Explanation by Coviant Software: Useful Tips & Technology Guides
What is Secure FTP (File Transfer Protocol)?
FTP is a file transfer protocol that does not include any options for encrypting data in transit. It was originally designed for use in private scientific and research networks and is based on a specification defined in 1985 by the Internet Engineering Task Force in RFC 959. FTP uses two connections to send data. Authentication data (e.g., usernames and passwords) is exchanged on a command channel. Data files are sent on a separate channel that is established after the authentication is complete.
Secure FTP is a broad term that refers to two different technologies that can encrypt both authentication information and data files in transit.
- FTPS refers to secure FTP that uses SSL or TLS for encryption. FTPS is very similar to FTP and uses extensions to FTP that add support for the Transport Layer Security (TLS, RFC 4217) and Secure Sockets Layer (SSL, RFC 2228) protocols. Like FTP, FTPS uses two connections – a command channel and a data channel. You can choose whether to encrypt both connections or only the data channel.
- SFTP refers to the use of Secure Shell or SSH network protocol to exchange data over a secure channel. Unlike FTP and FTPS, the SFTP protocol is only a draft specification, which can cause small incompatibilities between SFTP client and server implementations. SFTP uses only one connection and encrypts both authentication information and data files being transferred.
Secure FTP protocols protect data only while it is being transmitted. Once data files have been written to a secure FTP server, the data is no longer protected unless the files were encrypted before transmission. A typical scenario is to encrypt files using a tool like PGP and then transmit using either SFTP or FTPS.
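To check which of the two FTP channels described above were actually protected in a given session, the sketch below audits a command-channel transcript for credentials sent before TLS was accepted and for transfers on an unencrypted data channel. It is an added example, not Coviant's code: the function name, the `C: `/`S: ` transcript format, and the sample sessions are assumptions constructed here, while `AUTH`, `PBSZ`, `PROT`, and `CCC` are the commands defined in RFC 2228 and RFC 4217.

```python
# Added example: audit an FTP command-channel transcript for cleartext exposure.
# Transcript format ("C: "/"S: " prefixes) and sample sessions are constructed.
DATA_CMDS = {"RETR", "STOR", "APPE", "STOU", "LIST", "NLST", "MLSD"}

def audit_ftp_session(transcript):
    """Return a list of findings for one FTP/FTPS session."""
    control_tls = False   # True once the server accepts AUTH TLS/SSL (reply 234)
    data_private = False  # True once the server accepts PROT P (RFC 4217)
    pending = None        # last client command still awaiting its reply
    findings = []
    for line in transcript:
        side, _, text = line.partition(": ")
        if side == "C":
            verb, _, arg = text.strip().partition(" ")
            pending = (verb.upper(), arg.strip().upper())
            if pending[0] in ("USER", "PASS") and not control_tls:
                # Report the verb only; never echo the credential itself.
                findings.append(f"{pending[0]} sent in cleartext on the command channel")
            elif pending[0] in DATA_CMDS and not data_private:
                findings.append(f"{pending[0]} used an unencrypted data channel")
        elif side == "S" and pending:
            verb, arg = pending
            ok = text.startswith("2")
            if verb == "AUTH" and text.startswith("234"):
                control_tls = True
            elif verb == "PROT" and ok:
                data_private = (arg == "P")
            elif verb == "CCC" and ok:
                control_tls = False  # command channel drops back to cleartext
            pending = None
    return findings

PLAIN_FTP = ["S: 220 ready", "C: USER alice", "S: 331 password required",
             "C: PASS example-only", "S: 230 logged in",
             "C: RETR report.csv", "S: 150 opening data connection"]
FTPS_BOTH = ["S: 220 ready", "C: AUTH TLS", "S: 234 proceed with negotiation",
             "C: USER alice", "S: 331 password required",
             "C: PASS example-only", "S: 230 logged in", "C: PBSZ 0", "S: 200 ok",
             "C: PROT P", "S: 200 ok", "C: STOR payroll.pgp", "S: 150 opening"]
# Server refuses TLS and the client silently falls back to plain FTP.
AUTH_REJECTED = ["S: 220 ready", "C: AUTH TLS", "S: 502 not implemented"] + PLAIN_FTP[1:]

if __name__ == "__main__":
    for name, session in [("plain", PLAIN_FTP), ("ftps", FTPS_BOTH),
                          ("fallback", AUTH_REJECTED)]:
        print(name, audit_ftp_session(session))
```

The fallback session is the case worth alerting on: the client asked for TLS, the server refused, and the login went ahead in cleartext anyway.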
What is the Difference Between SFTP and MFT?
Managed File Transfer (MFT) and Secure File Transfer Protocol (SFTP) are often, and incorrectly, used either interchangeably or as though they were integral to each other and always found side by side. This is not true. MFT is a platform for securely, automatically, and reliably sending and receiving files to and from organizations. SFTP is a protocol for securing files that are to be transferred. MFT and SFTP complement each other, and the best MFT platforms, like Diplomat MFT, use SFTP as their default protocol for automatically securing files. Here’s why.
SFTP has been around for more than 20 years and is supported by virtually all computing platforms developed during that time. SFTP’s ubiquity means that it enjoys near universal compatibility with current, legacy, and future computing technologies, including on-premises hardware, cloud systems, and software-based systems.
Niche protocols, defined by industries or geographies (PeSIT and OFTP come to mind) are of limited value. Even popular cloud-based protocols like AS2 and AS3 are HTTPS-dependent. That is why Microsoft announced SFTP support for its Azure Blob Storage service, and why ecommerce giant Wayfair standardized on SFTP for file transfers between its vast network of partners and suppliers.
Here’s what SFTP offers and why, as a secure protocol for file transfers, it is the best of the best.
- Strong cryptographic encryption;
- Strong cryptographic authentication of both client and server, including 2FA;
- Firewall friendly — all the power of FTP with the ease of configuration of HTTPS because it only requires one port to be opened in the firewall;
- Built-in data compression using zlib or zip libraries, which helps to reduce the amount of data sent over the wire; and,
- Message integrity — SFTP is the only mainstream protocol that provides cryptographically strong integrity checking of each packet that flows between the two systems. This ensures no data tampering takes place.
Information sent using SFTP is secure and both parties involved in the transfer can be assured that the information has not been intentionally or inadvertently changed. No other protocol offers all of that across so many platforms.
SFTP and PGP™
When it comes to data transfer, SFTP and PGP have different goals. SFTP is to encrypt the transfer. PGP is to encrypt the payload. The payload is the part of transmitted data that is the actual intended message.
Sessions encrypted via FTPS and SFTP are great at protecting data when in transit; however, when that data lands on an FTP server, it may not be inside a firewall and it could be exposed. PGP is the most widely deployed encryption to protect data and plays a fundamental role in managed file transfer.
Coviant Software uses PGP™ as its encryption standard of choice for keeping data secure when using our Diplomat MFT platform. We use PGP because it is widely used, easy to work with, and has proven a reliable form of encryption for more than thirty years.
For more information about PGP and why we trust it, visit our PGP information page.