With so many options for transferring files, it can be confusing to answer the most important question: what is the best way to secure your company’s data during transfer?
Use this article as an introduction to the differences between two mainstream secure FTP protocols, SFTP and FTPS, and which is the best choice to protect your file transfers.
What's the Difference: SFTP vs. FTPS
Both FTPS and SFTP offer strong protection through authentication options that FTP can’t provide.
Why Should You Choose One Over the Other? SFTP vs. FTPS Ports
One major difference between FTPS and SFTP is how they use ports.
SFTP needs only a single port number for all SFTP communications, making it easy to secure.
FTPS uses multiple port numbers. The first port for the command channel is used for authentication and passing commands. However, every time a file transfer request or directory listing request is made, another port number needs to be opened for the data channel.
You and your trading partners will therefore have to open a range of ports in your firewalls to allow for FTPS connections, which can be a security risk for your network.
Know Your Terms: GoAnywhere Glossary
While Both Protocols Have their Benefits, We Recommend SFTP
We recommend SFTP thanks to its better usability with firewalls. For an enterprise, it is ideal to have a managed file transfer (MFT) solution that can manage, monitor, and automate file transfers using a variety of protocols, including FTPS and SFTP.
Our MFT software, GoAnywhere MFT, runs on multiple platforms, including Microsoft Azure (for organizations using the cloud), Microsoft Windows, and Linux. Secure file transfer protocols have additional features like detailed audit logs to help you comply with industry regulations, is flexible if you exchange data with trading partners that have different requirements, and can automate file encryption, workflows, and other data transfer processes.
FTP vs. FTPS: Can I Just Use FTP?
FTP is a popular file transfer method that has been around longer than the world wide web—and it hasn’t changed much since it’s invention. Back then, it was usually assumed that internet activity was not malicious, so FTP wasn’t created as a secure file transfer protocol to deal with the kind of cybersecurity threats we now see in the news every day.
How FTP Works
FTP exchanges data using two separate channels known as the command channel and data channel. With FTP, both channels are unencrypted, leaving any data sent over these channels vulnerable to being intercepted and read.
What Makes FTP Unsecure?
Even if a man-in-the-middle attack is a risk that you are personally willing to take, industry requirements such as PCI DSS, HIPAA, and others require data transfers to be encrypted. Unfortunately, despite escalating security risks and the high cost of non-compliance, FTP is actually growing in popularity.
When it comes to selecting a transfer method between FTP vs. SFTP or FTP vs. FTPS, we highly recommend you avoid the basic FTP protocol and choose a more secure option.
The History of FTPS: Expanding on FTP's Successes
Concern about internet security grew during the 1990s. In response, Netscape created the Secure Sockets Layer (SSL, now known as TLS) protocol to protect communications over a network. SSL was applied to FTP to create FTPS. Like FTP, FTPS uses two connections: a command channel and a data channel. You can choose to encrypt both connections or only the data channel.
How FTPS Works
FTPS authenticates your connection using a user ID and password, a certificate, or both. When connecting to a trading partner's FTPS server, your FTPS client will first check if the server's certificate is trusted. The certificate is considered trusted if either the certificate was signed by a known certificate authority (CA) or if the certificate was self-signed by your partner and you have a copy of their public certificate in your trusted key store. Your partner may also require that you supply a certificate when you connect to them. If your certificate isn’t signed by a third-party CA, your partner may allow you to self-sign your certificate, sending them the public portion beforehand to load into their trusted key store.
User ID authentication can be used with any combination of certificate and/or password authentication.
FTP vs. SFTP vs. FTPS
While FTPS adds a layer to the FTP protocol, SFTP is an entirely different protocol based on the network protocol SSH (Secure Shell). Unlike both FTP and FTPS, SFTP uses only one connection and encrypts both authentication information and data files being transferred.
What is SFTP?
SFTP (SSH File Transfer Protocol) is a secure FTP protocol that sends files over secure shell (SSH), providing a high level of protection for file transfers. SFTP provides two methods for authenticating connections:
SFTP Authentication: ID & Password
Like FTP, with SFTP you can simply use a user ID and password. However, unlike in FTP these credentials are encrypted, giving SFTP a major security advantage.
SFTP Authentication: SSH Keys
The other authentication method you can use with SFTP is SSH keys. This involves first generating a SSH private key and public key. You then send your SSH public key to your trading partner and they load it onto their server and associate it with your account. When they connect to your SFTP server, their client software will transmit your public key to the server for authentication. If the public key matches your private key, along with any user or password supplied, then the authentication will succeed.
User ID authentication can be used with any combination of key and/or password authentication.
Related Reading: Are SSH Keys or Passwords Better for SFTP Authentication?