How Secure are Your File Transfer Services?

Michael Nikitin

CTO & Co-founder AIDA, CEO Itirra

Published on November 13, 2018

After centuries of innovation, we have access to the most powerful technological tools that help us to achieve more for less. Modern businesses are much more productive and cost-efficient than ever before. However, one of our most important assets also became the most vulnerable – information. Every day your financials, client details, and proprietary data are at risk of falling into the wrong hands.

Without the necessary precautions, keeping data secure becomes close to impossible. Besides, if your file transfer system is not secure, how would you even know that you have been breached? You can begin by checking whether your company relies on outdated File Transfer Protocol (FTP) servers. This is an often-overlooked area that can leave your company vulnerable to cyber-attacks.

What is FTP?

FTP is a commonly used network protocol for exchanging and sharing information across the internet. Written by Abhay Bhushan in April 1971, FTP was one of the first technologies developed to enable people to transfer and exchange files with co-workers and clients across offices. Even though other, more secure, file-sharing systems emerged with time, FTP remains the current system for many businesses.

How Secure is it?

The cyber environment of today is a lot less forgiving than it was 47 years ago. Companies do their best to improve their security, and cybercriminals do their best to find a way around it. In 2017, almost 180 million records were exposed in data breaches. Sensitive data and intellectual property are under threat and there are no guarantees for any business, big or small.

Mechanisms for safe data transfer and sharing should be a high priority for every company. Security-conscious businesses must understand that the functions offered by FTP are not enough to protect their information. It is inherently risky to rely on FTP because it was not built to withstand current cyber threats.

FTP Weaknesses

1. User credentials are often transmitted in plain text, unencrypted

2. User management is either a manual or a scripted process

3. No monitoring functions are in place, meaning that you have little control over who has access to your files

4. It is hard to track sent files using FTP

5. FTP does not automatically restart the file transfer process in case of failure

6. FTP servers are not capable of handling large files

There are a few ways of making FTP more secure. One is Secure Shell (SSH), which encrypts communications between the FTP server and client, including both authentication and message traffic, turning FTP into SFTP. The other is Secure Sockets Layer (SSL), which establishes an encrypted connection by verifying public and private keys issued by your server. This turns FTP into a protected FTPS.
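The first weakness in the list and the SSL/TLS upgrade described above can both be checked from a capture of the FTP control channel. The following audit is an added example, not code from the article or from Itirra; the capture line format, the session names and the finding labels are assumptions, and the sample lines are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample: "<session> <C|S> <line>" as seen on port 21 by a sniffer.
SAMPLE_CAPTURE = """\
s1 C USER alice
s1 S 331 Password required
s1 C PASS hunter2
s2 C AUTH TLS
s2 S 234 Proceed with negotiation
s3 C AUTH TLS
s3 S 502 Command not implemented
s3 C USER bob
s3 C PASS s3cret
"""

LINE = re.compile(r"^(\S+) ([CS]) (.*)$", re.M)

@dataclass
class Session:
    tls_requested: bool = False
    tls_accepted: bool = False
    awaiting_auth_reply: bool = False
    user: str = ""
    password_seen: bool = False  # the password value itself is never stored

def audit(capture):
    """Return {session: (finding, username)} for each control connection."""
    sessions = {}
    for sid, direction, payload in LINE.findall(capture):
        s = sessions.setdefault(sid, Session())
        if direction == "C":
            verb, _, arg = payload.partition(" ")
            verb, arg = verb.upper(), arg.strip()
            if verb == "AUTH" and arg.upper() in ("TLS", "SSL"):
                s.tls_requested = s.awaiting_auth_reply = True
            elif verb == "USER":
                s.user = arg
            elif verb == "PASS":  # readable PASS means no encryption was active
                s.password_seen = True
        elif s.awaiting_auth_reply:  # server reply to AUTH: 234 means TLS starts
            s.tls_accepted, s.awaiting_auth_reply = payload.startswith("234"), False
    return {sid: (_finding(s), s.user) for sid, s in sessions.items()}

def _finding(s):
    if s.password_seen:
        refused = s.tls_requested and not s.tls_accepted
        return "tls-refused-cleartext-login" if refused else "cleartext-login"
    return "tls-upgraded" if s.tls_accepted else "no-login-seen"
```

Session `s3` is the case to alert on: the client asked for encryption, the server refused, and the client logged in unencrypted anyway.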

Who Cannot Use FTP in Their Day-to-Day Business Operations?

You cannot use FTP if your business:

1. Is in highly regulated healthcare, finance, or manufacturing industries

2. Is sending or receiving sensitive information

3. Is publicly traded

If you are among businesses that have to comply with data security and privacy laws and regulations such as HIPAA and GDPR, you are not only vulnerable to cyber threats, but also risk hefty fines from the government.

There is a Solution

FTP is far from the only file transfer system on the market. Representational State Transfer (REST) technology, for example, is a modern web-based API that uses HTTPS requests to receive, send, and delete information. The system offers proper authentication, authorization, and access management. REST is very useful in cloud applications. The technology can scale to accommodate various load changes. Every request can be directed to any instance of a component.

Our Experience

One of our clients was a healthcare company that used SFTP to transfer patient information. The company’s users transferred, imported, and updated health data in different ways. Some had automated or semi-automated approaches, while others relied solely on manual input. With this system, logs were very limited and represented only system accounts, meaning it was nearly impossible to monitor what files were transferred, when, and by whom.

Itirra’s experts built multiple integrations from the ground up to allow the exchange of data between clients and data vendors. We used a REST API for the client and retained SFTP functionality only for vendors who could not use modern protocols. Certificate management and on-the-fly PGP encryption and decryption were implemented to provide an additional level of security for HIPAA-compliant data transfer. Row-by-row validation, alerts, and notifications were also introduced to make sure the received data is processed correctly and clients are notified if something goes wrong.

The company has improved client retention by managing their clients’ data more efficiently. Moreover, employees no longer had to spend hours managing data manually, which not only allowed them to focus on more important tasks but also significantly reduced the number of errors.

If you are ready to update from the outdated FTP to modern, highly secure systems, do not hesitate to contact us or arrange a meeting with me.