SFTP vs. FTP

    Know the Difference and What to Expect From Hosting Providers

    About This Guide

    Does SFTP simply add the word “secure” to “file transfer protocol”? Do you really know what that entails? What type of security is added? How can you be sure? Do you need it? Simple terms can sometimes be confusing when they don’t have to be. In the decision between SFTP vs. FTP, you need to learn a little bit about both before you can determine which one is right for you.

    Use this as a guide to break down everything you need to know about FTP vs. SFTP and what you can expect from a hosted SFTP provider.

    The Difference Between FTP and SFTP

    FTP has been used for decades to facilitate basic file transfers over the internet. However, even though most FTP transfers involve login with a username and password, these file transfers aren’t necessarily secure. When data is sent from one party to another using the FTP protocol, all the data is sent in clear, unprotected, unencrypted text. This makes FTP transfers particularly vulnerable to packet sniffing, where a hacker intercepts data that’s exposed to the web. If you deal with secure data, this lack of protection can be a huge problem.

    While SFTP and FTP perform the same basic function – transferring files – there is one key difference. When it comes to security, SFTP has FTP beat. SFTP closes the loop on this potential data security threat. While many people refer to SFTP as “secure” file transfer protocol, the “S” actually stands for SSH (secure shell) file transfer protocol. With SFTP, data is always encrypted when it’s transferred.

    While it is true that FTPS (FTP over SSL) is an encrypted version of FTP, FTPS requires either the FTP client (the end user) or the FTP server to require SSL in order to be secure. Thus, either the end user must manually choose FTPS over FTP or the server must have a setting to force the end user’s hand. With SFTP, there is simply no choice.
    SFTP also offers public key authentication in lieu of password authentication. Public key authentication is far more secure. FTP and FTPS only offer password authentication. As we all know, passwords are easily compromised by being guessed, brute-forced, or stolen.

    When you use SFTP to transfer a file, a secure shell connection is always established first. This essentially scrambles the information being transferred, which is then decipherable only by the client and the server using a specific SSH key. Also, SFTP defaults to port 22 for data exchanges. This is in contrast to FTP, which uses many separate ports to communicate. SFTP uses just the one encrypted channel for login, commands and data transfers, which makes the process both secure and firewall friendly.

    Thus, data that could otherwise be vulnerable when sent using FTP is now secure with SFTP. The best way to remember the difference between FTP and SFTP is to think of SFTP as performing the same functions as FTP, just with the added encryption and security.
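To make the exposure described above concrete, the following added example (not part of the original guide) audits an FTP control channel for what a passive observer can read and which extra data ports the session opens. The transcripts, host name and account are constructed for illustration, and the password value is never stored.

```python
import re

# A 227 reply to PASV carries (h1,h2,h3,h4,p1,p2); data port = p1*256 + p2 (RFC 959).
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# Constructed control-channel transcripts (C: client, S: server) as seen on the wire.
PLAIN_FTP = [
    "S: 220 ftp.example.test ready",
    "C: USER alice",
    "S: 331 Password required",
    "C: PASS not-a-real-password",
    "S: 230 Login successful",
    "C: PASV",
    "S: 227 Entering Passive Mode (192,0,2,10,195,80)",
    "C: PASV",
    "S: 227 Entering Passive Mode (192,0,2,10,195,93)",
]
# Explicit FTPS: the client asks for TLS first, so nothing after the 234 reply is readable.
EXPLICIT_FTPS = ["S: 220 ftp.example.test ready", "C: AUTH TLS", "S: 234 Proceed with negotiation"]

def audit_session(lines):
    """Summarise what is readable in cleartext on one FTP control channel."""
    report = {"tls_requested": False, "tls_active": False,
              "cleartext_user": None, "password_exposed": False, "data_ports": []}
    for line in lines:
        direction, _, text = line.partition(" ")
        verb, _, arg = text.strip().partition(" ")
        if direction == "C:":
            if verb.upper() == "AUTH" and arg.upper() in ("TLS", "SSL"):
                report["tls_requested"] = True
            elif verb.upper() == "USER":
                report["cleartext_user"] = arg
            elif verb.upper() == "PASS":
                report["password_exposed"] = True  # value deliberately not kept
        elif verb == "234" and report["tls_requested"]:
            report["tls_active"] = True
            break  # the rest of the session is encrypted
        else:
            m = PASV_RE.match(text.strip())
            if m:  # each PASV opens another TCP port the firewall must allow
                report["data_ports"].append(int(m.group(5)) * 256 + int(m.group(6)))
    return report

if __name__ == "__main__":
    for name, session in (("plain FTP", PLAIN_FTP), ("explicit FTPS", EXPLICIT_FTPS)):
        print(name, audit_session(session))
```

A session that never issues `AUTH TLS` is the case where the client chose plain FTP and the server did not force encryption; with SFTP there is no equivalent cleartext path, and everything travels over the single SSH connection on port 22.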

    When To Use SFTP

    In the FTP vs. SFTP debate, it can be hard to tell when you should use FTP or when an SFTP solution would be the better option. While both options allow you to send data with ease, there are times when SFTP is the smarter alternative. Here are a few examples of when SFTP is the best choice for your business:

    When You Have Sensitive Data to Protect 

    When it comes to protecting data, you never want to risk a data breach, which could cost your business millions of dollars. Using FTP can’t adequately protect your data, so any time you’re sending secure files, SFTP is the best option.

    When Your Employees Need to Align with Security Standards

    While you may realize it’s essential to align with data security best practices, sometimes it can be hard to convince your employees to do the same. It’s common for employees to sacrifice data security for convenience. Maybe they don’t change their passwords often enough, or their passwords aren't strong enough. If that’s the case, SFTP should always be used to ensure your data stays safe, regardless of how your employees handle it.

    When Compliance is a Factor

    Compliance has a huge impact on the way many companies operate. Often, these regulations outline data security practices that are imperative for businesses in the applicable industry to follow, or these businesses will face noncompliance fines. So, if your organization is subject to any compliance regulations, SFTP is key to aligning with them. SFTP can help you maintain compliance with the following regulations and more:

    • HIPAA
    • ITAR
    • GLBA
    • SOX
    • PCI-DSS

    Common Features to Look for in FTP and SFTP Providers

    While all SFTP providers use basically the same technology across the board to facilitate file transfers, there are some key differences that can indicate the difference between a top provider and one that falls short.

    • High Availability Failover

      Some SFTP providers operate on servers without protection for hardware failures. Think of high availability (HA) failover as two SFTP servers operating in tandem. If something happens to the first one, the second one automatically takes over. When evaluating SFTP providers, make certain that your provider includes HA. Note that using the cloud does not automatically include HA.

    • Country Access Restriction

      If your company only operates in specific countries, access attempts by IP addresses from other countries are a definite sign that your data is being threatened. Country access restriction is particularly useful from a compliance perspective, too. For example, if you’re a government contractor expected to align with ITAR regulations, it’s mandated that you keep international entities away from secure government data. Partnering with a hosted SFTP provider that gives you the power to restrict access by country makes that process simple.

       

    • IP Address Restriction

      Do you want to take country access restriction to an even more granular level? With IP access restriction, you can grant access to each user only when they are attempting to log in from a pre-approved IP address. This can help you ward off access in the event of a compromise to usernames and passwords.

      If a hacker stole an employee’s login credentials and attempted to use them to gain access to your data, access would be denied because they’re trying to gain access to your solution from a different IP address.

    • Granular Access Controls

      Granular access controls give administrators the power to restrict who can access, upload, download, or delete files by granting such access and permissions only to specific folders. Top hosted SFTP providers offer these controls as a way for administrators to limit file access on a need-to-know basis.

      That way an intern doesn’t have access to the same data that the CEO has access to. And, with these granular access controls, you can generate an audit of who has accessed files, so if there is ever a breach, you’re able to identify the source.

       

    • Backup & Disaster Recovery

      Hackers aren’t the only threat to your data. Power outages, floods, fires, or any other unexpected disaster could cause you to lose both data and productive work time. When you’re evaluating hosted SFTP solutions, evaluate the contingency planning features potential providers have in place, like offsite backup servers and regularly scheduled automatic backups.

      You never want to be in the middle of a huge data transfer, only for your server to go down. With the proper disaster recovery safeguards in place, your hosted SFTP provider will have a solution that runs reliably.
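The IP Address Restriction item above describes denying a login when valid credentials arrive from a source that is not pre-approved. The following added example (not from the original guide or any provider's product) shows that check as a default-deny, per-user allowlist; the accounts, networks and login events are constructed, and the policy format is an assumption.

```python
import ipaddress

# Constructed policy: each account may log in only from these networks.
ALLOWED = {
    "alice": ["203.0.113.0/24"],
    "batch-upload": ["198.51.100.7/32", "2001:db8:10::/64"],
}

# Constructed login events, in the shape an auth log might be parsed into.
EVENTS = [
    {"user": "alice", "src": "203.0.113.25", "password_ok": True},
    {"user": "alice", "src": "::ffff:203.0.113.25", "password_ok": True},
    {"user": "alice", "src": "198.51.100.99", "password_ok": True},
    {"user": "batch-upload", "src": "2001:db8:10::5", "password_ok": True},
    {"user": "intern", "src": "203.0.113.25", "password_ok": True},
    {"user": "alice", "src": "198.51.100.99", "password_ok": False},
]

def normalise(addr):
    """Parse an address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) from dual-stack listeners."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip

def is_allowed(user, addr, policy=ALLOWED):
    """Default deny: unknown users, unparsable addresses and unlisted sources all fail."""
    try:
        ip = normalise(addr)
    except ValueError:
        return False
    for net in policy.get(user, []):
        network = ipaddress.ip_network(net)
        if ip.version == network.version and ip in network:
            return True
    return False

def review(events, policy=ALLOWED):
    """Events where correct credentials were presented from a non-approved source."""
    return [e for e in events
            if e["password_ok"] and not is_allowed(e["user"], e["src"], policy)]

if __name__ == "__main__":
    for event in review(EVENTS):
        print("deny and alert:", event["user"], "from", event["src"])
```

Events returned by `review` are the ones worth alerting on: the password was correct but the source was not approved, which is the stolen-credential case the guide describes.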

       

    How to Choose the Best FTP and SFTP Hosts

    Now that you know what to look for in a file sharing solution, let’s walk through the process of actually choosing the right hosted SFTP or FTP option. Follow the steps below to ensure you make the best decision for your company’s future and solve all of your data security problems.

    Prioritize Your Needs

     
    Evaluate Account Options

    Many top file sharing solution providers offer a variety of account options to align with the size and storage demands of different companies. These account options vary by price, the number of user accounts facilitated, and storage space. Choose an account size that meets your needs today, and make sure you are partnering with a hosted SFTP provider that can adjust your account to meet your needs in the future.

    Try the Solutions Out for Yourself

    The best way to determine if a solution is right for your business is to see it in action. Schedule a demo or consultation with the SFTP providers you’re interested in. This gives you the opportunity to ask questions and see for yourself if the features and usability are right for your company's needs. Plus, these demos are free, so you’re only investing time in a process that’s sure to give you greater insight into the solutions.

     
     
    Do you want more insight on how to choose the best SFTP host for your business’ needs?

    Contact Sharetru to talk to the file sharing experts. We can help you navigate this important decision process.
