Nope, I haven’t lost my mind. “One is secure, the other isn’t,” you claim. But there’s more to it than that.
SFTP didn’t evolve from FTP but from SSH – a secure network protocol designed to eliminate the shortcomings of Telnet, which was intended for use on private networks. Therefore, the ‘S’ stands for ‘Secure Shell.’
In comparison, FTPS, the successor to FTP, was merely an extension (an afterthought) that bolted the desired security features onto FTP. SFTP, on the other hand, was built from the ground up with security in mind, which is why it became the more popular option in most file transfer situations. Both FTP and SFTP allow users to transfer files, i.e., they serve the same basic function, but they are worlds apart.
In business, all data is considered essential. Some data is more critical and requires transfer for review, collaboration, and sharing with your desired audience, suppliers, colleagues, or partners. Typically, a data repository (files and folders in the traditional manner) is used, and, for those savvy enough to avoid third-party clouds, private file servers offer the maximum amount of in-house control. The file transfer method used must secure data during all aspects of its journey, from creation to final deletion. With file transfers involving remote server access, additional security risks are introduced. These include data loss due to breaches, user error, or malicious actors.
Businesses should avoid standard FTP usage (SCP also has security issues) for sensitive or confidential data transfer. Use SFTP if a managed file transfer (MFT) solution is not in the budget. Reasons include, but are not limited to:
Encryption scrambles data so that only the sender and recipient can read it. FTP does not offer encryption, so intercepted data is easily read by third parties. SFTP uses Secure Shell (SSH) and verifies the recipient server’s host key before any data transfer begins. Regardless of industry or location, it’s likely your business must be compliant with one or more of the following standards (AND with local data privacy laws): HIPAA, ITAR, PCI-DSS, SOX, and GLBA. All of these make encrypted data compulsory for compliance.
With FTP, multiple ports are used to transfer files (a secondary data channel is required), but SFTP sends and receives all data over one port – port 22. This makes firewall configuration easier and boosts overall security. In addition, FTP doesn’t offer a standard method to change file and directory attributes.
FTP is easily hacked – even amateurs can intercept FTP transfers with a basic set of tools (provided with Kali Linux, for example) or by using the anonymous login feature.
It’s easy to make an error. Sending the wrong file or sending the correct file to the wrong recipient could cause serious issues for your company. While human error is not eliminated with SFTP, it is reduced as recipient host keys are verified before file transfer begins.
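The host-key check mentioned above (SFTP verifies the server’s key before any file is transferred), as an added example that is not the article’s own code: it looks a server up in an OpenSSH-style known_hosts file, handles both plain and hashed host entries, and refuses to proceed on a key mismatch. The hostnames, keys and salt used here are constructed for illustration.

```python
import base64
import hashlib
import hmac
# Added example (not the article's code): the host-key check an SSH/SFTP
# client performs against known_hosts before any file data flows.
# All key material and hosts below are constructed, not real servers.

def fingerprint(key_b64: str) -> str:
    """OpenSSH-style 'SHA256:<base64>' fingerprint of a public-key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def _host_hmac(salt: bytes, host: str) -> bytes:
    return hmac.new(salt, host.encode(), hashlib.sha1).digest()

def hashed_host_entry(host: str, salt_b64: str, key_type: str, key_b64: str) -> str:
    """Build a known_hosts line in the hashed form |1|<salt>|<hmac-sha1>."""
    mac = _host_hmac(base64.b64decode(salt_b64), host)
    return f"|1|{salt_b64}|{base64.b64encode(mac).decode()} {key_type} {key_b64}"

def _host_matches(pattern: str, host: str) -> bool:
    """Match a plain or comma-separated host field, or a hashed one."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|")
        mac = _host_hmac(base64.b64decode(salt_b64), host)
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return host in pattern.split(",")

def verify_host_key(known_hosts: str, host: str, key_type: str, key_b64: str) -> str:
    """'ok' if host is listed with exactly this key; 'mismatch' if listed with a
    different key of that type (abort: not the server recorded earlier); else
    'unknown'.  @cert-authority / @revoked marker lines are skipped, not parsed."""
    seen = False
    for line in known_hosts.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith(("#", "@")):
            continue
        if parts[1] != key_type or not _host_matches(parts[0], host):
            continue
        seen = True
        if hmac.compare_digest(parts[2], key_b64):
            return "ok"
    return "mismatch" if seen else "unknown"

# Constructed sample data: one plain entry with an IP alias, one hashed entry.
GOOD_KEY = base64.b64encode(b"constructed host key blob, not a real key").decode()
OTHER_KEY = base64.b64encode(b"a different constructed key blob").decode()
SALT_B64 = base64.b64encode(b"0123456789abcdef0123").decode()  # 20-byte salt like OpenSSH
KNOWN_HOSTS = "# constructed known_hosts\n" + \
    "files.example.com,10.0.0.5 ssh-ed25519 " + GOOD_KEY + "\n" + \
    hashed_host_entry("archive.example.com", SALT_B64, "ssh-ed25519", GOOD_KEY)
```

A real client treats "unknown" as a prompt to confirm the fingerprint out of band and "mismatch" as a hard stop; a host known only under another key type also reports "unknown" here.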
Diagnostics are an issue for SFTP, as all logs (and messages) are in binary. SSH keys are difficult to manage and validate, and some features (when enabled or disabled) lead to compatibility issues with client-side software from different vendors. In addition, if you’re in software development, implementing file transfers may need additional tools. For example, the .NET framework has no native SSH or SFTP support.
In conclusion, while this is not an exhaustive list of pros and cons for each protocol, it’s clear FTP is not advised if you value your data, unless you introduce encryption over TLS/SSL. Even then, SFTP is more secure. Ultimately, YOU MUST CHOOSE a file transfer solution that suits your purpose, platform usage, and business objectives. Whether your file transfer includes servers, desktops or mobile devices, there are solutions for all options. At the time of writing, SFTP is generally considered the most secure, ahead of FTPS and SCP. While there is no such thing as 100% secure in cybersecurity, if compliance, flexibility, automation, and an audit trail are your aim, then a managed solution that offers an SFTP client as an option for file transfers is best.
An Irishman based in Hong Kong, Michael O’Dwyer is a business & technology journalist, independent consultant and writer who specializes in writing for enterprise, small business and IT audiences. With 20+ years of experience in everything from IT and electronic component-level failure analysis to process improvement and supply chains (and an in-depth knowledge of Klingon), Michael is a sought-after writer whose quality sources, deep research and quirky sense of humor ensure he’s welcome in high-profile publications such as The Street and Fortune 100 IT portals.