Why don't companies use EAR by default?

You'd think with over a billion records hacked and exposed and more everyday (like the T-Mobile hack last week) that companies would be using EAR now.

I'm wondering what I'm missing as to why companies don't encrypt their data at rest. EAR is built in to most database products today so why not use it.

Even FileMaker supports EAR.

Are companies in general just too lazy to implement EAR and better security so the hacks don't happen in the first place or are penalties for losing customer data too lax? Perhaps this question is not an either/or but both and other reasons too.

What good is it if you use a VPN, encrypt your hard drive, etc., only to have the companies who have your data out of your control be totally lax and get hacked -- then just send you the obligatory "oops, sorry....here are the credit bureaus so YOU can follow up and protect yourself (from our incompetence)" letter?

I am not able to answer you question but I would love to know the answer.

Yep. :slight_smile:

One of the issues - and I’ve had phone conversations with Claris about this - is the lack of a master password.

Background: I’ve had three clients over the years end up with their developer leaving for a variety of reasons. If EAR had been turned on, it would have been a business extinction event as they would not have had future development access.

Businesses can be in big trouble even without EAR activated. That is the case when they don't have the credentials to an account with FULL ACCESS. End of the road. I have seen such a case where the developer, an employee, past away and brought the credentials with him. But that is another matter.

I don’t disagree, but if EAR is on, password reset is not available.

In virtually all enterprise grade software, privileged access management includes a master password or similar functionality to provide security controls so that no developer can - intentionally or innocently - lock up access to program development.

Due to GDPR the vast majority of files we support use EAR. There are some serious flaws applying this, particularly with externally stored files, which I've posted in the community before.

Avoiding the master password/reset issue, I've always wondered how EAR would be applied to a FileMaker standalone app, say distributed within the Apple App Store.

There is no way of opening a file locally with EAR, other than entering the password, prior to the account credentials entry. Therefore, either each file would have to be encrypted individually and the password given to the end user (hardly on the App Store!), or all files would have to have the same password, which is hardly GDPR compliant, neither is a file/app containing personal information without EAR compliant.

This begs the question, just how compliant are many of the FileMaker solutions out there?

Work to do still by Claris I believe.