In our last post, we talked about the importance of applying the CIA Triad to enterprise file transfers. Interestingly, one of the most widely used file transfer protocols, FTP, fails to meet the security goals of that triad. If you're using FTP in your business operations, it's high time to find an alternative. This post introduces you to some of the top options.
Why replace FTP?
FTP dates back to the early 1970s, when the people building Internet protocols were focused on functionality and gave little thought to security. That was understandable: there were few threats to data at the time. Times have changed. Internet-based threats are now everywhere, and we have come to realize just how vulnerable archaic protocols like FTP really are.
First, FTP transmits everything in plaintext, credentials included. Every FTP session is therefore open to eavesdropping: anyone positioned on the path (a compromised switch, a rogue Wi-Fi hotspot, a man-in-the-middle) can run a packet sniffer and read usernames and passwords straight out of the control channel, then use those credentials to log in to the server themselves. File contents on the data channel are exposed in exactly the same way.
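To make the eavesdropping point concrete, here is a small parser that pulls USER/PASS pairs out of a captured port-21 session. It is an added example, not code from the original post or from JSCAPE; the two transcripts are constructed to look like Wireshark's "Follow TCP Stream" view, with C:/S: prefixes marking client and server lines. The second transcript shows why the same sniffer gets nothing from a client that issues AUTH TLS before logging in.

```python
"""Pull cleartext FTP logins out of a captured control-channel session.

Added example (not from the original post or JSCAPE). The transcripts are
constructed; in a real capture you would feed in the reassembled TCP stream.
"""
import re
from dataclasses import dataclass


@dataclass
class ClearTextLogin:
    user: str
    password: str
    accepted: bool  # True when the server answered PASS with a 2xx reply


# Constructed sample: a plain FTP session. Nothing here is encrypted, so the
# USER/PASS exchange and the file name are readable by anyone on the path.
PLAIN_FTP_SESSION = """\
S: 220 (vsFTPd 3.0.3)
C: USER alice
S: 331 Please specify the password.
C: PASS hunter2
S: 230 Login successful.
C: PASV
S: 227 Entering Passive Mode (192,0,2,10,195,80).
C: RETR payroll.csv
S: 150 Opening BINARY mode data connection for payroll.csv (4312 bytes).
S: 226 Transfer complete.
C: USER bob
S: 331 Please specify the password.
C: PASS wrongpass
S: 530 Login incorrect.
C: QUIT
S: 221 Goodbye.
"""

# Constructed sample: the same client using explicit FTPS. After the server's
# 234 reply the TLS handshake starts and everything that follows on port 21
# is ciphertext, so a sniffer never sees USER or PASS.
EXPLICIT_FTPS_SESSION = """\
S: 220 (vsFTPd 3.0.3)
C: AUTH TLS
S: 234 Proceed with negotiation.
[TLS handshake; remaining control-channel bytes are encrypted]
"""

_LINE = re.compile(r"^([CS]):\s(.*)$")


def extract_cleartext_logins(transcript: str) -> list:
    """Return every USER/PASS pair visible in the clear, with the server's verdict."""
    logins = []
    user = None           # last USER seen, awaiting its PASS
    pending = None        # PASS sent, awaiting the server's reply
    tls_requested = False
    for raw in transcript.splitlines():
        m = _LINE.match(raw)
        if not m:
            continue      # not a C:/S: line (e.g. the handshake marker above)
        side, text = m.group(1), m.group(2)
        if side == "C":
            verb, _, arg = text.partition(" ")
            verb = verb.upper()
            if verb == "AUTH" and arg.upper() in ("TLS", "SSL", "TLS-C", "TLS-P"):
                tls_requested = True
            elif verb == "USER":
                user = arg
            elif verb == "PASS" and user is not None:
                pending = ClearTextLogin(user, arg, accepted=False)
        else:
            code = text[:3]
            if not code.isdigit():
                continue
            if tls_requested and code == "234":
                break     # control channel is now TLS; nothing more is readable
            tls_requested = False   # AUTH refused (502/504 etc.): still plaintext
            if pending is not None:
                pending.accepted = code.startswith("2")
                logins.append(pending)
                pending = None
                user = None
    return logins


if __name__ == "__main__":
    for login in extract_cleartext_logins(PLAIN_FTP_SESSION):
        print(f"{login.user}:{login.password} ({'accepted' if login.accepted else 'rejected'})")
    print("explicit FTPS:", extract_cleartext_logins(EXPLICIT_FTPS_SESSION))
```

Run against the plain session this yields alice's working password and bob's failed attempt; against the explicit-FTPS session it yields nothing, because the parser stops at the 234 reply where real capture data would turn into ciphertext. A detection rule that alerts on any PASS command visible on port 21 is the flip side of the same logic.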
Second, FTP has no built-in integrity mechanism. Nothing in the protocol tells the receiver whether a file was altered in transit, so you have to bolt on a separate solution (exchanging checksums out of band, for example) to verify transmitted files. This lack of security mechanisms is the main reason FTP is unsuitable for today's business file transfers, and it is why regulations and standards like HIPAA and PCI DSS discourage covered entities from sending sensitive data over it.
But why do people stick with FTP? Aside from its ubiquity, FTP's ability to move large files, and large numbers of files, is a major reason FTP servers are still common in B2B communications. Any replacement has to match those capabilities without the security deficiencies. So if we can't use FTP, what are the options?
We believe these are the top choices to consider:
FTPS
FTPS (FTP over SSL/TLS; "SSL" is the older name, and in practice it means TLS today) is essentially a secure upgrade of FTP: it retains all of FTP's functionality and gains a set of security features. The security extensions that make it possible (the AUTH, PBSZ and PROT commands) were introduced in RFC 2228, and RFC 4217 specifies how FTP runs over TLS. Through TLS, FTPS provides:
- server authentication (and optionally client authentication) through digital certificates,
- data confidentiality through a combination of asymmetric encryption (for key exchange and authentication) and symmetric encryption (for the bulk data), and
- data integrity checking through message authentication code (MAC) algorithms, or the authenticated ciphers of modern TLS.
FTPS is a good fit for businesses that can't yet get rid of FTP entirely and need some backward compatibility with existing FTP clients and servers. This is possible through explicit FTPS (sometimes written FTPES), which still runs on port 21: the client connects in the clear, issues AUTH TLS to upgrade the control channel before sending any credentials, and then PROT P to protect the data channel. (Implicit FTPS, by contrast, starts TLS immediately on a separate port, conventionally 990.) The caveat with explicit mode is that the port 21 listener remains reachable in plaintext, so configure the server to refuse unencrypted logins and data transfers (in vsftpd, for example, force_local_logins_ssl=YES and force_local_data_ssl=YES) rather than leaving the choice to each client.
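The client side of explicit FTPS, as an added example (not JSCAPE's code or any server vendor's): the sequence is connect on 21, AUTH TLS, log in, PROT P, transfer. Two settings that are easy to get wrong are shown deliberately: Python's ftplib.FTP_TLS does not verify the server certificate unless you hand it a context, and the data channel stays in plaintext unless prot_p() is called. The host name, account and file names in the __main__ block are placeholders.

```python
"""Explicit FTPS upload with certificate verification and a protected data
channel. Added example (not JSCAPE's code); server, account and paths in
the __main__ block are placeholders.
"""
import ftplib
import ssl


def make_ftps_context(ca_file=None):
    """TLS settings the client will insist on.

    ftplib.FTP_TLS() called without a context does NOT verify the server's
    certificate, so a man-in-the-middle could present any certificate and
    still capture the password. create_default_context() turns verification
    on; the remaining lines pin the floor at TLS 1.2.
    """
    ctx = ssl.create_default_context(cafile=ca_file)  # None: system trust store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2      # no SSLv3 / TLS 1.0 / 1.1
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def describe_context(ctx):
    """Plain summary of the settings that matter, for a pre-flight check."""
    return {
        "verifies_cert": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
        "min_tls": ctx.minimum_version.name,
    }


def upload_explicit_ftps(host, user, password, local_path, remote_name,
                         port=21, ca_file=None, timeout=30):
    """Connect on port 21, upgrade with AUTH TLS, then STOR one file.

    Returns the server's final reply to STOR (e.g. '226 Transfer complete.').
    """
    ftp = ftplib.FTP_TLS(context=make_ftps_context(ca_file))
    ftp.connect(host, port, timeout=timeout)
    try:
        ftp.auth()       # AUTH TLS: control channel is encrypted from here on,
                         # so USER/PASS below never cross the wire in the clear
        ftp.login(user, password)
        ftp.prot_p()     # PROT P: encrypt the data channel too; without this,
                         # directory listings and file contents are plaintext
        with open(local_path, "rb") as fh:
            return ftp.storbinary(f"STOR {remote_name}", fh)
    finally:
        try:
            ftp.quit()
        except (OSError, ftplib.Error):
            ftp.close()


if __name__ == "__main__":
    print(describe_context(make_ftps_context()))
    # Placeholders: point at your own server; pass ca_file only for a private CA.
    # print(upload_explicit_ftps("ftps.example.com", "alice", "secret",
    #                            "invoice.edi", "inbox/invoice.edi"))
```

If the server uses a certificate from a private CA, pass its CA bundle as ca_file rather than relaxing verification; disabling check_hostname or setting CERT_NONE to "make it work" reintroduces exactly the credential exposure FTPS was supposed to remove.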
SFTP
Unlike FTPS, SFTP is an entirely different protocol, not FTP with a security layer bolted on. It runs as a subsystem of SSH, from which it draws its security functions. Like FTPS, SFTP supports client and server authentication, data confidentiality, and data integrity checking: the server is authenticated by its SSH host key, and clients authenticate with passwords or, preferably, SSH public keys. Server authentication only works if clients actually verify the host key (against a known_hosts entry or a pinned fingerprint) rather than blindly accepting whatever is offered on first connection, so distributing host key fingerprints to trading partners needs to be part of any SFTP rollout.
SFTP operates on a single port (22 by default). This makes it more firewall friendly than FTPS, which has to operate on two channels: a command channel and a separately negotiated data channel. The two channels and their modes of operation (active and passive) already complicate firewall rules for plain FTP, and FTPS makes it worse: because the control channel is encrypted, firewalls and NAT devices can no longer inspect the PORT/PASV exchange to learn which data port to open, so passive FTPS usually needs a fixed range of data ports opened explicitly. Read the article "Active vs. Passive FTP Simplified - Understanding FTP Ports" for the details.
Recommended post: Business Benefits Of An SFTP Server
AS2
AS2 is a different creature altogether. It is common in industries that use EDI in their B2B transactions and is specified in RFC 4130. AS2 wraps each business document in S/MIME, so the payload itself can be signed and encrypted at the message level, independent of the transport; it is then carried over HTTP or, usually, HTTPS, which adds the same TLS protections described above for FTPS. In addition, AS2 defines an MDN (Message Disposition Notification), an electronic return receipt that (if requested) the sender gets back after the recipient has received and processed the EDI document.
Electronic receipts are valuable in EDI because what is being exchanged are business documents: invoices, purchase orders, ship manifests, price lists, patient information, health care claims, and many others. Sending parties need proof that the document reached the intended recipient intact. The MDN carries a message integrity check (MIC) computed over the received content, so the sender can confirm that what arrived is what was sent, and because MDNs can be digitally signed, they give trading partners non-repudiation of receipt.
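What the sender actually checks when a receipt comes back, as an added example that is not JSCAPE's code or any AS2 product's code. It models only the machine-readable part of the MDN (the disposition-notification fields) and computes the MIC over the raw payload bytes, which is what applies to an unsigned, unencrypted AS2 message; for signed or encrypted messages RFC 4130 defines which bytes the MIC covers, and the S/MIME signature that makes the MDN non-repudiable is assumed to be applied and verified by a separate layer. The sample EDI payload, message ID and AS2 identifiers are constructed.

```python
"""Build and verify the receipt (MDN) half of an AS2 exchange.

Added example, not JSCAPE's or any AS2 product's code. Only the
disposition-notification fields are modelled; S/MIME signing of the MDN
is assumed to happen elsewhere.
"""
import base64
import hashlib
import hmac

MIC_ALG = "sha256"   # assumed: both partners agreed on SHA-256 in their AS2 profile


def content_mic(payload: bytes, alg: str = MIC_ALG) -> str:
    """Received-Content-MIC value: base64(digest), algorithm-name."""
    digest = hashlib.new(alg, payload).digest()
    return f"{base64.b64encode(digest).decode('ascii')}, {alg}"


def build_mdn(original_message_id: str, payload: bytes,
              disposition: str = "processed", receiver_as2_id: str = "RECEIVER_AS2") -> str:
    """Receiver side: the disposition-notification fields returned to the sender."""
    return (
        f"Reporting-UA: {receiver_as2_id}; example-mdn/1.0\r\n"
        f"Original-Recipient: rfc822; {receiver_as2_id}\r\n"
        f"Final-Recipient: rfc822; {receiver_as2_id}\r\n"
        f"Original-Message-ID: {original_message_id}\r\n"
        f"Disposition: automatic-action/MDN-sent-automatically; {disposition}\r\n"
        f"Received-Content-MIC: {content_mic(payload)}\r\n"
    )


def parse_mdn(mdn: str) -> dict:
    """Header-style fields -> dict with lower-cased names."""
    fields = {}
    for line in mdn.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip().lower()] = value.strip()
    return fields


def verify_mdn(mdn: str, sent_payload: bytes, sent_message_id: str):
    """Sender side: (ok, reason). ok only if the receipt refers to our message,
    reports successful processing, and its MIC matches the bytes we sent."""
    f = parse_mdn(mdn)
    if f.get("original-message-id") != sent_message_id:
        return False, "receipt is for a different message"
    disposition = f.get("disposition", "")
    _, _, result = disposition.partition(";")
    if result.strip().lower() != "processed":
        return False, f"receiver did not process the message: {disposition}"
    mic_field = f.get("received-content-mic")
    if not mic_field or "," not in mic_field:
        return False, "receipt carries no MIC"
    their_mic, alg = (p.strip() for p in mic_field.split(",", 1))
    try:
        our_mic = content_mic(sent_payload, alg.lower()).split(",")[0]
    except ValueError:
        return False, f"unsupported MIC algorithm {alg}"
    if not hmac.compare_digest(our_mic, their_mic):
        return False, "MIC mismatch: receiver got different bytes than we sent"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: a stub X12 interchange header and a made-up message ID.
    payload = b"ISA*00*          *00*          *ZZ*SENDER         *ZZ*RECEIVER       *240101*1200*U*00401*000000001*0*P*>~"
    message_id = "<20240101-0001@sender.example>"
    receipt = build_mdn(message_id, payload)
    print(receipt)
    print(verify_mdn(receipt, payload, message_id))
```

The three failure branches map onto what a trading-partner dispute turns on: a receipt for the wrong message, a disposition other than plain "processed" (for example "processed/error: ..."), and a MIC that does not match, which means the bytes the partner acknowledged are not the bytes you sent. Keep the MDNs, with their signatures, as the audit record.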
We've included AS2 here because some businesses that carry out EDI transmissions actually use FTP. If you're exchanging EDI messages over FTP, seriously consider replacing it with AS2, which was designed for exactly that job.
OFTP
If you operate in Europe, you might also want to look at OFTP (the Odette File Transfer Protocol). Like AS2, it is best known for transmitting EDI documents, except that the majority of its user base is in Europe, particularly the automotive industry. Its current version, OFTP2 (RFC 5024), adds TLS, file-level encryption and signed receipts to the original protocol.
HTTPS and WebDAV
As mentioned, AS2 runs over HTTPS, and HTTPS by itself is also a good alternative to FTP. Because admins usually configure firewalls to allow HTTP/S traffic, HTTPS-based file transfers flow without special rules. HTTPS is also appealing to end users because they can use a familiar web browser like Chrome, Firefox, or Internet Explorer instead of a dedicated file transfer client, which most of them have never used. The trade-off is that the server side needs a web application (or a managed file transfer server) to handle uploads and downloads, since HTTPS on its own defines the transport, not a file-management interface.
HTTP also has an extension that is a good FTP alternative: WebDAV (RFC 4918), which adds file and directory operations (upload, move, copy, delete, locking) over HTTP/S so that clients can mount a remote folder much like a network drive. You might want to check that out too.
All FTP alternatives in one solution
Every protocol listed above is better than FTP, particularly on security. And because they have practically the same bulk file transfer capabilities as FTP, they are all suitable for business use. At the end of the day, though, it comes down to interoperability: which of these protocols do your suppliers, customers, and trading partners use? You can't insist on FTPS if all of them use SFTP.
Unless your company is big enough to dictate the terms, you'll likely need to adapt. Does that mean you have to set up multiple file transfer servers? Not necessarily. There's an easier way. You can use a multi-protocol managed file transfer server like JSCAPE MFT Server. JSCAPE MFT Server supports all major file transfer protocols, including: FTPS, SFTP, AS2, OFTP, HTTPS, WebDAV and even insecure protocols like FTP and HTTP.
A single multi-protocol solution will allow you to easily interoperate with all your trading partners without requiring a significant increase in administrative overhead. JSCAPE MFT Server comes with a free, fully-functional evaluation edition, so you can try it out now.