When it comes to FTP versus SFTP, which software is the best solution for your organization? The answer can be reached by breaking down the most important file sharing requirements for your financial institution.
Organizations that operate in the financial services sector must be extra vigilant about security and compliance with regard to transferring sensitive information. There are government regulations in place to ensure that client data is kept private and safe, such as the Gramm-Leach-Bliley Act (GLBA).
These laws are aimed at safeguarding your customers and your business. Without strict adherence to them, your financial organization is exposed to serious risks, such as costly data breaches. To avoid this kind of disaster, it is essential to use file sharing software that meets the industry’s compliance regulations and protects your data assets.
If you’re trying to solve the FTP-versus-SFTP dilemma for your financial institution, consider the following factors. Then dive into this detailed comparison guide for more critical information on making the best software decision for your organization.
Your Top Priority: Data Security
Your financial institution deals with fragile information every day, which makes data security the highest criterion for assessing file sharing software options.
Since FTP has been around for almost half a century, it predates many of the cybersecurity measures that have become commonplace in recent years. Standard FTP file transfers are therefore not encrypted: both your credentials and your files are sent in plain text, leaving this option exposed to interception and credential theft. More recent updates to FTP include Explicit FTPS, which adds SSL/TLS encryption. FTPS is certainly just as secure as SFTP, but it uses the same connection port as unencrypted FTP. If you want to use FTPS, you must therefore be sure that your FTP server application can disable plain FTP and force all users onto FTPS. You certainly don’t want to leave this choice to your users, as most client software defaults to the unencrypted version. You also need to be certain that your FTP server does not allow FTPS connections to use unencrypted data channels either.
With SFTP there is no unencrypted alternative, which is why many financial institutions rely on the more secure solution for their file transfer needs. SFTP (also known as “secure FTP” or “FTP over SSH”) uses ciphers such as AES and Triple DES to encrypt data transfers. Any user IDs and passwords used to access the server are encrypted as well.
In addition, SFTP connections can be authenticated via SSH keys, which offer another layer of security and ensure that information doesn’t fall into the wrong hands.
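The two server-side guarantees the section above asks for (plain FTP disabled, and no FTPS session allowed onto an unencrypted data channel) are settings an administrator can audit rather than take on trust. The following is an added example, not code from the original article: it audits a vsftpd-style `key=value` configuration using real vsftpd option names (`ssl_enable`, `force_local_logins_ssl`, `force_local_data_ssl` and the anonymous equivalents). The defaults table and the sample configurations are constructed here and should be checked against the man page of the vsftpd version you actually run.

```python
"""Audit a vsftpd configuration for the FTPS enforcement points discussed above.

Added example, not code from the original article. It assumes a vsftpd-style
key=value configuration file; the option names are real vsftpd options, while
the DEFAULTS table and the sample configurations are constructed here.
"""

# Assumed vsftpd defaults, applied when a key is absent from the file
# (verify against the man page of your version; anonymous_enable changed in 3.0).
DEFAULTS = {
    "ssl_enable": "NO",
    "force_local_logins_ssl": "YES",
    "force_local_data_ssl": "YES",
    "anonymous_enable": "NO",
    "allow_anon_ssl": "NO",
    "force_anon_logins_ssl": "NO",
    "force_anon_data_ssl": "NO",
}


def parse_vsftpd_config(text):
    """Return a dict of option -> value, starting from DEFAULTS.

    Comment and blank lines are skipped; values are upper-cased so that
    YES/yes/Yes compare equal.
    """
    cfg = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip().upper()
    return cfg


def audit_ftps_enforcement(text):
    """Return a list of findings; an empty list means every login and every
    data channel is forced through TLS for the users the config lets in."""
    cfg = parse_vsftpd_config(text)
    if cfg["ssl_enable"] != "YES":
        # Nothing else matters: without ssl_enable the server only speaks plain FTP.
        return ["ssl_enable is not YES: TLS is off and every session is plain FTP"]
    findings = []
    if cfg["force_local_logins_ssl"] != "YES":
        findings.append("force_local_logins_ssl is not YES: local users may send "
                        "credentials over a plaintext control channel")
    if cfg["force_local_data_ssl"] != "YES":
        findings.append("force_local_data_ssl is not YES: local users may transfer "
                        "files over a plaintext data channel")
    if cfg["anonymous_enable"] == "YES":
        # Anonymous sessions have their own switches; hold them to the same bar.
        for opt in ("allow_anon_ssl", "force_anon_logins_ssl", "force_anon_data_ssl"):
            if cfg[opt] != "YES":
                findings.append(f"{opt} is not YES: anonymous sessions are not held to TLS")
    return findings


# Constructed sample: TLS is available, but nothing stops a client from declining it.
WEAK_CONFIG = """
listen=YES
anonymous_enable=NO
local_enable=YES
ssl_enable=YES
force_local_logins_ssl=NO
force_local_data_ssl=NO
"""

# Constructed sample: TLS never enabled, so only plain FTP is offered.
PLAIN_FTP_CONFIG = """
listen=YES
local_enable=YES
ssl_enable=NO
"""

# Constructed sample: plain FTP disabled, logins and data channels forced onto TLS.
HARDENED_CONFIG = """
listen=YES
anonymous_enable=NO
local_enable=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("plain", PLAIN_FTP_CONFIG),
                      ("hardened", HARDENED_CONFIG)):
        print(name, audit_ftps_enforcement(cfg) or ["no plaintext path found"])
```

Run the audit against the live file (for example `audit_ftps_enforcement(open("/etc/vsftpd.conf").read())`) as a change-control check before a server is exposed; a non-empty list is a configuration in which at least one credential or file path still travels unencrypted.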
How Ports Fit Into the Debate
SFTP runs on top of the Secure Shell (SSH) protocol and defaults to port 22 for all exchanges (although it can be configured to run on another port to mitigate attacks). While SFTP uses a single encrypted channel to communicate, FTP and FTPS use many separate ports. Under strict firewall policies, this distinction can make SFTP the easier software to deploy.
Breaking Down the Respective Processes
Take a look at this article’s explanation of how each file sharing process is executed:
FTP:
- The FTP client opens a TCP connection to the control port (21) of the server.
(FTPS adds another step here that requires the connection on port 21 to be encrypted.)
- The FTP client forwards a username and password to the FTP server for authentication.
- The server indicates whether authentication was successful.
- The FTP client sends commands indicating the file name, data type, file type, transmission mode and direction of data flow to the server. The server indicates whether the transfer options are acceptable.
- The server establishes another TCP connection for each data flow. Passive connections use a large range of ports that the client software and the server software constantly and dynamically choose.
(Because the control channel is encrypted when FTPS is used, firewalls cannot see which data ports are needed, so the entire range of ports must be opened in advance at the client-side firewall. This usually involves thousands of ports.)
- Data packets are now transferred using the standard TCP flow control, error checking and retransmission procedures.
- When the file has been fully transferred, the server closes the data connection but retains the control connection.
- The control connection can now be used to initiate another data transfer or can be closed.
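The step in which the server opens "another TCP connection for each data flow" is driven by the passive-mode replies on the control channel. The following is an added example, not code from the original article or any FTP product: it decodes those replies using the formats defined in RFC 959 (`227`, PASV) and RFC 2428 (`229`, EPSV) and walks a constructed control-channel transcript to list every dynamic data endpoint the session negotiated. The host addresses and ports in the transcript are made up for illustration.

```python
"""Extract the dynamic data endpoints an FTP session negotiates from its control replies.

Added example, not code from the original article. Reply formats follow
RFC 959 (227 PASV) and RFC 2428 (229 EPSV); the transcript below is constructed.
"""
import re

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")


def parse_pasv_reply(reply, control_host):
    """Decode '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'.

    The data port is p1*256 + p2. If the advertised address differs from the
    peer of the control connection, the client keeps talking to the control
    peer (as hardened clients do) instead of connecting wherever the reply says.
    """
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError("not a PASV reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("PASV field out of range: %r" % reply)
    advertised = ".".join(str(o) for o in fields[:4])
    port = fields[4] * 256 + fields[5]
    if advertised != control_host:
        # Do not follow an address the control peer did not come from.
        advertised = control_host
    return advertised, port


def parse_epsv_reply(reply, control_host):
    """Decode '229 Entering Extended Passive Mode (|||port|)'.

    EPSV never carries an address, so the data connection always goes to the
    control peer; only the port is dynamic.
    """
    m = EPSV_RE.match(reply)
    if not m:
        raise ValueError("not an EPSV reply: %r" % reply)
    port = int(m.group(1))
    if not 1 <= port <= 65535:
        raise ValueError("EPSV port out of range: %r" % reply)
    return control_host, port


def dynamic_data_ports(replies, control_host):
    """Walk a control-channel transcript and collect every (host, port) the
    server told the client to open a data connection to, in order."""
    endpoints = []
    for line in replies:
        if line.startswith("227 "):
            endpoints.append(parse_pasv_reply(line, control_host))
        elif line.startswith("229 "):
            endpoints.append(parse_epsv_reply(line, control_host))
    return endpoints


# Constructed transcript of server replies for one session; control peer is
# 192.168.10.20. The third passive reply advertises a different address on purpose.
CONTROL_HOST = "192.168.10.20"
SESSION = [
    "220 (constructed sample FTP server)",
    "230 Login successful.",
    "227 Entering Passive Mode (192,168,10,20,195,80).",
    "150 Here comes the directory listing.",
    "226 Directory send OK.",
    "229 Entering Extended Passive Mode (|||50010|).",
    "150 Opening BINARY mode data connection for report.csv",
    "226 Transfer complete.",
    "227 Entering Passive Mode (10,0,0,99,200,1).",
    "150 Opening BINARY mode data connection for ledger.csv",
    "226 Transfer complete.",
    "221 Goodbye.",
]

if __name__ == "__main__":
    for host, port in dynamic_data_ports(SESSION, CONTROL_HOST):
        print(f"data connection to {host}:{port}")
```

A stateful firewall can only pre-open these ports if it can read the `227`/`229` replies; with FTPS the control channel is inside TLS, so that parse is impossible and the whole configured passive range has to be opened ahead of time, which is the point the note above makes. With SFTP there is nothing to parse, because every transfer rides the single SSH connection on port 22.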
SFTP:
The functionality of SFTP is similar to that of FTP. However, SFTP clients use SSH encryption to authenticate the user, to control the connection and to transfer all files, all over the same port (port 22). It allows a wide range of operations to be performed on remote files, acting somewhat like a remote file system protocol: resuming halted transfers, directory listings and remote file removal, among others. A file transfer can be cancelled without terminating the session, and all data is encrypted before it is sent across the network.
SFTP also offers some capabilities beyond the earlier Secure Copy Protocol (SCP). It is designed to be more platform-independent and is available on most platforms. Although both SCP and SFTP use the same SSH encryption during file transfer, SFTP is somewhat slower than SCP because of the request-and-response nature of the SFTP protocol.
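Because SFTP rides the SSH service, the server-side control that matters is the SSH daemon's own configuration: the transfer accounts should get the SFTP subsystem and nothing else (no shell, no port forwarding, no view beyond their own directory), and, following the earlier point about SSH keys, password login should be off. The following is an added example, not code from the original article or from OpenSSH: it audits an OpenSSH `sshd_config` for an SFTP-only group using real directive names (`Subsystem`, `Match Group`, `ForceCommand internal-sftp`, `ChrootDirectory`, `AllowTcpForwarding`, `X11Forwarding`, `PasswordAuthentication`). The group name `sftponly`, the chroot path and the sample configurations are constructed for illustration.

```python
"""Audit an OpenSSH sshd_config for an SFTP-only account group.

Added example, not code from the original article. Directive names are real
OpenSSH directives; the group name, paths and sample configs are constructed.
"""
import re

# Settings every SFTP-only Match block must carry (first token of the value).
SFTP_ONLY_REQUIRED = {
    "forcecommand": ("internal-sftp", "accounts can run a shell or arbitrary commands, not only SFTP"),
    "allowtcpforwarding": ("no", "accounts can tunnel TCP traffic through the server"),
    "x11forwarding": ("no", "X11 forwarding is available to accounts that only need file transfer"),
}


def parse_sshd_config(text):
    """Return (global_settings, [(match_criteria, settings), ...]).

    Keys are lower-cased because sshd treats them case-insensitively. Both
    'Key value' and 'Key=value' forms are accepted; '#' starts a comment.
    Subsystem lines are collected in a list since several may appear.
    """
    global_cfg, matches = {}, []
    current = global_cfg
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {}
            matches.append((value, current))
        elif key == "subsystem":
            current.setdefault("subsystem", []).append(value)
        else:
            current[key] = value
    return global_cfg, matches


def audit_sftp_only(text, group):
    """Return findings for the SFTP-only group; an empty list means the group is
    confined to SFTP, chrooted, unable to forward, and key-authenticated."""
    global_cfg, matches = parse_sshd_config(text)
    findings = []
    if not any(s.split()[:1] == ["sftp"] for s in global_cfg.get("subsystem", [])):
        findings.append("no 'Subsystem sftp' line: the SFTP subsystem is not enabled")
    wanted = f"group {group}".lower()
    block = next((s for crit, s in matches if crit.lower() == wanted), None)
    if block is None:
        findings.append(f"no 'Match Group {group}' block: these accounts are unrestricted")
        return findings

    def effective(key):
        # A Match block overrides the global value; otherwise the global value applies.
        return block.get(key, global_cfg.get(key, "")).lower()

    for key, (want, why) in SFTP_ONLY_REQUIRED.items():
        if effective(key).split()[:1] != [want]:
            findings.append(f"{key} is not '{want}' for group {group}: {why}")
    if "chrootdirectory" not in block:
        findings.append(f"no ChrootDirectory for group {group}: accounts can browse the whole filesystem")
    if effective("passwordauthentication") != "no":
        findings.append("PasswordAuthentication is not 'no': key-based login is not enforced")
    return findings


# Constructed sample: SFTP is on, but transfer accounts are ordinary shell users.
WEAK_SSHD = """
Port 22
Subsystem sftp /usr/lib/openssh/sftp-server
PasswordAuthentication yes
"""

# Constructed sample: confined, but forwarding and password login were forgotten.
PARTIAL_SSHD = """
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
"""

# Constructed sample: SFTP-only group with keys required and nothing but SFTP allowed.
HARDENED_SSHD = """
Port 22
PasswordAuthentication no
PubkeyAuthentication yes
Subsystem sftp internal-sftp
Match Group sftponly   # group name assumed for this example
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD), ("partial", PARTIAL_SSHD), ("hardened", HARDENED_SSHD)):
        print(name, audit_sftp_only(cfg, "sftponly") or ["confined to SFTP"])
```

The check reads the file the way sshd does (later Match blocks override earlier global values), so it can be run against `/etc/ssh/sshd_config` on the transfer host; note that `ChrootDirectory` also requires the target directory to be root-owned and not group- or world-writable, which this file-level check cannot verify.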
The Final Word on FTP Versus SFTP
It’s true that FTP enables organizations to achieve greater productivity and collaboration, which is what makes this file sharing protocol so popular. When your business is conducted in such a data-sensitive field as financial services, however, it’s important to make security your most pressing concern. That is why, given the need for heightened security and control, many financial institutions would be better served with SFTP software.
With that in mind, consult A Comparison Guide of the Top 7 File Sharing Softwares to narrow your search and ensure that you’re choosing the best solution for your financial organization.