From Dwayne Wright PMP, PMI-ACP, CSM
Certified FileMaker Developer
There may be some difficult choices to be made with regard to securing information that a user needs in order to be productive in their role within the organization. This is one of the primary reasons why security begins with the people. One of management's direct concerns is that someone will extract critical information and supply it to a direct business competitor. This is normally done by an employee who is unhappy with their position at one company and is looking for a better opportunity with a competitor.
I once worked with a company in which this happened all the time. Sales representatives of their competitors would interview and claim they had digital records of all their current customers. In their job interview, they mentioned that they would bring those customers over with them as they made the position switch.
Obviously, the company that I did the project for had me batten down the hatches on their database system. In fact, sales reps could never see companies other than their own, could not print and were limited to list views of 5 records or smaller.
There are at least 4 levels of database information stealing and each has a different threat level. As we have mentioned many times, it is difficult to protect yourself if someone is determined at whatever cost to get this information. However, I think it is worthwhile to discuss some of the different ways information can be obtained. I will use the disgruntled sales rep example as the basis in describing these levels.
The first and lowest-level threat is viewing information that should not be needed or even accessible. The sales rep may be able to see who the key contacts are for valuable clients and record this information manually. This is more of a one-off process and doesn’t lend itself well to batch record stealing. This supports the security principle that individuals should not see data they do not need to see.
STORED ON PRINT OUTS
The next level is the ability to print information. With the ability to print information, it is easier to obtain data about a batch of records. It takes longer to re-enter the data in a new system, but it is possible. There is also the ability to print to a PDF, which makes transporting large amounts of data easier, and there are tools out there that can parse a PDF. So it is quite possible you may need to restrict printing access for large collections of data.
The next level is the ability to export information out of a database. This makes it very easy to batch move a bunch of information in a very small package. It is possible that the data that can be exported isn’t as complete as the disgruntled employee would like. However, even incomplete data on a large batch of records is still a very considerable threat.
COPIES OF WHOLE FILES
The final level is directory access to the files, which could be copied from one machine to the next. This is the most dangerous because it involves the copying of both information and structure. The structure may contain password information to more secure files and compromise them also.
So these are things you might want to consider as you are doing a security review of your files and your business workflow. You should keep in mind that every time you ratchet up your security settings, you may be putting in obstacles that limit the productivity of the good employees.
© 2009 – Dwayne Wright – dwaynewright.com
The material on this document is offered AS IS. There is NO REPRESENTATION OR WARRANTY, expressed or implied, nor does any other contributor to this document. WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE EXPRESSLY DISCLAIMED. Consequential and incidental damages are expressly excluded. FileMaker Pro is the registered trademark of FileMaker Inc.