SFTP Security – Is It Truly Secure?
Is SFTP enough to keep my files secure when shared? We understand the worry and have compiled ways to keep your data as secure as possible through SFTP.
Is SFTP transfer encrypted? Yes. SFTP encrypts everything transferred over the SSH data stream, from the authentication of the users to the actual files being transferred. If any part of the data is intercepted, it will be unreadable because of the encryption.
What Is SFTP and Why Is it So Widely Used?
File transfers are a way of life for most large businesses. However, when it comes to transferring extremely large files, or a large volume of files, or even when batch files need to be transferred quickly, then these companies need to rely on something more than email or flash drives. That’s where File Transfer Protocol (FTP) comes into play.
FTP is one of the oldest protocols around. Built to facilitate direct file transfers between computers, FTP leverages the client-server model of networking to allow users to upload and download files to and from servers quickly.
FTP is lightweight and easy to use, so much so that nearly every operating system has some sort of FTP capabilities in place. Additionally, most operating systems also support several FTP applications to make transfers even easier.
FTP's availability and speed come at a cost, however. FTP transmissions are not encrypted in any way. This means two things:
- All data, both stored in an FTP server and transmitted between computers, is potentially vulnerable to attack. If someone, for example, intercepts an FTP transmission between computers then the data is open to read as-is.
- Login credentials are also most likely unencrypted, meaning that this information can also be stolen by a hacker from an FTP server. Furthermore, most FTP servers don’t use advanced authentication measures to protect access to data.
With that being said, FTP is not secure in and of itself, and as such doesn’t meet even the minimum requirements for any compliance framework. Without the necessary security in place, it isn’t a safe solution for protecting data. That’s why most organizations have turned to SFTP.
SSH (or Secure) FTP attempts to address the problem of security by utilizing an encryption algorithm as part of its operation. SFTP includes Secure Shell (SSH) protocol in the storage and transfer process. What does that mean for users? It means that the data is encrypted in the server and during transmission. Should that data be stolen during an SFTP transfer, the thief will not be able to read it without cracking the encryption.
To ensure security, modern SSH protocol uses modern encryption:
- SSH uses Advanced Encryption Standard (AES) to encrypt data. AES is a symmetric block cipher that leverages complex mathematics and the unique properties of prime numbers to encrypt data with a key, the length of which determines the difficulty of breaking the cipher. Typically, this means the use of AES-128 or AES-256 algorithms, which use a 128-bit or 256-bit key respectively.
- SSH uses a hashing algorithm, usually SHA-2, to determine data integrity. A “hash” is a unique alphanumeric value created by processing the data through a hashing algorithm. The idea is that if the data is run through the same hashing algorithm, it will produce an identical hash. Accordingly, if data produces a different hash than the one provided, it signals that the data has been modified.
SFTP, using SSH technology, brings these security measures to FTP transfers. It also allows for additional authentication measures for user access beyond the transfer of clear-text user IDs and passwords.
What Issues Might Businesses Face with File Transfer and GDPR Compliance?
SFTP, when configured correctly, can help with GDPR compliance. However, it isn’t necessarily so out of the box for a few reasons:
- SFTP doesn’t stop the unauthorized transfer of data to third parties. This can lead to non-compliant disclosures of data, which breach GDPR rules on confidentiality and privacy.
- SFTP doesn’t manage cross-script vulnerability. FTP transfers are often automated, as is SFTP. However, because automation scripts and applications can sometimes expose data outside of the SFTP application, they provide an attack surface for hackers. Data exposed in outside scripts will breach GDPR.
- SFTP does not include centralized audits or documentation. Most compliance frameworks, including GDPR, require some documentation to demonstrate compliance. SFTP can include audit logs, but without a centralized SFTP server, documenting access across multiple systems can be hard and can raise red flags for assessors. Likewise, documentation must also adhere to privacy laws, which becomes exponentially more difficult over multiple SFTP servers.
- SFTP doesn’t natively support the file and folder expiration needed for regulations and internal policies. Many frameworks require automated access expiration so that files aren’t open in perpetuity.
- SFTP doesn’t natively provide encryption at rest. This is a configuration that an admin must make, which usually entails that it is being modified for other purposes.
While SFTP can support compliance more broadly, the technology is not necessarily compliant out of the box.
What Can I Do to Make Sure My SFTP Server Is Secure?
There are several approaches you can take to better secure your SFTP servers to support compliance:
- Disable FTP. If you are using your own server, disabling FTP is a good way to lock down a potential attack vector. Likewise, if you work with a third-party vendor, you can ask if they have disabled FTP and, if not, what security protocols they have in place to protect it.
- Use the strongest encryption. AES-256 is currently the strongest standard encryption around, and SHA-2 hashing currently represents the strongest hash encryption to authenticate data. It’s straightforward to get an SFTP server that includes both.
- Use file and folder security for external access. Have proper practices in place to monitor and protect data when third parties need to see it during or before an SFTP transfer. This includes proper user access and identity management features.
- Use folder security for internal access. Access controls can be a pain to set up because somebody has to do it manually on individual folders. Business users typically don’t have the skills or permission to do this, so organizations often resort to these users writing help desk tickets for IT to undertake access management tasks. The Kiteworks Platform has a solution that provides web-based (or even mobile) self-service for business users to set and automate these security settings.
- Include documentation and auditing. Most frameworks require some capacity to document things like compliance and file access. Utilizing a method to monitor file access as well as document things like user consent and other requests is a critical part of GDPR compliance.
- Use IP blacklisting and whitelisting. It may be necessary to simply block access to your servers through blacklists to protect data, particularly if there is no reason to accept traffic from, say, foreign countries or specific regions.
- Provide logging integration with your SIEM so your SOC team can detect and mitigate attacks.
- Require certificate-based authentication for external users. This way, you can ensure that anyone accessing your system at least has a security certificate to verify who they are.
- Harden your SFTP server, or leverage a provider (like Accellion and the Kiteworks Platform) that employs hardened servers.
- Protect the SFTP server behind your corporate firewall, and only expose a proxy tier through your firewall as a DMZ against unauthorized access.
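One way to check an OpenSSH server against the encryption, authentication and logging items in the list above, as an added example that is not part of the original article or of any vendor's product. It assumes OpenSSH's sshd_config format; both sample configurations and the CA key path in them are constructed.

```python
import re

# Constructed samples; the CA key path is a placeholder.
WEAK_SSHD = """\
Subsystem sftp /usr/lib/openssh/sftp-server
Ciphers aes256-ctr,aes128-cbc,3des-cbc
MACs hmac-sha2-256,hmac-sha1
PasswordAuthentication yes
"""
HARDENED_SSHD = """\
Subsystem sftp internal-sftp -l INFO
Ciphers aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
PasswordAuthentication no
TrustedUserCAKeys /etc/ssh/user_ca.pub
"""

def parse(text):
    # Global directives as {keyword: value}; sshd uses the first value it sees.
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, *rest = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if key.lower() == "match":
            break  # Match blocks are conditional overrides, not audited here
        conf.setdefault(key.lower(), rest[0] if rest else "")
    return conf

def audit(text):
    # Return one finding per setting that misses the checklist.
    conf, findings = parse(text), []
    for key, prefix in (("ciphers", "aes256-"), ("macs", "hmac-sha2-")):
        value = conf.get(key)
        if value is None:
            findings.append(f"{key}: not set, build defaults apply")
        elif value[:1] in ("+", "-", "^"):
            findings.append(f"{key}: modifier list, result depends on defaults")
        else:
            bad = [n for n in value.split(",") if not n.strip().startswith(prefix)]
            if bad:
                findings.append(f"{key}: outside AES-256/SHA-2 policy: {','.join(bad)}")
    if conf.get("passwordauthentication", "yes").lower() != "no":
        findings.append("passwordauthentication: passwords accepted")
    if "trustedusercakeys" not in conf:
        findings.append("trustedusercakeys: no user CA, certificate logins unavailable")
    if "-l" not in conf.get("subsystem", "").split():
        findings.append("subsystem: sftp log level not raised, file operations unlogged")
    return findings
```

Calling `audit()` on the text of a real `sshd_config` returns an empty list only when every checked item passes; firewall, DMZ and allowlist items from the list are outside what this file-level check can see.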
Discover more about Accellion SFTP and compliance features by learning about how the Kiteworks® Content Firewall is modernizing enterprise SFTP.