
Deciding how to securely send files doesn’t have to be difficult. There are plenty of file transfer protocols that can do the job efficiently and securely (as well as a few that should be out of consideration).
File Transfer Protocols and Their Security Considerations
FTP (File Transfer Protocol)
- Security considerations: File transfers are unencrypted, and everything is sent in plaintext, including commands and credentials. FTP came about before the internet and has not kept up with the security organizations need today against sophisticated cybercriminals, or even against simple human error when handling sensitive data (although FTPS, the secure version of FTP, can). It is still sometimes used for non-sensitive, internal transfers.
- Recommendation: Not recommended due to its vulnerability to attacks such as brute-force, man-in-the-middle, and packet sniffing. Dated FTP scripts can provide a clear pathway for malicious software or hackers to exploit an organization’s sensitive information, as credentials are exposed. In addition, it lacks any built-in data integrity checks, so files could potentially be altered in transit without detection.
In addition, FTP lacks secure logging and auditing capabilities, making it challenging to track and monitor file transfer activities effectively and risking noncompliance with HIPAA, PCI DSS, GDPR, and other industry requirements around data handling and privacy. Instead, use a more secure protocol such as FTPS or SFTP.
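To find where plaintext FTP logins are still in use, a network sensor's view of the control channel can be audited for readable credentials. The following is an added example, not part of the original article; the capture format (session id, direction, payload) and the sample lines are constructed for illustration.

```python
import re

# Constructed sample: FTP control-channel lines as a network sensor would
# record them (session id, C=client / S=server, payload). Not real traffic.
SAMPLE = """\
s1 C USER alice
s1 S 331 Password required
s1 C PASS Winter2024!
s1 S 230 Login successful
s2 C AUTH TLS
s2 S 234 Proceed with negotiation
s3 C USER anonymous
s3 C PASS guest@example.com
"""

LINE = re.compile(r"^(\S+) ([CS]) (.*)$")

def find_cleartext_logins(capture):
    """Return one finding per session whose PASS command was readable."""
    state = {}      # session id -> TLS negotiation state and last USER seen
    findings = []
    for raw in capture.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        sid, side, payload = m.groups()
        s = state.setdefault(sid, {"tls_asked": False, "tls": False, "user": None})
        verb, _, arg = payload.partition(" ")
        verb = verb.upper()
        if side == "C" and verb == "AUTH":
            s["tls_asked"] = True
        elif side == "S" and verb == "234" and s["tls_asked"]:
            s["tls"] = True          # everything after this is ciphertext
        elif side == "C" and verb == "USER" and not s["tls"]:
            s["user"] = arg
        elif side == "C" and verb == "PASS" and not s["tls"]:
            findings.append({
                "session": sid,
                "user": s["user"],
                "anonymous": (s["user"] or "").lower() in ("anonymous", "ftp"),
                "password": "<redacted>",   # never copy the secret into alerts
            })
    return findings
```

Each finding identifies an account whose password should be rotated and whose transfer job should be moved to FTPS or SFTP.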
FTPS (FTP Secure)
- Security considerations: This more secure version of FTP uses TLS (SSL’s replacement) as its security mechanism for transferring data. The control connection is encrypted from the beginning, even before transferring, and between transfers as well.
- Recommendation: Encouraged. FTPS uses multiple strong encryption algorithms but does require multiple ports for control and data channels, which can complicate firewall configurations. Proper SSL/TLS certificate management is essential to avoid vulnerabilities.
- Latency can affect each protocol. FTPS is much more efficient than SFTP for larger files over long-distance or high-speed links. It is not as speedy as accelerated solutions, such as FileCatalyst, but performs better than SFTP.
HTTPS (Hypertext Transfer Protocol Secure)
- Security considerations: Data being transferred uses SSL/TLS for secure transmission. Most sites will just redirect a plain HTTP connection to the HTTPS equivalent. Customers should look for the lock icon on the address bar to be sure it is secure before transferring files.
- Recommendation: Encouraged with caveat. This protocol, while secure, may still be vulnerable to mismanagement of certificates and to SSL vulnerabilities.
- HTTPS works well over long distance networks, but it may not be as resilient with disconnects and resuming transfers.
Further Reading: SFTP vs. HTTPS
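Both the FTPS and HTTPS recommendations above depend on certificates being handled properly on the client side as well as the server side. The following added example (not from the original article) audits a Python TLS client context for settings that would let an impostor server go unnoticed, then uses a hardened context for an explicit FTPS upload with the standard library's ftplib; the function names and the port are assumptions of the example.

```python
import ssl
from ftplib import FTP_TLS

def hardened_context(cafile=None):
    """Client context: verify the chain, verify the hostname, TLS 1.2+."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def audit_context(ctx):
    """Return the settings that weaken server authentication, if any."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 are allowed")
    return findings

def ftps_upload(host, user, password, local_path, remote_name, ctx):
    """Upload over explicit FTPS with control and data channels encrypted."""
    findings = audit_context(ctx)
    if findings:
        raise ValueError("refusing to connect: " + "; ".join(findings))
    with FTP_TLS(context=ctx, timeout=30) as ftps:
        ftps.connect(host, 21)        # assumed port for explicit FTPS
        ftps.login(user, password)    # ftplib sends AUTH TLS before USER/PASS
        ftps.prot_p()                 # without this the data channel is plaintext
        with open(local_path, "rb") as fh:
            ftps.storbinary(f"STOR {remote_name}", fh)
```

Passing `cafile` pins the client to a private CA bundle when the server's certificate is not issued by a public authority, which avoids the common shortcut of turning verification off.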
SFTP (SSH File Transfer Protocol)
- Security considerations: Encryption of data and credentials is via SSH (Secure Shell), a cryptographic network protocol which operates network services securely over an unsecured network. This protocol is more firewall-friendly than FTPS and is considered more secure in general. Key management is via SSH key or password authentication.
- Recommendation: Encouraged. SFTP is the most secure and widely used protocol in Managed File Transfer (MFT). In addition, it is firewall friendly, as it requires only a single port (typically port 22) to be open.
- Note: SFTP is not recommended for long-distance, high-speed links, due to poor performance.
AS2 (Applicability Statement 2)
- Security considerations: This protocol ensures data integrity in transit through message-level encryption and signing. Non-repudiation of receipts and digital signatures provide the audit trails that some compliance requirements demand for file exchanges in distribution and retail. There is some movement away from AS2 to AS4, as AS4 improves on the reliability, security and flexibility of AS2. AS2 applies security via S/MIME (Secure/Multipurpose Internet Mail Extensions), a standard for public key encryption and for signing MIME data. Using it helps ensure files exchanged via AS2 are encrypted and signed.
- Recommendation: Encouraged with caveat. Setting up trading partner agreements and certificates can add a layer of complexity when used for business-to-business file exchanges.
- AS2 is not recommended for huge files (100MB) due to the long time needed to compute a file transfer signature.
Further Reading: SFTP vs. AS2
AS4 (Applicability Statement 4)
- Security considerations: Like AS2, AS4 is highly secure, can support many document formats, compresses exchanged files, and requires signing and encryption, as it uses non-repudiation. AS4 is based on the WS-Security standard, which adds security features, including message integrity and authentication, to SOAP-based web services.
- Recommendation: Encouraged, as it is a more modern and compatible protocol to use with trading partners for external integration. AS4 is more compatible for organizations that use technologies like SOAP and XML for their internal integrations. AS4 allows these technologies to be extended to external integration, for seamless operation. In brief, AS4 builds on AS2 but can be better suited for organizations that already take advantage of web services, B2B integrations, and SOAP.
- Not recommended for large files (100MB+).
Further Reading: AS4 vs. AS2
MFT-Based Transfers
- Security considerations: Robust and comprehensive MFT solutions, such as GoAnywhere MFT, offer end-to-end encryption as well as centralized policy enforcement, and granular access control to help reduce the risk of user error. In addition, all file movements can be audited and reported to meet stringent compliance requirements for file checksums and logging.
- Recommendation: Recommended. Secure file transfers can be executed automatically, moved forward for further processing with advanced workflows, and initiated from anywhere around the world, with deployment on-premises, via the cloud, or as a service.
In addition, GoAnywhere offers alerts, should a transfer fail or access be attempted by an unauthorized user. It also protects data at rest and in motion. And GoAnywhere can help meet stringent compliance requirements such as PCI DSS, HIPAA, GDPR, and SOX with full audit trails and data encryption for files in transit and at rest.
Further Reading: MFT vs. SFTP
Take Control of Your File Transfers with MFT
GoAnywhere MFT simplifies secure file transfer by centralizing and automating multiple protocols like SFTP, AS2, and FTPS. Ensure compliance, reduce risk, and gain full visibility—all from one user-friendly platform.