I’ll assume you’re sitting down somewhere, staring at a screen, ardently reading about the greatest protocol debate that’s ever existed: SFTP vs. FTP. After all, it’s a topic that’s always on the lips of most CIOs and IT experts alike.
I’ll also assume I don’t see those protein-packed bars on the side and that hot cup of coffee a hand’s reach away.
Much like breathing, the process of moving files from Point A to Point B has somewhat become a formality in today’s work environment. Rarely do people stop and think about the intricacies of this menial task. But for IT enthusiasts like yourself, it’s a known fact that there’s always more than meets the eye as far as secure file transfer is concerned.
Sometimes, you can’t help but wonder whether data in transit is truly safe. Other times, you spend countless hours pondering on the two best security protocols in town: SFTP vs. FTP. Then there’s always the looming question of, “Which is the better protocol?”
The articles you’ve stumbled upon online have barely done justice to this topic. If anything, these blogs have only thrust you deeper into the murk of confusion. You need clarity, and you need it now.
Fret not—we’ve got you covered. In this blog post, we’ll explore the what, how, and why of SFTP vs. FTP. Most importantly, we’ll lift the lid on the better protocol and cast away your doubts once and for all.
First Things First: The Definitions
What, Exactly, is FTP?
There’s no easier acronym on the web. FTP stands for “File Transfer Protocol”, and it’s simply a protocol for sharing files between a client and a server on a computer network.
Predating the modern internet, FTP has been around since the 70s—April 1971, to be exact. At its core, FTP relies on two communication channels between the client and server: the command channel and a data channel.
Rather unsurprisingly, FTP also includes commands which you can use to execute operations on any remote computer. These commands vary from deleting files to showing folder contents to changing directories.
When FTP was first created, people didn’t think that the internet would once be a breeding ground for malicious actors. People never envisioned a world where there would be a new cyber-attack on the web every 39 seconds. Oh my, how times have changed!
Since people have figured out that they can wreak havoc on others’ digital assets for pleasure or gain unscrupulous access, sharing demanded a security evolution. And that’s when SFTP came into the picture.
What is SFTP?
Put simply, SFTP, or Secure File Transfer Protocol, is a secure version of File Transfer Protocol (FTP). If SFTP was a prison, it would probably be the famed ADX Florence—secure from end to end.
SFTP first came into the limelight in 1997, and was originally designed by Tatu Ylonen for SSH 2.0. It essentially provides a secure connection to transfer files on both the local and remote systems.
Given that it’s a more sophisticated and advanced protocol than FTP, SFTP allows users to choose the level of authentication they want when transferring files. Users can transfer files using a combination of user ID and password, using SFTP with no added authentication, or using a pair of SSH keys.
Talking of SSH, SFTP is fundamentally part of the SSH (Secure Shell) protocol. In other words, SFTP cannot exist without SSH—SFTP uses SSH as the binding agent to transfer files securely.
Now that we’ve stripped down these two concepts to their barebones, let’s tackle the elephant in the room: how different they actually are.
FTP vs. SFTP: The Differences that Really Matter
In this section, we’re going to bring out key differences between FTP and SFTP using seven distinct criteria (it’s not rocket science, we promise).
1. How They Work
One key differentiator between the two protocols is how they get data from one endpoint to the other.
Being a client-server protocol, FTP works by facilitating communication between two native computers or endpoints. For starters, a user needs to log on to the FTP server. The client then initiates conversation with the server when the user requests to download a file. In retrospect, a client can upload, download, rename, delete, move, and copy files on a server.
SFTP, on the other hand, works by sending files over secure shell (SSH)—essentially a transport layer that’s used to secure logins and information moving between two endpoints. The SFTP protocol first establishes a secure connection and then provides a higher level of protection for data while transferring it. Unlike FTP, SFTP leverages AES, Triple DES, and other algorithms to encrypt data that flows between systems.
Don’t get me wrong, though. SFTP still follows the classic client-server architecture—only that the connection here is far more robust and secure compared to its predecessors.
2. Mode of Authentication
Does FTP really authenticate client-server interactions? If yes, does it do so reliably?
Well, that’s akin to asking whether Corona (yes, the beer—not the pandemic) is sweet or not.
The answer? No, not at all.
Some would say that most FTP servers still use cleartext passwords for authentication. But guess what? Cleartext passwords were declared null and void as early as the mid-1990s when password sniffing attacks started to gain traction. In other words, FTP has no reliable means of authentication—at least not one that we know of.
As for SFTP, authentication is—dare we say?—a formality. It’s a mainstay, much in the same way Lewis Hamilton is to Formula 1. Since SFTP is built on the SSH transport layer, SSH user authentication is used for all of the protocol’s communication exchanges.
That said, SFTP typically supports the following methods for user authentication:
- Password-based authentication where a user name and password is supplied (although this is widely prone to sniffing attacks).
- Cryptographic authentication, or key-based authentication, where a user name and an SSH key is used. Key-based authentication is much more secure and reliable than password based authentication. What’s more, it has the benefit of being able to use the same authentication keys for multiple servers and eliminates the need for password management.
- Two-factor authentication (or 2FA) where a password and an SSH key is supplied. With 2FA, security is pretty much guaranteed since a user can access their account even if someone else knows their password. Ask any IT aficionado out there and they’ll gladly tell you that 2FA offers the highest level of security around.
For the sake of this blog, let’s dive a little deeper into how SFTP leverages both username/password and SSH keys for authentication:
At first, you have to generate a SSH private key and public key. You then send your SSH public key to your trading partner and they load it onto their server and associate it with your account. When they connect to your SFTP server, their client software will transmit your public key to the server for authentication. If the public key matches your private key, along with any password or username supplied, then the authentication will succeed.
3. Communication Channels
The term “communication channels” has been around for ages, and it’s not going anywhere anytime soon.
In the context of FTP and SFTP, communication channels refers to transportation routes taken by data to reach its intended destination.
Like we pointed out earlier, FTP uses two separate channels to move data between the client and server: The command channel (for controlling conversation) and a data channel (for transmitting file content). These channels are unencrypted (by default), meaning that if someone could gather data between the server and client (man-in-the-middle attack), it would easily be decrypted.
How, you ask?
Well, FTP data is typically sent as plain text (read: plain, uncoded, readable text). That makes it super easy to gather information from the captured data.
Then we have SFTP, where the channel used to move data is just one. This channel, like we mentioned earlier, is protected by the use of SSH cryptographic keys or a combination of username and password. Unlike FTP, SFTP transmissions are, quite frankly, uninterruptible. The encryption on here is sturdy and devoid of any loopholes. Even if someone does manage to obscure the transmission, they still wouldn’t be able to read the data.
4. Firewalls Compatibility
Another major difference between FTP and SFTP is their compatibility with firewalls.
Given that FTP uses multiple ports and needs a secondary channel to move data, using firewalls is inherently difficult—if not impossible. And as you well know, firewalls are incredibly important at deterring hackers from accessing your network remotely.
On the other hand, since SFTP uses a single channel to move data between the client and the server, it tends to be more firewall-friendly. You wouldn’t need a Harvard degree in data security to weave in firewalls into your SFTP setup.
5. Regulatory Compliance
Next to oil, data is perhaps the most precious commodity there is today. Depending on the sensitivity of the data in question, pieces of personal information have recently proved to be a hotcake in the dark web—sometimes fetching up to $6,000 per piece. In response to these spate of data breaches and subsequent sales, industry associations and government organizations have developed regulations to help protect sensitive information across all endpoints.
Let’s face it, though. Meeting regulatory compliance like the Payment Card Industry Data Security Standard (PCI DSS) and the General Data Protection Regulation (GDPR) can be incredibly complex and time-consuming. Mind you, organizations who fail to meet these requirements are often slapped with heavy fines.
As far as compliance to these regulations goes, the FTP protocol barely scratches the surface. In fact, it can’t facilitate compliance. SFTP, on the hand, provides a secure framework and robust reporting that can meet even the most rigorous compliance mandates. That’s because it provides all the necessary controls:
- End-to-end encryption.
- Server data logging and audits.
- Restricted access to sensitive data.
- Standardized connections between machines.
6. Vulnerabilities
If there’s one area where SFTP gives FTP a cold knockout punch, it’s this one.
The first (rather obvious) vulnerability is that FTP is hugely prone to human error. You accidentally send a file to the wrong address or send the wrong file altogether and boom, your company finds itself in hot soup right away. Of course, you can take proactive steps to promote a culture of security awareness within your business to reduce the possibility of human error. But even then, you’ll be turning a blind eye to the fact that hackers are always roaming around (newsflash: they always are). In other words, you’re not immune to vulnerabilities—human, security-oriented or otherwise—if you are still a diehard fan of the FTP protocol. Uh-oh.
As for SFTP, it’s much more preferred in terms of secure data transfers. The mere fact that it uses SSH keys to verify a recipient’s identity before a transfer occurs gives it an edge over FTP.
Like we mentioned earlier, FTP wasn’t developed with security considerations in mind and, on its own, is not secure. Data is sent “in the clear” (unencrypted), making it more vulnerable to interception and compromise. That’s definitely not the case with SFTP.
While there are a number of add-ons that have been developed for FTP to help organizations overcome its rather blatant shortcomings, the technology proves to be especially troublesome in today’s havoc-ridden business environment. Just recently, the FBI issued a stern warning to healthcare organizations using anonymous FTP servers, as they had become easy targets for cyberattacks.
While SFTP is inherently a product of FTP, it provides more granular control, compliance assistance, and robust data security features that go far beyond the confines of the good ol’ FTP protocol. That’s a fact, an indisputable one at that, and as John Adams once put it:
“Facts are stubborn things; and whatever may be our wishes, our inclinations, or the dictates of our passions, they cannot alter the states of facts and evidence.”
It’s the era of SFTP, and we’re just lucky to live in it.
FTP vs. SFTP in a Nutshell: Key Pros and Cons That You Need to Know
Pros of FTP
- Transfers can be resumed or rescheduled.
- There’s no size limitation on single transfers.
- Most FTP clients have a synchronizing utility.
- Most FTP clients offer scripting capabilities.
- You can create scripts to automate file transfers.
- FTP allows you to transfer multiple file at one go.
Pros of SFTP
- The connection is always secured (This is a big, BIG one! And it’s pretty much a no-brainer in today’s attack-ridden business ecosystem.).
- Since SFTP runs on a secure channel, no clear text passwords or file data are transferred.
- Speed and optimum efficiency.
- No hardware needed—using SFTP doesn’t require any additional utilities like servers or infrastructure.
- Reduced costs (who doesn’t know how costly in-house servers are?).
- Ease of access—from an accessibility point of view, SFTP provides a single location to store all of its business files and gives you complete control and flexibility over it.
In other words, SFTP provides many (if not all) of the advantages that FTP has—but with superior security.
Cons of FTP
- It’s difficult to monitor file activity.
- Compliance is an issue.
- FTP can be vulnerable to attacks (hello there, spoofing and brute force attacks).
- Encryption is not a given.
- FTP lacks (with a capital ‘L) security.
Cons of SFTP
- SSH keys are not easy to manage and validate.
And the list ends there.
The Battle of File Transfer Protocols: Which One Takes the Crown?
When comparing FTP vs. SFTP for data transfer, consider security above all else.
Let’s be honest; we live in a world where everyone and their kin is using file transfer in some capacity. With it comes far-reaching, deep-rooted security concerns. Other than the obvious possibility of sensitive data falling into the wrong hands, there’s also the issue of regulatory compliance. Finding the best way to share files securely is not just important; it’s mission critical for the safety of your personal and business assets alike (No one likes when pictures of their dogs dressed up as pumpkins are hacked.).
So, which one is the better protocol between FTP and SFTP, you ask?
SFTP, hands down. And it’s not even close.
While some would argue that one is not technically more secure than the other, we strongly believe, like many industry experts, that SFTP is a far superior protocol to FTP and that’s why we use it—even though we support FTP, SSL/FTPS, SSH/SFTP, and HTTP/HTTPS connections.
Today, FTP should only be used on extreme legacy systems and for public access anonymous FTP. Even for anonymous public access, HTTPS and web servers have largely replaced FTP.
All said and done, we can all agree that SFTP really is the king of all transfer protocols (all hail the king). The security perks it delivers—from two-factor authentication to end-to-end encryption and everything in between—are, quite frankly, unrivalled.
Now, what is it going to be? SFTP or FTP? Water-tight security or hogwash security?
You know the answer. We know the answer. It’s up to you to act. All the best!
A Free and Easy Way to See SFTP in Action
Perhaps the best way to experience the security prowess of SFTP is to see the protocol in full swing. You can try out MOVEit Transfer with a fully functional free trial that delivers the security benefits of SFTP combined with the best-in-class reliability and compliance of MFT.
MOVEit Transfer can also handle FTP and HTTPS, among other connections. Give it a try for free today—no credit card required.