In the Information Age, data is currency. Controlling the flow of information and, more importantly, protecting it has increasingly become a focal point for companies that want to remain competitive in modern markets. Improving data efficiency, integrity, and security is often how companies separate themselves from their peers.
We present two of the most common methods for data transfers: FTP and SFTP. They are a reasonable entry point for understanding how data transfers work and how to employ them in a practical setting, so we’ll cover the purpose of each protocol and the differences between them.
What are FTP and SFTP?
Before we can sort out the differences between FTP and SFTP, it’s a good idea to understand exactly what the protocols are and how they’re used with data:
FTP, short for File Transfer Protocol, is the means by which computers communicate with one another across a network, with the end goal of transferring data. FTP has been in use since the early 1970s, before the Internet was in every home, and it is still used every day by everyone to transfer files at work and on the World Wide Web. In fact, each of us has almost certainly used FTP countless times over the years to download files directly or to install a patch for software.
In business, FTP is a simple way to send files between servers and clients that don’t require a high level of security; that is, it’s ideal when you need to keep the data moving in an inherently secure network without security checks slowing down the packets. For instance, web developers and administrators may prefer it as a means to implement and test new functionality on a website without adding security. However, this is only applicable in an environment where the controlling party can be sure there is no chance of external interference that may breach the server. That’s not to say that countless web users don’t take on this risk if the data transfer is coming from a trusted source.
SFTP is short for Secure File Transfer Protocol. The Internet Engineering Task Force (IETF) began circulating this protocol around the late 1990s, likely when Web experts gathered that a more secure way to send data was necessary. Its origins are tied heavily to the advancement of SSH, and it can be seen as an extension of this technology (more on SSH in the ensuing section).
Despite the similarity in naming conventions, SFTP is not a secure extension of FTP; rather, it is an entirely different protocol that was built from scratch with FTP’s groundwork as a spiritual predecessor. The word ‘secure’ is the obvious difference between the two protocols, and much of this article will be centered around that basic idea. FTP is simple and fast, but not secure; SFTP is a bit less efficient, but it protects the data in ways FTP doesn’t.
What is SSH?
SFTP is usually secured using SSH, an acronym that stands for ‘secure shell’ or ‘secure socket shell’, both of which are synonymous. It is a remote administration protocol used as a secure alternative to direct client-server transactions. Authentication in SSH is completed using a public key that is sent from client to server, after which the server verifies that a required private key is present on the client and negotiation commences.
This method was created with automation in mind, so users don’t need to physically enter their username and password to gain access to a server, provided they are attempting access on a node the server recognizes. Automation is particularly useful in the case of synchronous applications that need to communicate data between one another sporadically; otherwise, user authentication would be needed each time data is sent.
Main Differences Between FTP and SFTP
|FTP|SFTP|
|---|---|
|Inherently unsecured due to lack of encryption|Inherently secure via SSH encryption present in each packet|
|Uses two channels to send data, opening an additional avenue for attack|Uses a single channel to send data, limiting possible entry points for attack|
|Employs client-server architecture as part of TCP/IP|Employs SSH protocol as part of remote login application mechanisms|
|Uses direct transfer method, so packets are not encapsulated|Uses ‘tunneling’ transfer method, so packets can be encapsulated|
|Plain text authentication and data are more easily phished by external threats|Encrypted data has a very high level of resistance to phishing attacks|
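To make the plaintext-authentication and two-channel rows concrete, the following added example (not code from the original article) audits a constructed FTP control-channel transcript and reports what anyone who can see the traffic learns from it. The host name, account, file name and addresses are constructed sample values, and `audit_ftp_control` is a hypothetical helper name.

```python
import re

# Constructed sample: client (C) and server (S) lines from an FTP control
# connection, as they would appear in a packet capture of port 21.
SAMPLE_SESSION = """\
S: 220 files.example.test FTP ready
C: USER deploy
S: 331 Password required for deploy
C: PASS constructed-secret
S: 230 User deploy logged in
C: PASV
S: 227 Entering Passive Mode (192,0,2,10,195,80)
C: RETR payroll.csv
S: 150 Opening data connection
S: 226 Transfer complete
"""

# Passive-mode reply: four address octets followed by two port bytes.
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def audit_ftp_control(transcript):
    """Return findings showing what an on-path observer learns from FTP."""
    findings = {"user": None, "password_exposed": False,
                "data_channels": [], "files": []}
    for line in transcript.splitlines():
        side, _, text = line.partition(": ")
        if side == "C":
            verb, _, arg = text.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                findings["user"] = arg
            elif verb == "PASS":
                # Record only that it was readable; never store the secret.
                findings["password_exposed"] = bool(arg)
            elif verb in ("RETR", "STOR"):
                findings["files"].append((verb, arg))
        elif side == "S":
            m = PASV_RE.match(text)
            if m:
                h1, h2, h3, h4, p1, p2 = map(int, m.groups())
                # The second (data) channel: port is p1 * 256 + p2.
                findings["data_channels"].append(
                    (f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2))
    return findings


if __name__ == "__main__":
    print(audit_ftp_control(SAMPLE_SESSION))
```

The same capture of an SFTP session would show only SSH-encrypted packets on a single connection, so none of these fields could be recovered.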
Why Should I Use SFTP Instead of FTP?
The short answer is that you should use SFTP whenever a security risk is present during a data transfer, and when compliance with data security standards is necessary. It is at the discretion of the user whether or not the risk constitutes a need for security, but generally this means whenever sensitive data is in play or the transaction has the potential to grant access to a server.
An admin may decide that a local-area network (LAN) is closed enough that there is no risk of a breach and use FTP to send files to a coworker, whereas that same admin might decide encryption is needed to send that same data across a wide-area network (WAN).
Generally, any data transfers that travel through the Internet are inherently at risk. Security concerns make SFTP the minimum for businesses that operate on the web, that handle sensitive consumer or employee information, or that want to protect their own sensitive data assets from prying eyes. Conversely, administrators who need a simple means to pass data and want to avoid having to manage SSH keys and jump through hoops each time a client-server transaction occurs would likely be better suited to FTP.