Comparing SFTP & FTPS for Managed File Transfer
If you need to transfer files, you have many options: FTP, FTPS, HTTP, HTTPS, SFTP, SCP, WebDAV, OFTP.
These are just a few of your choices; how do you pick the right one, particularly when security, compliance and data governance are major concerns?
The most common way to transfer files is via File Transfer Protocol (FTP). First proposed in 1971 for use with the scientific and research network, ARPANET, FTP is easy to use and continues to be deployed by a wide range of tools for many use cases.
The Problem with FTP
The major problem with FTP is its lack of data encryption and security features.
When FTP first came to the forefront, enterprises didn't face the same security challenges you have to deal with today, so its creators didn't build in data security. Commands and files are transferred in plain-text, enabling users to easily capture sensitive information.
So unless you only transfer files that contain no sensitive data, exclusively within your network firewall — you'll need an extra layer of security and a different mechanism for transmitting files.
In this article, we cover two different protocols that add security to the core of FTP:
- FTP over SSL (FTPS)
- SSH File Transfer Protocol (SFTP), also known as Secure File Transfer Protocol
As you'll see, there are several key differences between these protocols and FTP.
What is FTPS and How Does it Differ from FTP?
Dr. Taher Elgamal, Chief Scientist at Netscape from 1995 to 1998, is considered the "Father of SSL" and invented the flawless cryptographic system within SSL 3.0 to protect network communications. SSL later evolved into the modern Transport Layer Security (TLS) standard.
SSL/TLS was applied to FTP to create FTPS, producing a secure protocol for sending and receiving files across and between enterprises.
FTPS Security
FTPS provides two key security elements: message encryption to secure messages in transit, and client/server authentication, which validates the identities of the sender and receiver involved in a transaction.
- Secure Encryption: A session key protects the data in transit; the message is encrypted with a session-specific key (TLS handshake). Once established, all messages exchanged between the client and server are encrypted.
- Authentication: The client may authenticate the sender's server identity by validating the trustworthiness of the server's certificate, running several checks, most notably whether the certificate was issued by a trusted Certificate Authority (CA). The server authenticates the client using a username and password over a secure channel.
The sending server's certificate can be signed by a known certificate authority (CA), or your partner can self-sign it and provide you with a copy of their public certificate.
There are many tools available to send and receive files via FTPS, making it a logical choice for many file transfer situations.
Drawbacks of FTPS
One of the most common issues with FTPS is establishing connections for data transfer. In FTPS, data is transferred over a separate channel from the main channel where commands are issued. This means a new connection is made each time you list a directory or upload/download a file.
The protocol allows the data connections to be made either from the server to the client, or from the client to the server. Thus, one of the two environments must be properly prepared for this, including defining a port range to use for the data connections. The port ranges must be publicly accessible, which makes network firewall configuration more challenging.
What is SFTP and How Does it Differ from FTP?
SFTP was first designed as a proprietary protocol in 1997 and was later taken over by the Internet Engineering Task Force (IETF). SFTP is very similar in concept to FTPS. You can use it to log onto a server, upload and download files, and create and traverse directories. But the protocols themselves are quite different.
SFTP Security
Like FTPS, SFTP allows you to authenticate connections via a username and password. However, SFTP also lets you take advantage of public key authentication and multi-factor authentication to further enhance security.
The encryption technology is different; unlike FTPS, which uses SSL/TLS for encryption, SFTP uses SSH.
SFTP vs. FTPS
Both FTPS and SFTP offer strong protection and authentication. But SFTP offers some clear advantages when compared with FTPS.
1. FTPS Requires Multiple Connections/Ports
FTPS uses multiple port numbers. The first port for the command channel is used for authentication and passing commands. But anytime a file transfer request or directory listing request is made, another port number must be opened for the data channel. You and your trading partners will have to open multiple ports in your firewalls for FTPS connections, which can present a security risk.
In contrast, SFTP uses only one connection. This means only one port must be open on your server, and the server only needs to be publicly accessible on the chosen port, making it easier to secure.
2. SFTP Uses Consistent Security
SFTP requires that all client and server communication are secured. FTPS can switch between insecure FTP connections and FTPS secure connections. As a result, SFTP makes it easier for IT administrators to enforce security best practices within an organization by standardizing all file transfers.
3. SFTP is More Broadly Standardized
SFTP has wider cross-platform support than FTPS does. SSH and SFTP have a history of ubiquitous support across Unix/Linux platforms, making SFTP a better choice for most data movement projects.
Leveraging FTPS, SFTP and Other Protocols with MFT
The reality is that no one, single protocol covers every file transfer use case for modern enterprises. As a result, many organizations find themselves stuck with a hodgepodge of different protocols and file transfer software.
To unify their file movement, save money, and guarantee security and compliance, many organizations are increasingly turning to managed file transfer (MFT) solutions that allow them to manage, monitor, and automate file transfers using a variety of protocols — including FTPS and SFTP.
With MFT, you don't have to choose between FTPS and SFTP. Modern MFT solutions provide versatile technology designed to handle all of your secure data transfers between computers using a variety of security protocols. No need to juggle a mess of solutions.
Our flagship product, ArcESB, is a unified MFT solution that can help you manage all of your secure data transfer protocols for a variety of use cases. ArcESB can run on Windows, Apple and Linux, right inside AWS, and even deploy in containers. It provides detailed audit logs, supports EDI protocols for partner exchanges, and can automate file encryption, workflows, and other data transfer processes. See the MFT and EDI protocols we support.