FileMaker Security Guide
Availability of data
Databases should only be available to users as necessary. This is a basic, but frequently overlooked,
consideration. Database designers and network administrators must consider not only hackers, but
also employees who have more access than is critical. Make it a design goal to provide access, both
to data and to specific features, only to those who really need it. Do not enable any sharing options,
like web publishing, unless it is necessary.
Potential threats to your data
You must protect your data and database design from both unintentional and intentional changes.
Someone might try to copy aspects of your design, look at the data entered by your users, damage
the system (perhaps using someone else’s user ID), enter false data, ruin your reports and layouts,
corrupt calculations, or break scripts.
The most common threats to your data include:
Unintentional threats from known parties and accidents. Authorized users can inadvertently
make mistakes, see data they shouldn’t see, delete or change records that they shouldn’t have
access to, and delete or damage files so that the system becomes unavailable.
Intentional threats from known parties. Consider hackers who will benefit from accessing data
that they shouldn’t see, who might falsify data, or intentionally try to damage the data.
Uninvited intruders or threats from anonymous parties. Mostly, these are Internet-based threats
from intruders with anonymous access who attempt to steal information, cause damage, or make
web systems unavailable.
It is important to note that small businesses and larger workgroups may face the same threats,
especially on the Internet. Employees in small businesses and home offices may assume they are
safe because they have a low profile, but this is no longer true. Hackers use automated tools to
detect and break into vulnerable systems. The value of the data will usually determine the time and
resources a hacker will invest in attempting to crack a system. Often the goal of the attack is just to
find a system that can be used to obscure the trail of an attack on another target.
Small businesses are generally easier to get access to than larger organizations because they often
lack good perimeter defenses (for example, firewalls maintained by experienced network
administration staff), and don’t have baseline security standards for their computer systems (for
example, not all computers are using the most secure operating system versions).
Outside intruders frequently want access to the data of a workgroup or small business. Occasionally
their goal is to disable the system, but it’s more common to attempt to gain access to sensitive
information, such as credit card numbers or identification information like passwords and birth
dates. Intruders are assumed to be located far away from the workgroup and likely to have little
direct knowledge of the system. They use automated scripts to locate systems that have well-known
weaknesses. Only a modest amount of security is needed to make them pick another target.