
SFTP vs. FTPS: The Key Differences

FTP, SFTP, FTPS, HTTPS, AS2… The many options for transferring files can make it confusing to answer the question that matters—what is the best way to secure your company’s data during transfer? Use this article as an introduction to the differences between two mainstream secure FTP protocols, SFTP and FTPS, and which is the best choice to protect your file transfers.

Can’t I Just Use FTP?

FTP is a popular file transfer method that has been around longer than the world wide web—and it hasn’t changed much since its invention. Back then, it was usually assumed that internet activity was not malicious, so FTP wasn’t created with features to deal with the kind of cybersecurity threats we now see in the news every day.

FTP exchanges data using two separate channels known as the command channel and data channel. With FTP, both channels are unencrypted, leaving any data sent over these channels vulnerable to being intercepted and read.

Even if a man-in-the-middle attack is a risk that you are personally willing to take, industry regulations such as PCI DSS, HIPAA, and others require data transfers to be encrypted. Unfortunately, despite escalating security risks and the high cost of non-compliance, FTP is actually growing in popularity.

We highly recommend you avoid the basic FTP protocol and choose a more secure option.

 


What is FTPS?

Concern about internet security grew during the 1990s. In response, Netscape created the Secure Sockets Layer (SSL, now known as TLS) protocol to protect communications over a network. SSL was applied to FTP to create FTPS. Like FTP, FTPS uses two connections: a command channel and a data channel. You can choose to encrypt both connections or only the data channel.

FTPS authenticates your connection using a user ID and password, a certificate, or both. When connecting to a trading partner's FTPS server, your FTPS client will first check if the server's certificate is trusted. The certificate is considered trusted if either the certificate was signed by a known certificate authority (CA) or if the certificate was self-signed by your partner and you have a copy of their public certificate in your trusted key store. Your partner may also require that you supply a certificate when you connect to them. If your certificate isn’t signed by a third-party CA, your partner may allow you to self-sign your certificate, sending them the public portion beforehand to load into their trusted key store.

User ID authentication can be used with any combination of certificate and/or password authentication.
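
The certificate checks described above, written with Python's standard ssl and ftplib modules. This is an added example, not code from the original article; the function names and file-path parameters are illustrative assumptions.

```python
import ssl
from ftplib import FTP_TLS


def build_ftps_context(partner_cert=None, client_cert=None, client_key=None):
    """TLS settings for an FTPS client that refuses untrusted server certificates."""
    # Default context: the server certificate must chain to a known CA and
    # match the host name being connected to.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if partner_cert:
        # Self-signed partner certificate: trust the public copy they sent you.
        ctx.load_verify_locations(cafile=partner_cert)
    if client_cert:
        # The partner asks for a client certificate as well as (or instead of)
        # a password.
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def list_directory(host, user, password, ctx, port=21):
    """FTPS session with both channels encrypted; returns the remote file names."""
    ftps = FTP_TLS(context=ctx, timeout=30)
    ftps.connect(host, port)
    ftps.login(user, password)  # ftplib sends AUTH TLS before the user ID and password
    ftps.prot_p()               # PROT P: encrypt the data channel too
    try:
        return ftps.nlst()
    finally:
        ftps.quit()


if __name__ == "__main__":
    # No network needed: show the verification settings a connection would use.
    ctx = build_ftps_context()
    print(ctx.verify_mode, ctx.check_hostname, ctx.minimum_version)
```

If the server certificate is neither CA-signed nor loaded through `partner_cert`, the TLS handshake fails before any user ID or password is sent.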

What is SFTP?

While FTPS adds a layer to the FTP protocol, SFTP is an entirely different protocol based on the network protocol SSH (Secure Shell). Unlike both FTP and FTPS, SFTP uses only one connection and encrypts both authentication information and data files being transferred.

SFTP provides two methods for authenticating connections. Like FTP, you can simply use a user ID and password. However, with SFTP these credentials are encrypted, giving it a major security advantage over FTP. The other authentication method you can use with SFTP is SSH keys. This involves first generating an SSH private key and public key. You then send your SSH public key to your trading partner and they load it onto their server and associate it with your account. When they connect to your SFTP server, their client software will transmit your public key to the server for authentication. If the public key matches your private key, along with any user or password supplied, then the authentication will succeed.

User ID authentication can be used with any combination of key and/or password authentication.
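
Before a trading partner's public key is loaded onto a server and tied to an account, the key line can be validated and fingerprinted so both sides can confirm they hold the same key. This is an added example, not code from the original article; the allow-list of key types and the sample key are constructed assumptions.

```python
import base64
import hashlib
import struct

ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}  # assumed policy


def ssh_string(data):
    """Length-prefixed byte string as used inside SSH key blobs."""
    return struct.pack(">I", len(data)) + data


def inspect_public_key(line):
    """Validate one OpenSSH public-key line; return (type, fingerprint, comment)."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64 data> [comment]'")
    declared, encoded = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    if declared not in ALLOWED_TYPES:
        # Also rejects a private key pasted by mistake ("-----BEGIN ...").
        raise ValueError(f"key type {declared!r} is not accepted")
    blob = base64.b64decode(encoded, validate=True)  # raises ValueError if invalid
    if len(blob) < 4:
        raise ValueError("key data too short")
    # The key data starts with its own copy of the key type; it must agree.
    (length,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + length] != declared.encode("ascii"):
        raise ValueError("declared key type does not match the key data")
    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")
    return declared, fingerprint, comment


# Constructed sample: a syntactically valid Ed25519 public key made from the
# bytes 0..31. It is not a real key.
SAMPLE_LINE = "ssh-ed25519 {} partner@example".format(
    base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))).decode("ascii")
)

if __name__ == "__main__":
    print(inspect_public_key(SAMPLE_LINE))
```

The fingerprint is in the same SHA256 form that `ssh-keygen -l` prints, so the key's owner can read theirs out for comparison.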

What's the Difference between FTPS and SFTP?

Both FTPS and SFTP offer strong protection through authentication options that FTP can’t provide. So why should you choose one over the other?

One major difference between FTPS and SFTP is that FTPS uses multiple port numbers. The first port for the command channel is used for authentication and passing commands. However, every time a file transfer request or directory listing request is made, another port number needs to be opened for the data channel.

You and your trading partners will therefore have to open a range of ports in your firewalls to allow for FTPS connections, which can be a security risk for your network. SFTP needs only a single port number for all SFTP communications, making it easy to secure.
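
The extra data-channel port is named by the server in its reply to each passive-mode request, which is why a range has to be opened in advance. This added example (not from the original article) decodes those replies and reports any port outside the firewall range; the replies, the address and the 50000-50010 range are constructed sample values.

```python
import re

# Reply formats from the FTP standards (RFC 959 PASV, RFC 2428 EPSV).
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229 .*?\((.)\1\1(\d+)\1\)")


def data_port(reply):
    """Return the data-channel port announced in a 227 (PASV) or 229 (EPSV) reply."""
    m = PASV_RE.match(reply)
    if m:
        high, low = int(m.group(5)), int(m.group(6))
        if high > 255 or low > 255:
            raise ValueError("port bytes out of range: " + reply)
        return high * 256 + low  # last two numbers: high and low byte of the port
    m = EPSV_RE.match(reply)
    if m:
        port = int(m.group(2))
        if not 0 < port < 65536:
            raise ValueError("port out of range: " + reply)
        return port
    raise ValueError("not a passive-mode reply: " + reply)


def ports_outside_range(replies, allowed):
    """Ports the server handed out that the firewall range does not cover."""
    return [p for p in map(data_port, replies) if p not in allowed]


# Constructed sample replies (192.0.2.10 is a documentation address).
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (192,0,2,10,195,80)",   # 195*256 + 80 = 50000
    "229 Entering Extended Passive Mode (|||50007|)",
    "227 Entering Passive Mode (192,0,2,10,234,96)",   # 234*256 + 96 = 60000
]
FIREWALL_RANGE = range(50000, 50011)  # assumed rule: TCP 50000-50010 open

if __name__ == "__main__":
    print(ports_outside_range(SAMPLE_REPLIES, FIREWALL_RANGE))
```

A non-empty result means the server's passive port setting and the firewall rule disagree: either transfers will fail or the firewall range is wider than it needs to be.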

While both protocols have their benefits, we recommend SFTP thanks to its better usability with firewalls. For an enterprise, it is ideal to have a managed file transfer (MFT) solution that can manage, monitor, and automate file transfers using a variety of protocols, including FTPS and SFTP. MFT software is extremely valuable if you have trading partners with different requirements, and it has additional features like detailed audit logs to help you comply with industry regulations.
