Data breaches and cyber threats are becoming increasingly sophisticated, the security of your database systems is more critical than ever. Claris FileMaker 2024 introduces a comprehensive suite of new security features and enhancements designed to help developers, administrators, and organizations protect their data effectively. This in-depth guide explores these advancements, providing detailed insights and step-by-step instructions to leverage them for building a more secure and reliable FileMaker environment.
Table of Contents
- Introduction
- Understanding the Security Landscape
- Support for Let’s Encrypt SSL Certificates
- Enhanced Administrative Roles in FileMaker Server
- Best Practices for Securing Your FileMaker Server
- Security Enhancements in FileMaker Cloud
- Recommendations for Developers and Hosting Providers
- Key Takeaways
- Additional Resources
Introduction
As technology evolves, so do the threats that target digital infrastructures. Claris FileMaker 2024 addresses these challenges head-on by introducing robust security features tailored for developers and administrators. This guide aims to provide you with a comprehensive understanding of these features, empowering you to:
- Secure your FileMaker Server and applications effectively.
- Comply with industry standards and organizational policies.
- Enhance operational efficiency without compromising security.
Whether you’re a seasoned developer, a system administrator, or a business owner relying on FileMaker solutions, this guide is designed to help you navigate the new security landscape introduced in FileMaker 2024.
Understanding the Security Landscape
Before diving into specific features, it’s essential to understand the broader security context:
- Data Breaches: High-profile data breaches highlight the importance of securing data both at rest and in transit.
- Regulatory Compliance: Laws like GDPR, HIPAA, and CCPA mandate stringent data protection measures.
- Organizational Policies: Companies often have internal policies requiring specific security protocols and certifications.
- Client Expectations: Clients and users expect their data to be handled securely, impacting trust and reputation.
Claris FileMaker 2024’s security enhancements are designed to address these areas, providing tools to meet and exceed security expectations.
Support for Let’s Encrypt SSL Certificates
What is Let’s Encrypt?
Let’s Encrypt is a free, automated, and open certificate authority (CA) run by the Internet Security Research Group (ISRG). It provides X.509 certificates for Transport Layer Security (TLS) encryption at no charge.
Key Features of Let’s Encrypt:
- Free of Charge: Eliminates the cost barrier for SSL certificates.
- Automated Process: Simplifies obtaining and renewing certificates.
- Community-Driven: Supported by major organizations and a large community.
- Security Focused: Encourages widespread adoption of HTTPS.
Benefits of Let’s Encrypt Integration
By integrating Let’s Encrypt support, FileMaker Server 2024 offers several advantages:
- Accessibility: Lowers the threshold for implementing SSL encryption.
- Ease of Use: Streamlines the setup process with provided scripts.
- Compliance: Helps meet security standards that require encrypted connections.
- Cost Savings: Reduces expenses associated with purchasing certificates.
Setting Up Let’s Encrypt on FileMaker Server
Prerequisites:
- Server Requirements:
- Operating System: macOS or Ubuntu Linux (Windows support forthcoming).
- Publicly Accessible Domain: A fully qualified domain name (FQDN) pointing to your server’s IP address.
- Network Configuration: Port 80 (HTTP) must be open for the domain validation process.
- Administrative Access: Ability to run commands with administrative privileges on the server.
Detailed Installation Steps:
- Update Your System:
- Ensure your server’s operating system is up to date with the latest patches.
- Install Certbot:
- On Ubuntu Linux:
sudo apt-get update sudo apt-get install certbot
- On macOS (using Homebrew):
brew install certbot
- On Ubuntu Linux:
- Obtain the SSL Certificate:
- Run the following command to obtain the certificate:
sudo certbot certonly --standalone -d yourdomain.com
- Certbot will prompt you for an email address for urgent renewal and security notices.
- Agree to the Terms of Service.
- Certbot will perform the domain validation and generate the certificate files.
- Run the following command to obtain the certificate:
- Locate the Certificate Files:
- The certificates are typically stored in
/etc/letsencrypt/live/yourdomain.com/
. - Key files include:
privkey.pem
: Private key.fullchain.pem
: Full certificate chain.
- The certificates are typically stored in
- Import the Certificate into FileMaker Server:
- Stop the FileMaker Server service to prevent conflicts:
fmsadmin stop server
- Import the certificate using the FileMaker command-line interface:
fmsadmin certificate import /etc/letsencrypt/live/yourdomain.com/fullchain.pem --keyfile /etc/letsencrypt/live/yourdomain.com/privkey.pem --keypass ""
- If prompted, provide the admin console username and password.
- Stop the FileMaker Server service to prevent conflicts:
- Restart FileMaker Server:
- Start the FileMaker Server service:
fmsadmin start server
- Verify that the SSL certificate is correctly installed by accessing the admin console or connecting with a FileMaker client.
- Start the FileMaker Server service:
Important Notes:
- Backup Existing Certificates: Before making changes, backup any existing SSL certificates.
- Security of Private Keys: Ensure that the private key files are secured and have appropriate permissions.
- Testing: Use SSL testing tools (e.g., Qualys SSL Labs) to verify the certificate installation and server configuration.
Automating SSL Certificate Renewal
Let’s Encrypt certificates have a validity period of 90 days, with a recommended renewal interval of 60 days. Automating this process ensures continuous security without manual intervention.
Steps to Automate Renewal:
- Create a Renewal Script:
- Script Content (
renew_cert.sh
):#!/bin/bash sudo certbot renew --quiet fmsadmin stop server fmsadmin certificate import /etc/letsencrypt/live/yourdomain.com/fullchain.pem --keyfile /etc/letsencrypt/live/yourdomain.com/privkey.pem --keypass "" fmsadmin start server
- Explanation:
certbot renew --quiet
: Renews the certificate if it’s due for renewal.- Restarts the FileMaker Server to apply the new certificate.
- Script Content (
- Set Script Permissions:
- Make the script executable:
chmod +x /path/to/renew_cert.sh
- Make the script executable:
- Schedule the Script:
- Using Cron (Unix/Linux systems):
- Edit the crontab:
sudo crontab -e
- Add the following entry to run the script every month:
0 2 1 * * /path/to/renew_cert.sh
- This runs the script at 2 AM on the first day of every month.
- Edit the crontab:
- Adjust Frequency:
- Ensure the renewal runs at least every 60 days.
- Using Cron (Unix/Linux systems):
- Testing the Renewal Process:
- Manually run the script to confirm it works:
sudo /path/to/renew_cert.sh
- Check for any errors and verify that the certificate has been renewed.
- Manually run the script to confirm it works:
Considerations and Limitations
Domain Validation Methods:
- HTTP Challenge: Requires port 80 to be open and accessible from the internet.
- DNS Challenge: Suitable for servers not publicly accessible. Involves adding DNS TXT records.
Using DNS Challenge:
- Steps:
- Use Certbot with the DNS plugin for your DNS provider.
- Alternatively, use manual mode to add DNS records:
sudo certbot certonly --manual --preferred-challenges dns -d yourdomain.com
- Follow prompts to add the required TXT records.
Organizational Policies:
- Certificate Requirements: Some organizations may mandate the use of certificates from specific authorities or require extended validation (EV) certificates.
- Validation Levels: Let’s Encrypt provides domain-validated (DV) certificates. If organizational policies require organization validation (OV) or EV certificates, you will need to obtain them from commercial CAs.
Server Restarts and Downtime:
- Service Disruption: Restarting the FileMaker Server service will disconnect clients. Schedule renewals during maintenance windows.
- Automated Notifications: Inform users of scheduled maintenance to minimize impact.
Troubleshooting Common Issues
Common Problems and Solutions:
- Permission Denied Errors:
- Ensure scripts are run with sufficient privileges (use
sudo
where necessary). - Check file permissions on certificate files.
- Ensure scripts are run with sufficient privileges (use
- Port 80 Unavailable:
- Verify that no other service is using port 80.
- Temporarily stop services like Apache or Nginx if needed during the validation process.
- Certificate Not Applied:
- Confirm that the correct certificate paths are used in the import command.
- Check the FileMaker Server logs for errors.
- Domain Validation Fails:
- Ensure the domain points to the correct IP address.
- Check DNS propagation if recent changes were made.
Enhanced Administrative Roles in FileMaker Server
The Importance of Granular Administrative Control
In multi-user and multi-department environments, it’s essential to delegate administrative tasks without compromising the entire server’s security. Granular administrative control allows:
- Separation of Duties: Different administrators can manage their respective areas without accessing others.
- Minimized Risk: Reduces the potential impact of accidental or malicious actions.
- Operational Efficiency: Departments can manage their own resources, leading to faster response times and tailored configurations.
Features of the New Admin Roles
- Role-Based Access Control (RBAC): Assign permissions based on roles rather than individual users.
- Customizable Permissions: Define specific actions that a role can perform (e.g., manage databases, create backups, run scripts).
- Group Integration: Leverage external groups (e.g., Active Directory groups) for user management.
- Isolated Views: Users see only the databases and schedules relevant to their role.
Step-by-Step Guide to Setting Up Admin Roles
Prerequisites:
- Administrative Access: Full access to FileMaker Server Admin Console.
- User Accounts and Groups: Ability to create local users and groups on the server machine or integrate with Active Directory.
Configuration Steps:
- Access Administrator Roles in Admin Console:
- Log in to the FileMaker Server Admin Console.
- Navigate to Configuration > Administrator Roles.
- Create a New Role:
- Click on ‘Create Role’.
- Role Name: Enter a descriptive name (e.g., ‘Neurology Department Admin’).
- Description: Optionally add details about the role’s purpose.
- Define Permissions:
- General Permissions:
- Manage Databases: Allow uploading, downloading, opening, and closing databases.
- Manage Schedules: Enable creation and management of backup schedules.
- Run Scripts: Permit running server-side scripts.
- Specific Permissions:
- Databases: Assign specific databases or folders the role can access.
- Schedules: Limit schedule visibility and management to assigned schedules.
- General Permissions:
- Assign External Groups (Optional):
- Using Local Groups (Windows Server):
- Open Computer Management > Local Users and Groups.
- Create a new group (e.g., ‘NeurologyAdmins’).
- Add user accounts to the group.
- Using Active Directory:
- Ensure the server is connected to the domain.
- Use domain groups for role assignment.
- In Admin Console, specify the group name in the ‘External Group’ field.
- Using Local Groups (Windows Server):
- Save the Role Configuration:
- Review the settings.
- Click ‘Save’ to create the role.
- Test the Role:
- Log in to the Admin Console using a user account assigned to the role.
- Verify that only the assigned databases and schedules are visible.
- Attempt actions to ensure permissions are correctly enforced.
Best Practices for Role Assignment
- Principle of Least Privilege: Grant the minimum permissions necessary for the role’s responsibilities.
- Regular Audits: Periodically review roles and group memberships to ensure they are up to date.
- Use Groups Over Individual Accounts: Simplifies management when adding or removing users.
- Document Roles and Permissions: Maintain clear documentation for accountability and onboarding.
Case Study: Implementing Admin Roles in a Hospital Environment
Scenario:
A hospital uses FileMaker Server to manage databases for different departments: Neurology and Maternity. Each department needs control over its databases without accessing others.
Implementation Steps:
- Create Departmental Roles:
- Neurology Admin Role:
- Permissions: Manage Neurology databases, create backups, run scripts.
- Databases: Assigned only to the ‘Neurology’ database folder.
- Maternity Admin Role:
- Similar setup for the Maternity department.
- Neurology Admin Role:
- Set Up External Groups:
- Windows Local Groups:
- Created ‘NeurologyAdmins’ and ‘MaternityAdmins’ groups.
- Added department staff to respective groups.
- Windows Local Groups:
- Assign Groups to Roles:
- In the Admin Console, assigned ‘NeurologyAdmins’ to the Neurology Admin Role.
- Testing and Training:
- Department staff logged in to verify access.
- Provided training on using the Admin Console for their permitted tasks.
Benefits Realized:
- Security: Departments could not access or interfere with each other’s data.
- Efficiency: Departments managed their backups and scripts without IT intervention.
- Accountability: Actions could be traced to individual users within departments.
Best Practices for Securing Your FileMaker Server
Securing your FileMaker Server involves a multi-layered approach, addressing physical security, network security, data encryption, authentication, and backup strategies.
Dedicated Server Deployment
- Isolation: Run FileMaker Server on a dedicated machine to prevent conflicts with other services.
- Resource Allocation: Ensures optimal performance by allocating all resources to FileMaker Server.
- Physical Security: Place servers in secure, access-controlled environments (e.g., locked server rooms or data centers).
SSL Certificate Management
- Mandatory SSL Usage: Always encrypt data in transit using SSL/TLS.
- Certificate Selection:
- Let’s Encrypt: Suitable for many use cases; free and automated.
- Commercial Certificates: Consider if organizational policies require OV or EV certificates.
- Renewal Management: Implement automated processes to renew certificates before expiration.
- Certificate Validation: Regularly verify that certificates are valid and properly installed.
Firewall Configuration and Network Security
- Restrict Open Ports:
- Only open necessary ports (e.g., 5003 for FileMaker clients, 16000 for Admin Console).
- Close or restrict access to ports like RDP (3389) and SSH (22).
- Use VPNs and SSH Tunnels:
- For administrative access, require VPN connections or SSH tunnels.
- IP Whitelisting:
- Limit access to known IP addresses or ranges when possible.
- Intrusion Detection and Prevention Systems (IDPS):
- Implement IDPS to monitor and block suspicious activities.
Regular Updates and Patches
- Operating System Updates:
- Schedule regular updates to apply security patches.
- Test updates in a staging environment when possible.
- FileMaker Server Updates:
- Stay current with the latest version to benefit from security enhancements.
- Subscribe to Claris notifications for update releases.
Strong Password Policies and Authentication
- Password Complexity:
- Enforce minimum length, use of uppercase, lowercase, numbers, and special characters.
- Password Expiration:
- Require passwords to be changed regularly (e.g., every 90 days).
- Account Lockout Policies:
- Lock accounts after a defined number of failed login attempts.
- External Authentication:
- Integrate with Active Directory or OAuth providers for centralized management.
- Two-Factor Authentication (2FA):
- Implement 2FA for administrative accounts where possible.
Implementing Encryption at Rest
- Enable Encryption at Rest:
- Use FileMaker’s built-in Encryption at Rest feature for databases.
- Encryption Keys Management:
- Store encryption passwords securely.
- Use password management tools or key management systems.
- Policy Compliance:
- Ensure encryption meets organizational or regulatory requirements.
Backup Strategies and Data Recovery
- Regular Backups:
- Full Backups: Schedule during off-peak hours.
- Incremental Backups: Use Progressive Backups for high-frequency changes.
- Backup Retention Policies:
- Define how long backups are kept (e.g., daily backups for 7 days, weekly backups for 4 weeks).
- Offsite and Off-Server Backups:
- Store backups in different physical locations or cloud storage.
- Testing Backups:
- Regularly restore backups to test data integrity and recovery procedures.
- Automated Backup Management:
- Utilize FileMaker Server’s enhanced scheduling features for automation.
- Backup Security:
- Encrypt backup files, especially when stored offsite or in the cloud.
- Secure backup storage locations with access controls.
Addressing Performance Impact During Backups:
- Optimize Backup Times:
- Schedule backups during low-usage periods.
- Selective Backups:
- Backup only critical databases more frequently.
- Hardware Considerations:
- Use fast storage solutions (e.g., SSDs) to reduce backup duration.
- Monitor Performance:
- Use monitoring tools to assess the impact of backups on server performance.
Security Enhancements in FileMaker Cloud
Overview of FileMaker Cloud Security
FileMaker Cloud leverages the infrastructure of Amazon Web Services (AWS), providing a secure and scalable environment. Key security features include:
- Encryption:
- Data at Rest: Encrypted using AES-256.
- Data in Transit: Encrypted using TLS 1.3.
- Infrastructure Security:
- Physical Security: AWS data centers with strict access controls.
- Network Security: Firewalls, intrusion detection, and DDoS protection.
Compliance Certifications and What They Mean
SOC 2 Type II Report:
- Scope: Security, Confidentiality, and Availability Trust Services Criteria.
- Significance: Demonstrates that FileMaker Cloud has effective controls in place to protect customer data.
- Usage: Can be provided to customers to satisfy their compliance requirements.
ISO Certifications:
- ISO 27001: Specifies requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS).
- ISO 27018: Focuses on protecting personally identifiable information (PII) in the cloud.
Obtaining Reports:
- Requesting Documentation:
- Email compliance@claris.com to request the SOC 2 Type II report.
- Usage:
- Use these reports to demonstrate compliance to stakeholders or auditors.
Backup and Auto-Maintenance Features
Enhanced Backup Capabilities:
- Direct Backup Downloads:
- Allows downloading backups without restoring them first.
- Facilitates local access and archival.
- Customizable Backup Retention:
- Deleted Database Retention:
- Default: 7 days.
- Configurable: 1 to 15 days.
- Purpose: Provides a grace period to recover accidentally deleted databases.
- Backup Retention Policy:
- Default: 30 days.
- Configurable: 1 to 30 days.
- Purpose: Manage storage utilization and compliance with data retention policies.
- Deleted Database Retention:
- On-Demand Backups:
- Manually trigger backups when needed.
- Cooldown period of 10 minutes between on-demand backups.
- Backup Message Center:
- Real-time updates on backup and restoration tasks.
- Useful for monitoring progress, especially with large files.
Auto-Maintenance Improvements:
- Weekly Auto-Maintenance:
- Ensures critical updates are applied even if clients are connected.
- Disconnects clients during the maintenance window.
- Configurable time window to minimize business disruption.
- Daily Auto-Maintenance:
- Runs within a specified 1-hour window.
- May skip if clients are connected, highlighting the importance of weekly maintenance.
- Enabling Auto-Maintenance:
- Access settings in the FileMaker Cloud Admin Console.
- Toggle the feature on and set preferred maintenance windows.
Performance and Reliability Improvements
- Scalability:
- Automatic scaling to handle increased workloads.
- High Availability:
- Redundant systems and failover mechanisms.
- Monitoring and Alerts:
- Built-in monitoring tools to track performance and receive alerts.
Migrating to FileMaker Cloud: Considerations and Steps
Benefits of Moving to FileMaker Cloud:
- Managed Infrastructure: Offloads server management tasks.
- Security: Benefits from AWS’s robust security measures.
- Accessibility: Provides access to databases from anywhere with internet connectivity.
- Compliance: Helps meet regulatory requirements with built-in certifications.
Migration Steps:
- Assessment:
- Evaluate current server setup and compatibility.
- Identify databases and solutions to migrate.
- Preparation:
- Ensure databases are optimized and free of errors.
- Implement Encryption at Rest if required.
- Account Setup:
- Create a Claris ID and set up a FileMaker Cloud subscription.
- Uploading Databases:
- Use the FileMaker Cloud Admin Console to upload databases.
- Apply necessary configurations and permissions.
- Testing:
- Verify that databases function correctly in the cloud environment.
- Test performance and connectivity from client devices.
- User Access:
- Configure user accounts and access permissions.
- Communicate changes to end-users.
- Decommissioning On-Premises Server:
- Once satisfied with the cloud deployment, plan the decommissioning of the on-premises server.
Considerations:
- Cost Analysis:
- Compare costs of on-premises vs. cloud hosting.
- Bandwidth Requirements:
- Ensure sufficient internet bandwidth for cloud access.
- Data Sovereignty:
- Consider where data is stored and compliance with local regulations.
Recommendations for Developers and Hosting Providers
Educating Clients on Security Best Practices
- Awareness Training:
- Provide clients with information on the importance of security measures.
- Policy Development:
- Assist in creating security policies for password management, data handling, and access controls.
- Regular Updates:
- Keep clients informed about new security features and updates.
Leveraging Cloud Services vs. On-Premises Servers
- Cloud Advantages:
- Reduced infrastructure management.
- Scalability and flexibility.
- Enhanced security measures.
- On-Premises Advantages:
- Greater control over hardware and configurations.
- Potentially better performance for local networks.
- Hybrid Approaches:
- Use a combination of cloud and on-premises solutions to meet specific needs.
Monitoring and Incident Response Planning
- Implement Monitoring Tools:
- Use third-party tools or built-in features to monitor server performance and security.
- Establish Incident Response Plans:
- Define procedures for responding to security incidents or data breaches.
- Regular Audits and Assessments:
- Conduct security audits to identify vulnerabilities.
- Backup and Recovery Drills:
- Perform regular drills to ensure backup and recovery processes are effective.
Key Takeaways
The security enhancements in Claris FileMaker 2024 represent significant strides toward providing a robust, secure platform for database applications. By embracing these features and following best practices, developers and administrators can:
- Protect Sensitive Data: Ensure confidentiality, integrity, and availability of data.
- Comply with Regulations: Meet legal and organizational requirements for data protection.
- Enhance Trust and Reputation: Build confidence among clients and users through demonstrated security commitment.
- Improve Operational Efficiency: Utilize new tools and features to streamline administrative tasks.
Security is not a one-time effort but an ongoing process. Staying informed, proactive, and diligent is key to maintaining a secure FileMaker environment.
Additional Resources
- Claris FileMaker Server Help Documentation:
- Let’s Encrypt Resources:
- Security Best Practices:
- FileMaker Cloud Information:
- Community and Support:
Editor’s Note: The insights in this post come directly from the Claris Community Live 6: The Developer’s Edge – Claris FileMaker 2024 Security Features video, part of Claris’ ongoing campaign to help customers stay ahead of evolving cyberthreats. With cybercriminals increasingly targeting small and medium-sized businesses (SMBs), Claris is emphasizing the importance of upgrading to FileMaker 2024. The latest version brings enhanced security features, including Let’s Encrypt, automated SSL certificate renewals, and improved server management tools.
If you’re still on an older version, now’s the time to check if your system has the latest protections. Claris offers a complimentary security checkup to help identify potential gaps and ensure your business is safe from threats.
Watch the full video below to hear more about these important security upgrades directly from the experts, Jasper Schoonackers (Lesterius), Doug Wallis, and Sangita Banerjee (Claris)
Disclaimer: The information provided in this guide is based on the features available as of July 19, 2024. Features and procedures may change with future updates to Claris FileMaker products.