The Internet is a scary place for businesses, which is obviously why many are paying closer attention to best practices for securing their file transfers.
Among those best practices for securing data: encryption. There are three options for encrypting file transfer data: FTPS (File Transfer Protocol Secure), SFTP (SSH File Transfer Protocol) and HTTPS (HTTP Secure). All three are heavily used for internal-to-external, or business-to-business, transfers. But first, let's start with the basics.
What is Encrypted File Transfer?
File transfer encryption (such as SFTP encryption) is an essential security measure that prevents outsiders from being able to read or understand the data being transferred. This protects the information from potential hackers. When data is encrypted, the information is transformed into an unreadable format while in transit, and once it reaches its destination, the data becomes readable again. This way, the data is only accessible to those it is intended for.
End-To-End Encryption Options
The fastest of the three file transfer encryption options, and the most widely implemented, is FTPS encryption (FTP over SSL). FTPS has implicit and explicit modes, but both use SSL encryption. With FTPS implicit SSL, the client and server establish an SSL session before any data can be transferred. By comparison, in FTPS explicit SSL, the client and server negotiate together what level of encryption is required for the data transfer. This is helpful because both unencrypted FTP and encrypted FTPS sessions can occur on a single port. However, this can't always occur, and a range of data ports must be available for use.
SFTP only requires one port, making it one of the simpler options for FTP encryption. All data exchanged between an SFTP client and server is protected by an encryption cipher, as well as through the use of public and private keys. These offer further protection through another form of authentication, called public key authentication.
While FTPS and SFTP encryption are well suited to server-to-server use, HTTPS is better for interactive, human-based transfers. We can see HTTPS at work in the websites we use every day: HTTPS protects data sent between web browsers and the websites we visit, and browsers like Chrome and Firefox even display this security visually through a locked padlock in the address bar. HTTPS uses the SSL or TLS protocols. Like SFTP, HTTPS also uses public key infrastructure. In this system, the public and private keys depend on each other: data encrypted with the public key can only be decrypted with the private key, and vice versa.
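The two paragraphs above describe the same key pair doing two different jobs: in SFTP public key authentication the private key signs a challenge and the server checks it against the registered public key, and in HTTPS-style PKI anything locked with the public key can only be opened by the private key. The following Go program is an added example written for this article (it is not code from the original post or from any product it mentions) that exercises both directions with the standard library's RSA implementation; the function names EncryptForOwner, DecryptAsOwner, SignChallenge, VerifyChallenge and Demo, and the sample payload, are this example's own choices.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// EncryptForOwner seals data under the owner's PUBLIC key (RSA-OAEP). Anyone
// holding the public key can encrypt; only the private key can decrypt.
func EncryptForOwner(pub *rsa.PublicKey, data []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, data, nil)
}

// DecryptAsOwner opens an EncryptForOwner blob with the PRIVATE key.
func DecryptAsOwner(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

// SignChallenge is the client side of public key authentication: the client
// proves it holds the private key by signing the server's random challenge
// (RSA-PSS over SHA-256). The private key itself never crosses the wire.
func SignChallenge(priv *rsa.PrivateKey, challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, h[:], nil)
}

// VerifyChallenge is the server side: the signature must verify against the
// public key registered for that user (the authorized-keys idea).
func VerifyChallenge(pub *rsa.PublicKey, challenge, sig []byte) bool {
	h := sha256.Sum256(challenge)
	return rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, nil) == nil
}

// Outcome records which of the four expected properties held in Demo.
type Outcome struct {
	OwnerDecrypts    bool // the matching private key recovers the plaintext
	OtherKeyFails    bool // an unrelated private key cannot
	OwnerAuthOK      bool // the registered key's signature verifies
	ImpostorRejected bool // a signature made with another key is rejected
}

// Demo exercises both directions with a legitimate owner and an unrelated
// second key pair standing in for someone who does not hold the owner's key.
func Demo() (Outcome, error) {
	var out Outcome
	owner, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return out, err
	}
	other, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return out, err
	}

	// Encryption direction: public key locks, private key unlocks.
	secret := []byte("constructed sample: payroll export, do not share")
	ct, err := EncryptForOwner(&owner.PublicKey, secret)
	if err != nil {
		return out, err
	}
	pt, err := DecryptAsOwner(owner, ct)
	out.OwnerDecrypts = err == nil && string(pt) == string(secret)
	_, err = DecryptAsOwner(other, ct)
	out.OtherKeyFails = err != nil

	// Authentication direction: private key signs, public key verifies.
	// A fresh random challenge per login means a captured signature is useless later.
	challenge := make([]byte, 32)
	if _, err = rand.Read(challenge); err != nil {
		return out, err
	}
	sig, err := SignChallenge(owner, challenge)
	if err != nil {
		return out, err
	}
	out.OwnerAuthOK = VerifyChallenge(&owner.PublicKey, challenge, sig)
	badSig, err := SignChallenge(other, challenge)
	if err != nil {
		return out, err
	}
	out.ImpostorRejected = !VerifyChallenge(&owner.PublicKey, challenge, badSig)
	return out, nil
}

func main() {
	out, err := Demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%+v\n", out)
}
```

Running it prints all four fields as true. The point for a defender is the asymmetry: the server only ever stores public keys, so a compromised server leaks nothing that lets an attacker log in as its users, and a file sealed to a recipient's public key stays sealed to everyone else, including the sender.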
Ultimately, all three of these options (FTPS, SFTP and HTTPS) will automatically and transparently encrypt a company's data and protect it from being sniffed as it traverses the Internet. Which is right for your company boils down to your specific file transfer encryption needs.
Why It’s Crucial to Encrypt Data at Rest
Not only is it important to encrypt data as you transfer files from one server to the next, but it is equally important to protect and encrypt this data as it rests on your home server. Why? Two reasons. One, data exchange files are particularly vulnerable because they are files in a very easily consumed format. Encrypting the resting file adds a new level of protection against potential hackers. Two, file transfer servers on the Internet are more exposed to attack.
By encrypting data at rest, a hacker would not only have to break into the server, but would also have to find the key to decrypt the data. This makes their task longer and more strenuous, giving your organization ample time to notify the authorities and track down the intruder.
Yes, your company may be using a firewall, a DMZ or a reverse proxy, but even with these in place you're still exposed, because all three are connected to the outside world, while a file transfer is not. Given today's threat of cyber theft, it is important for organizations to take a strategic and defensive approach by protecting their data, regardless of whether it is in motion or at rest.
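The claim above is that an intruder who gets the file still needs the key. The Go program below is an added example for this article (not code from the original post or from any product it mentions) that makes the claim concrete with AES-256-GCM from the standard library: it writes a constructed sample record to a temporary directory in sealed form and then checks what the file gives up without the key, what a wrong key yields, and what happens when a single bit of the stored file is altered. The function names NewKey, Seal, Open and Demo and the sample record are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// NewKey returns a random 256-bit AES key. The key is the one thing the intruder
// still has to find, so it lives apart from the data: a KMS or HSM, or at minimum
// a separate file readable only by the transfer service account.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

// gcmFor builds the AES-GCM AEAD for a key.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext and returns nonce || ciphertext || tag. The tag is what
// makes a tampered file get rejected instead of silently decrypting to garbage.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // random; must never repeat under one key
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal. A wrong key or a modified byte returns an error.
func Open(key, blob []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob shorter than nonce")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// Outcome records what someone holding the file, but not the key, can do with it.
type Outcome struct {
	RoundTrip     bool // the right key recovers the original record
	NoPlaintext   bool // the file on disk does not contain the cleartext
	WrongKeyFails bool // another key yields an error, not data
	TamperFails   bool // a one-bit change to the file is detected
}

// Demo stores a constructed sample record in a temp dir and probes it.
func Demo() (Outcome, error) {
	var out Outcome
	dir, err := os.MkdirTemp("", "at-rest-demo")
	if err != nil {
		return out, err
	}
	defer os.RemoveAll(dir)
	key, err := NewKey()
	if err != nil {
		return out, err
	}
	record := []byte("id,name,card\n1,Jane Doe,4111111111111111\n") // constructed sample
	blob, err := Seal(key, record)
	if err != nil {
		return out, err
	}
	path := filepath.Join(dir, "customers.csv.enc")
	if err = os.WriteFile(path, blob, 0o600); err != nil { // owner-readable only
		return out, err
	}
	onDisk, err := os.ReadFile(path)
	if err != nil {
		return out, err
	}
	got, err := Open(key, onDisk)
	out.RoundTrip = err == nil && bytes.Equal(got, record)
	out.NoPlaintext = !bytes.Contains(onDisk, []byte("Jane Doe"))
	other, err := NewKey()
	if err != nil {
		return out, err
	}
	_, err = Open(other, onDisk)
	out.WrongKeyFails = err != nil
	onDisk[len(onDisk)-1] ^= 0x01 // flip one bit; the GCM tag no longer matches
	_, err = Open(key, onDisk)
	out.TamperFails = err != nil
	return out, nil
}

func main() {
	out, err := Demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%+v\n", out)
}
```

All four fields come back true. The design choice worth noting is an authenticated mode (GCM) rather than plain AES-CBC: with CBC a wrong key or a corrupted file decrypts to noise that a downstream job might happily process, whereas here it is an error you can alert on.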
Data That May Be Accessed By or Shared With Third Parties
When a company shares a file with another company, it is typically using a storage vendor that provides automatic encryption. However, these storage vendors often require that all of your users be authenticated to a domain before use. So what happens when you need to transfer a file to a company that has not been authenticated? What options do you have? Must you only work with vendors that have been authenticated? Your company will need a different way of ensuring that the files, both in motion and at rest, are encrypted.
Most companies have a policy in place that every file needs to be encrypted before it is transferred, typically using PGP. PGP (Pretty Good Privacy) is a failsafe for companies to ensure that if someone uploads a file, it gets encrypted without the third party having to be tech-savvy and implement it themselves. However, while PGP is valuable, there is still the risk that something will break and the file won’t be PGP encrypted.
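One cheap control against the failure mode just described, a file leaving unencrypted because the PGP step silently broke, is a gate that refuses to release any outbound file that does not look like an OpenPGP message. The Go program below is an added example for this article (not code from the original post or from any product it mentions) implementing that check from the OpenPGP packet format in RFC 4880: it accepts an ASCII-armored "PGP MESSAGE" block or a binary file whose first packet is a public-key or symmetric-key encrypted session key (tags 1 and 3), and rejects cleartext, clearsigned text, key blocks and signature-only packets. The sample inputs are hand-built header bytes, not real PGP output, and the names LooksPGPEncrypted, firstPacketTag, Samples and Gate are this example's own.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// Packet tags (RFC 4880 section 4.3) that open an encrypted OpenPGP message: the
// session key arrives either wrapped for a public key or derived from a passphrase.
const (
	tagPKESK = 1 // Public-Key Encrypted Session Key
	tagSKESK = 3 // Symmetric-Key Encrypted Session Key
)

const armorMessage = "-----BEGIN PGP MESSAGE-----"

// firstPacketTag decodes the tag of the first packet in a binary OpenPGP file
// (RFC 4880 section 4.2). Bit 7 of the first byte must be set; bit 6 selects the
// new (1) or old (0) header format, which keep the tag in different bits.
func firstPacketTag(data []byte) (int, error) {
	if len(data) == 0 {
		return 0, errors.New("empty file")
	}
	b := data[0]
	if b&0x80 == 0 {
		return 0, errors.New("first byte is not an OpenPGP packet header")
	}
	if b&0x40 != 0 {
		return int(b & 0x3F), nil // new format: tag in bits 0-5
	}
	return int((b >> 2) & 0x0F), nil // old format: tag in bits 2-5
}

// LooksPGPEncrypted reports whether a file is plausibly a PGP-encrypted message,
// with a short reason. Cleartext, signed-only messages and key blocks all fail,
// which is exactly the condition the release step should stop on.
func LooksPGPEncrypted(data []byte) (bool, string) {
	trimmed := bytes.TrimLeft(data, " \t\r\n")
	if bytes.HasPrefix(trimmed, []byte(armorMessage)) {
		return true, "armored PGP MESSAGE"
	}
	if bytes.HasPrefix(trimmed, []byte("-----BEGIN PGP")) {
		return false, "armored block that is not a MESSAGE (signature or key?)"
	}
	tag, err := firstPacketTag(data)
	if err != nil {
		return false, err.Error()
	}
	switch tag {
	case tagPKESK:
		return true, "binary OpenPGP: public-key encrypted session key"
	case tagSKESK:
		return true, "binary OpenPGP: symmetric-key encrypted session key"
	}
	return false, fmt.Sprintf("binary OpenPGP packet tag %d is not an encrypted message", tag)
}

// Sample is a constructed outbound file with the verdict the gate should give.
type Sample struct {
	Name string
	Data []byte
	Want bool
}

// Samples are hand-built header bytes for the example, not real PGP output.
var Samples = []Sample{
	{"armored message", []byte("-----BEGIN PGP MESSAGE-----\n\nhQEMA...\n"), true},
	{"old-format PKESK (0x85)", []byte{0x85, 0x01, 0x0c, 0x03}, true},
	{"new-format SKESK (0xC3)", []byte{0xC3, 0x04, 0x04}, true},
	{"cleartext CSV", []byte("id,name\n1,Jane Doe\n"), false},
	{"clearsigned, not encrypted", []byte("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n"), false},
	{"old-format signature packet (0x88)", []byte{0x88, 0x00}, false},
	{"old-format literal data (0xAC)", []byte{0xAC, 0x10}, false},
}

// Gate runs the check over every sample and returns how many verdicts matched.
func Gate() int {
	matched := 0
	for _, s := range Samples {
		got, why := LooksPGPEncrypted(s.Data)
		if got == s.Want {
			matched++
		}
		fmt.Printf("%-36s encrypted=%-5t %s\n", s.Name, got, why)
	}
	return matched
}

func main() {
	fmt.Printf("%d of %d samples judged as expected\n", Gate(), len(Samples))
}
```

Treat this as a tripwire, not proof: it confirms that an encryption step ran, not that the file was encrypted to the right recipient key, and a text file that happens to begin with a UTF-8 lead byte such as 0xC3 would pass as a new-format tag 3 packet. Pair it with the exit status of the PGP tool itself, and alert on every rejection rather than quietly retrying.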
Is PGP Encryption Good Enough?
So what happens when PGP breaks? Or better yet, is PGP even strong enough to protect a company's most crucial and private files? Many customers leverage PGP and praise its effectiveness. And, yes, PGP is incredibly effective in the hands of security experts and practitioners. These professionals understand security ciphers and keys, and know how to fix something if it breaks.
However, for the less tech-savvy among us, what happens is a scenario similar to this: we are given a login for decrypting a file transfer. If we are unable to figure it out, we typically ask someone else in the office for help. Now this code is no longer private, because someone else has been given access. It's just as if you had shared the password that grants access to all of the data.
Simply put, you wouldn't implement a firewall and then declare that your entire network is safe. No, you would take further precautions to assure your employees and your customers that your system is secure. And this is exactly how PGP should be treated. You should have PGP in place, but you should also take the extra security measures to ensure that your network itself is protected.
Learn More About Encrypted File Transfer
If you're interested in learning more about encryption and file transfer security, be sure to read the ebook 'The Definitive Guide to Managed File Transfer'.
And you're always welcome to visit my own site (UltimateWindowsSecurity.com) for news and analysis.