Secure Shell is a cryptographic component of internet security. SSH and SFTP were designed by the Internet Engineering Task Force (IETF) for greater web security. SFTP transfers files security using SSH and encrypted FTP commands to avoid password sniffing and exposing sensitive information in plain text. Since the client needs to be authenticated by the server, SFTP also protects against man-in-the-middle attacks.
SFTP can be handy in all situations where sensitive data needs to be protected. For example, trade secrets may not be covered by any particular data privacy rule, but it can be devastating for them to fall into the wrong hands. So a business user might use SFTP to transmit files containing trade secrets or other similar information. A private user may want to encrypt his or her communications as well.
This term is also known as Secure Shell (SSH) File Transfer Protocol.
SFTP is a client-server protocol that can be launched either as a command line or through a graphical user interface (GUI). In the first type of setup, the user has to type in specific command lines to generate the SFTP protocol, usually in a Linux environment. The latter option makes use of a program that abstracts the use of SFTP visually for end users.
The SFTP protocol runs over the SSH protocol using the normal SSH port 22 and supports multiple concurrent operations. The client identifies each operation with a unique number that must match the server response. Requests can be processed asynchronously. The SFTP protocol is initiated only when the user uses the SSH to log into the server to avoid leaving additional ports exposed or maintaining additional authentications.
An SFTP server requires both communicating parties to authenticate themselves either by providing a user ID and password, or by validating an SSH key (or both). One half of the SSH key is stored on the computer of the two clients, while the other half is loaded on the server and associated with their account (public key). Only when the SSH key pair matches then authentication can occur.
SFTP as a successor to FTP is used for many situations where file security is important.
One of the biggest ones is to comply with standards like the federal Health Insurance Portability and Accessibility Act (HIPAA) act that governs protected health information.
Any business, even a third party working with a hospital or healthcare provider, must keep its PHI confidential, and that includes during its transition through networks in digital packet form. That’s why SFTP can be useful in securing this type of data.
SFTP is one of several options for shielding that data in transfer, to make sure that hackers don't obtain it, and that the company does not unwittingly perform a HIPAA violation if that law applies. SFTP can also satisfy other standards for data protection.
Some users who are relatively new to SFTP as a protocol ask whether it is preferable to use SFTP or a virtual private network (VPN). Both systems will protect data, but they're not the same. SFTP is a protocol, whereas VPN is a secure encrypted tunnel for data. With that in mind, information can also be sent using SFTP protocol through a VPN, making the transfer even more secure.
SFTP can also be seen as an improvement over the FTPS, which is just an FTP protocol run over Transport Layer Security (TLS), or Secure Sockets Layer (SSL). FTPS does, in fact, require complex firewall configurations as ports 989 and 990 need to be open, depends on a centralized public certificate authority, and is prone to file corruption since it defaults to ASCII mode.
The use of SSH and SFTP are part of a sea change toward Internet security as we approach Web 3.0, the semantic web.
Using a secure file transfer service, such as an MFT solution, is an essential part of data security best practices. The right solution will provide:
- Encryption for data in motion and at rest
- Protection from unauthorized data modifications
- Strong authentication methods
- Virus scanning and DLP
- Reporting and Logging capabilities
- Automation capabilities