Aligning FileMaker Security Requirements To Business Interests
March 29th 2016
There has been a considerable amount of discussion recently in various FileMaker Platform venues about database security. Much of the discussion has focused on the use of one technique or another, and most of those techniques actually detract from the security of FileMaker systems rather than enhance security.
Absent from these discussions, however, has been any description of the fundamental reasons for having security features in place in the FileMaker Platform. This blog entry will discuss the relationship between business interests and security requirements. Developers and administrators must assure that they have properly aligned security requirements with business interests. Generally speaking, we are seeking to assure the Confidentiality, Integrity, Availability, and Resilience (CIAR) of digital assets and supporting physical assets in the organization.
First and foremost, businesses and organizations of nearly every type have an interest in business continuity. That is, they have an interest in remaining in business, and in being able to continue to function and perform their missions, in the face of some natural or man-made interruption. That includes cyber-attacks of varying types; but such attacks are not the only potential interruption that can cause an organization to cease operations, either temporarily or permanently.
Physical damage to IT hardware, whether by cyber-attack, flood, fire, tornado, building collapse, or similar disaster, is one likely cause of business interruption and continuity failure. So is a newer phenomenon: the ransomware attack. These attacks encrypt the entire data infrastructure of an organization, with the attackers demanding a ransom to decrypt the data and release the underlying information back to the organization.
Business continuity can also fail as the result of the loss of customer or client confidence in the organization resulting from a data breach or data exfiltration. Additionally, if attackers were to damage or to delete significant portions of the organization’s data, the organization may not be able to continue in operation.
All these business continuity imperatives argue strongly for robust steps to preserve CIAR and to allow the organization to continue to function post-attack or post-disaster.
Regulatory compliance requirements related to data privacy and avoidance of the associated penalties for non-compliance are another key business interest for most organizations. At international, national, and state levels, there are a variety of statutory and regulatory requirements for safeguarding data against breaches, for notifying affected individuals of breaches, and for post-breach monitoring and management. An organization’s compliance failure can subject it to civil and criminal penalties, including substantial fines. Clearly, any organization, irrespective of structure or mission, wants to avoid these potential penalties.
Organization brand reputation is another key business asset needing safeguarding. The negative publicity that follows in the wake of a breach, as well as the impact and burden of remediation for those whose data are compromised, can seriously, if not permanently, tarnish the reputation that an organization has often worked years to achieve. Loss of customer or client confidence, loss of members' confidence for professional and trade associations, and degradation of analyst and media opinion can all rapidly sink any organization.
Many FileMaker Platform customers and clients are small to medium-size businesses. They frequently have fewer resources to combat the after-effects of CIAR loss. They are the ones most likely to suffer failure of business continuity and to be driven out of business by severe attacks. Larger businesses can experience negative effects as well; however, they may have more resources to be able to continue to function.
These are some of the business interest reasons for safeguarding FileMaker Platform systems. They are the underlying primary reasons for designing and implementing robust CIAR security in FileMaker systems. These are not the only reasons of course. There can be others, notably protection of developer intellectual property. But the concepts of business continuity, regulatory compliance, and avoidance of civil liability are core reasons that drive security requirements.
Steven H. Blackwell