Secure Alternatives to FTP
Teams today constantly send files to other members of their team or to outside trading partners over FTP. These files may contain sensitive customer financial data, health information, or even personal identification data, such as Social Security Numbers.
As regulations such as HIPAA, GDPR, PCI and many others designed to ensure data privacy grow in number and importance, it becomes ever more critical for organizations to keep sensitive data private and secure. These regulations require you to encrypt data and safeguard it from prying eyes at all times — whether in transit or at rest on the server.
Unfortunately, FTP is simply not secure.
FTP communication is unencrypted. The protocol uses only a single factor of authentication (e.g. username and password) to access files. User login credentials are transmitted to the server in plain text and are visible to attackers who can observe the traffic in transit.
Luckily, you have a number of secure FTP alternatives for improving the security and privacy of your file transfers.
SFTP
The first FTP alternative is SFTP, or Secure File Transfer Protocol, which uses SSH encryption to transfer files and allows organizations to securely share information with outside partners. It is popular because it's platform-independent and firewall-friendly, requiring only one port number to initiate a session and transfer information.
As its name indicates, SFTP uses the Secure Shell (SSH) protocol to encrypt communication. It thereby prevents unauthorized access to sensitive data in transit, including passwords. SFTP authenticates the user via a User ID and password, SSH keys or a combination of the two in multi-factor authentication.
FTPS
FTP over SSL/TLS (FTPS) enables secure transfers of internal and external files using Transport Layer Security (TLS).
TLS offers two types of negotiation, implicit and explicit. Implicit TLS immediately creates a TLS connection before login or file transfer can begin. If the user fails to comply with the security requirement, the server prevents the connection.
With explicit TLS, the server sends server information to the recipient before the TLS negotiation begins. Explicit TLS is sometimes considered slightly less secure, as some portion of the communication occurs in plaintext, though passwords and data are both secured with either TLS negotiation type.
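An added example (not from the original article): a Python audit of FTP server command logs that flags sessions where credentials were sent before `AUTH TLS` succeeded, as plain FTP does. Going slightly beyond the text, it also flags explicit-TLS sessions that moved data without `PROT P`, which RFC 4217 requires for an encrypted data channel. The log format, session names and file names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample; assumed format: "<session> <C|S> <control-channel line>".
SAMPLE_LOG = """\
s1 C USER alice
s1 C PASS example-password
s1 C RETR payroll.csv
s2 C AUTH TLS
s2 S 234 Proceed with negotiation
s2 C USER bob
s2 C PASS example-password
s2 C RETR claims.csv
s3 C AUTH TLS
s3 S 234 Proceed with negotiation
s3 C USER carol
s3 C PASS example-password
s3 C PBSZ 0
s3 C PROT P
s3 S 200 Protection set to Private
s3 C STOR invoice.xml
"""

DATA_COMMANDS = {"RETR", "STOR", "STOU", "APPE", "LIST", "NLST", "MLSD"}

def audit(log_text):
    """Return {session: set of findings} for each session in the log."""
    state = defaultdict(lambda: {"tls": False, "private": False, "pending": None})
    findings = defaultdict(set)
    for raw in log_text.splitlines():
        parts = raw.split(None, 2)
        if len(parts) < 3:
            continue  # blank or malformed line
        sid, direction, line = parts
        st = state[sid]
        findings[sid]  # touch the key so clean sessions appear in the result
        if direction == "C":
            verb, _, arg = line.upper().partition(" ")
            st["pending"] = (verb, arg.strip())
            if verb in ("USER", "PASS") and not st["tls"]:
                findings[sid].add("cleartext-credentials")
            if verb in DATA_COMMANDS and not st["private"]:
                findings[sid].add("cleartext-data")
        elif direction == "S":
            if st["pending"] == ("AUTH", "TLS") and line.startswith("234"):
                st["tls"] = True  # control channel is encrypted from here on
            elif st["pending"] == ("PROT", "P") and line.startswith("200"):
                st["private"] = st["tls"]  # PROT P only counts after AUTH TLS
            st["pending"] = None
    return dict(findings)
```

Calling `audit(SAMPLE_LOG)` reports both findings for the plain FTP session `s1`, only `cleartext-data` for `s2`, and nothing for `s3`.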
SFTP vs. FTPS
Both SFTP and FTPS attempt to bring encryption and security to the classic FTP protocol. While they both aim to achieve the same goal, they go about it differently. Learn more about them and why SFTP is usually a better bet in our comparison article:
Comparing SFTP vs. FTPS for File Transfer
AS2
Applicability Statement 2 (AS2) is another secure file transfer protocol often used for business-to-business (B2B) messaging to transmit EDI documents from one organization to another. AS2 is a universal method for transporting data used by millions of businesses worldwide, including most major retailers, such as Amazon and Walmart. Like FTPS, AS2 offers the ability to secure communications using TLS. However, unlike FTPS and SFTP, AS2 also offers the ability to encrypt and sign the message contents prior to sending the file.
AS2 also offers a receipt mechanism which allows the recipient to inform the sender that the message was delivered. This receipt enables you to keep audit trails, required for certain regulations, that document when the message was delivered. The receipt is also signed, which provides validity to the sender that the recipient is the one who received the message. Find out more about AS2 in our comprehensive AS2 walkthrough.
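An added example, not part of the original article and not ArcESB code: the sender-side check that turns an AS2 receipt (MDN) into audit evidence by comparing the `Received-Content-MIC` digest the partner reports with the digest of what was sent. It assumes the AS2 stack has already verified the receipt's signature and that SHA-256 is the agreed MIC algorithm; the payload, message ID and MIME boundary are constructed.

```python
import base64
import hashlib
from email import message_from_string

# Constructed payload and MDN; IDs and boundary are illustrative.
PAYLOAD = b"constructed EDI payload for order 1001\r\n"
MDN_TEMPLATE = """\
MIME-Version: 1.0
Content-Type: multipart/report; report-type=disposition-notification; boundary="b1"

--b1
Content-Type: text/plain

The message was received and processed.
--b1
Content-Type: message/disposition-notification

Original-Message-ID: <order-1001@mycompany.example>
Disposition: automatic-action/MDN-sent-automatically; processed
Received-Content-MIC: {mic}, sha256

--b1--
"""

def content_mic(content):
    """Base64 SHA-256 digest of the content bytes exactly as sent."""
    return base64.b64encode(hashlib.sha256(content).digest()).decode()

def check_mdn(mdn_text, sent):
    """Match an MDN against sent ({message_id: mic}); return (ok, reason)."""
    fields = None
    for part in message_from_string(mdn_text).walk():
        if part.get_content_type() == "message/disposition-notification":
            body = part.get_payload()
            fields = body[0] if isinstance(body, list) else message_from_string(body)
    if fields is None:
        return False, "no disposition-notification part"
    msg_id = (fields["Original-Message-ID"] or "").strip()
    if msg_id not in sent:
        return False, "unknown Original-Message-ID"
    disposition = (fields["Disposition"] or "").lower()
    if "processed" not in disposition or "error" in disposition:
        return False, "partner did not process the message"
    mic, _, algo = (fields["Received-Content-MIC"] or "").partition(",")
    if algo.strip().lower() != "sha256":
        return False, "unexpected MIC algorithm"
    if mic.strip() != sent[msg_id]:
        return False, "MIC mismatch"
    return True, "receipt matches sent content"
```

Which bytes the MIC covers depends on whether the message was signed or encrypted (RFC 4130), so compute `content_mic` over the same MIME content your AS2 software hashes when sending.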
HTTPS
HTTP is a lightweight, straightforward way to send files. A major benefit is that most firewalls allow HTTP traffic. But because firewalls have fewer rules restricting HTTP traffic, it can be less secure. HTTP over TLS (HTTPS) is an extension to HTTP that secures HTTP traffic using TLS. As it does for FTPS and AS2, TLS provides HTTPS with an encryption layer for the communications between the client and server.
Additional File Transfer Options
While the secure file transfer protocols discussed previously are the most well-known, you have the option of using many other specialized protocols as well.
Other Applicability Statement EDI Protocols
- AS1 — largely considered outdated and superseded by AS2
- AS3 — the AS answer for direct secured FTP transfers, but not as popular as SFTP & FTPS
- AS4 — a modern, web-services-based update to AS2
Industry-Specific Protocols
- Gas Industry Standards Board (GISB)
- RosettaNet (RNIF) open e-business process standards
- Odette File Transfer Protocol (OFTP), predominantly used in the automotive industry for EDI
Adding Encryption to FTP
You can also securely transfer files directly over FTP if your FTP client provides built-in encryption. The most popular means of achieving this is through OpenPGP, which provides both encryption and digital signatures to otherwise unsecured FTP transfers and other plain text files, such as emails.
Conclusion
If you need secure file transport, ArcESB can help. ArcESB is a managed file transfer (MFT) solution that allows you to use any of these protocols or solutions to automate file transfers and ensure that files are secure both at rest and in transit. You can also use ArcESB to monitor secure file transmissions from an external or internal perspective and to create complete audit trails.
Try ArcESB free for 30 days or get our 100% free secure FTP automation client included in our free ArcESB Core file transfer kit.