Cloud Services Security
theFM Studio is committed to excellence — both of its service offerings and how it serves its valued clients. Our service offerings are designed to help clients make their business better through high performance, secure, and highly available solutions. And, theFM Studio values trust.
To demonstrate this, we have consistently applied industry-leading security practices to our own operations, including incorporating the Claris® | FileMaker best practices security guide recommendations for configuring a Cloud Services environment. Our environments are designed to embody the latest security standards and protocols and are maintained with the latest updates and security patches.
These values underpin what we do at theFM Studio.
Our Cloud Services production infrastructure is provided by Amazon Web Services (AWS). AWS data centres and AWS services deliver the physical infrastructure, environmental controls, access control mechanisms, and monitoring systems to enable the highly secure and highly available offerings from theFM Studio.
Through our relentless commitment to excellence and relationships with AWS, theFM Studio is able to provide enterprise-grade offerings to organisations of all sizes in its pursuit of enabling digital transformation.
Security and Control Environment
The theFM Studio team is responsible for ensuring the confidentiality, integrity, and availability of all of its clients' hosted solutions that it manages. This includes all information within AWS facilities, on equipment, or transiting networks owned by or in direct partnership with AWS. Specific methods used to achieve these objectives include, but are not limited to: development and distribution of security policies and procedures, security assessments, monitoring and processing of security alerts, and responding to security incidents.
People, Policies, and Training
theFM Studio employs individuals of long standing who are certified professionals in their discipline and are committed to the key principles of honesty, respect, confidentiality, and compliance.
theFM Studio maintains a set of policies, standards, and guidelines to serve as the body of requirements and guidelines for implementing highly secure and highly available systems. These guidelines are based on the Claris® | FileMaker best practices security guide recommendations for configuring a Cloud Services environment and policies set out by Amazon Web Services.
Based on the policies, standards, and guidelines of our organisation, key personnel are required to complete annual security awareness training. Those with responsibilities that impact the security of theFM Studio's service offerings and compliance efforts receive additional training on a variety of topics.
theFM Studio leverages global security frameworks to guide its security processes and controls. Key topics, such as Physical Security, Authentication, Encryption, Network Security, and System Hardening are detailed below.
Physical Security and Environmental Controls
theFM Studio uses Amazon Web Services (AWS) for its hosting needs. AWS has obtained a SOC 2 Type II certification over the services used by theFM Studio, including the physical and environmental security control of its data centres.
Additionally, AWS has security controls to limit physical access to its facilities and critical systems, including but not limited to data centres, POD environments, and telecommunications closets. These controls include the proximity badge access system, biometric readers, facility camera systems, and visitor logs.
The security of theFM Studio systems, devices, and accounts starts with secure credential creation and management.
Administrative access to theFM Studio hosting environments is limited to administrators and requires multi-factor authentication. Within its hosting environment, theFM Studio applies the principle of least privilege. Through role-based access control features within AWS, theFM Studio is able to provide highly granular permissions to different types of administrators at theFM Studio (e.g. server administration, database administration, network administration). theFM Studio service offerings support authentication via external identity providers, including Apple Open Directory and Microsoft Active Directory.
OAuth identity provider authentication
OAuth 2.0 is used to authenticate theFM Studio users that sign in to custom apps via a third-party identity provider such as Amazon, Google, or Microsoft Azure. The latest versions of FileMaker also support OpenID.
The FileMaker Server Admin Console
The FileMaker Server Admin Console is a web application for working with custom apps hosted by theFM Studio and for managing FileMaker Server. The Admin Console allows authorised administrators to:
- monitor server statistics (CPU, memory, network usage and disk space);
- manage database files (open, pause, close, download, remove, verify);
- disconnect and message idle users;
- schedule backups (auto-backup and on-demand, preserved and scheduled backups of solutions);
- configure general settings, including:
  - FileMaker clients;
  - folder set-up;
  - server-side script schedules;
  - SSL certificates; and
  - logging (Configuration > Logging Viewer > Logs > Log Setting > access.log);
- manage connectors for Web Publishing, FileMaker Data API, plug-ins, and ODBC/JDBC connectivity;
- perform server administration (management of FileMaker licences, the System Administrator username/password, and external authentication).
Protecting sensitive information is deeply embedded in theFM Studio's DNA. Encrypting data in transit and at rest is one of the primary tools theFM Studio employs as a key part of its commitment to clients.
FileMaker On-Premise Virtual Private Server:
- In transit: Client connections require the use of the TLS 1.2 protocol.
- At rest: FileMaker Server utilises several AWS data storage environments for data persistence. Across these data platforms, theFM Studio utilises AWS Key Management Service (KMS) for the encryption of data at rest.
- Disk: theFM Studio leverages AWS KMS with AES-256 encryption.
Firewalls are an important part of any security effort. In generic terms, a firewall refers to a control that can be used to prevent certain network traffic from entering a private network. theFM Studio leverages firewalls throughout the network and between different zones in the network including application firewalls, web application firewalls, and network-layer firewalls.
Additionally, network traffic is continuously monitored using AWS CloudWatch.
Hardened baseline configurations help drive consistency within the operational environment and provide assurance that systems are built from approved software, while minimising the attack surface available to malicious code.
As part of a baseline configuration, AWS Information Security-approved tools for malicious software detection are default requirements within configuration baselines. These applications provide system-level detection, monitoring, and alerting of potential security events and can prevent malicious code from executing. These tools also have defined integration paths to enterprise monitoring and event management capabilities, allowing our support team to aggregate themes and activities across the environment, invoke incident response actions, and support forensics investigations.
Security Assessments and Vulnerability Management
Security assessments are conducted by the Claris FileMaker Information Security Team before production deployments of new or updated features, services, configuration, or code changes. Security testing of infrastructure, including network devices and operating systems, is supported through vulnerability scanning and subsequent remediation.
Business Continuity & Disaster Recovery
theFM Studio uses Amazon Web Services (AWS) for its hosting infrastructure needs. AWS has architected its environment to be highly redundant and provide high availability to its customers.
Additionally, theFM Studio leverages Amazon Web Services' ISO 27001 certification process, and the AWS data centres are audited for resiliency and continuity of operations.
Data Management & Privacy
theFM Studio has retention policies and schedules to outline the required retention periods for records.
Clients' hosted solutions remain available for 30 days after the termination or expiration of the client's Cloud & Managed Services subscription, after which all such systems are deleted.
theFM Studio is committed to customer privacy and complies with applicable privacy regulations with regard to our service offerings and services. theFM Studio collects only the minimum amount of data necessary to provide customers with the services.