FileMaker Security Survey Reveals Interest and Some Confusion
During early and mid-July, I posted on FM Forums a multi-question survey asking people about their use of various FileMaker product security features. I also asked for any comments or for any recommendations they might have for enhancing product security features. The results are interesting. They reveal a high level of use of many security features; they also indicate some areas of confusion about how security features in FileMaker products work.
Who were the people who responded to the survey? Where were they located?
Respondents said they worked in a variety of different environments:
| Full time independent developer | 47% |
| Full time in-house developer | 18% |
| Work at or for a FileMaker development company | 17% |
| Part time in-house developer | 11% |
| Power user | 3% |
| Regular user | 1% |
| FileMaker hosting company | 1% |
Respondents were primarily North American and European with a smaller number from other areas:
| USA | 71% |
| Western Europe | 12% |
| Canada | 6% |
| Australia/New Zealand | 4% |
| Eastern and Central Europe | 2% |
| Latin America/Caribbean | 2% |
Security Features Respondents Utilize
One of the most important FileMaker security features is File Access Protection, introduced in FileMaker® Pro 11. This feature is vitally important for securing files and for preventing unauthorized external compromise of a database’s business logic and manipulation of the User Interface.
Respondents indicated considerable use of and support for this feature:
| Category | Use File Access | Not Use |
| --- | --- | --- |
| Full time independent developer | 68% | 32% |
| Full time in-house developer | 63% | 37% |
| Work at or for a FileMaker development company | 62% | 38% |
| Part time in-house developer | 62% | 38% |
Privilege Sets are the method by which FileMaker Pro enforces and supports Role Based Privileges in files. The level of granularity for Privilege Set construction is very fine and precise.
How did respondents to the survey utilize Privilege Sets?
| Category | Never | Sometimes | Always |
| --- | --- | --- | --- |
| Generic Privilege Sets | 19% | 65% | 10% |
| Basic Privilege Sets | 11% | 66% | 17% |
| Customized Privilege Sets | 3% | 53% | 39% |
| Custom Extended Privileges | 6% | 59% | 30% |
External Server Authentication is another key tool for effective security management of FileMaker Pro solutions, especially for multi-file systems hosted by FileMaker Server. Easing of Account management and leveraging of existing IT security assets make External Server Authentication a very important tool.
| Category | Yes | No |
| --- | --- | --- |
| Use External Authentication of any type | 58% | 42% |
| External Authentication (Macintosh OS) | 35% | 65% |
| External Authentication (Windows OS) | 52% | 48% |

The type of External Server Authentication respondents say they used provides some interesting results:
| Type | Yes | No |
| --- | --- | --- |
| Open Directory Domain | 23% | 77% |
| Active Directory Domain | 47% | 53% |
| Local Server Groups (Macintosh) | 26% | 74% |
| Local Server Groups (Windows) | 30% | 70% |
Finally, respondents revealed widespread use of some key Record Level Access features for controlling creation, viewing, editing, and deleting of records.
| Category | Yes | No |
| --- | --- | --- |
| Use any type RLA | 71% | 29% |
| View Records | 63% | 37% |
| Create Records | 60% | 40% |
| Delete Records | 71% | 29% |
| Edit Records | 66% | 34% |
Analysis and Interpretation.
While I am wary of over-generalizations from the information provided by survey respondents, I nevertheless can offer some observations.
1. FileMaker developers are concerned about security items. They know that systems they develop, either for clients or for their employers, can and will be subject to attacks seeking the data in the files. They also know that the business processes the databases manage can be disrupted if users are not constrained from potentially damaging actions, such as inadvertent or careless record deletion. To that end, they employ a number of the standard security features both for Identity and Access Management and for Role Based Privileges.
2. Utilization of security features tends to cluster towards and in the Great Middle, with only 39% of respondents saying they always use customized Privilege Sets. We also see a marked differentiation between Macintosh OS and Windows OS in the use of External Server Authentication with the respective Domain Controller. What this suggests to me is that while a significant portion of respondents have an understanding of the basic security features of the products, only a highly diminished segment utilizes the more nuanced and advanced security features. This is unfortunate, because these features are very valuable, not to mention very flexible, in aiding creation of robust security for FileMaker Pro files. Since nearly two-thirds of respondents work full time developing FileMaker databases, this is a loss to the developer community.
3. The relatively high level of adoption and use of the File Access Protection feature is gratifying. Particularly for the developers of commercial products based on FileMaker Pro, but for all of us as well, File Access Protection is one of the most important features we can employ to protect our and our clients’ files. The cluster of around 37% to 38% of developers who say they do not use File Access Protection is a cause for concern. Without this feature, their files are vulnerable to manipulation and compromise.
4. In the Comments section of the survey—about which we may have more to say at a later time—a couple of items were noteworthy. First, a number of people requested the ability to have dynamic Field Level Access similar to Record Level Access. I fully endorse that request. Second, a number of people requested that a variety of features and capabilities in the security arena be added to the products. They spoke as if the items they requested could not presently be accomplished, when, in fact, they can be. This indicates that some specialized information about these capabilities needs developing. I will undertake to do that in the coming weeks.
Finally, a word of thanks to all who participated in the FileMaker Security Survey. And a very special thanks to Stephen Dolenski of FM Forums for hosting the survey.