With all the recent ransomware events in the news, it's clear that we need to protect our servers and apps from eyes and ears that aren't our own. To that end, let's review some of the ways bad actors find ways to access our FileMaker data. We'll also highlight the FileMaker cyber security features that Claris provides to help us defend ourselves against attacks.
Before we get started, let's explain what ransomware is. A ransomware attack occurs when a hacker hijacks a data source and then requires payment before they'll release it. In the age of cryptocurrency, this type of cyber threat is easily facilitated because of the exchange's inherent anonymity and virtual impregnability. Unfortunately, the Colonial Pipeline outcome is an exception, not the rule. Therefore, it's improbable that there will be little to no financial consequence in a ransomware attack.
To that end, we, as keepers of personal and sensitive data, need to do our best to protect it. There are some very sophisticated techniques out there to secure our databases. Claris recognizes this and offers several defense features for non-technical and highly technical users alike.
Claris gives us a default Secure Sockets Layer (SSL) certificate when installing an on-premise version of FileMaker Server. SSL is an Internet security protocol that creates a safe connection between a web server and a web browser. But please don't use it for anything other than initial testing. This default certificate is the same one that has been installed on every FileMaker Server since 2012. So it's widely available to anyone who has installed FileMaker in the last decade. Unfortunately, several FileMaker technologies, like the Admin API and the Data API, don't work with Claris's default certificate installed.
There are two powerful reasons to get a custom SSL certificate: encryption-on-the-fly and server spoofing. Encryption on the fly allows the data between the client and the server to be encrypted by the SSL certificate so that some bad actor who is listening in on network traffic can't poach it. Another important thing an SSL certificate does is make sure that the server's full name is used, thereby ensuring that someone isn't tricking our users into logging into a fake, password-stealing website instead of our server. This anti-spoofing superpower comes from the fact that the SSL certificate is bound to a domain and/or a fully qualified domain name (FQDN), not an Internet Protocol (IP) address. We control all of our FQDN's and the IPs they point to from our domain name system (DNS) server, which offers another level of security. So get a custom SSL certificate from a provider of choice, install it, and make the required DNS entries to ensure users can access the server using the FQDN. FileMaker Server 19.3 has made this process much more manageable by giving us the ability to create a certificate signing request (CSR) right in the Server Admin Console.
Just as we safeguard the data that flies through the network, we need to protect the data that sits on our hard drives or our thumb drives from unapproved eyeballs. We refer to this type of protection as at-rest encryption, and it is critical when we move our apps to the cloud. Claris requires it when we share our files on their services. We can easily encrypt our apps using FileMaker's Developer Utilities, a menu option that becomes available when we select advanced Tools from the application's Preferences.
Once you've selected a file from the computer, via the "Add..." button and renamed it, you can specify "Solution Options" to add the encryption password. Remember to encrypt a file you need to authenticate first with a Full Access account.
After you've configured the options, you can hit the "OK" button on both dialog boxes to start the encryption process. Please put this password in a safe place because no one can help you if you lose it, not even Claris. When the encryption process is complete, you'll have two files, an open file and an encrypted one. After you upload the file, there's an option for the server to remember your encryption password, so you don't have to enter it every time you open the file.
One of the most important things we can do to ensure a secure experience with FileMaker is to use strong passwords. We should use unique passwords among our different accounts and change our passwords regularly. Hacked, stolen, or guessed passwords are the primary way the bad guys get into our stuff. Our passwords are the first lines of defense, so that's why it's so important that we're deliberate about how we manage them. FileMaker helps with this process by offering us feedback when we set up our accounts. FileMaker will calculate the strength of our passwords as weak, moderate, or strong, and we should all strive for a strong rating.
We can also enforce specific password lengths and require users to change their passwords regularly. We can find those settings within the "Edit Privilege Set" dialog found in the "Advanced" section of Manage Security in FileMaker.
Doing all three of these things will help ensure our data stays ours and doesn't fall into the hands of others. Please consider taking the time to make sure you're using SSL certificates, encrypting your apps, and applying best practices for password generation and maintenance, which will save you time and heartache in the future!
Be sure to check out our articles about FileMaker security best practices and FileMaker backup principles as well. And join our mailing list to keep up with the new features and latest information about FileMaker and other custom application development platforms.
This article is also published on FileMakerProGurus.com.