorized actions or non-compliance, and identify steps to mitigate these risks.

Using FileMaker’s Access Controls to Prevent Tampering

FileMaker’s access controls can be customized to restrict certain users from accessing or altering sensitive information.

Developing Policies for Handling Suspicious Activity

Implement policies that define how to respond to suspicious behavior, such as locking accounts, triggering alerts, or escalating issues to management.


Ensuring Comprehensive Protection with Advanced Security

Encryption at Rest: How and Why

Encryption at rest protects data stored within FileMaker files, safeguarding against data theft if the physical file is compromised.

Removing Full Access Privileges: When to Use This Feature

Removing full access privileges can protect your FileMaker file from being edited or accessed in unintended ways, adding another layer of security.

Implementing File Access Protections for Secure Integrations

File access protections allow you to control which files can connect and interact with your FileMaker solution, reducing risks from unauthorized file connections.


Creating a Security-First Culture Within Your Organization

Building Awareness and Training for All Users

Instill a security-first mindset by providing ongoing training on security best practices, and make security an integral part of your organization’s culture.

Routine Security Audits and Data Integrity Checks

Conduct routine audits to ensure that all security protocols are up-to-date and functioning correctly. Regular audits can help identify vulnerabilities before they become problems.

Developing an Incident Response Plan for Security Breaches

Prepare for potential security incidents by establishing an incident response plan that outlines steps to take during and after a breach.


Backup Strategies and Disaster Recovery Planning

Determining Backup Frequency and Storage Locations

Identify how often backups should be made and where they should be stored, including off-site and redundant locations for maximum protection.

Using Off-Site and Redundant Backups for Data Protection

Off-site and redundant backups can protect against data loss from physical threats like theft, fire, or natural disasters, ensuring business continuity.

Testing Recovery Scenarios and Data Restoration

Regularly test your backup restoration process to ensure data can be recovered swiftly and accurately if needed.


Best Practices for Maintaining FileMaker Security

Regularly Updating FileMaker Software and Security Protocols

Stay current with FileMaker updates and regularly review security protocols to keep your system protected against evolving threats.

Using Encryption and Access Logs to Monitor Data Security

Encryption, combined with access logging, provides a robust approach to monitoring who accessed what data and when, adding accountability.

Aligning Security with Compliance Regulations

Be mindful of regulations like GDPR that impact how personal data should be handled and secured, and ensure your FileMaker solution is compliant.


Check List

Phase / Task / Status

  1. Understanding Workflow Security
    • Identify the current workflow processes and security measures in place. ❏
    • Define the goals and objectives of workflow security. ❏
    • Assess how human behavior impacts security, including potential circumvention of security protocols. ❏
    • Identify key steps in workflows that need to be secured. ❏
    • Ensure that security measures are not too restrictive to avoid users bypassing them. ❏
  2. Workflow Security Fundamentals
    • Define role-based access control (RBAC) to restrict access based on job responsibilities. ❏
    • Create user roles and ensure access levels are limited to necessary data and actions. ❏
    • Establish checkpoints and approval steps in the workflow for critical actions (e.g., approvals, data entry). ❏
    • Implement logging of user actions to ensure accountability and track potential security incidents. ❏
    • Conduct regular training for users to ensure they understand workflow security protocols. ❏
    • Monitor compliance with workflow protocols through periodic reviews of user actions and system interactions. ❏
  3. Implementing Script Triggers for Security
    • Create pre-script triggers to prevent unauthorized actions before they occur. ❏
    • Implement post-script triggers to validate actions after they are performed (e.g., checking data integrity). ❏
    • Set up script triggers for record locking when certain conditions are met (e.g., record finalization). ❏
    • Use script triggers to control access based on record status or user roles. ❏
    • Document script trigger configurations for future audits or changes in the workflow. ❏
  4. Leveraging Security Through Obscurity
    • Identify sensitive data or functions that could benefit from obscurity (hiding instead of removing access). ❏
    • Use hidden fields, layout controls, and flags to obscure data from unauthorized users. ❏
    • Review pros and cons of hiding vs. removing access, and apply it where suitable. ❏
    • Ensure that obscured data is not accessible through unintended channels (e.g., external connections). ❏
  5. Advanced Security Techniques
    • Implement biometric access controls (e.g., fingerprint scanning) for critical areas. ❏
    • Introduce two-factor authentication (2FA) to verify user identity for high-risk actions. ❏
    • Use web viewer layers and layered objects to control the visibility of sensitive components. ❏
  6. Workflow Security in Practice
    • Design multi-step approval processes for key actions (e.g., data changes, approvals). ❏
    • Limit record edits and field visibility to prevent unauthorized modifications. ❏
    • Implement object-level visibility rules based on user roles or workflow status. ❏
    • Test workflow security measures in real-world scenarios to ensure compliance and efficiency. ❏
  7. Identifying and Mitigating Threats
    • Conduct a security threat analysis of the workflow and identify vulnerable points. ❏
    • Use FileMaker’s access control features to restrict tampering and unauthorized access. ❏
    • Establish a policy for responding to suspicious activity (e.g., account locking, alerting admins). ❏
  8. Advanced File Access Protections
    • Encrypt data at rest to protect sensitive information stored in FileMaker files. ❏
    • Remove full access privileges from the file when not needed to prevent unauthorized changes. ❏
    • Implement file access protections to prevent unauthorized integrations or file connections. ❏
  9. Building a Security-First Culture
    • Conduct regular security awareness training for all users to instill good security practices. ❏
    • Perform routine security audits to assess workflow security and identify potential vulnerabilities. ❏
    • Create an incident response plan for handling security breaches, including steps to mitigate data loss or exposure. ❏
  10. Backup Strategies and Disaster Recovery
    • Determine an appropriate backup frequency to ensure data is consistently protected. ❏
    • Store backups in multiple locations (on-site, off-site, and cloud-based options). ❏
    • Test data recovery scenarios regularly to confirm that backups can be restored quickly and accurately. ❏
  11. Maintaining FileMaker Security
    • Regularly update FileMaker software to stay current with the latest security features and fixes. ❏
    • Use encryption, access logs, and monitoring tools to track who is accessing sensitive data and when. ❏
    • Ensure compliance with regulations like GDPR or other relevant laws. ❏
