Assessing Threats, Vulnerabilities, and Risks to FileMaker® Pro Databases
Hosted FileMaker Pro databases are susceptible to unauthorized access, manipulation, destruction, and other forms of compromise. Developers and server administrators need to understand how to assess threats and the risk of those threats being realized as various threat agents seek to exploit vulnerabilities.
This process starts with an understanding of the environment where the databases operate. We have a variety of digital assets that we must seek to protect. Nowadays, for the most part, the assets we are most concerned about are the hosted databases and the information in them. We need to be able to protect the Confidentiality, Integrity, and Availability (CIA) of those digital assets.
When a breach of CIA occurs there will be an impact on the digital asset. Understanding and predicting the level of that impact is an important aspect of the assessment we must make. We can generally classify the level of impact into one of four categories:
The targets of that impact are the people, the assets, the operations, and the reputation of the organization that owns the asset whose CIA is breached. The same event, e.g. a breach of Confidentiality of the asset, may have very different levels of impact on each different target. Likewise, on the same target, a breach of Integrity may have a far more adverse impact than a breach of Confidentiality would.
As a result, FileMaker developers and server administrators must assess each attribute of CIA and the likely impact of its breach on each target: people, operations, assets, and reputation.
The Threat is that a Threat Agent will exploit a known or a heretofore unknown Vulnerability in a specific hosted FileMaker file resulting in a breach of CIA with an adverse impact of varying levels on the various targets as described previously.
Risk is the likelihood of some Threat Agent's actually exploiting the Vulnerability. And Risk can be difficult to quantify or even to identify, especially if the Threat Agent is of a type not previously identified or even known to exist.
In FileMaker Security, indeed in most types of information security, we have three principal tasks:
In terms of setting priorities to achieve this, since tasks seem always to exceed resources, we should focus on the higher Risk items that have greater levels of Adverse Impact. Or so it would seem. But the equation is not quite that simple. Closing known Vulnerabilities is a major factor in blocking the Threat Agent. We may therefore get an overall more beneficial result in terms of our goal of protecting our digital asset by having a more nuanced mixture and balance among these categories.
In summary then, when we undertake to assess the Threats, Vulnerabilities, and Risks to our hosted FileMaker Pro databases we have a number of items to consider:
When we can answer these questions, we can begin to address the question of what type and amount of security we need for our hosted FileMaker Pro databases and for FileMaker Server.
Please see the graphic for a further depiction of this concept. As always, your comments or questions are welcomed.
Steven H. Blackwell