Four Modern Alternatives to FTP Explained

Today's data-driven world is demanding, requiring accuracy, speed, integrity and above all -- security. It's a tall order to fill, and in the past, many organizations relied heavily on the legacy FTP protocol to transmit files. But over time, the security of this method has been tested by hackers.

For example, a serious breach occurred at Yale University in 2001, when more than 43,000 user IDs were exposed and all data was carefully harvested from an FTP server. Acer customer details were stolen in a similar fashion the same year. And most recently, 7,000 FTP sites had their credentials circulated in underground forums, including an FTP server run by The New York Times.

Security and file transfers are a significant concern for IT security professionals, but what is the best way to safeguard your company's data?

Leveraging More Secure Options

As many organizations have evolved past traditional FTP, they are opting for modern and secure options for transmitting data, including:

SFTP. Also known as FTP over SSH, SFTP reduces the risk during data exchange by using a secure channel between computer systems to prevent unauthorized disclosures during transactions. Authentication of an SFTP connection involves a user ID and password, SSH keys, or both. It is also firewall friendly, needing only a single port to be opened.

HTTPS. Many sites are gravitating to HTTPS instead of the traditional HTTP, but what are the major differences? For starters, traditional HTTP doesn't encrypt traffic between your browser and the server, which poses a security risk. In contrast, HTTPS provides an added encryption layer using Transport Layer Security (TLS). This creates a secure channel in which the data cannot be altered in transit without your knowledge. HTTPS is ideally suited for file transfers where a trading partner requires a simple, browser-based interface for uploading data.

AS2. This is a popular method for transporting EDI data safely and reliably over the Internet. AS2 wraps the data in an "envelope," allowing it to be sent using digital certificates and encryption. For example, Walmart has become well known for using EDI through AS2 and has played an important role in driving adoption in the retail industry.

Managed File Transfer. A method that supports the above options and makes FTP more secure is managed file transfer (MFT). This secure option streamlines the exchange of data between systems, employees and customers. Numerous protocols and encryption standards are supported, and MFT provides extensive security features that meet strict security policies to comply with PCI DSS, HIPAA, GLBA and other regulatory requirements.

MFT solutions provide advanced authentication and data encryption to provide secure and reliable file transfers. You can also track user access and transfer activity through reporting features.

Overall, managed file transfer offers the best option for securely managing the transfer of data quickly and efficiently, with detailed audit trails. It's preventive, rather than reactive, which is what security professionals in today's environment need most.

SFTP vs FTPS - Best Solution for Secure FTP (Infographic)

With large data breaches recently taking center stage in the media, many businesses have begun paying close attention to internal practices and taking action to improve internal systems and processes. As a result, an increasing number of businesses and individuals who rely on data transfers are looking to move away from standard FTP in favor of a more secure method.

We are often asked about the key differences between SFTP and FTPS. There are potential pros and cons with each method, which is why businesses should weigh the differences carefully to determine what option would serve them best.

Over the years, we have tried explaining SFTP vs FTPS in a variety of ways. Between lists, charts and drawings, we found that most people were easily able to comprehend the unique aspects of each transfer protocol when it was presented visually.

We created the following infographic to highlight the positives and negatives of using SFTP vs FTPS. You can also view the original blog post for a more detailed comparison.

[Infographic: SFTP vs FTPS]

SFTP Server in the DMZ or Private Network

Many organizations have an SFTP server installed where their trading partners can connect to securely upload and download sensitive files.

SFTP Server in the DMZ

Traditionally, SFTP servers have been installed in the DMZ (public-facing) segment of the network, since organizations were fearful of opening inbound ports into the private (internal) network.

[Diagram: SFTP server in the DMZ]

Keeping the SFTP server in the DMZ, however, has posed several problems. The primary issue is that files have to be stored in the DMZ when they are dropped off by partners, or otherwise staged temporarily for pickup. Those staged files have a higher risk of being accessed by hackers since the DMZ is more exposed to the Internet. You could require those staged files to be encrypted with something like OpenPGP, but many auditors don't like to see any sensitive files in the DMZ, encrypted or not. Another issue is that you often have to write scripts to copy the files back and forth between the DMZ and the private network, which takes programmer effort and can lead to errors.

SFTP Server in the Private Network

To keep sensitive files out of the DMZ, some organizations have moved their SFTP server into the private network.

[Diagram: SFTP server in the private network]

This approach eliminates the need to write scripts for moving files back and forth. The big downfall of this approach is that ports were traditionally opened into the private network for trading partners to gain access to the SFTP server. These open ports could create a potential risk of attackers gaining access to the private network. In today's security-conscious environment, most IT auditors do not like to see any inbound ports opened into the private network, especially if you are storing sensitive PCI or HIPAA data on those servers.

Gateway in the DMZ while keeping the SFTP Server in the Private Network

An approach that is quickly gaining in popularity is to implement a gateway component in the DMZ. The gateway will serve as an enhanced reverse proxy which does not require inbound ports into the private network.

[Diagram: Gateway in the DMZ with the SFTP server in the private network]

At startup time, the SFTP server will establish a special control channel with the gateway, which is kept alive continuously. When partners connect to the gateway, it will make requests over the existing control channel to the SFTP server. The SFTP server will then open any data channels needed back through the gateway to service the trading partners. The whole process is transparent to the trading partners. No data is ever stored in the DMZ since it is simply streamed through the gateway.

A gateway in the DMZ therefore solves two major security issues:

  1. No files need to be stored in the DMZ, including user credentials
  2. No inbound ports need to be opened into the Private network
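To make the connection flow above concrete, here is an added Python simulation of the pattern (not Linoma's or GoAnywhere's code, and not their proprietary control protocol). It assumes a one-line "OPEN" request as the control message and uses loopback sockets for all three network segments; the point to observe is that the gateway only accepts connections and the private-network server only makes outbound ones, while partner data is streamed through the gateway and never written to disk.

```python
import socket, threading

HOST = "127.0.0.1"  # constructed demo: every "network segment" is loopback

def listener():  # listening socket on an ephemeral port
    s = socket.socket()
    s.bind((HOST, 0))
    s.listen()
    return s

def read_all(sock):  # read until the peer signals EOF
    return b"".join(iter(lambda: sock.recv(4096), b""))

def pump(src, dst):  # stream src -> dst until EOF; nothing is written to disk
    while chunk := src.recv(4096):
        dst.sendall(chunk)
    dst.shutdown(socket.SHUT_WR)

class Gateway:  # DMZ component: only ACCEPTS connections; never dials into the private net
    def __init__(self):
        self.partner_l, self.control_l, self.data_l = listener(), listener(), listener()

    def serve(self):
        control, _ = self.control_l.accept()  # private server dialed OUT to us at startup
        while True:
            partner, _ = self.partner_l.accept()
            control.sendall(b"OPEN\n")  # request a data channel over the existing control channel
            data, _ = self.data_l.accept()  # private server opens it back through the gateway
            threading.Thread(target=pump, args=(partner, data), daemon=True).start()
            threading.Thread(target=pump, args=(data, partner), daemon=True).start()

def private_server(gw):  # stand-in for the SFTP server: OUTBOUND connections only
    control = socket.create_connection(gw.control_l.getsockname())  # kept alive continuously
    for line in control.makefile("rb"):
        if line.strip() == b"OPEN":
            data = socket.create_connection(gw.data_l.getsockname())
            threading.Thread(target=handle_upload, args=(data,), daemon=True).start()

def handle_upload(conn):  # toy upload service standing in for the SFTP file handling
    conn.sendall(b"STORED %d bytes" % len(read_all(conn)))
    conn.close()

def transfer(payload):  # partner uploads payload via the gateway; returns the reply
    gw = Gateway()
    threading.Thread(target=gw.serve, daemon=True).start()
    threading.Thread(target=private_server, args=(gw,), daemon=True).start()
    with socket.create_connection(gw.partner_l.getsockname()) as partner:
        partner.sendall(payload)
        partner.shutdown(socket.SHUT_WR)
        return read_all(partner)
```

A firewall between the DMZ and the private network can therefore be configured to deny all DMZ-to-private traffic, allowing only the private server's outbound control and data connections.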

Since a proprietary control channel is used to communicate between the gateway and the SFTP server, you will need to purchase both components from a single vendor. When looking for the right gateway for your organization, make sure it is easy to set up and manage. It is critical that it does not require inbound ports into the private network or require any data to be stored in the DMZ.

Contact a Linoma Software representative today to learn more about an enhanced reverse proxy solution on your network.

What Is Your High Availability Plan for Your SFTP Server?

As your organization and its trading partners become more and more integrated, it is becoming critical that file transfers are performed without delays or disruptions. For instance, a document containing a batch of transactions could traditionally be delivered within a window of several hours without causing any issues. But today, in the effort to make business processes as efficient as possible, that same document must now be delivered within seconds.

Organizations are therefore taking a closer look at how they can provide the best high availability for their systems to minimize any potential disruptions to their file transfers.

Comparing High Availability Strategies

Many of the secure file transfers from your trading partners are probably going through an SFTP server in your organization's network.  If that SFTP server were to go down (for example, due to a CPU or drive failure), then you would need to fail over to a redundant backup system to continue to service your trading partners, thus maintaining high availability.

Two common approaches for providing high availability for SFTP servers and most other applications are Active-Passive or Active-Active.

With an Active-Passive approach, only one SFTP server will be active at a time to service your trading partners. A backup copy of the SFTP server would exist on your network as a "passive" system, meaning that it is installed and configured, but it is not actively running.

To prepare in the event of a failure of the active SFTP server, it is important that you frequently replicate all settings and configuration files from the active SFTP server to the passive system. If the active SFTP server fails, then the passive SFTP server could be launched and your network configured to point to this new system.

In an Active-Passive configuration, the downtime for your trading partners (when a failure occurs) can be a few seconds or several hours depending on how the passive system is started.

The least efficient and often slowest implementation of an Active-Passive approach is to rely on human intervention to detect the failure and then manually start up the passive system.  This could take several hours depending on when the outage is reported, the process to start the passive system, and the complexities of configuring the network to route traffic to the new system.

A much better approach would be to have a third-party system monitoring tool that would immediately detect when the SFTP server fails, and then would automatically start up the passive system. The result should be a much shorter disruption for trading partners of only a few seconds.

Active-Active, or Clustering

The next level in high availability is to use an Active-Active approach, also referred to as "clustering."

With Active-Active, two or more installations of the SFTP server can be running concurrently, sharing the same set of configurations and trading partner accounts. The SFTP servers in the cluster are in constant communication with each other, so if one of the SFTP servers were to fail, the remaining systems in the cluster will continue to service the trading partners. This configuration will provide the maximum high availability since it is not dependent on human interaction or third-party tools to start up other systems.

If you need maximum up-time for your SFTP server, GoAnywhere Services now offers clustering.

Another advantage of an active-active configuration is that you can load balance the traffic over multiple systems, which is important when you need to service a large number of trading partners.  This will require that you install a load balancer like GoAnywhere Gateway in front of the cluster.  Typically this load balancer will be in your DMZ and will be your trading partners' initial point of contact.

The Bottom Line

Both Active-Passive and Active-Active methods provide high availability for your SFTP server environment if configured properly.  However, Active-Active will provide the maximum up-time because it keeps multiple SFTP servers running concurrently in a cluster, along with the added benefit of load-balancing.

How critical up-time is to your bottom line will be the best guide to determining which high availability approach best fits your organization.