5. Restrict data access with accounts and privilege sets

Use accounts and privilege sets to provide the most basic security method within your database files. With accounts and privilege sets, you can limit what users can see and do in a database file. You can restrict:
• File access: Require users to enter an account name and password in order to open a file.
• Data access: Make particular records or fields from individual tables view-only, or hide them completely depending on their level of security clearance.
• Layout access: Prevent users from viewing or modifying layouts in Layout mode.
• Access to value lists and scripts: Prevent users from accessing and modifying value lists and scripts, and from running scripts.
• Outputting data: Prevent users from printing or exporting data, especially if the information is proprietary.
• Menu access: Make only a limited set of menu commands available to the users depending on security level.
When files are restricted with accounts, users must know the account name and password before opening or connecting to a database. The account name and password they enter determines which privilege set will be used, which limits what they will be able to do in a file.
Hint
Your security is only as good as the user accounts and passwords you define. By including personal information about them in their record, they will be more unlikely to be willing to share it with anyone else. Change it about every three monts with minor but memorable modifications.
•Do not share your administrator-level user account name and password with anyone. This protects your files in the event that your physical security, operating system security, or network security has been bypassed. Make sure you also change it frequently.
Your database server can be configured to allow databases to perform external server authentication based on group names in place of accounts/passwords stored in the database. Again, make sure you change your passwords on a regular basis.
Reminder:
In many cases, when you are setting up a new database, the default for the file is initially unprotected. When opening files, users are automatically logged in with the Admin account, which is assigned the Full Access privilege set.
So to prevent others from opening a database with full access, rename the Admin account and assign a password at once. Before sharing the file with others, plan the security of the file and assign the necessary access levels to each user and user group. For example, the Sales department does not need access to the Accounting or Marketing department files.

4. Devise a plan for securing your databases

When you plan your database design, also plan how to secure your database files. It’s much easier to design security into your database from the outset, than to incorporate it later, after the horse has already galloped out of the barn and the damage has been done.
• List the areas of the file that you want to protect, such as particular tables, fields, records, layouts, value lists, and scripts. Plan the number of privilege sets you need to enforce the varying levels of file access that you and your users will require.
• Determine if you need individual accounts for each user (recommended), or accounts that multiple users can share (such as a “Marketing” or a “Sales” account-more risky depending on skills sets)
• Decide if you want to enable the Guest account, which permits users to open the file without logging in and providing account information. If you’re using the Guest account, assign the most limited privilege set possible; otherwise, consider disabling it completely.
• Determine if you need to enable any extended privileges (for example, Network sharing or Instant Web Publishing options) for certain privilege sets.
• Create the accounts you need in the file, and assign the appropriate privilege set to each account.
Consider developing a spreadsheet too  that lists the types of users and summarizes their privileges, such as View, Create, Edit, Delete Records users, Modify, Execute Scripts, and so on.
You can provide limited access to some features, for example deleting records, by using record-by-record privileges with some databases. If this feature is of interest to you, shop around for it when looking for your database solution.

3. Establish network security
Databases shared on an intranet or the Internet use the TCP/IP protocol. You may also use the TCP/ IP protocol when you share databases peer-to-peer, or with the database server. Though TCP/IP is good for moving data and allowing clients to connect to your data, it was NOT designed with security as a primary objective.
So unless you take precautions, it can allow uninvited access to your host computer, server software, databases, and perhaps to other client machines on your internal network.
TCP/IP doesn’t provide very much protection for data, so it is important to place barricades such as firewalls and SSL data encryption to stop access by uninvited visitors. We will talk more about how to use encryption or VPNs to protect data later in this series on database security.
• The most common barricade method used is the firewall, which separates your network into two distinct environments: a public environment that is “outside the firewall,” and a private environment that is “behind the firewall.”
Users outside of the firewall will only have access to those TCP/IP or hardware addresses that you expose. You can concentrate your security on those server machines that are exposed, while allowing the machines behind the firewall to operate with fewer safeguards.
• Using wireless networking devices can pose security challenges. These devices can broadcast your network traffic beyond the walls of your building, so it is extremely important to encrypt your wireless networking signals. Always use the maximum level of signal encryption available. We will discuss wireless networks in more detail later also.

2. Ensure operating system security
Use the security features of your operating system to restrict access to important data. The network administrator should provide access only to individuals authorized to administer and maintain the system or the database/s. In addition, they should:
• Track system user IDs and passwords.
• Restrict access to the actual database application and file directories, servers, and web pages.
• Review remote access settings for file sharing and FTP (File Transfer Protocol).
• Restrict file upload or download access.
• Make sure all users have the latest, most secure versions of the operating system software.
• To streamline processes, you can enable external authentication, which uses accounts that have been configured in the Windows Domain Authentication or in Apple OpenDirectory.
• Do not put your database files on file servers to share them. Choose a database with a built-in networking feature. This will prevent files from being inappropriately copied, or from introducing record locking and potential corruption issues when files are shared with inappropriate methods.

Special Offers for Summer:

FileMaker 9 Software Bundle
FileMaker Pro, FileMaker Server, and more!
Get 10 people up & running TODAY using this robust database.
Available for PC and MAC.
Download, save nearly $1200

In order to try to protect your valuable corporate information, you need to try to ensure that your database files, host computers, workstations, and the networks that access them are ALL safe from theft and corruption.
It may sound like a tall order, but the following is a check list, with further details below.

Your Top 10 Security Steps
1. • Ensure physical security
2. • Ensure operating system security
3. • Establish network security
4. • Devise a plan for securing your databases, communicate that plan to all those with access, and follow up on that plan
5. • Restrict data access with accounts and privilege sets
6. • Back up databases and other important files regularly
7. • Install, run, and upgrade anti-virus software regularly
8. • Test your security measures regularly
9. • Re-assess and improve security measures regularly, and communicate any changes or improvements to all users
10. • Upgrade to the latest database version for their security enhancements regularly
1. Ensure physical security
Evaluate your computers to make sure they are physically secure:
• The host computer should be a dedicated machine, anchored to a desk or immovable object with a lock. Secure the computer so that the hard drive cannot be removed. Restrict access to the computer by storing it in a locked room or cabinet.
• Secure the client workstations that access a database. Lock the computers down, and restrict access to each one by using a screensaver that requires a password.
• Ensure the physical security of backup copies of files stored on portable media, such as tapes and CDs. Back up regularly, and make sure they are not overwritten using the same tapes/CDS over and over again. Make sure you choose a system which will allow easy access to the data.

Special Offers for Summer:

FileMaker 9 Software Bundle
FileMaker Pro, FileMaker Server, and more!
Get 10 people up & running TODAY using this robust database.
Available for PC and MAC.
Download, save nearly $1200