FTP has been around for as long as I can remember, and according to Rapid7 it is still in widespread use, with over 21 million FTP servers present on the internet today.
Sadly, this cornerstone of file transfer is woefully unprepared for today's world of data breaches and targeted hacking campaigns, as it provides no protection for files in transmission or when stored on disk. Files are transferred in the clear, making them easy targets for interception and theft.
If this wasn't enough to be concerned about, regulatory compliance laws have strengthened and continue to strengthen, meaning old FTP servers which might be critical for business operations are becoming too high of a risk to continue operating.
The good news, however, is that there are alternatives, and in this blog post we will cover five of these.
SFTP (SSH File Transfer Protocol)
This extension to SSH, the popular remote command execution protocol, allows files to be transferred over a secure connection.
The major benefit of SFTP is that it creates an encrypted data stream between the client and server, meaning data sent between them is encrypted.
In addition to this, SFTP supports two-factor authentication by way of a key exchange between client and server, which lets them identify themselves as the correct parties. The key is used in addition to a username, and either in combination with or as a replacement for a static password.
SFTP has become the de facto replacement for FTP and is often incorrectly described as secure-FTP.
FTPS (File Transfer Protocol over SSL/TLS)
Despite SFTP being seen as the secure upgrade to FTP, it is in fact FTPS that should hold this crown.
Much like SFTP, FTPS creates a secure connection between client and server for the transmission of files. The difference is that FTPS uses SSL/TLS, rather than SSH, to achieve this connection.
FTPS runs in two modes: explicit and implicit.
Explicit FTPS is the standard today, having largely overtaken implicit. Using the FTP port 21, explicit FTPS is customisable and can be configured to use SSL when authenticating, when performing data transfer, in both cases or in neither case.
Implicit FTPS, which is the stricter of the two, uses port 990 and creates an SSL/TLS tunnel as soon as the client connects to the server. Using implicit FTPS means you can operate FTP and FTPS on different ports and thus have both options available.
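Because explicit FTPS can protect authentication, data transfer, both or neither, it is worth checking what a given session actually did. The following is an added example, not code from the original post: it assumes a log of client commands paired with server reply codes, models the AUTH TLS, PROT and CCC commands of RFC 4217, and runs on constructed sessions with hypothetical user and file names.

```python
# Added example, not from the original post. Audits one explicit-FTPS session
# (port 21) from a constructed log of (client command, server reply code).
# Modelled per RFC 4217: AUTH TLS -> 234 secures the control channel,
# PROT P -> 200 secures data connections, PROT C (the default) leaves them
# clear, CCC -> 200 returns the control channel to cleartext.

DATA_COMMANDS = {"RETR", "STOR", "STOU", "APPE", "LIST", "NLST", "MLSD"}


def audit_session(exchanges):
    """Return findings for commands that ran without TLS protection."""
    control_tls = False   # explicit mode starts in cleartext
    data_tls = False      # data channel is clear until PROT P succeeds
    findings = []
    for command, reply in exchanges:
        parts = command.strip().split(None, 1)
        if not parts:
            continue
        verb = parts[0].upper()
        arg = parts[1].strip().upper() if len(parts) > 1 else ""
        if verb in ("USER", "PASS") and not control_tls:
            findings.append(f"{verb} sent on cleartext control channel")
        elif verb in DATA_COMMANDS and not data_tls and 200 <= reply < 300:
            findings.append(f"{verb} used a cleartext data connection")
        elif verb == "AUTH" and arg == "TLS" and reply == 234:
            control_tls = True          # server accepted the TLS upgrade
        elif verb == "PROT" and reply == 200:
            data_tls = (arg == "P")     # P = private, C = clear
        elif verb == "CCC" and reply == 200:
            control_tls = False         # control channel back to cleartext
    return findings


# Constructed sample sessions (hypothetical user and file names).
BOTH = [("AUTH TLS", 234), ("USER alice", 331), ("PASS ****", 230),
        ("PBSZ 0", 200), ("PROT P", 200), ("STOR report.csv", 226)]
AUTH_ONLY = [("AUTH TLS", 234), ("USER alice", 331), ("PASS ****", 230),
             ("RETR report.csv", 226)]
# Server refuses AUTH TLS and the client carries on in cleartext.
REJECTED = [("AUTH TLS", 502), ("USER alice", 331), ("PASS ****", 230),
            ("PBSZ 0", 503), ("PROT P", 503), ("RETR report.csv", 226)]

if __name__ == "__main__":
    for name, session in (("both", BOTH), ("auth only", AUTH_ONLY),
                          ("AUTH rejected", REJECTED)):
        print(name, audit_session(session) or "no cleartext exposure")
```

The REJECTED session is the case to watch for: the client asked for TLS, the server refused, and the login and transfer went ahead unprotected anyway.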
AS2 (Applicability Statement 2)
AS2 is a popular protocol where EDI is in use; it is used to transmit sensitive data securely and reliably over the internet.
An upgrade to the previous AS1 protocol, AS2 supports the encryption of messages that are then exchanged with a third party using HTTPS.
AS2 utilises a secure TLS layer so that files can be transferred from source to destination over the internet with encryption, as well as digital certificates used for authentication.
HTTPS (Hypertext Transfer Protocol Secure)
Probably best known as the secure protocol used to serve web pages to a web browser, HTTPS can also be used for the transfer of files.
It encrypts a website's inbound traffic using an SSL/TLS session, thus encrypting the traffic between source and destination and keeping any files nice and secure. This is also the reason why all website payment pages (hopefully!) use HTTPS, as it prevents the interception of card payment details.
HTTPS has become an incredibly popular protocol used for all manner of secure communication in recent years due to its simple implementation and widespread knowledge of its configuration among IT teams.
MFT (Managed File Transfer)
The real evolution of file transfer is found in the MFT market, where solutions can include all the transfer protocols listed above, which can be turned on/off or assigned to particular users and connections based on need.
Usually MFT solutions include features such as detailed auditability, on-disk encryption and interoperability with authentication sources such as LDAP or Microsoft Azure.
One such example of an MFT solution is the world-famous and award-winning Ipswitch MOVEit Transfer, which is used by more than ten thousand companies worldwide. The benefits to using MFT solutions are numerous but include:
Flexible deployment on-site or in the cloud.
Strong authentication including MFA (Multi-Factor Authentication) to protect from unauthorised access.
Tamper-evident auditability so that you can track every upload, download and access attempt.
FIPS validated cryptography for file encryption to protect files from theft.
Deduplication and integrity checking to ensure that file storage is efficient and correct.