Penn Computing

FileMaker Pro Security for Providers


Important Note: Many schools and units have standardized on the use of specific database applications (such as Microsoft Access, Oracle, etc.) and may not support FileMaker Pro for their faculty and staff. Information Systems & Computing (ISC) strongly suggests that faculty and staff speak to their local support provider to determine which product(s) are supported before selecting database software.

FileMaker Inc.'s FileMaker Pro database software is widely used on campus. Because of FileMaker's ease-of-use and low barriers to implementation, it is often used by Schools and Centers for small-to-medium scale departmental databases. These databases often include confidential or sensitive data.

Security Issues

Current University-supported versions of FileMaker Pro (6.x and 7.x) have two significantly different security models with substantially different levels of security.

FileMaker Pro 6.0 and below (including FileMaker Server 5.5):

  • Use a primitive security model in which a single password serves as both the ID and the password.

  • Use a password encryption method for sending passwords over the network that is extremely weak by current standards. FileMaker Pro 6.0 and below cannot force a minimum password length.

  • Send data over the network unencrypted and unencoded.

FileMaker Pro 7.0 and above and FileMaker Server 7.0:

  • Have a new and significantly superior security system with a unified account/privilege environment.

  • Use a capable password encryption method. FileMaker Server 7.0 can require SSL encryption when sending and receiving passwords over the network from FileMaker Pro 7.0 and above clients. FileMaker Pro 7.0 and above and FileMaker Server 7.0 can also force a minimum password length.

  • FileMaker Server 7.0 can require SSL encryption when sending and receiving data over the network from FileMaker Pro 7.0 and above clients.

For all versions of FileMaker Pro:

  • It is extremely important to note that any database application, including any version of FileMaker Pro, can be made far less secure by not following good general security practices. In particular, using easy-to-guess passwords (e.g. "password") can remove almost all of the security initially built into FileMaker Pro.

  • It is also important to remember that any database code is only as secure as the laptop, desktop, or server on which it is installed. Thus, providers must ensure the physical security of their databases.

Suggestions

ISC strongly suggests that Schools and Centers that are still using FileMaker Pro 6.0 or lower make aggressive plans to transition to FileMaker Pro 7.0 or FileMaker Pro 8.0 in Fiscal Year 2006. FY 2006 will almost certainly be the last year of University support for FileMaker Pro 6.0.

ISC also strongly suggests that Schools and Centers using FileMaker Pro databases implement passwords for all types of users - in other words, not even the most basic user should be able to use a FileMaker Pro database without entering a password.

For more information

FileMaker, Inc.'s FileMaker Security page.

The University's FileMaker Pro supported products page.

The University's Information Security resources for Application Developers page.

The University's Privacy web site.

- John Mulhern III, Senior IT Project Leader, ISC Technology Support Services


Information Systems and Computing
University of Pennsylvania