Security considerations have always been a priority when building a Custom App, but now that we are in the 'cloud age' it is even more critical to get it right from the outset and to audit periodically. Recent events in the UK, such as the NHS ransomware attack, only bring this into sharper focus.
FileMaker 16 builds on the already strong set of security features in FileMaker 15 with a number of important enhancements:
- HTTP Strict Transport Security (HSTS). This optional FileMaker Server setting requires that web-client connections use TLS (SSL) encryption. SSL for database connections has long been part of FileMaker Server; the new setting tells web clients (e.g. WebDirect users) to reach your FileMaker data only over HTTPS. Once a browser has completed an HTTPS connection and received the HSTS header, it refuses to downgrade to plain HTTP for that host until the policy expires. Two caveats worth knowing: the very first connection is protected only if the user types https:// (the policy is learned from an HTTPS response, and a header received over plain HTTP is ignored), and the server must present a certificate the browser trusts, because browsers do not let users click through certificate errors on a host they know as HSTS. This option is recommended as a simple belt-and-braces measure.
- OAuth 2.0 account support lets you authenticate users against an external identity provider from within the FileMaker platform. Amazon, Google and Microsoft Azure AD are supported, and the providers are configured and enabled in FileMaker Server; if all three are enabled you will see all three icons on the FileMaker Pro login dialog. Each externally authenticated account must still be added to the file in Manage Security and assigned a privilege set, so the provider proves who the user is while the file decides what they may do. Single sign-on is a popular modern feature that FileMaker has adopted for your convenience.
- Clickable security lock icons. FileMaker Pro has long indicated the security of your connection to FileMaker Server with a range of padlock icons. A single click on the padlock now gives more detail about the connection: certificate details and validity for a secure connection, or suggestions for fixing an insecure one.
- Field-level text encryption is an extra layer of protection for your data. It complements the existing access restrictions in the Manage Security dialog, where you limit access to tables, layouts and fields by privilege set. The new encryption functions (CryptEncrypt and CryptDecrypt, plus their Base64 variants) can be built into a solution's logic to encrypt text or container fields that hold sensitive data. You can then either a) decrypt the field for a user who enters the correct password or key, or b) decrypt and display it only under conditions you define (e.g. for specific users or privilege sets). Bear in mind that encrypted data is only as safe as its key: a key hard-coded in a calculation or script is readable by anyone whose privilege set can open that calculation or script, and once the plaintext is shown on a layout it is protected only by the normal privilege-set rules.
- Three new extended privileges lock down external interactions with your FileMaker data, by privilege set. ‘fmrest’ determines whether members of a privilege set can access the file from a web service through the new FileMaker Data API available with FileMaker Server. ‘fmurlscript’ determines whether they can run FileMaker scripts from URLs using the FMP URL protocol. ‘fmextscriptaccess’ determines whether they can control your FileMaker app from external applications via Apple events and ActiveX. If a user's privilege set lacks the privilege for an action they attempt, they see the standard FileMaker error ‘Your access privileges do not allow you to perform this operation’. These privileges are set per privilege set in each file, so a security review should check every privilege set in every hosted file, not just the ones you expect to use these features.
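To make the HSTS behaviour described above concrete, here is an added Python example (not code from the original page or from FileMaker) that simulates a browser's HSTS store as RFC 6797 describes it: a policy is learned only from an HTTPS response, a header on plain HTTP is ignored, the first visit is not upgraded, includeSubDomains covers child hosts, and max-age=0 or expiry clears the policy. The host name fms.example.com and the timestamps are constructed for the example.

```python
"""Simulated browser HSTS store, after RFC 6797. Added example: shows what the
FileMaker Server HSTS option makes a WebDirect user's browser do once it has
seen one HTTPS response. Host names and timestamps are constructed."""
from dataclasses import dataclass

HSTS_HOST = "fms.example.com"          # hypothetical FileMaker Server host
ONE_YEAR = 31_536_000                  # a commonly sent max-age, in seconds


@dataclass
class HstsEntry:
    expires: int          # absolute time (seconds) after which the policy lapses
    include_subdomains: bool


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    Returns None when the header is invalid: the RFC requires exactly one
    max-age directive with a non-negative integer value. Unknown directives
    are ignored, as a browser would ignore them."""
    max_age = None
    include_sub = False
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            if max_age is not None:
                return None                     # duplicate max-age -> invalid
            value = value.strip().strip('"')
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


class HstsStore:
    """The per-browser table of known HSTS hosts."""

    def __init__(self):
        self.entries = {}

    def observe_response(self, host, over_tls, header_value, now):
        """Record a policy. A browser honours the header only on an HTTPS
        response with a trusted certificate; over plain HTTP it is ignored."""
        if not over_tls:
            return False
        parsed = parse_hsts(header_value)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = host.lower()
        if max_age == 0:
            self.entries.pop(host, None)        # max-age=0 deletes the policy
        else:
            self.entries[host] = HstsEntry(now + max_age, include_sub)
        return True

    def must_use_https(self, host, now):
        """Would the browser rewrite http://host/ to https:// right now?"""
        labels = host.lower().split(".")
        for depth in range(len(labels)):
            candidate = ".".join(labels[depth:])
            entry = self.entries.get(candidate)
            if entry is None:
                continue
            if entry.expires <= now:
                del self.entries[candidate]     # expired policies are dropped
                continue
            if depth == 0 or entry.include_subdomains:
                return True
        return False


def walkthrough(now=1_700_000_000):
    """First visit through expiry; returns the upgrade decision at each step."""
    store = HstsStore()
    steps = {}
    # Nothing learned yet: a typed or bookmarked http:// URL goes out in clear.
    steps["first_visit_upgraded"] = store.must_use_https(HSTS_HOST, now)
    # An HSTS header on a plain-HTTP response must be ignored (it could be injected).
    store.observe_response(HSTS_HOST, False, f"max-age={ONE_YEAR}", now)
    steps["after_http_header"] = store.must_use_https(HSTS_HOST, now)
    # The first genuine HTTPS response pins the policy.
    store.observe_response(HSTS_HOST, True, f"max-age={ONE_YEAR}; includeSubDomains", now)
    steps["after_https_header"] = store.must_use_https(HSTS_HOST, now)
    steps["subdomain_covered"] = store.must_use_https("api." + HSTS_HOST, now)
    steps["sibling_not_covered"] = store.must_use_https("other.example.com", now)
    # Once max-age has elapsed without a refresh, the browser forgets the host.
    steps["after_expiry"] = store.must_use_https(HSTS_HOST, now + ONE_YEAR + 1)
    return steps


if __name__ == "__main__":
    for step, upgraded in walkthrough().items():
        print(f"{step:22s} -> {'https enforced' if upgraded else 'plain http allowed'}")
```

The first step is the one to remember when you switch the option on: until a user has made one HTTPS connection, a plain http:// link to your WebDirect server is still sent in clear, so publish https:// links and consider the browsers' HSTS preload list if the first visit matters to you.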
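As an added illustration of the two field-level encryption patterns a) and b) above (this is stand-alone Python written for this page, not FileMaker's own CryptEncrypt/CryptDecrypt and not code from the original post), the block below derives a key from a user-entered passphrase with PBKDF2, authenticates the ciphertext so a wrong passphrase or a tampered value fails closed instead of yielding garbage, and gates decryption on privilege set before it is even attempted. Because Python's standard library has no block cipher, HMAC-SHA256 in counter mode stands in for AES here; in a real application use a vetted AEAD such as AES-GCM, or FileMaker's built-in functions. The privilege set names and the dummy National Insurance number are constructed.

```python
"""Field-level encryption with two release conditions, as a stand-alone Python
illustration (not FileMaker's CryptEncrypt/CryptDecrypt). Key derivation is
PBKDF2-HMAC-SHA256 from a user-entered passphrase; the cipher is HMAC-SHA256 in
counter mode with an encrypt-then-MAC tag, used only because the standard
library ships no block cipher. In production use a vetted AEAD (e.g. AES-GCM).
Privilege set names and the sample value are constructed."""
import base64
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000
SALT_LEN = NONCE_LEN = 16
TAG_LEN = 32
MASK = "********"

# Condition b): only these (hypothetical) privilege sets may attempt decryption.
DECRYPT_PRIVILEGE_SETS = {"[Full Access]", "HR Manager"}


def _derive_keys(passphrase, salt):
    """One PBKDF2 run yields independent encryption and MAC keys."""
    material = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                                   PBKDF2_ITERATIONS, dklen=64)
    return material[:32], material[32:]


def _keystream_xor(key, nonce, data):
    """Counter-mode keystream from HMAC-SHA256(key, nonce || counter), XORed in."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_field(plaintext, passphrase):
    """Return a Base64 token salt || nonce || ciphertext || tag for a text field.
    Fresh salt and nonce mean equal plaintexts never produce equal tokens."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = _derive_keys(passphrase, salt)
    ciphertext = _keystream_xor(enc_key, nonce, plaintext.encode("utf-8"))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return base64.b64encode(salt + nonce + ciphertext + tag).decode("ascii")


def decrypt_field(token, passphrase):
    """Condition a): the caller supplies the passphrase. A wrong passphrase or a
    modified token fails the tag check and raises, instead of returning garbage."""
    raw = base64.b64decode(token)
    if len(raw) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("token too short")
    salt = raw[:SALT_LEN]
    nonce = raw[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext, tag = raw[SALT_LEN + NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    enc_key, mac_key = _derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):       # constant-time comparison
        raise ValueError("wrong passphrase or tampered data")
    return _keystream_xor(enc_key, nonce, ciphertext).decode("utf-8")


def view_sensitive_field(token, privilege_set, passphrase):
    """Combine b) then a): gate on privilege set first, then require the right
    passphrase. Returns (display_value, was_decrypted) so a layout can show a
    mask and a script can log the failed attempt without saying why it failed."""
    if privilege_set not in DECRYPT_PRIVILEGE_SETS:
        return MASK, False
    try:
        return decrypt_field(token, passphrase), True
    except ValueError:
        return MASK, False


if __name__ == "__main__":
    secret = "correct horse battery staple"
    token = encrypt_field("QQ 12 34 56 C", secret)      # dummy NI number
    print("stored:", token)
    print("HR Manager, right passphrase:", view_sensitive_field(token, "HR Manager", secret))
    print("HR Manager, wrong passphrase:", view_sensitive_field(token, "HR Manager", "letmein"))
    print("Sales, right passphrase:     ", view_sensitive_field(token, "Sales", secret))
```

The point to carry over to a FileMaker solution is the shape, not the cipher: the key comes from something the user supplies or from a store with its own privilege restrictions, it is never written into the field or hard-coded in a calculation, and a failed decryption shows a mask rather than an error that reveals whether the value existed.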
Even with the additional security enhancements in FileMaker 16, locking down a Custom App can be an intimidating process if you are new to the platform, so if you are not sure where to start you can always contact our consulting team for a security audit.