Which is Higher: SFTP vs. FTPS?
How do you transfer sensitive files? Business requirements and security standards have increased in recent years across industries and continents, but many organizations have struggled to keep up. Manual scripts, legacy tools, and single-use software are still utilized by IT and security teams despite their risks, causing more problems than they solve.
In fact, a good majority of our secure file transfer users migrated from old methods of moving data between their private network and trading partners, like scripts and FTP, to a more secure strategy.
Is it time to replace your legacy processes like the user above? If so, you can transition from standard FTP file transfers to safer, stronger methods like SFTP and FTPS. But if you’re not sure which one to use, you’re not alone. Many users wonder which secure FTP protocol they should use in their organization.
Let’s simplify the confusion. In this article, we’ll examine both protocols, SFTP and FTPS, to determine which is better for your unique situation and requirements.
What is SFTP?
SFTP (SSH File Transfer Protocol) is a secure FTP protocol that sends files over secure shell (SSH), providing a high level of protection for file transfers. SFTP implements AES, Triple DES, and other algorithms to encrypt data that flows between systems. It also offers several ways to authenticate a connection—with a user ID and password, SSH key, or a combination of a password and SSH key—for organizations that require stronger authentication.
Need to meet requirements for laws and regulations? SFTP can also help you check file transfer-related needs off your list for PCI DSS, HIPAA, the GDPR, and more.
What is FTPS?
FTPS (FTP over SSL) is a secure FTP protocol that allows you to protect and exchange files with trading partners, employees, and clients. Like SFTP, FTPS also implements strong algorithms like AES and Triple DES to encrypt critical file transfers. For connection authentication, FTPS uses a combination of user IDs, passwords, and/or certificates to verify a system’s authenticity.
If compliance is a concern, you can achieve various file transfer requirements with FTPS, including PCI DSS, HIPAA, HITECH, SOX, and state privacy laws.
When to Choose SFTP versus FTPS
If SFTP and FTPS are both secure protocols with similar protection, when is it best to use one over the other? The answer is: it depends. Your choice comes down to your organization’s IT infrastructure, trading partner requirements, how you want to authenticate file transfers, and which ports you want to use.
When to Use SFTP:
SFTP has the upperhand over FTPS when it comes to authentication and firewalls. For example, when authenticating a connection, you can:
- Use a user ID and password to connect to an SFTP server; OR
- Use SSH keys with or instead of passwords for extra authentication
Key-based authentication does require you to generate an SSH key pair beforehand, so keep that in mind if you’re planning to use SFTP. You may want to look into Key and Certificate Management along with your SFTP Client/Server if you plan to use SSH keys to authenticate connections.
SFTP wins when considering ease of implementation. A very firewall friendly protocol, SFTP needs a single port opened (port 22) to transmit initial authentication, issued commands, and file transfers between itself and another server.
When to Use FTPS:
If you’re required to use FTPS by a trading partner or you want to use certificates to authenticate connections, FTPS will be your best option for secure file transfer.
FTPS uses TLS (and SSL, though SSL is now considered insecure by PCI DSS and most industry standards) to encrypt server connections. X.509 certificates are used to authenticate these connections. They contain identifiable information like issuer name, subject name, subject public key details, and signature.
When using certificates, they’re considered trustworthy if either signed by a known certificate authority (CA) or self-signed by a trading partner. Certificates signed by a CA are easy to validate using the chain of trust that is built into the standard. To validate self-signed certificates, you must have a copy of the trading partner’s public certificate in your trusted key store.
There is a downside. If you choose FTPS for your organization, be aware that FTPS can be difficult to connect through firewalls with high levels of security. FTPS uses multiple port numbers for implicit and explicit connection types, so every time a file transfer or directory listing request is made, another port will open. This can put your network at risk and open you up to vulnerabilities if you aren’t careful and alert.
Infographic: The Best Protocol for Secure FTP
How do FTPS and SFTP compare when viewed side by side? (View the infographic as a PDF.)