In a previous blog discussing Secure Copy Protocol (SCP), we mentioned that in April 2019, OpenSSH developers recommended the use of SFTP instead of the “outdated” SCP protocol. SFTP stands for Secure File Transfer Protocol, and it is also known as SSH File Transfer Protocol.
What is SFTP?
SFTP is a network protocol that provides file access, file transfer, and file management over any reliable data stream. It was designed by the Internet Engineering Task Force (IETF) as an extension of the Secure Shell protocol (SSH) and provides secure file transfer capabilities. Even though SFTP is described in the context of the SSH protocol, it can be used in various applications, such as secure file transfer over Transport Layer Security (TLS), and transfer of management information in VPN applications.
Compared to the SCP protocol, which only allows file transfers, the SFTP protocol allows a range of operations on remote files, which makes it more like a remote file system protocol. An SFTP client's extra capabilities include resuming interrupted transfers, directory listings, and remote file removal.
This protocol assumes that it is run over a secure channel, such as SSH, that the server has already authenticated the client, and that the identity of the client user is available to the protocol. SFTP transfers files securely. It uses SSH and encrypted FTP commands to avoid password sniffing and exposing sensitive information in plain text. Since the client needs to be authenticated by the server, SFTP also protects against man-in-the-middle attacks.
SFTP can be handy in all situations where sensitive data needs to be protected. For example, proprietary data and intellectual property (IP) may not be covered by any particular data privacy rule, but it can be devastating to fall into the wrong hands. An organization might use SFTP to transmit files containing trade secrets or other similar information.
How SFTP works
SFTP is a client-server protocol that can be launched either as a command line or through a graphical user interface (GUI).
- In a command line setup, the user issues SFTP commands from a terminal.
- The GUI option makes use of a program that abstracts the use of SFTP visually for end users.
The SFTP protocol runs over the SSH protocol using the normal SSH port 22 and supports multiple concurrent operations. The client identifies each operation with a unique number that must match the server response. Requests can be processed asynchronously. The SFTP protocol is initiated only when the user logs into an SSH server to avoid leaving additional ports exposed or maintaining additional authentications.
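To make the request-id matching described above concrete, here is an added Python example (not code from the original post) that frames SFTP v3 requests and matches replies that arrive out of order back to the request each one answers; the file paths and the simulated server are constructed for illustration.

```python
import struct

# Packet types and status code from the SFTP v3 draft (draft-ietf-secsh-filexfer-02).
SSH_FXP_REMOVE, SSH_FXP_STAT, SSH_FXP_STATUS, SSH_FXP_ATTRS = 13, 17, 101, 105
SSH_FX_OK = 0

def sftp_string(data: bytes) -> bytes:
    """SFTP 'string' field: uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def frame(pkt_type: int, req_id: int, payload: bytes) -> bytes:
    """Frame a packet: uint32 length, byte type, uint32 request-id, payload."""
    body = struct.pack(">BI", pkt_type, req_id) + payload
    return struct.pack(">I", len(body)) + body

def unframe(raw: bytes) -> tuple[int, int, bytes]:
    """Parse (type, request-id, payload); a length field that lies is rejected."""
    (length,) = struct.unpack(">I", raw[:4])
    if length < 5 or length != len(raw) - 4:
        raise ValueError("bad SFTP packet length")
    pkt_type, req_id = struct.unpack(">BI", raw[4:9])
    return pkt_type, req_id, raw[9:]

class SftpClient:
    def __init__(self) -> None:
        self.next_id = 0
        self.pending: dict[int, str] = {}  # request-id -> path it concerns

    def send(self, pkt_type: int, path: str) -> bytes:
        req_id, self.next_id = self.next_id, self.next_id + 1
        self.pending[req_id] = path
        return frame(pkt_type, req_id, sftp_string(path.encode()))

    def receive(self, raw: bytes) -> tuple[str, int]:
        """Return (path, reply type) of the request this reply completes."""
        pkt_type, req_id, _payload = unframe(raw)
        if req_id not in self.pending:  # never issued: stale or forged, refuse it
            raise ValueError(f"reply for unknown request-id {req_id}")
        return self.pending.pop(req_id), pkt_type

def simulated_server(requests: list[bytes]) -> list[bytes]:
    """Constructed stand-in for a server: answers every request, in reverse order."""
    replies = []
    for raw in requests:
        pkt_type, req_id, _ = unframe(raw)
        if pkt_type == SSH_FXP_REMOVE:
            status = struct.pack(">I", SSH_FX_OK) + sftp_string(b"") + sftp_string(b"")
            replies.append(frame(SSH_FXP_STATUS, req_id, status))
        else:  # STAT is answered with ATTRS; flags=0 means no attributes follow
            replies.append(frame(SSH_FXP_ATTRS, req_id, struct.pack(">I", 0)))
    return replies[::-1]
```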
Before you can use SFTP, you need both an SFTP client and an SFTP server. An SFTP client is the software that lets you connect to the server. It also makes it possible to upload files to be stored on the server, as well as to download files that are already stored there.
An SFTP server is the place in which files are stored and retrieved. The server provides its services so users can store and transfer data safely. The server uses the SSH file transfer protocol to keep the connection secure. A software vendor may store software updates on their SFTP server so that customers can download secure files with an SFTP client.
An SFTP server requires both communicating parties to authenticate themselves, either by providing a user ID and password, or by validating an SSH key (or both). One half of the SSH key pair, the private key, is stored on the client's computer, while the other half, the public key, is loaded on the server and associated with the user's account. Authentication succeeds only when the SSH key pair matches.
When to use SFTP
SFTP, as a successor to FTP, is used in situations where file security is important, such as complying with security and privacy standards like HIPAA, CCPA or GDPR. SFTP can become really useful for securing sensitive and confidential data while in transit.
This can be especially important in remote working scenarios. For example, any doctor or third party working with a hospital or healthcare provider must keep electronic PHI (ePHI) confidential, including while it is in transit across networks. SFTP is one of several options for shielding that data in transfer, to make sure that criminals do not compromise its confidentiality and integrity, and that the company does not unwittingly commit a HIPAA violation.
SFTP can also complement a VPN. Both protect data, but they are not the same: SFTP is a file transfer protocol, whereas a VPN is a secure encrypted tunnel for data. With that in mind, information can also be sent using the SFTP protocol through a VPN, making the transfer even more secure.
SFTP can also be seen as an improvement over FTPS, which is just the FTP protocol run over TLS/SSL. FTPS requires complex firewall configurations, as ports 989 and 990 need to be open, depends on a centralized public certificate authority, and is prone to file corruption since it defaults to ASCII mode.
Advantages of SFTP
There are many reasons why businesses choose to implement SFTP into their security and privacy controls.
- Speed: The servers used with SFTP can easily support large file transfers, as well as transferring multiple files at once, saving time when moving data from one server to another.
- Security: Thanks to encryption, public key authentication, and data security, SFTP can preserve the confidentiality and integrity of your data.
- Manageability: SFTP gives you the ability to easily manage your server using a web interface or an SFTP client.
- Integration: SFTP and firewalls go hand in hand. Data, commands, and sensitive information are all sent over a single connection to port 22, which firewalls typically allow by default in their security parameters.
Although SFTP has many features and benefits for users and businesses, its security depends on the lifecycle management of SSH keys. Poor management of SSH keys can expose these critical cryptographic assets to criminals who can leverage them to access corporate networks and move undetected. Therefore, organizations need to establish robust and effective procedures to protect their SSH keys. The Venafi SSH Protect platform can help you safeguard the host-to-host connections that SSH and SFTP enable by discovering, protecting and automating the SSH machine identities lifecycle.