SFTP Security – Is It Truly Secure?

Is SFTP enough to keep my files secure when shared? We understand the worry and have compiled ways to keep your data as secure as possible through SFTP.

Is SFTP transfer encrypted? Yes, SFTP encrypts everything being transferred over the SSH data stream; from the authentication of the users to the actual files being transferred, if any part of the data is intercepted, it will be unreadable because of the encryption.

What Is SFTP?

SFTP (SSH File Transfer Protocol or Secure File Transfer Protocol) is a secure file transfer protocol used for transferring files over a secure shell. It provides strong authentication and encrypted data transfers between two computers over an insecure network, and is typically used for uploading and downloading files from a remote server.

Businesses use SFTP for its tight security, which is especially important when transferring sensitive or proprietary data. SFTP provides an encrypted connection for data transfers, eliminating the risk of data being accessed by unauthorized users during the process. It also allows for authentication of both the server and the client, ensuring that only the party intended is able to access the data. By using SFTP, businesses are able to securely transfer files between multiple locations and systems, as well as back up data to off-site storage. This also eliminates the need for sending physical hard drives or CDs to transport data. SFTP is also used for website hosting, as it is the most secure form of transfer for web content.

Businesses benefit from using SFTP by having the assurance that data is securely transferred. It allows for fast and reliable data sharing, which can help boost productivity, as well as save time and money. SFTP is also cost-effective, as it does not require additional hardware or software to be purchased. The encryption offered by SFTP also provides an extra layer of security over other data transfer methods, ensuring that confidential information is kept safe.

How does SFTP work?

Secure File Transfer Protocol (SFTP) is a secure protocol used to transfer files between two computers over a secure connection. It is a networking protocol that provides encryption, authentication, and data integrity for file transfers. It operates on port 22 and uses SSH to create a secure connection and encrypt data. Once the connection is established, the user can then send and receive files using the SFTP protocol. Files can also be transferred by creating copies of the files within the remote directory or through the use of a script. Ultimately, SFTP provides a safe and secure way to transfer files over the internet.

What Is the Difference Between FTP and SFTP?

File transfers are a way of life for most large businesses. However, when it comes to transferring extremely large files, or a large volume of files, or even when batch files need to be transferred quickly, then these companies need to rely on something more than email or flash drives. That’s where File Transfer Protocol (FTP) comes into play.

FTP is one of the oldest protocols around. Built to facilitate direct file transfers between computers, FTP leverages the client-server model of networking to allow users to upload and download files to and from servers quickly.

FTP is lightweight and easy to use, so much so that nearly every operating system has some sort of FTP capabilities in place. Additionally, most operating systems also support several FTP applications to make transfers even easier.

FTPs availability and speed come at a cost, however. FTP transmissions are not encrypted in any way. This means two things:

1. All data, both stored in an FTP server and transmitted between computers, is potentially vulnerable to attack. If someone, for example, intercepts an FTP transmission between computers then the data is open to read as-is.
2. Login credentials are also most likely unencrypted, meaning that this information can also be stolen by a hacker from an FTP server. Furthermore, most FTP servers don’t use advanced authentication measures to protect access to data.

With that being said, FTP is not secure in and of itself, and as such doesn’t meet even the minimum requirements for any compliance framework. Without the necessary security in place, it isn’t a safe solution for protecting data. That’s why most organizations have turned to SFTP.

SSH (or Secure) FTP attempts to address the problem of security by utilizing an encryption algorithm as part of its operation. SFTP includes Secure Shell (SSH) protocol in the storage and transfer process. What does that mean for users? It means that the data is encrypted in the server and during transmission. Should that data be stolen during an SFTP transfer, the thief will not be able to read it without cracking the encryption.

To ensure security, modern SSH protocol uses modern encryption:

1. SSH uses Advanced Encryption Standard (AES) to encrypt data. AES is a symmetric block cipher that leverages complex mathematics and the unique properties of prime numbers to encrypt data with a key, the length of which determines the difficulty of breaking the cipher. Typically, this means the use of AES-128 or AES-256 algorithms, which use a 128-bit or 256-bit key respectively.
2. SSH uses a hashing algorithm, usually SHA-2, to determine data integrity. A “hash” is a unique alphanumeric value created by processing the data through a hashing algorithm. The idea is that if the data is run through the same hashing algorithm, it will produce an identical hash. Accordingly, if data produces a different hash than the one provided, it signals that the data has been modified.

SFTP, using SSH technology, brings these security measures to FTP transfers. Additionally, it allows for additional authentication measures for user access beyond the transfer of clear-text user IDs and passwords.

How Secure Is SFTP?

SFTP (Secure File Transfer Protocol), as a reminder, is a secure version of the File Transfer Protocol (FTP), which is used for transferring files over the internet. It is a secure protocol, as it provides strong encryption for data transferred over the network, as well as user authentication. It uses Secure Shell (SSH) to encrypt the data and session information, so that the data is not exposed while transferring. Additionally, it allows the server to authenticate the client and the client to authenticate the server before any data is exchanged. This ensures that only authorized users have access to sensitive data. Finally, users can also employ digital signatures to verify the integrity of their data.

SFTP is more secure than FTP, as it encrypts all data transferred between the client and server, including usernames and passwords. Additionally, SFTP requires user authentication, meaning that only authorized users have access to the data. Moreover, SFTP allows the server to authenticate the client and the client to authenticate the server before any data is exchanged, providing an extra layer of security. All of these features make SFTP more secure than FTP.

IT departments prefer using SFTP, as it offers a high level of security for data transferred over the network. It also allows users to easily configure access control, so that only authorized users have access to sensitive data. Furthermore, with SFTP, they can also use digital signatures to verify the integrity of their data. All of these features make SFTP the preferred choice for IT departments.

How Does SFTP Authentication Work?

Secure File Transfer Protocol (SFTP) authenticates users by using public-key cryptography. This requires the user to upload a public key to the server, which is used to verify the user’s identity. When the user attempts to log in, the server uses the public key to generate an encryption key that the user must use to log in. The server then decrypts the key the user entered, verifies the user’s identity, and then allows the user access to the server.

What Issues Might Businesses May Face with File Transfer and GDPR Compliance?

SFTP, when configured correctly, can help with GDPR compliance. However, it isn’t necessarily so out of the box for a few reasons:

• SFTP doesn’t stop the unauthorized transfer of data to third parties. This can lead to non-compliant disclosures of data, which breach GDPR rules on confidentiality and privacy.
• SFTP doesn’t manage cross-script vulnerability. FTP transfers are often automated, as is SFTP. However, because automation scripts and applications can sometimes expose data outside of the SFTP application, they provide an attack surface for hackers. Data exposed in outside scripts will breach GDPR.
• SFTP does not include centralized audits or documentation. Most compliance frameworks, including GDPR, require some documentation to demonstrate compliance. SFTP can include audit logs, but without a centralized SFTP server documenting access across multiple systems can make documentation hard and raise red flags for assessors. Likewise, documentation must also adhere to privacy laws, which becomes exponentially more difficult over multiple SFTP servers.
• SFTP doesn’t natively support file and folder expiration needed for regulations and internal policies. Many frameworks require automated access automation so that files aren’t open into perpetuity.
• SFTP doesn’t natively provide encryption at rest. This is a configuration that an admin must make, which usually entails that it is being modified for other purposes.

While SFTP can support compliance more broadly, the technology is not necessarily compliant out of the box.

What Can I Do to Make Sure My SFTP Server Is Secure?

There are several approaches you can take to better secure your SFTP servers to support compliance:

1. Disable FTP. If you are using your own server, disabling FTP is a good way to lock down a potential attack vector. Likewise, if you work with a third-party vendor, you can ask if they have disabled FTP and, if not, what security protocols they have in place to protect it.
2. Use the strongest encryption. AES-256 is currently the strongest standard encryption around, and SHA-2 hashing currently represents the strongest hash encryption to authenticate data. It’s straightforward to get an SFTP server that includes both.
3. Use file and folder security for external access. Have proper practices in place to monitor and protect data when third parties need to see it during or before an SFTP transfer. This includes proper user access and identity management features.
4. Use folder security for internal access. Access controls can be a pain to set up because somebody has to do it manually on individual folders. Business users typically don’t have the skills or permission to do this, so organizations often resort to these users writing help desk tickets for IT to undertake access management tasks. The Kiteworks platform has a solution that provides web-based (or even mobile) self-service for business users to set and automate these security settings.
5. Include documentation and auditing. Most frameworks require some capacity to document things like compliance and file access. Utilizing a method to monitor file access as well as document things like user consent and other requests is a critical part of GDPR compliance.
6. Use IP blacklisting and whitelisting. It may be necessary to simply block access to your servers through blacklists to protect data, particularly if there is no reason to accept traffic from, say, foreign countries or specific regions.
7. Provide logging integration with your SIEM so your SOC team can detect and mitigate attacks.
8. Require certificate-based authentication for external users. This way, you can ensure that anyone accessing your system at least has a security certificate to verify who they are.
9. Harden your SFTP server. Or leverage a provider (like Kiteworks and the Kiteworks platform) that employs hardened servers.
10. Protect the SFTP server behind your corporate firewall, and only expose a proxy tier through your firewall as a DMZ against unauthorized access.

To learn more about Kiteworks’ SFTP and compliance features, schedule a custom demo of Kiteworks today.

Additional Resources

• Blog PostShopping for the Best Managed File Transfer Software
• Blog PostSecure External File Sharing Solutions
• Blog PostWhat to Look For in an Enterprise SFTP Server Solution
• GlossaryWhat is SFTP?
• Blog PostSecure Business File Sharing