In a previous blog discussing Secure Copy Protocol (SCP), we mentioned that in April 2019, OpenSSH developers recommended the use of SFTP instead of the “outdated” SCP protocol. SFTP stands for Secure File Transfer Protocol, and it is also known as SSH File Transfer Protocol.
What is SFTP?
SFTP, or Secure File Transfer Protocol, is a critical network protocol created by the Internet Engineering Task Force (IETF). Designed to extend the capabilities of Secure Shell protocol (SSH), SFTP provides a secure, reliable stream for accessing, transferring, and managing files of any size or sensitivity over a network. Although SFTP finds its roots in SSH, its secure file transfer functionality is versatile enough to be utilized in a wide array of applications, including secure file transfer over Transport Layer Security (TLS) and in the management of information for Virtual Private Network (VPN) applications. This broad applicability makes SFTP an essential tool for network security and file management.
Compared to the SCP protocol, which only allows file transfers, the SFTP protocol allows for a range of operations on remote files, which make it more like a remote file system protocol. An SFTP client's extra capabilities include resuming interrupted transfers, directory listings, and remote file removal.
This protocol assumes that it is run over a secure channel, such as SSH, that the server has already authenticated the client, and that the identity of the client user is available to the protocol. SFTP transfers files securely. It uses SSH and encrypted FTP commands to avoid password sniffing and exposing sensitive information in plain text. Since the client needs to be authenticated by the server, SFTP also protects against man-in-the-middle attacks.
SFTP can be handy in all situations where sensitive data needs to be protected. For example, proprietary data and intellectual property (IP) may not be covered by any particular data privacy rule, but it can be devastating to fall into the wrong hands. An organization might use SFTP to transmit files containing trade secrets or other similar information.
How does SFTP work?
Understanding how SFTP, or Secure File Transfer Protocol, works is key to harnessing its power for secure file transfer. Designed as a client-server protocol, SFTP can be implemented either via command line inputs or a more user-friendly graphical user interface (GUI). In the command line approach, users input specific commands to activate the SFTP protocol, while the GUI option utilizes a program that visualizes SFTP operations for users. Unique to SFTP is its capacity to run on the SSH protocol, using the standard SSH port 22, and the ability to support multiple concurrent operations. Each operation is identified with a unique number, ensuring that server responses match their corresponding requests. Moreover, the SFTP protocol is activated only upon user log-in to an SSH server, enhancing security by eliminating the need for additional exposed ports or authentications. This dual-layer of security makes SFTP a reliable tool for file transfer across different systems.
Before you can use an SFTP, you need both an SFTP client and server. An SFTP client is the necessary software that provides you with the ability to connect to the server. It also makes it possible to upload files to be stored to the server, as well as download files that are already being stored.
An SFTP server is the place in which files are stored and retrieved. The server provides its services so users can store and transfer data safely. The server uses the SSH file transfer protocol to keep the connection secure. A software vendor may store software updates on their SFTP server so that customers can download secure files with an SFTP client.
An SFTP server requires both communicating parties to authenticate themselves either by providing a user ID and password, or by validating an SSH key (or both). One half of the SSH key is stored on the computer of the two clients (private key), while the other half is loaded on the server and associated with their account (public key). Only when the SSH key pair matches, authentication occurs.
When to use SFTP
SFTP, as a successor to FTP, is used in situations where file security is important, such as complying with security and privacy standards like HIPAA, CCPA or GDPR. SFTP can become really useful for securing sensitive and confidential data while in transit.
This can be especially important in remote working scenarios. For example, any doctor or third-party working with a hospital or healthcare provider, must keep its electronic PHI (ePHI) confidential, including during its transition through networks. SFTP is one of several options for shielding that data in transfer, to make sure that criminals do not compromise its confidentiality and integrity, and that the company does not unwittingly perform a HIPAA violation.
SFTP can also complement VPN. Both systems will protect data, but they are not the same. SFTP is a protocol, whereas VPN is a secure encrypted tunnel for data. With that in mind, information can also be sent using SFTP protocol through a VPN, making the transfer even more secure.
SFTP can also be seen as an improvement over the FTPS, which is just an FTP protocol run over TLS/SSL. FTPS requires complex firewall configurations as ports 989 and 990 need to be open, depends on a centralized public certificate authority, and is prone to file corruption since it defaults to ASCII mode.
Advantages of SFTP
There are many reasons why businesses choose to implement SFTP into their security and privacy controls.
- Speed: The servers used with SFTP can easily support large file transfers, as well as transferring multiple files at once, saving time when moving data from one server to another.
- Security: Thanks to encryption, public key authentication, and data security, SFTP can preserve the confidentiality and integrity of your data
- Manageability: SFTP gives you the ability to easily manage your server using a web interface or an SFTP client.
- Integration: SFTP and firewalls go hand in hand. Data, commands, and sensitive information are all sent over a single connection to Port 22, which is by default enabled with firewalls in their security parameters.
Although SFTP has many features and benefits for users and businesses, its security depends on the lifecycle management of SSH keys. Poor management of SSH keys can expose these critical cryptographic assets to criminals who can leverage them to access corporate networks and move undetected. Therefore, organizations need to establish robust and effective procedures to protect their SSH keys. The Venafi SSH Protect platform can help you safeguard the host-to-host connections that SSH and SFTP enable by discovering, protecting and automating the SSH machine identities lifecycle.
(This post has been updated. It was originally published on October 18, 2021.)