Explanation by Coviant Software: Useful Tips & Technology Guides
What is Secure FTP (File Transfer Protocol)?
FTP is a file transfer protocol that does not include any options for encrypting data in transit. It was originally designed for use in private scientific and research networks and is based on a specification defined in 1985 by the Internet Engineering Task Force in RFC 959. FTP uses one connection for sending commands (the command channel) and opens a separate data connection each time the client or server needs to send data, which requires multiple firewall ports to be opened. Authentication data (e.g., usernames and passwords) is exchanged on the command channel in cleartext. Data files are sent on a separate cleartext channel that is established after authentication is complete.
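To make the two weaknesses above concrete, here is an added example (not code from Coviant Software or from any FTP implementation) that walks a constructed capture of one FTP control-channel session the way a network monitor would: it records that the username and password were readable in cleartext, and it decodes the PORT command and the 227 passive-mode reply to list every extra data connection the session negotiated. The session text, hosts and credentials are made up for the example; the port arithmetic (p1*256 + p2) is the one RFC 959 defines.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample of one FTP control-channel session as a network monitor
# would reassemble it: "C:" lines are from the client, "S:" from the server.
# Hosts are documentation addresses; the credentials are made up.
SAMPLE_SESSION = """\
S: 220 ftp.example.test FTP server ready
C: USER alice
S: 331 Password required for alice
C: PASS hunter2
S: 230 User alice logged in
C: PASV
S: 227 Entering Passive Mode (192,0,2,10,195,89)
C: RETR report.csv
S: 150 Opening BINARY mode data connection
S: 226 Transfer complete
C: PORT 198,51,100,7,4,1
S: 200 PORT command successful
C: STOR upload.bin
S: 226 Transfer complete
C: QUIT
S: 221 Goodbye
"""

# Both the PORT command and the 227 reply carry an address as
# h1,h2,h3,h4,p1,p2 with the TCP port encoded as p1*256 + p2.
HOST_PORT_RE = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


@dataclass
class Findings:
    cleartext_user: Optional[str] = None
    password_exposed: bool = False                 # the value itself is deliberately not stored
    data_endpoints: List[Tuple[str, str, int]] = field(default_factory=list)  # (mode, host, port)


def _decode_host_port(text: str) -> Optional[Tuple[str, int]]:
    m = HOST_PORT_RE.search(text)
    if not m:
        return None
    host = ".".join(m.group(i) for i in range(1, 5))
    port = int(m.group(5)) * 256 + int(m.group(6))
    return host, port


def analyze_ftp_session(session: str) -> Findings:
    """Walk the command channel and record what a cleartext observer learns."""
    f = Findings()
    for raw in session.splitlines():
        side, _, line = raw.partition(": ")
        line = line.strip()
        if side == "C":
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                f.cleartext_user = arg
            elif verb == "PASS":
                f.password_exposed = True      # the password was readable on the wire here
            elif verb == "PORT":               # active mode: client names a port the server connects to
                hp = _decode_host_port(arg)
                if hp:
                    f.data_endpoints.append(("active", hp[0], hp[1]))
        elif side == "S" and line.startswith("227"):  # passive mode: server names a port
            hp = _decode_host_port(line)
            if hp:
                f.data_endpoints.append(("passive", hp[0], hp[1]))
    return f


def report(f: Findings) -> List[str]:
    """Human-readable findings, one per line."""
    lines = []
    if f.cleartext_user:
        lines.append(f"cleartext username observed: {f.cleartext_user}")
    if f.password_exposed:
        lines.append("cleartext password observed on the command channel")
    for mode, host, port in f.data_endpoints:
        lines.append(f"extra data connection ({mode} mode) to {host}:{port}")
    return lines


if __name__ == "__main__":
    for line in report(analyze_ftp_session(SAMPLE_SESSION)):
        print(line)
```

Each data endpoint the report lists is a TCP connection on a port chosen at run time, which is exactly why a firewall in front of an FTP server or client has to allow a whole range of ports rather than one.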
What is Secure FTP?
Secure FTP is a broad term that refers to two different technologies that can encrypt both authentication information and data files in transit.
- FTPS refers to secure FTP that uses SSL or TLS for encryption. FTPS is very similar to FTP and uses extensions to FTP that add support for the Transport Layer Security (TLS, RFC 4217) and Secure Sockets Layer (SSL, RFC 2228) protocols. Like FTP, FTPS uses two connections, a command channel and a data channel, and therefore suffers from the same firewall headaches as FTP. You can choose whether to encrypt both connections or only the data channel.
- SFTP refers to the use of the Secure Shell (SSH) network protocol to exchange data over a secure channel. SFTP is widely supported across every major operating system in use today, ranging from Windows, Linux, and macOS to mainframe, IoT, and cloud storage systems. SFTP uses only one connection and encrypts both authentication information and the data files being transferred, making it firewall friendly. SFTP is the best protocol for secure and automated file transfers.
Secure FTP protocols protect data only while it is being transmitted. Once data files have been written to an SFTP server, the data is no longer protected unless the files were encrypted prior to transmission. A typical approach is to encrypt files using a tool like PGP, and then transmit using either SFTP or FTPS so that the file contents remain encrypted when they arrive at their destination.
What is the Difference Between SFTP and MFT?
Managed File Transfer (MFT) and Secure File Transfer Protocol (SFTP) are often, and incorrectly, used either interchangeably or as though they were integral to each other and always found side by side. This is not true. MFT is a platform for securely, automatically, and reliably sending and receiving files to and from organizations, with auditing and alerting. SFTP is a protocol for securely transferring files between systems. MFT and SFTP complement each other, and the best MFT platforms, like Diplomat MFT, use SFTP as their default protocol for automatically securing files. Here’s why.
SFTP has been around for more than 20 years and is supported by virtually all computing platforms developed during that time. SFTP’s ubiquity means that it enjoys near universal compatibility with current, legacy, and future computing technologies, including on-premises hardware, cloud systems, and software-based systems.
The SFTP protocol implements rich file system semantics such as opening and closing files, writing at specific offsets within a file, listing directories with file metadata (size, created and modified dates, and permissions), setting or getting metadata on individual files, and so on, making it perfect for file transfers. Niche protocols defined by industries or geographies (PeSIT and OFTP come to mind) are of limited value because of their limited implementation options and failure to address operational challenges. Even popular cloud-based protocols like AS2 and AS3 are HTTPS-dependent, meaning they lack rich file transfer semantics. Perhaps that is why Microsoft announced SFTP support for its Azure Blob Storage service (well after Amazon AWS added the SFTP File Transfer Family for S3), and why companies like ecommerce giant Wayfair, JP Morgan, Citibank, Concur, Workday, and more standardized on SFTP for file transfers across their vast networks of customers, partners, and suppliers.
Here’s what SFTP offers and why, as a secure protocol for automated file transfers, it is the best of the best.
- The industry’s strongest cryptographic encryption;
- Strong cryptographic authentication of both client and server, including two-factor authentication (2FA);
- Firewall friendly — all the power of FTP with the ease of configuration of HTTPS because it only requires one port to be opened in the firewall;
- Built-in data compression using zlib or zip libraries, which helps to reduce the amount of data sent over the wire and speed up file transfers;
- Filesystem semantics – secure file transfers operate with the full capabilities of file systems, including metadata management, data appending, file/folder renaming, and rich directory listing operations; and,
- Message integrity — SFTP provides cryptographically strong integrity checking of each data packet that flows between the two systems, so that any tampering with data in transit is detected.
Information sent using SFTP is secure, and both parties involved in the transfer can be assured that the information has not been intentionally or inadvertently changed. No other protocol offers all of that across so many platforms.
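The per-packet integrity check in the list above is worth seeing in miniature. The following is an added example, not Coviant Software's code and not taken from any SSH implementation; it models the shape of the check SSH (and therefore SFTP) applies, as described in RFC 4253 section 6.4: a MAC computed over a 32-bit sequence number followed by the packet, with both peers counting packets independently so the sequence number never travels on the wire. The key and the two SFTP-style payloads are constructed for the example. It shows that a packet whose bytes were altered and a genuine packet replayed out of order are both rejected, while the next genuine packet still verifies.

```python
import hashlib
import hmac
import struct
from typing import Dict, Tuple

# Constructed key for the example. In SSH the integrity key is derived from
# the key exchange and is different for each direction.
MAC_KEY = b"constructed-integrity-key-not-for-real-use"


def packet_mac(key: bytes, seq: int, packet: bytes) -> bytes:
    """HMAC over the 32-bit sequence number followed by the packet (RFC 4253 section 6.4)."""
    return hmac.new(key, struct.pack(">I", seq) + packet, hashlib.sha256).digest()


class Sender:
    def __init__(self, key: bytes) -> None:
        self.key, self.seq = key, 0

    def send(self, packet: bytes) -> Tuple[bytes, bytes]:
        """Return (packet, mac). The sequence number is not transmitted;
        the peer keeps its own count of packets received."""
        tag = packet_mac(self.key, self.seq, packet)
        self.seq = (self.seq + 1) & 0xFFFFFFFF
        return packet, tag


class Receiver:
    def __init__(self, key: bytes) -> None:
        self.key, self.seq = key, 0

    def receive(self, packet: bytes, tag: bytes) -> bool:
        """True if the MAC matches this packet at the expected sequence number."""
        expected = packet_mac(self.key, self.seq, packet)
        if not hmac.compare_digest(expected, tag):
            return False              # a real SSH peer tears the connection down here
        self.seq = (self.seq + 1) & 0xFFFFFFFF
        return True


def run_demo() -> Dict[str, bool]:
    """Exercise the check with a genuine, a tampered and a replayed packet."""
    sender, receiver = Sender(MAC_KEY), Receiver(MAC_KEY)
    # Constructed stand-ins for two SFTP write packets.
    pkt0, tag0 = sender.send(b"SSH_FXP_WRITE handle=1 offset=0 data=hello")
    genuine = receiver.receive(pkt0, tag0)                     # seq 0, accepted
    pkt1, tag1 = sender.send(b"SSH_FXP_WRITE handle=1 offset=5 data=world")
    tampered = receiver.receive(pkt1[:-5] + b"WORLD", tag1)    # payload altered in transit
    replayed = receiver.receive(pkt0, tag0)                    # old packet: tag was bound to seq 0
    after = receiver.receive(pkt1, tag1)                       # untouched packet still verifies
    return {"genuine": genuine, "tampered": tampered, "replayed": replayed, "after": after}


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name:8s} -> {'accepted' if ok else 'rejected'}")
```

Binding the sequence number into the MAC is what turns a plain integrity check into protection against reordering and replay; without it, the replayed packet in the demo would verify.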
SFTP and PGP™
When it comes to data transfer, SFTP and PGP have different goals. SFTP’s job is to encrypt the transfer on the wire. PGP’s is to encrypt the files being transferred. This ensures that the file itself is saved to disk in an encrypted form at its destination, so that only the intended recipients can decrypt and see its contents.
Sessions encrypted via FTPS and SFTP are great at protecting data in transit. However, there are no guarantees about where that data resides at its destination (it might exist within an insecure network segment in your partner’s data center), and the file might be vulnerable to theft from the disk where it is saved. Using PGP solves this problem because the file itself will be encrypted at rest (on the disk) until such time as the partner intentionally decrypts it. PGP is the most widely deployed encryption for protecting data and plays a fundamental role in managed file transfer. Another commonly used option is to ZIP the file with a password, though this is a less standard and less universally supported option (Diplomat MFT supports this if you so choose).
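A practical consequence of the two paragraphs above (encrypt with PGP first, then transfer) is that the receiving side can verify that a file landing on its SFTP server really is PGP-encrypted before accepting it into storage. The following is an added example, not Diplomat MFT's code or any OpenPGP library's, of such a check: it reads only the first OpenPGP packet header (RFC 4880 section 4.2) and accepts the file if that first packet is a session-key packet (tag 1, public-key encrypted, or tag 3, symmetric-key encrypted), which is how every OpenPGP encrypted message begins; a signed-but-unencrypted message starts with a different tag and is refused. ASCII-armored messages are de-armored first. The sample files are constructed byte strings, with only the headers meaningful, and the armor checksum line is a placeholder.

```python
import base64
from typing import Optional, Tuple

# OpenPGP packet tags (RFC 4880 section 4.3) that can legitimately begin a message.
SESSION_KEY_TAGS = {1: "public-key encrypted session key", 3: "symmetric-key encrypted session key"}
OTHER_LEADING_TAGS = {4: "one-pass signature", 8: "compressed data", 11: "literal data"}
ARMOR_BEGIN = b"-----BEGIN PGP MESSAGE-----"

# Constructed samples: packet bodies are placeholders, only the headers matter here.
PKESK_NEW = bytes([0xC1, 0x0C, 0x03]) + b"\x00" * 8 + b"\x01" + b"\x00\x00"  # tag 1, new-format header
SKESK_OLD = bytes([0x8C, 0x04, 0x04, 0x09, 0x00, 0x08])                       # tag 3, old-format header
COMPRESSED_ONLY = bytes([0xC8, 0x05, 0x01]) + b"\x00" * 4                     # tag 8: compressed/signed, not encrypted
PLAINTEXT_CSV = b"id,amount\n1,100\n"                                         # never encrypted at all
ARMORED_PKESK = (ARMOR_BEGIN + b"\nVersion: constructed\n\n"
                 + base64.b64encode(PKESK_NEW) + b"\n=AAAA\n-----END PGP MESSAGE-----\n")  # =AAAA is a placeholder CRC


def first_packet_tag(data: bytes) -> Optional[int]:
    """Tag of the first packet header (RFC 4880 section 4.2), or None if this is not OpenPGP."""
    if not data or not (data[0] & 0x80):     # bit 7 is always set in a packet header
        return None
    if data[0] & 0x40:                        # new format: tag in the low six bits
        return data[0] & 0x3F
    return (data[0] >> 2) & 0x0F              # old format: tag in bits 5..2, length type in bits 1..0


def dearmor(data: bytes) -> Optional[bytes]:
    """Recover the binary packets from an ASCII-armored PGP MESSAGE block."""
    body = []
    in_block = False
    for line in data.decode("ascii", errors="replace").splitlines():
        line = line.strip()
        if not in_block:
            in_block = line == ARMOR_BEGIN.decode()
            continue
        if not line or ":" in line:           # armor headers (Version:, Comment:) and the blank separator
            continue
        if line.startswith("=") or line.startswith("-----END"):  # CRC24 line or armor tail
            break
        body.append(line)
    if not body:
        return None
    try:
        return base64.b64decode("".join(body), validate=True)
    except ValueError:                        # binascii.Error is a ValueError
        return None


def check_landed_file(data: bytes) -> Tuple[bool, str]:
    """Accept a file only if its first OpenPGP packet is an encrypted session key."""
    if data.startswith(b"-----BEGIN PGP"):
        if not data.startswith(ARMOR_BEGIN):
            return False, "armored OpenPGP block that is not a PGP MESSAGE (signature or key?)"
        binary = dearmor(data)
        if binary is None:
            return False, "armored block could not be decoded"
        data = binary
    tag = first_packet_tag(data)
    if tag is None:
        return False, "not an OpenPGP file (cleartext?)"
    if tag in SESSION_KEY_TAGS:
        return True, f"OpenPGP encrypted message ({SESSION_KEY_TAGS[tag]})"
    kind = OTHER_LEADING_TAGS.get(tag, "unexpected")
    return False, f"OpenPGP packet tag {tag} ({kind}) does not begin an encrypted message"


if __name__ == "__main__":
    for name, sample in [("pkesk", PKESK_NEW), ("skesk", SKESK_OLD), ("armored", ARMORED_PKESK),
                         ("compressed", COMPRESSED_ONLY), ("csv", PLAINTEXT_CSV)]:
        ok, why = check_landed_file(sample)
        print(f"{name:10s} {'ACCEPT' if ok else 'REJECT'}: {why}")
```

Such a check says nothing about whether the file was encrypted to the right key or whether the encryption is sound; it only catches the common operational failure of a partner uploading an unencrypted file to a directory that is supposed to hold ciphertext, which is exactly the gap between transport encryption and encryption at rest that the text describes.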
Coviant Software uses PGP™ as its encryption standard of choice for keeping data secure when using our Diplomat MFT platform. We use PGP because it is available on every operating system, easy to work with, and has proven a reliable form of encryption for more than thirty years.
For more information about PGP and why we trust it, visit our PGP information page.
For more information about Coviant Software’s Diplomat MFT SFTP server, visit our SFTP server page.