FTP vs. SFTP: Considerations for secure file transfer


Businesses rely on the safe transfer of data to operate securely in today’s digital economy, writes Heath Kath, Senior Solutions Consultant, Fortra.

There are several protocols that can be used for this purpose and each offers a different benefit to your organisation. File Transfer Protocol (FTP) has been around the longest and is the default file transfer method for many companies with legacy architecture.

Secure File Transfer Protocol (SFTP) is a “relatively” newer protocol, which requires some shifting of the status quo, but brings needed security benefits to the table.

Determining which protocol is right for your organisation requires understanding them both.

Who uses FTP?

The File Transfer Protocol came around in the 1970s as a way to transfer files over ARPANET, the precursor of the internet.

It has undergone several iterations since then; it now aligns with Transmission Control Protocol/Internet Protocol (TCP/IP), which gives you the ability to make and remove a file directory (as opposed to just transferring from one), and it follows now-dated (1997) security standards.

By default, FTP does not encrypt traffic and needs to be enhanced in order to do so.

FTP sends data over two separate (unencrypted) channels. The command channel authenticates the users. The data channel sends the files.

While it requires authentication to access, the fact that FTP sends data in plaintext makes it especially vulnerable to even the simplest attacks.

Knowing this, why do many organisations still use it? Because it’s been around for a quarter of a century, it is still compatible with many systems.

Those that still use it might also be unaware of the risks, especially as the threat landscape is constantly changing.

Nevertheless, the risks (including sniffing, spoofing and brute force attacks) are real and worth considering. FTP can, however, be secured as FTPS.

What about FTPS?

FTPS (FTP over SSL/Secure Sockets Layer) is a step-up security-wise from FTP as it is a secure FTP protocol that allows you to protect and exchange files with trading partners, employees and clients.

While more secure than FTP, it does have a few disadvantages, primarily that FTPS requires multiple port numbers.

Authentication and passing commands use the first port, with each file transfer request or directory listing request requiring another port number to be opened for the data channel.

Both you and your trading partners must open a range of ports in your firewalls to allow FTPS connections and this can pose a network security risk.
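The port arithmetic behind that firewall range, as an added example that is not from the original article: the server announces each data port in a 227 (PASV) or 229 (EPSV) reply, and because FTPS encrypts the control channel a firewall cannot read those replies and has to allow the whole range in advance. The replies, addresses and the 50000-50100 range below are constructed for illustration.

```python
import re

# Constructed control-channel replies from one session (not a real capture).
# 192.0.2.10 is a documentation address; every listing or transfer gets a new port.
SAMPLE_REPLIES = [
    "220 FTP server ready",
    "227 Entering Passive Mode (192,0,2,10,195,80)",   # 195*256 + 80
    "226 Transfer complete",
    "229 Entering Extended Passive Mode (|||50007|)",
    "226 Transfer complete",
    "227 Entering Passive Mode (192,0,2,10,234,96)",   # 234*256 + 96
]

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")

def data_port(reply):
    """Return the data-channel port announced by a 227/229 reply, else None."""
    m = PASV_RE.match(reply)
    if m:
        p1, p2 = int(m.group(5)), int(m.group(6))
        if p1 > 255 or p2 > 255:
            raise ValueError(f"malformed 227 reply: {reply!r}")
        return p1 * 256 + p2          # port is sent as two bytes, high byte first
    m = EPSV_RE.match(reply)
    if m:
        return int(m.group(1))        # EPSV carries the port as a plain number
    return None

def audit_session(replies, allowed_range):
    """Split announced data ports into those the firewall range permits and drops."""
    low, high = allowed_range
    allowed, blocked = [], []
    for reply in replies:
        port = data_port(reply)
        if port is None:
            continue
        (allowed if low <= port <= high else blocked).append(port)
    return allowed, blocked

if __name__ == "__main__":
    ok, dropped = audit_session(SAMPLE_REPLIES, (50000, 50100))
    print("permitted data ports:", ok)
    print("blocked data ports:  ", dropped)
```

A blocked port here means the server's passive range and the firewall rule disagree, which shows up to users as listings or transfers that hang after a successful login.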

The multiple ports requirement is just one reason SFTP (Secure File Transfer Protocol) is often recommended over FTPS as it offers users better usability with firewalls.

However, both solutions, when used with a managed file transfer solution, benefit from all the security and benefits of automation, audit logs and monitoring capabilities.

Related reading: SFTP vs. FTPS: The Key Differences | GoAnywhere MFT

What is Secure File Transfer Protocol (SFTP)?

SFTP was created in 1995 by Tatu Ylönen (inventor of SSH) to replace the less-safe FTP and it has remained the standard for secure file transfer.

It allows you to access, transfer and manage files safely over any reliable data stream.

Originally a proprietary part of the Secure Shell (SSH) protocol (a method developed to securely send commands over an unsecured network), SFTP was then created as an extension of SSH 2.0 by the Internet Engineering Task Force (IETF) roughly 20 years ago and is still widely referred to as SSH File Transfer Protocol to this day.

Unlike FTP, it does encrypt by default (using SSH) and brings with it other benefits, including dynamic integration, the ability to authenticate over firewalls and a faster transfer speed.

What risks come with FTP?

To add another vote of no-confidence, modern servers have dropped FTP support because of its lack of up-to-date security features.

FTPS and SFTP both offer the security to eliminate the following risks:

  • Design: FTP might get files from point A to point B, but it was not originally designed for security and still operates with a lot of latent weaknesses. Those include:
      • Packet sniffing/capture: FTP transmits using plaintext, leaving any data transfers, transmissions and logins openly readable by anyone on the network, as in Man-in-the-Middle attacks.
      • Port theft: FTP ports are easily guessed and so they’re easily hacked. For example, an unencrypted FTP connection will always use port 21, although FTP was officially assigned to port 20 as well. Port 21 is the control port, while port 20 is used for data. Outside of that, you have a limited number of ports you can choose from, depending on the type of FTP you use. This information narrows things down for attackers and once they’ve identified the port, a PORT command will work to give an attacker middleman access. This can initiate an FTP bounce attack (taking advantage of passive mode FTP), which tricks the FTP server into sending data to another unintended device on the network.

Because of its low-tech setup and the fact that it wasn’t built with security in mind, it unfortunately doesn’t take much to take advantage of systems running FTP.
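A server-side mitigation for the PORT weakness described above, as an added example rather than code from the original article or from any particular FTP server: refuse a PORT request unless it points back at the host that opened the control connection and at a port of 1024 or higher, the restrictions recommended in RFC 2577. The function names and sample requests are hypothetical and constructed for illustration.

```python
import ipaddress

def parse_port_argument(arg):
    """Decode 'h1,h2,h3,h4,p1,p2' from a PORT command into (IPv4Address, port)."""
    fields = arg.strip().split(",")
    if len(fields) != 6 or not all(f.isdigit() and int(f) <= 255 for f in fields):
        raise ValueError(f"malformed PORT argument: {arg!r}")
    nums = [int(f) for f in fields]
    host = ipaddress.IPv4Address(".".join(map(str, nums[:4])))
    return host, nums[4] * 256 + nums[5]

def check_port_command(arg, control_peer_ip):
    """Return (accepted, reason) for a PORT request on a control connection.

    Policy (hypothetical helper, rules from RFC 2577): the data connection
    may only go back to the host that opened the control connection, and
    never to a port below 1024.
    """
    try:
        host, port = parse_port_argument(arg)
    except ValueError as exc:
        return False, str(exc)
    if host != ipaddress.IPv4Address(control_peer_ip):
        return False, f"target {host} is not the control peer {control_peer_ip}"
    if port < 1024:
        return False, f"port {port} is in the reserved range"
    return True, "ok"

# Constructed requests on a control connection opened from 198.51.100.7.
SAMPLE_REQUESTS = [
    "198,51,100,7,200,10",   # client's own address, port 51210
    "192,0,2,25,0,25",       # address differs from the control peer
    "198,51,100,7,0,80",     # own address, but a reserved port
    "198,51,100,7,999,1",    # a field above 255 is malformed
]

if __name__ == "__main__":
    for arg in SAMPLE_REQUESTS:
        print(arg, "->", check_port_command(arg, "198.51.100.7"))
```

Rejections from a check like this are worth logging with the control peer address, since a legitimate client has no reason to name a different host.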

The security benefits of SFTP

As mentioned, FTPS is a more secure option than FTP, but SFTP has its advantages, including no need for multiple ports. Other benefits SFTP offers include:

  • You get fewer data breaches with built-in security features like default encryption of all file transmissions.
  • Role-based permissions and detailed audit logs help you keep up with compliance requirements (also possible with FTPS).
  • There’s no need to slow down for safety; automated workflows enable your team to transfer data quickly and securely, without sacrificing productivity for safety, or adding the risk of human error.
  • SFTP can integrate with existing resources. Most FTP clients worth their salt already support some version of SFTP.

And the best part: using SFTP can save you time. To make up for old file transfer methods, teams often write cumbersome, custom scripts to keep up with the demands of modern-day file transfer.

However, whenever we humans get our fingers in the pie, it can get messy, error-prone and complicated.

SFTP – in addition to being secure – can help you quickly create new processes, assign custom access permissions, view your transfers and monitor user access so you know when a file transfer did or didn’t succeed.

The automated aspect of SFTP, in conjunction with managed file transfer, not only adds to its reliability, but also to its security, as less human involvement means fewer possible mistakes.

Fortra’s GoAnywhere MFT allows you to confidently send files to your trading partners using the SFTP and Secure Copy (SCP) protocols.

Send files, credentials and commands via an encrypted tunnel that connects your SFTP server in GoAnywhere MFT with those receiving your data.

Because SFTP requires authentication from both sender and receiver, it is a reliable way to protect your data in transit. SFTP is also an extremely effective solution for transferring data safely in the cloud.

As organisations have moved to cloud and hybrid environments, typical on-prem security tools fell short, resulting in “lack of security, lack of mobility, performance issues, maintenance cost, productivity impact and poor user experience,” according to one Information Security Officer at a healthcare company.

Because of its SFTP capabilities, MFT is able to enable safe data transfer across disparate environments, protocols and platforms.

Additionally, SFTP file transfer methods, as found in GoAnywhere MFT, enable companies to maintain compliance standards in complex and highly regulated environments.

In fact, disabling standard FTP is one of the top recommendations for keeping your servers safe and your company compliant. Open FTP ports and plaintext passwords won’t bode well during an audit.

However, using encrypted communication tunnels and secure transfer of data in the cloud will.

Use the right tool for the job

If you want to simply transfer files, look no further than FTP.

But if you want to transfer sensitive or business-critical files securely and meet compliance requirements, you need the Secure File Transfer Protocol.

This article was originally published as a blog on Fortra’s website. To find out more information about the company’s work, please visit: blog/ftp-vs-sftp-considerations-secure-file-transfer
