FTPS helps to encrypt and transfer private information within the constraints of regulatory requirements.
Many industries rely on the timely and effective transfer of files to provide services to consumers. For example, the healthcare industry requires exchanging sensitive information between healthcare providers, insurance providers, and eligibility services, to name a few. Regulatory requirements such as the Health Insurance Portability and Accountability Act (HIPAA) provide requirements for the use and disclosure of patients'private healthcare information (PHI). FTP services exchange information between caregivers and insurance companies, but the FTP protocol lacks the level of protection needed to meet regulatory requirements for the safeguarding of PHI. However, encrypting private information over the wire using FTPS helps meet this requirement.
The Right Tool for the Right Job
Sharing files is not new, but the methods that technology consumers use to share files do change constantly. At one point in time, the most common way to share files was "sneaker-net" a method of placing files on transportable storage (floppy disks, CDs, USB drives) and physically walking the media to where it needed to go. However, not only is this method incredibly slow, but it also wasn't secure. Email is another common way of sharing files. While email is faster than sneaker-net, file size limits and mailbox quotas restrict its usefulness. In addition, email is typically unencrypted. Therefore, it isn't secure enough to protect sensitive information. Cloud-based file sharing apps such as iCloud, Dropbox, and OneDrive also allow you to share files of greater length. However, these files shared through the popular consumer-directed services are typically not secured enough to meet strict industry-specific regulatory requirements like HIPAA. Business versions of these services may meet regulatory requirements, but they require upkeep to ensure that the use of the services and files is restricted.
FTP - and its Limitations
File Transfer Protocol (FTP), a standard network protocol that has been around since 1971, allows for the transfer of files between computers, typically a "client" and a "server" on a network. While file size limitations are configurable with FTP, businesses typically use an FTP solution to eliminate the restrictions of physical media or mailbox quotas. However, FTP alone does not encrypt the transferred files. Establishing a connection with an FTP server leaves both authentication requests and the transferred data unencrypted over the wire. Any common packet-sniffing tool can read the exposed information. In industries with regulatory requirements such as PCI or HIPAA, protecting data and credentials to transfer data is not only necessary, but also required.
Read: What Is File Transfer Protocol (FTP)?
Securing Data on the Wire with FTPS
Like its' HTTPS counterpart, FTPS includes the encryption necessary to protect the data across the wire. FTPS adds support for encryption to the original FTP protocol via SSL (Secure Sockets Layer) or TLS (Transport Layer Security). FTPS uses public key encryption and FTPS servers must provide an X.509 certificate signed by a trusted certificate authority. A plethora of FTPS solutions exist commercially to protect PHI and other sensitive data, including Ipswitch's MoveIT Transfer. A client/server FTPS implementation runs in one of two modes: implicit or explicit.
Implicit FTPS Mode
Although considered deprecated, an FTP server in implicit mode requires a secure channel without giving the client the option to choose. No negotiation takes place with implicit connections, and a client is immediately expected to challenge the server with a clientHello or the connection is dropped. Implicit FTPS connections use port 990 for the control channel and 989 for the data channel.
Explicit FTPS Mode
Explicit FTPS mode is the standard mode. It requires an FTP client to first explicitly request a secure connection and then to "step up" to a mutually agreed upon encryption method. The control channel connection and data channel connection can step up separately. A secure control channel is established by using an AUTH SSL or AUTH TLS command, and this communication should be secured prior to authentication. After that, secure data channel can be established using the PROT command. To end the secure communication, the CDC (clear data channel) or CCC (clear command channel) commands can be used. As a result, the data can be encrypted when encryption is required, but it doesn't have to include the overhead of encryption when it isn't needed.
FTPS? Or SFTP?
Confusing FTPS and SFTP as acronyms that can be used interchangeably is a common mistake, even though they aren't the same technology. While both include a combination of an asymmetric algorithm, a symmetric algorithm, and a key-exchange algorithm, FTPS uses x.509 certificates and most SFTP implementations use SSH keys. However, an SSH key does not verify the integrity of the key, nor the authenticity of the owner like a PKI-based solution does. FTPS is also not the same as FTP over SSH, tunneling the FTP traffic through a SSH connection. Pros and cons exist for both FTPS and SFTP, but diverse file-sharing solutions such as MoveIT Transfer support both so that you can determine which is right for your business needs.
Conclusion
The healthcare industry requires information exchange without compromising patients' PHI. While FTP alone doesn't provide the required protection - not only for patients' information safety, but also to meet the regulatory requirements - FTPS provides the means to encrypt the data across the wire to secure the data transfer. Although FTPS solutions may not be free, a business will spend much less to secure the data than it will on a HIPAA violation, so an FTPS solution is well worth the cost.
Missy Januszko
Missy Januszko is an independent IT consultant, with more than 20 years of experience as an enterprise hosting architect, large-scale infrastructure designer, and hosted application designer. She specializes in DevOps, automation and configuration management, PowerShell, and Active Directory, and has broad experience across the entire line of Microsoft business technologies. Missy is a co-author of “The DSC Book” with Microsoft MVP Don Jones, and she is also a conference speaker on DSC-related topics. She is a contributor to a number of open-source projects, including “Tug”, the open-source DSC pull server, and “Autolab”, an automated, rapid-install lab build.