Why you Shouldn’t Use FTP to Transfer Cloud Files

October 13, 2019 Security and Compliance, MOVEit

The cloud is a fact of life in 2019. From basic cloud collaboration tools to storage buckets on massive cloud platforms like Azure and AWS, most businesses perform thousands of cloud file transfers every day, whether they’re aware of it or not. For businesses and IT teams, this has been a boon. The cloud offers a level of flexibility and capability most on-premise systems could only dream of.

But the cloud also requires adaptation, and changing systems in order to properly—and securely—integrate with the cloud. This is especially true of file transfer systems, which are being called upon to undertake tasks they were never designed for.

FTP is a perfect example of this. We’re often asked if it’s ok to use FTP to transfer cloud files, and the answer is invariably no, not unless you really don’t care about the files you’re transferring.

What is FTP?


File Transfer Protocol (FTP) has been around for longer than most IT workers have been involved with computers. In fact, FTP traces back to the earliest days of networks (1971), predating even the emergence in the early 1980s of modern Internet Protocol (IP) networks based on TCP (Transmission Control Protocol). As its name suggests, FTP was invented as a simple way of moving files from one computer to another.

To do this, FTP software uses a client-server model that requires two parts: an FTP client and an FTP server. Historically, FTP has been a popular means of moving large files between systems or between desktops and systems. FTP is also a common means of sharing a file that is too large for an email attachment by uploading it to a neutral location for access by other systems, software or individuals. And while FTP is simple to use, that doesn’t mean it’s the best choice for transferring files.

For those familiar with its limitations, it is clear that FTP’s creators never envisioned today's security threat environment. While basic FTP has been enhanced with SSH and SSL along the way, for organizations that routinely transfer sensitive documents containing proprietary or regulated data, FTP servers have become a compliance liability.

Inherently Insecure, Especially in the Cloud 

Over time, the simplicity that made FTP so popular has become its biggest weakness. This is because, as mentioned above, the creators of FTP never considered modern security requirements, and thus didn’t build features to meet them.

FTP can be configured for access without valid authentication. Files are stored and transferred “in the clear,” i.e. unencrypted, and data transferred can be easily intercepted by hackers and cybercriminals as it traverses the open internet, say from cloud to on-premise, or vice versa. So when you transfer a file from one protected cloud server to another using FTP, whatever is transferred is unprotected while in transit. Authentication is equally insecure, with usernames and passwords transferred in plain text!
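As an added illustration (not part of the original article or any product it describes), the Python below audits FTP control-channel transcripts the way a network sensor could, flagging anonymous logins, passwords sent in plain text, and clients that fall back to cleartext after the server refuses `AUTH TLS`. The `USER`, `PASS` and `AUTH TLS` commands and the `234` reply are standard FTP; the transcripts, finding names and function names are assumptions made for this example.

```python
ANON_USERS = {"anonymous", "ftp"}
FILE_CMDS = {"RETR", "STOR", "APPE", "LIST", "NLST"}

# Constructed transcripts (not real traffic): "C:" is the client, "S:" the server.
SAMPLE_SESSIONS = {
    "anon": ["S: 220 ready", "C: USER anonymous", "S: 331 send email",
             "C: PASS guest@example.test", "S: 230 ok", "C: RETR payroll.csv"],
    "tls": ["S: 220 ready", "C: AUTH TLS", "S: 234 proceed with negotiation"],
    "fallback": ["S: 220 ready", "C: AUTH TLS", "S: 502 not implemented",
                 "C: USER alice", "S: 331 need password",
                 "C: PASS constructed-secret", "S: 230 ok", "C: STOR report.pdf"],
}


def audit_session(lines):
    """Return sorted finding codes for what is readable on one control channel."""
    findings, pending_auth, anon = set(), False, False
    for line in lines:
        side, _, text = line.partition(": ")
        if side == "S":
            if pending_auth:
                pending_auth = False
                if text.startswith("234"):
                    break  # AUTH TLS accepted: everything after this is encrypted
                findings.add("tls-refused")  # client asked for TLS, server said no
            continue
        verb, _, arg = text.strip().partition(" ")
        verb = verb.upper()
        if verb == "AUTH":
            pending_auth = True
        elif verb == "USER":
            anon = arg.strip().lower() in ANON_USERS
            if anon:
                findings.add("anonymous-login")
        elif verb == "PASS" and not anon:
            findings.add("cleartext-password")  # never log the value itself
        elif verb in FILE_CMDS:
            findings.add("cleartext-transfer")  # no TLS, so the data channel is open too
    return sorted(findings)


def audit_all(sessions):
    return {name: audit_session(lines) for name, lines in sessions.items()}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_SESSIONS).items():
        print(f"{name}: {', '.join(findings) or 'no cleartext credentials or transfers seen'}")
```

The "fallback" session is the case to watch for in monitoring: the client requested TLS, was refused, and sent its credentials in the clear anyway.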

Despite all this, the use of FTP servers to transfer files has remained popular. Organizations that need to share protected data, however, are increasingly uncomfortable with their ability to secure and manage environments with multiple, disparate FTP servers. Compliance audit firms often see these environments as a red flag and the U.S. FBI even issued an industry alert bulletin cautioning businesses about the risk that FTP servers can present. 

When unmanaged or insecure FTP servers exist in an organization that routinely deals with data that is protected under HIPAA, PCI, FINRA, FDA, SOX or other industry regulations, there is also a risk of significant fines. Some 65% of all data breaches originate with a user. The majority of those cases are due to inadvertent errors or poor judgement where sensitive data is mishandled or stored in an unauthorized location, like the file directory of an FTP server or a consumer-grade file sharing service.

In most instances today, FTP's function is actually served by SFTP servers and SSH clients. SFTP is similar to FTP with the exception that all traffic, including passwords, commands and data, is encrypted to prevent eavesdropping during transmission.

The Answer: Managed File Transfer

While FTP is a basic server-client model, a Managed File Transfer (MFT) system can be thought of as a large, centralized file transfer system complete with all the visibility, reporting, logging, security, tracking, integrations with your security architecture, failover and assured delivery features already built in by design (as opposed to add-ons). These are enterprise-class solutions upon which core processes, like the medical billing and payment systems of a hospital, can be built. For instance, a single implementation may include multiple transfer servers, workflow automation systems and cloud-based transfer services all under management from a centralized console.

These systems are also designed to assure data security for organizations that have core business processes requiring the exchange of files containing sensitive data with external parties. In these cases, there is also a concern of compliance with data protection mandates such as the above-mentioned PCI-DSS, HIPAA, ISO-27001, GDPR and others in which substantial fines are levied in cases of data exposure, loss or breach. Some of the more valuable features of MFT, in this case, are integration with pre-existing security infrastructure such as anti-virus, DLP and access control systems. Another key feature of many MFT systems is centralized logging and compliance reporting.

Jeff Edwards

Jeff Edwards is a tech writer and analyst with three years of experience covering Information Security and IT. Jeff has written on all things cybersecurity, from APTs to zero-days, and previously worked as a reporter covering Boston City Hall.
