
2020 To Be Year of Challenges


Steven H. Blackwell

This year 2020 will be one of Change and Challenge for the Claris FileMaker Community. It will require Commitment, Confidence, and Community Effort to see it to a successful conclusion. Herewith, in outline form, are some of the Challenges I foresee we will face:

1. We will need to develop a finer level of audit logging of Personally Identifiable Information (PII). Most logs currently focus on system-level activity (sign-ins, server events and the like) rather than recording which account read or changed which PII field in which record, when, and from where. That finer level of focus will assist in achieving compliance with various privacy requirements, and it is also what makes prompt breach response possible: a notification deadline such as the GDPR's 72 hours cannot be met if the scope of a breach has to be reconstructed from system-level logs.

2. We will need to improve data-level protection via encryption. Restricting what the user-interface layer shows is insufficient for this purpose: anyone who obtains the file, a backup, or a copy of it bypasses the interface entirely. But in the process of doing this, we must maintain system usability.

3. The practice of sending SMS text messages to mobile devices to achieve Two Factor Authentication (2FA) needs to end. It is inherently insecure (codes sent over the public telephone network can be intercepted or redirected by a SIM swap, which is why NIST SP 800-63B classes them as a restricted authenticator), and there are better alternatives.

4. A better approach to 2FA is to adopt hardware tokens of various types. These can be made to work with the FileMaker Platform, and indeed they already do so, through an OAuth 2.0 / OpenID Connect identity provider: the provider enforces the hardware token as the second factor, and the FileMaker Platform trusts the resulting sign-in rather than talking to the token itself.

5. We are going to need to adopt context-based authentication. Not just Who are you? and Are you who you say you are? but also How do we know this? (which authenticator was presented, and how strong is it) and From where are you seeking access, on what device, and to what asset? This is not particularly easy to adopt; however, it can be done.

6. Mobile accessibility is due for a change. We are at the beginning of the end of Wi-Fi. In 2020 we will begin to see adoption of what is called Citizens Broadband Radio Service (CBRS), a shared band at 3.5 GHz in the United States that lets an organization run its own private LTE network. This is not to be confused with the old CB Radio of the 1970s. Adoption of CBRS is likely the beginning of Connectivity as a Service.

7. We will begin increasingly to see the containerization of applications and services, e.g. FileMaker Server.

a. Unlike virtual machines, containers do not carry a full operating system; they share the host's kernel and package only the application and its dependencies. The flip side is weaker isolation: a kernel vulnerability reachable from inside one container is a vulnerability of the host and of every other container on it.

b. Once the container image has been built, it can easily be deployed to different servers. From a software lifecycle perspective this is a great help, as the same image can quickly be instantiated to create identical environments for development, testing, integration, and production.

8. We need to adopt processes that let data owners demonstrate due diligence over cloud-hosted data. The owner is the responsible party here, and it is the owner who would likely bear the bulk of the consequences of any breach. To exercise this due diligence, data owners must expect and insist on transparency from hosting and PaaS providers about security processes, including who does and does not have access to and knowledge of encryption keys. This will not be a straightforward process.

9. As we experience more and more instances of Machine Learning, we will need to be aware of, and to guard against, manipulation of the training data that underpins this process. Such data are susceptible to attack and to manipulation that poisons the data: an attacker who can insert, remove, or relabel even a small fraction of the training set can shift what the model learns, because most training procedures weight every sample equally and have no notion of which samples are trustworthy.

10. The Human Element has always been at the center of effective FileMaker Platform Security. That will become even more the case in 2020 and beyond as we move to Federated Identity Management and to Digital Transformation. The culture of any organization is a governing element of its success. We will have many challenges here in properly accounting and planning for the Human Element.
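
Item 1 above asks for audit logging that tracks PII at the field level and supports prompt breach response. The following is an added example by the editor, not code from the post or from Claris: a hypothetical field-level audit record written as JSON lines, with the PII value replaced by a keyed hash so the log itself holds no PII, and two queries over it that a breach response needs, the records one account touched in a time window and the accounts that swept an unusual number of records. The table::field names, accounts, addresses, timestamps and the key are all constructed for the example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed key for this example. In a real deployment the key lives in a
# secrets store, never beside the log, so a stolen log cannot be reversed.
PSEUDONYM_KEY = b"example-audit-pseudonym-key"

# Fields the organization has classified as PII (hypothetical table::field names).
PII_FIELDS = {"Customers::SSN", "Customers::DateOfBirth", "Customers::Email"}


def pseudonymize(value):
    """Keyed hash of a PII value. Equal values give equal tags, so events can be
    correlated per data subject, but the tag reveals nothing without the key."""
    digest = hmac.new(PSEUDONYM_KEY, value.encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:16]


def audit_event(when, account, action, field, record_id, value, source_ip, device_id):
    """One field-level audit record: who, what, which record, when, from where.
    The cleartext value never enters the log."""
    if field not in PII_FIELDS:
        raise ValueError("not a classified PII field: " + field)
    return {
        "ts": when.isoformat(),
        "account": account,
        "action": action,            # "read" or "write"
        "field": field,
        "record_id": record_id,
        "value_tag": pseudonymize(value),
        "source_ip": source_ip,
        "device_id": device_id,
    }


def to_jsonl(events):
    """One JSON object per line, the usual shape for shipping to a log store."""
    return "".join(json.dumps(e, sort_keys=True) + "\n" for e in events)


def affected_records(events, account, start, end):
    """Breach scoping: records whose PII `account` read or wrote in [start, end].
    This is the question a notification deadline forces, and the one a
    system-level log cannot answer."""
    return {
        e["record_id"]
        for e in events
        if e["account"] == account and start <= datetime.fromisoformat(e["ts"]) <= end
    }


def bulk_readers(events, window, max_records):
    """Accounts touching more than `max_records` distinct records inside any
    `window`: the mass-export pattern of a compromised or abused account."""
    by_account = {}
    for e in events:
        touch = (datetime.fromisoformat(e["ts"]), e["record_id"])
        by_account.setdefault(e["account"], []).append(touch)
    flagged = set()
    for account, touches in by_account.items():
        touches.sort()
        for i, (t0, _) in enumerate(touches):
            in_window = {rec for t, rec in touches[i:] if t <= t0 + window}
            if len(in_window) > max_records:
                flagged.add(account)
                break
    return flagged


def sample_log():
    """Constructed sample: a clerk looking up three customers' e-mail addresses
    over half an hour, and a reporting account sweeping 40 SSNs in four minutes."""
    t0 = datetime(2020, 1, 6, 9, 0, tzinfo=timezone.utc)
    events = []
    for i in range(3):
        events.append(audit_event(t0 + timedelta(minutes=15 * i), "jdoe", "read",
                                  "Customers::Email", f"C-{1001 + i}",
                                  f"customer{i}@example.com", "10.1.20.14", "MAC-0A1B"))
    for i in range(40):
        events.append(audit_event(t0 + timedelta(seconds=6 * i), "svc_report", "read",
                                  "Customers::SSN", f"C-{2000 + i}",
                                  f"000-00-{i:04d}", "203.0.113.9", "UNKNOWN"))
    return to_jsonl(events)


def breach_report():
    """What an incident responder would pull from the log on day one."""
    events = [json.loads(line) for line in sample_log().splitlines() if line.strip()]
    start = datetime(2020, 1, 6, 9, 0, tzinfo=timezone.utc)
    return {
        "event_count": len(events),
        "jdoe_first_20_min": sorted(affected_records(events, "jdoe", start,
                                                     start + timedelta(minutes=20))),
        "jdoe_first_hour": sorted(affected_records(events, "jdoe", start,
                                                   start + timedelta(hours=1))),
        "bulk_readers": sorted(bulk_readers(events, timedelta(minutes=5), 20)),
    }
```

Calling `breach_report()` on the constructed log names the two records the clerk opened in the first twenty minutes, all three within the hour, and flags only `svc_report` as a bulk reader; the raw e-mail addresses and SSNs appear nowhere in the log text. The point of the keyed hash rather than a plain SHA-256 is that a plain hash of a nine-digit SSN is trivially brute-forced, while an HMAC with a key held outside the log store is not.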

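
One way to make item 5 concrete, as an added example by the editor (not code from the post or from the FileMaker Platform): a hypothetical policy that takes the authenticator presented, the network, the device and the asset's sensitivity and returns allow, step up or deny together with the reasons. The strength ordering of authenticators follows the NIST SP 800-63B view that SMS codes are the weakest second factor and phishing-resistant hardware keys the strongest; the asset classes, network classes, travel-speed limit and thresholds are assumptions chosen for the example.

```python
from dataclasses import dataclass

# Authenticator assurance, ordered as NIST SP 800-63B ranks them: phishing-
# resistant hardware keys highest, one-time codes over SMS the weakest second factor.
AUTHENTICATOR_STRENGTH = {"password": 0, "sms_otp": 1, "totp_app": 2, "hardware_key": 3}

# Hypothetical classification of the assets being accessed (files, layouts, APIs).
ASSET_SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Hypothetical network classes the access request can arrive from.
NETWORKS = {"corporate", "known_remote", "unknown", "anonymizer"}


@dataclass(frozen=True)
class Context:
    account: str
    authenticator: str            # strongest factor presented in this session
    device_managed: bool          # enrolled, encrypted and patched according to MDM
    network: str                  # where the request comes from
    asset: str                    # what is being accessed
    km_from_last_login: float = 0.0
    hours_since_last_login: float = 24.0


def required_strength(ctx):
    """Baseline is the asset's sensitivity; each risky condition (off the corporate
    network, unmanaged device) demands one step stronger, capped at a hardware key."""
    need = ASSET_SENSITIVITY[ctx.asset]
    if ctx.network != "corporate":
        need += 1
    if not ctx.device_managed:
        need += 1
    return min(need, max(AUTHENTICATOR_STRENGTH.values()))


def impossible_travel(ctx, max_kmh=900.0):
    """Two logins farther apart than an airliner could have carried the user."""
    if ctx.hours_since_last_login <= 0:
        return ctx.km_from_last_login > 0
    return ctx.km_from_last_login / ctx.hours_since_last_login > max_kmh


def decide(ctx):
    """Return (decision, reasons). Hard stops first, then step-up if the
    authenticator is too weak for this context, otherwise allow."""
    if ctx.network not in NETWORKS:
        raise ValueError("unknown network class: " + ctx.network)
    reasons = []
    if ctx.network == "anonymizer":
        reasons.append("request arrives via an anonymizing network")
    if ctx.asset == "restricted" and not ctx.device_managed:
        reasons.append("restricted asset requested from an unmanaged device")
    if impossible_travel(ctx):
        reasons.append("impossible travel since the previous login")
    if reasons:
        return "deny", reasons
    have = AUTHENTICATOR_STRENGTH[ctx.authenticator]
    need = required_strength(ctx)
    if have < need:
        return "step_up", [f"authenticator strength {have} is below the required {need}"]
    return "allow", ["context satisfies policy"]


def evaluate(account, authenticator, device_managed, network, asset, km=0.0, hours=24.0):
    """Convenience wrapper returning only the decision label."""
    ctx = Context(account, authenticator, device_managed, network, asset, km, hours)
    return decide(ctx)[0]
```

Under this policy a hardware key on a managed device on the corporate network opens even a restricted asset, an SMS code is never enough for anything confidential, and the same user with the same key is refused when the request comes through an anonymizing network or arrives 8,000 km from the previous login two hours earlier. The reasons list is what should be written to the audit log, so that a denial can be explained to the user and to the reviewer afterwards.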
Steven H. Blackwell

Platinum Member Emeritus

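
Item 9 of the outline states that a very small amount of poisoned training data can change what a model learns. The following added example (the editor's, not the author's) shows it on constructed data with the simplest classifier that has a mean to attack, a nearest-centroid classifier: three planted points, under 6% of the training set, flip the classification of a point near the decision boundary, and a check that measures each point against its class's median rather than its mean flags exactly those three points. The data, the test point and the outlier threshold are all chosen for the example.

```python
from math import hypot
from statistics import median

# A point that legitimately belongs to class A but sits near the boundary (constructed).
TEST_POINT = (0.6, 0.6)

# Three poisoned training points: labelled A, but nowhere near A's cluster (constructed).
POISON = [((-5.0, -5.0), "A")] * 3


def make_clean_data():
    """25 points per class on a regular grid: class A around (0.2, 0.2),
    class B around (1.2, 1.2). A grid keeps every statistic below exact."""
    data = []
    for i in range(5):
        for j in range(5):
            data.append(((i / 10, j / 10), "A"))
            data.append(((1 + i / 10, 1 + j / 10), "B"))
    return data


def centroids(data):
    """Per-class mean of the training points: the statistic the attacker leans on,
    because every sample pulls on it with the same weight."""
    acc = {}
    for (x, y), label in data:
        sx, sy, n = acc.get(label, (0.0, 0.0, 0))
        acc[label] = (sx + x, sy + y, n + 1)
    return {label: (sx / n, sy / n) for label, (sx, sy, n) in acc.items()}


def predict(cents, point):
    """Nearest centroid wins."""
    return min(cents, key=lambda label: hypot(point[0] - cents[label][0],
                                              point[1] - cents[label][1]))


def flag_outliers(data, factor=5.0):
    """Training points more than `factor` times the median distance from their
    class's per-coordinate median. A minority of poisoned points cannot move a
    median, so the check still works when run on the already-poisoned set."""
    by_label = {}
    for point, label in data:
        by_label.setdefault(label, []).append(point)
    flagged = []
    for label, pts in by_label.items():
        cx = median(p[0] for p in pts)
        cy = median(p[1] for p in pts)
        dists = [hypot(p[0] - cx, p[1] - cy) for p in pts]
        cutoff = factor * median(dists)
        flagged.extend((p, label) for p, d in zip(pts, dists) if d > cutoff)
    return flagged


def poisoning_demo():
    """Train clean, train poisoned, compare the answer for TEST_POINT, then run
    the sanitizer over the poisoned set."""
    clean = make_clean_data()
    poisoned = clean + POISON
    return {
        "clean_prediction": predict(centroids(clean), TEST_POINT),
        "poisoned_prediction": predict(centroids(poisoned), TEST_POINT),
        "poison_fraction": len(POISON) / len(poisoned),
        "flagged": flag_outliers(poisoned),
    }
```

Run `poisoning_demo()`: the clean model answers A for the test point (distance 0.57 to A's mean versus 0.85 to B's), the poisoned model answers B because three far-away points dragged A's mean to about (-0.36, -0.36), and `flag_outliers` returns exactly the three planted points while flagging nothing in the clean set. The lesson carries beyond this toy: any training step that averages over samples has the same weakness, and the defence is to validate where training data comes from and to check it with statistics a small minority cannot move.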
3 Comments


Recommended Comments

Hi Steven:

Very interesting commentary. I am opposed to hardware keys unless they are keys on devices we already have, like our phones. We don't need more "things" to carry around.

Why is SMS bad?

What do you think about applications like Authy such as Amazon uses for 2FA? Any idea of what is involved in integrating such an application for FileMaker?

Logging has been a long-standing issue in FileMaker. Most everything we have that is "native" consists of hacks that are subject to workarounds and suck performance. I've been experimenting using Amazon services to gather and speed up audit logs in FileMaker, but it really should be something we can do within the FileMaker environment at this point. These requirements for security are becoming standard fare for ALL companies, big and small, and there is a great opportunity for FileMaker to deliver these abilities at reasonable levels of cost and complexity. Ideally, we need a mechanism that gives us true TABLE-level script triggers.

Happy New Year!

Lee

22 hours ago, ESS YES said:

I am opposed to hardware keys unless they are keys on devices we already have, like our phones. We don't need more "things" to carry around.

Why is SMS bad?

We already have this capability for the FileMaker Platform, and we have had it for a number of years.  More and more installations are using Two Factor Authentication (2FA) with these hardware devices.

SMS in the form of a code sent to a mobile device, especially a telephone, is inherently insecure.  How does the provider of the asset know that the recipient of the code is the person the requester claims to be?  SMS messages can be re-routed by hijacking the Subscriber Identity Module (SIM) of the device.  Note these two articles:

https://securityintelligence.com/whats-wrong-with-sms-authentication-two-ibm-experts-weigh-in-on-the-nist-recommendation/

https://www.schneier.com/blog/archives/2020/01/sim_hijacking.html

Thanks for replying.

Steven H. Blackwell

Platinum Member Emeritus

Hi Steven:

I know the devices exist, but dedicated devices can be costly, and it is another "thing" that has to be cared for and can easily be lost.

I have not tried out the new FileMaker Cloud. Guess I need to take a look and see what they are implementing. I like the concept of FileMaker ID, but I'm a bit peeved that it is only available in the Cloud platform, at least for the time being.

SMS is being used by many large services for 2FA. So are they simply ignorant of the risks, or have they decided the risk is minimal?

I like the "Authy" type virtual dongles. But even these "devices" can be hacked or stolen if someone gets hold of an unlocked phone or is able to break into it.

Security in this day and age is a road without an end.  😉

Lee
