Author Archive

Secure FTP

Posted by bluebbe on Thursday, 4 February, 2010

One of the best solutions for protecting your FTP transmissions is to utilize “Secure FTP” encryption technology.

The two popular Secure FTP protocols are named SFTP (meaning FTP over SSH) and FTPS (meaning FTP over SSL). Both SFTP and FTPS create encrypted tunnels between your system and your trading partners. In essence, anything that flows over those tunnels is protected, including user IDs, passwords and commands, as well as any data that is transmitted.

One of the main differences between SFTP and FTPS is the way authentication is performed. With SFTP, clients can be authenticated with just a password or a private key. With FTPS, clients and servers can be authenticated with certificates, which are either self-signed (by your organization) or signed by a Certificate Authority (e.g. Verisign).
Choosing the right type of Secure FTP protocol to use will depend on your trading partner’s capabilities and authentication requirements.

You should not leave it up to your users to decide which secure protocol or methodology works best. This can create a hodgepodge of approaches, none of which may meet your overall security and authentication policies.
This is an area where IT’s expertise is required to ensure that the right form of encryption is utilized, that authentication mechanisms are properly implemented and that regulatory requirements have been met.
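
An added example (not from the original post) of the FTPS certificate authentication described above, using Python's standard `ftplib` and `ssl` modules: the server certificate is verified against a CA or the partner's own self-signed certificate, an optional client certificate is presented, and the data channel is explicitly encrypted. The function names, parameters and file arguments are assumptions for illustration.

```python
import ssl
from ftplib import FTP_TLS


def build_ftps_context(ca_file=None, client_cert=None, client_key=None):
    """TLS settings for an FTPS client that authenticates the server by certificate."""
    # ca_file=None trusts the system CA store (CA-signed server certificate).
    # For a partner's self-signed certificate, pass that certificate as ca_file
    # rather than turning verification off.
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if client_cert:
        # Client certificate for servers that authenticate clients by certificate.
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def list_remote_dir(host, user, password, ctx, path=".", port=21, timeout=30):
    """Log in over explicit FTPS and list a directory with both channels encrypted."""
    ftps = FTP_TLS(context=ctx, timeout=timeout)
    try:
        ftps.connect(host, port)
        ftps.login(user, password)  # negotiates TLS (AUTH) before sending USER/PASS
        ftps.prot_p()  # without this the data connection stays in clear text
        return ftps.nlst(path)
    finally:
        ftps.close()


if __name__ == "__main__":
    # Offline check of the settings only; no connection is made here.
    ctx = build_ftps_context()
    print(ctx.verify_mode, ctx.check_hostname, ctx.minimum_version)
```

With `ftplib`, only the control channel is encrypted after login; the `prot_p()` call is what extends protection to the transferred data.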

The Case for Managed File Transfers

Posted by bluebbe on Monday, 21 December, 2009

Every day, millions of files are exchanged all over the world by corporations, government entities and other organizations. These electronic transfers include the critical data needed to conduct business, such as customer and order information, EDI documents, financial data, payment information, as well as employee and health-related information.

Most file transfers use a popular protocol known as FTP. This is a very old protocol: it was designed and implemented in the infancy of computing networks, before the Internet was even heard of. Few managers realize the security and management risks that have blossomed in their organization with the prevalent use of FTP. Fewer still have begun to take measures to bring the use of FTP into compliance with regulations such as PCI, SOX, HIPAA, State Privacy Laws or other mandates.

The best solution to securing your FTP implementations will be one that best centralizes and manages the control of those transfers. The practice of distributing file transfers off the main information system complicates management and opens security holes. How does centralizing FTP reduce the number of management issues?

Centralization:

  • Maintains the rigor of the native operating system’s security mechanisms.
  • Sustains the compliance requirements that have already been implemented on the host system. This includes authority controls and reporting prerequisites.
  • Provides a single point of maintenance for all FTP user profiles and passwords.
  • Contains standardized data encryption techniques and centralized key management.
  • Lets IT engineer a comprehensive solution that provides better control and security, instead of building subsystems for encryption on individual user platforms.
  • Provides a centralized logging system of all file transfer activity for auditing purposes, along with descriptive error logs and message alerts when transfers fail.