Is SFTP just another data transfer protocol, and is it the same as FTPS? These answers may surprise you, so keep reading to find out.

What does SFTP stand for? SFTP stands for Secure File Transfer Protocol or SSH File Transfer Protocol. SFTP is a protocol that encrypts information as it is being transferred to protect the data from attacks.

What Is SFTP?

Secure File Transfer Protocol is a form of file transfer that provides security for data during transmission using Secure Shell protection.

One of the fundamental forms of file transfer, which is still used today, is File Transfer Protocol. FTP uses a two-channel approach to establishing connections between computers:

  1. The command channel initiates and sends FTP commands between each computer to help facilitate the transfer.
  2. The data channel is where the actual movement of data happens.

Managed File Transfer | Overview & Solutions

FTP is rather simple: A single computer (the client) attempts to connect to an FTP server to download or upload files. The server handles the incoming connection and accepts login credentials if configured to require authentication. Once the connection is established, the server and the client can exchange files.

The limitation of FTP is that it includes no inherent security. While a data server may have some form of encryption, FTP does not include encryption for data in transit. Because of this fact, a man-in-the-middle attack or other forms of data theft could steal data transmitted via FTP and immediately read it. This kind of approach is not useful for any application that needs any form of security.

Enter Secure FTP. This protocol models its functionality off of FTP but makes connections via SSH. That means that the file transmission is protected through encryption.

SFTP has several advantages over FTP:

  • Encryption: SSH uses encryption to protect data during transit. If that data is stolen or listened to during a transfer, the hacker would still need to break the encryption to read it. Because of this, secure FTP is suitable for applications that call for data security.
  • Simplified Use: FTP uses multiple channels to execute transfers, which means multiple connections to various ports on the server. Users only connect to a single port (the SFTP port, typically defaulting to port 22) on an SFTP server.
  • Tunneling: SSH supports a process of tunneling, where data is transferred through an encrypted “tunnel.” Unlike direct transfers (of which FTP is an example), when SFTP uses SSH, it can protect all data transmitted, including authentication credentials. SSH tunneling also allows users to use multiple applications within an encrypted tunnel.

Because of these advantages, SFTP is a common form of secure file transfer for many enterprise documents and data management solutions.

What Is FTPS?

File transfer providers often offer secure FTP and FTP over SSL (FTPS) features. It’s important to understand that while it only seems like a small change in a name, the differences between SFTP and FTPS are significant.

SFTP is based on the FTP protocol, but it is an implementation of FTP logic within the SSH protocol. Conversely, FTPS is FTP run through another protocol known as the Secure Sockets Layer (SSL).

As a side note, the original SSL specification has gone dormant, and the Transport Layer Security (TLS) is in its place. TLS essentially does the same thing, with a modern implementation.

The difference between SSL and SSH goes down to functionality. SSH creates a tunnel between computers through which commands and applications can operate. SSL/TLS, however, does not allow for such commands. Instead, it leverages SSL certificates as authentication proofs to encrypt direct transfers.

SFTP and FTPS accomplish the same tasks, and because of this, they can often be used as effective and secure file transfers. However, secure FTP offers a more robust and elegant implementation that plays better with modern security measures like firewalls (due to tunneling), meaning that SFTP is used more often than FTPS. Many security experts and compliance managers have essentially moved focus to SFTP, meaning FTPS is fading from use year after year.

Is SFTP the Same as a Virtual Private Network?

A virtual private network (VPN) is a private internet connection over public internet channels, typically connecting to a local area network (LAN) for professional purposes. With a VPN, a user’s computer and network traffic are routed over a “private” virtual connection that tunnels into a larger, “private” network. The private aspect of this network still operates on top of a public internet connection. SFTP software commands and encryption combinations , essentially making this traffic private to outside users.

There are some commonalities here, particularly the notion of using encrypted communications to run private data over public networks. However, SFTP is dedicated solely to file transfer and sharing, whereas a VPN essentially allows a user to enter an entire public network and its resources. This kind of application provides two advantages over SFTP:

  1. Business LAN Access: With a VPN and the right credentials, a user can access a private LAN as if they were on a device within the LAN itself. As such, the computer connecting to the LAN over the VPN has similar, if not identical, capabilities to a computer within a private office.
  2. Private IP Protection: Users can connect to a remote SFTP server through a VPN, which means their IP address is protected from unauthorized tracking.

SFTP can be used with a VPN for additional security, but they do not accomplish the same things individually.

FedRAMP Private Cloud: The Gold Standard

What Role Does SFTP Play in Compliance?

Almost every compliance framework requires some form of encryption for data at rest and data in transit between devices. Solutions like FTP simply do not meet these requirements, unlike secure FTP.

That is not to say that secure FTP meets all requirements out of the box. Secure file transfer solutions can come with stronger or weaker encryption algorithms in place, limiting their usefulness for compliance. For example, if an older SFTP program uses defunct encryption algorithms like DES or MD5, they will not meet encryption requirements.

In general, if an SFTP host uses AES-128 or AES-256 symmetric cryptography on server-stored information and in-transit encryption utilizing RSA 2048 keys (like TLS 1.2 or higher), then it will almost certainly meet most encryption standards, including those for regulations like HIPAA, FedRAMP, or SOC 2.

Additionally, platforms like SFTP gateways can help large enterprises facilitate secure, fast, and high-volume transfers between legacy and cloud systems without breaking compliance.

What Should I Look For in an SFTP Solution?

A secure FTP solution should satisfy three crucial criteria:

  1. Security: The server and the transmission protocol must have proper encryption. Additionally, dedicated firewalls, strict identity and access management with multi-factor authentication, and role-defined access controls are all important for top-notch security and most compliance standards.
  2. Usability: Even the most secure solution must be usable by people in an organization. User experience not only makes the program effective and useful, it promotes better security through features like passwordless authentication and ease of implementation across multiple platforms.
  3. Scalability: An enterprise-grade secure FTP platform should support the kind of scalability necessary to support rapid company growth. This includes features like unlimited bandwidth, unlimited file sizes, and unlimited connections.

SFTP: A Critical Function for Data-driven Enterprises

SFTP serves two critical functions across an enterprise. On the one hand, employees can rely on secure FTP for important, secure file sharing where speed and privacy are paramount. On the other hand, SFTP can serve as the foundation for more extensive managed file transfer solutions where batch processing, scheduled transfers, and event-driven transfers are part of day-to-day business operations.

Take a look underneath the hood of Kiteworks, including our SFTP capabilities, by scheduling a tailored demo based on your business requirements.


Back to Risk & Compliance Glossary


Get email updates with our latest blogs news