Why Security Matters in FileMaker Today
In 2025, the threat landscape continues to evolve, with cyberattacks becoming more frequent and sophisticated. FileMaker, often used to store sensitive business, employee, and customer data, is not immune.
According to IBM's 2024 Cost of a Data Breach Report, the average global cost of a data breach reached 4.45 million USD, a 15 percent increase over the past three years. Additionally, 83 percent of organizations experienced more than one data breach. Gartner also reported that by the end of 2025, 60 percent of organizations will have formal programs in place to manage third-party security risks, reflecting a heightened awareness and investment in cybersecurity.
Securing your FileMaker databases is no longer optional. It is essential for maintaining data integrity, meeting regulatory obligations, and safeguarding your organization's reputation.
User Authentication and Access Management
Effective user management is a foundational component of any security strategy. Each user should have a unique account to support accountability and access control. FileMaker supports multiple authentication methods, including local accounts, external authentication through Active Directory or OAuth providers, and Claris ID for cloud environments.
To minimize exposure, use privilege sets to define roles with limited access based on responsibilities (Principle of Least Privilege). For sensitive databases, implement Two-Factor Authentication (2FA) using tools like Google Authenticator or Microsoft Authenticator with External Authentication. This added layer of protection can stop unauthorized access even if credentials are compromised.
Password and Account Security
Set strong password requirements for all users. Enforce length, complexity, and periodic password changes. Automated password expiration can help disable inactive accounts that might otherwise remain open to exploitation.
FileMaker Pro automatically creates a full-access admin account for new files. Ensure that this account is protected with a secure password or disabled entirely if not needed. Default accounts are often exploited in attacks and should be managed with extra caution.
- If unneeded, leave the Guest Account off.
- Review the Extended Privileges of your accounts and only turn on services you will use (OData, ODBC, Data API, Webdirect) for those accounts.
- Create dedicated privilege sets based on user roles (Admin, Sales, Warehouse, Marketing, etc).
- Apply granular access to records, layouts, and value lists based on those roles. If a user has no reason to view Financials, block the view, edit, create, and delete powers for that user.
Data Encryption and Transmission Security
Protecting data both at rest and in transit is a key part of a secure FileMaker deployment. FileMaker supports AES-256 encryption for stored data. Enable file encryption through FileMaker Pro Advanced's Developer Utilities and secure the encryption key in a safe location. If the key is lost, the data is irretrievable.
To secure data in transit, implement SSL/TLS encryption. FileMaker Server supports SSL certificates that must be installed correctly using a certificate authority. This ensures that all communications between client and server are encrypted and protected from interception.
If using external container storage, implement secure storage so that the files are encrypted at rest. This will protect your external files from being viewed by unauthorized parties if they get access to a backup.
Server and Deployment Hardening
FileMaker Server and FileMaker Cloud offer tools to strengthen overall deployment security. Use the Admin Console to monitor access, disconnect idle sessions, and enforce connection encryption. Avoid using self-signed SSL certificates in production. Instead, use trusted certificates that match the domain or DNS name of your server.
For WebDirect access, follow web security best practices. This includes setting up firewalls, limiting access to sensitive data, applying HTTPS protocols, and ensuring all server software is up to date. Make sure the default Guest account is disabled. FileMaker also has settings in the Sharing options to keep certain files from being displayed within a Hosts tab or WebDirect home page. Utilize these settings to keep only the files necessary for user access viewable when someone visits your WebDirect URL.
Backup Strategies and Disaster Recovery
Backups are your safety net. Schedule automated backups both locally and to off-site or cloud storage. Ensure that complete and partial backups are part of your routine and that you routinely test recovery processes. Never back up to the OS drive. Always utilize a spare drive for your backups and replicate copies to the cloud, if possible. This protects from physical hardware failure if you are an on-premise company.
Incorporate version control by keeping backups for multiple intervals, such as daily, weekly, and monthly. Consider encrypting backup files and storing the encryption keys separately for added security.
Logging, Auditing, and Compliance Monitoring
Tracking user activity helps detect security incidents early and enables forensic investigations. There are various ways to implement audit logs. With later versions of FileMaker, developers have found ways to utilize native features, such as OnObjectSave and OnRecordCommit script triggers, along with OnWindowTransaction, to create audit logging for record changes.
You can find a nice article by DBServices on logging: Here.
Regularly review these logs for anomalies. For organizations subject to regulations like HIPAA or GDPR, maintain documented access policies and ensure you can respond to data access requests and demonstrate compliance when audited.
User Training and Ongoing Security Culture
Even the strongest security features can be undermined by poor user behavior. Educate employees about common threats such as phishing, credential sharing, and unsafe browsing habits.
Create a simple, clear security policy that all users must follow. Encourage them to report suspicious behavior or incidents immediately. Make security awareness a routine part of onboarding and professional development.
Continuous Improvement and Updates
Security is not a one-time setup. Stay current with FileMaker updates and patches. These often include critical security fixes that close known vulnerabilities.
Schedule periodic reviews of your security settings, perform internal audits, and stay informed about emerging threats. Engage with Claris documentation, forums, and security bulletins to ensure your FileMaker environment evolves alongside the threat landscape.
Best Practices Checklist
- Assign unique user accounts and use privilege sets to manage access
- Enforce strong password policies with automatic expiration
- Enable Two-Factor Authentication (2FA) where possible (OAuth Setups)
- Encrypt data at rest using AES-256 and in transit with SSL/TLS
- Replace default admin accounts and use trusted SSL certificates
- Regularly back up your databases and test recovery procedures
- Activate audit logging and review access logs routinely
- Train users to follow secure practices and report suspicious activity
- Stay up to date with FileMaker patches and security bulletins
If there is a particular aspect of Claris FileMaker security you would like to read more about, please don't hesitate to reach out.