Why can’t I use SFTP for secure file transfer?

With most businesses still adapting to the new normal of remote and decentralized work, we wanted to take a quick look at two of the tools / techniques some businesses have dusted the cobwebs off to share data with their employees and partners around the world – FTP, SFTP, and FTPS. While these can certainly get the job done, there are serious security concerns that must be accounted for (not to mention that they don’t meet many industry and government compliance standards).

Still using FTP or SFTP to share data? Maybe it’s time for a modern E2EE data sharing platform like HighSide!

Never heard of SFTP, FTPS, or FTP? You aren’t alone – FTP was invented on April 16th 1971, making it a five-decade-old file transfer technology. FTP is an unsecured way to transfer files from a server to a client; security was added in 1997 through two modernizations, FTPS (secured with SSL) and SFTP (secured with SSH). In January 2021, support for the FTP protocol was disabled in Google Chrome (as of version 88) and in other browsers, such as Firefox (as of version 88.0).

For purposes of this blog we are going to focus mostly on SSH FTP (SFTP) as it’s the more common file transfer protocol.

Encryption in transit, but no at-rest data security exposes data

SFTP provides a form of encryption in transit through an SSH tunnel; however, the encryption ends when the data reaches the client or the server. If a user uploads a file to be sent / retrieved via an SFTP connection, the data is not encrypted while it waits for the client to connect and pull the data down.

SFTP is ONLY a transfer protocol. It never protects data at rest: any file sent through the protocol has to reside somewhere, and once it is in the destination directory it is available to any server administrator who has access to that directory.
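One way to check a landing directory for the exposure described above, as an added example that is not code from the original article. The list of encryption envelopes, the function names and the sample files are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

# Leading bytes of client-side encryption envelopes (assumed list; extend it for your tooling).
ENVELOPE_MAGIC = (
    b"-----BEGIN PGP MESSAGE-----",  # ASCII-armored OpenPGP message
    b"age-encryption.org/v1",        # age file header
)

def audit_landing_dir(root):
    """Return {relative_path: [findings]} for regular files under an SFTP landing directory."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            findings = []
            # Group/other read bits widen access beyond the account that uploaded the file.
            if st.st_mode & (stat.S_IRGRP | stat.S_IROTH):
                findings.append("readable beyond owner")
            with open(path, "rb") as fh:
                head = fh.read(64)
            # Permissions do not stop a server administrator; only an envelope applied before upload does.
            if not head.startswith(ENVELOPE_MAGIC):
                findings.append("no encryption envelope (plaintext at rest)")
            if findings:
                report[os.path.relpath(path, root)] = findings
    return report

def demo():
    # Constructed sample files standing in for uploads waiting on an SFTP server.
    samples = {
        "payroll.csv": (b"name,salary\nalice,100\n", 0o644),
        "design.pdf.age": (b"age-encryption.org/v1\n-> X25519 ...\n", 0o600),
        "contract.asc": (b"-----BEGIN PGP MESSAGE-----\n\n...\n", 0o640),
    }
    with tempfile.TemporaryDirectory() as root:
        for name, (data, mode) in samples.items():
            path = os.path.join(root, name)
            with open(path, "wb") as fh:
                fh.write(data)
            os.chmod(path, mode)
        return audit_landing_dir(root)

if __name__ == "__main__":
    print(demo())
```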

SSH key handling and username / password reliance is a security nightmare

SFTP relies on SSH keys and username / passwords to broker access to the data stored in the server. While simply saying the word keys makes you think of strong data security, in reality SSH keys generated prior to October 2019 have no encryption integrity: they have known vulnerabilities which can be exploited (Return of Coppersmith Attack).

Let’s operate on the assumption your SSH keys are not vulnerable to this ROCA exploit – how then do you move those keys around and share them with the relevant clients without exposing them?

There is no built-in or easy-to-secure way to do SSH key management. Any system that requires key and certificate management is a major overhead for organizations’ IT departments: time-consuming and costly. When systems are cumbersome, there are not just technical vulnerabilities to worry about, but human vulnerabilities to consider.
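The kind of key inventory that SSH key management ends up requiring, shown as an added example that is not code from the original article: it parses authorized_keys entries, reports RSA modulus size and fingerprint, and flags entries with no usage restrictions or owner comment. The MIN_RSA_BITS threshold, the function names and the sample entries (built from arbitrary numbers, not real keys) are assumptions.

```python
import base64, hashlib, struct

MIN_RSA_BITS = 2048  # assumed policy threshold, not a figure from the article
KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256"}  # types this example recognises

def ssh_string(data):
    return struct.pack(">I", len(data)) + data  # uint32 length prefix + bytes

def mpint(x):
    return ssh_string(x.to_bytes(x.bit_length() // 8 + 1, "big"))  # leading 0x00 keeps it positive

def read_string(blob, off):
    (n,) = struct.unpack_from(">I", blob, off)
    return blob[off + 4:off + 4 + n], off + 4 + n

def inspect_line(line):
    tokens = line.split()
    idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
    if line.lstrip().startswith("#") or idx is None or idx + 1 >= len(tokens):
        return None  # comment, blank line, or unrecognised key type
    blob = base64.b64decode(tokens[idx + 1])
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    entry = {"type": tokens[idx], "bits": None, "flags": [],
             "comment": " ".join(tokens[idx + 2:]), "fingerprint": "SHA256:" + digest}
    if tokens[idx] == "ssh-rsa":
        _type, off = read_string(blob, 0)   # blob layout: type, exponent e, modulus n
        _e, off = read_string(blob, off)
        n, off = read_string(blob, off)
        entry["bits"] = int.from_bytes(n, "big").bit_length()
        if entry["bits"] < MIN_RSA_BITS:
            entry["flags"].append("RSA modulus below policy minimum")
    if idx == 0:  # nothing precedes the key type, so no from=/command= options apply
        entry["flags"].append("no options restricting use (from=, command=)")
    if not entry["comment"]:
        entry["flags"].append("no owner comment")
    return entry

def inventory(text):
    return [e for e in map(inspect_line, text.splitlines()) if e]

def rsa_line(bits, comment, options=""):
    # Constructed blob: the modulus is an arbitrary odd number of the right size, not a real key.
    blob = ssh_string(b"ssh-rsa") + mpint(65537) + mpint((1 << (bits - 1)) | 1)
    return f"{options} ssh-rsa {base64.b64encode(blob).decode()} {comment}".strip()

SAMPLE = "\n".join(["# constructed authorized_keys content", rsa_line(1024, "old-partner@example.test"),
                    rsa_line(3072, "", options='from="192.0.2.10"')])

if __name__ == "__main__": print(*inventory(SAMPLE), sep="\n")
```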

High overhead, serious security concerns and no E2EE make SFTP a non-compliant choice

SFTP does not meet US DoD and US Dept. of Commerce ITAR / EAR export controlled data security requirements, nor does it meet the UK MOD requirements as outlined in ISN 2020/07 for MODII (MOD Identifiable Information) due to lack of end-to-end encryption.

SFTP and FTP in general don’t have high fault tolerance for poor connections, leading to lots of failed connections during the upload / download of data. This causes usability issues which drive users to find workarounds.

Additionally, the user interface is not conducive to the average user, leading many companies to invest in building a front end to the SFTP service. This adds usability, but increases overhead costs significantly.

How HighSide dramatically improves on SFTP

HighSide’s file attachment / transfer capability, available in both our stand-alone E2EE secure collaboration platform and our Microsoft Teams extension (SecureTeams), sends documents and files in an end-to-end encrypted state. Additionally, the SecureDrive capability (cloud file storage & sharing) not only allows users to easily share files with team members, but stores those files in the cloud fully end-to-end encrypted.

No tough-to-navigate interface with HighSide! E2EE file transfer is built into the collaboration platform, enabling users to easily attach a file to a message and hit “send” rather than requiring the receiver to take action to search for and download the file. Additionally, with SecureDrive, an entire folder / drive of files that are end-to-end encrypted can be shared with a user and made available via local OS file synchronization.

HighSide’s native compliance management suite and event logging APIs enable security and compliance teams to prove that data was only accessed by authorized users and even highlight the geolocation and device it was accessed with.

HighSide’s built-in data access controls enable organizations to control who can access what data, from what devices and in what geographical locations (down to the square meter) they can access said data. Control access with any number of factors, and ensure compliance while enabling your users to access data easily within bounds.

HighSide’s file transfer system uses a BitTorrent-style upload / download mechanism, enabling large files to be easily sent and received even on unstable and poor connections. Additionally, the fault tolerance of our distributed encryption protocol ensures that no matter how poor the connection, the cryptographic handshake remains engaged throughout the transfer.

The HighSide E2EE secure collaboration platform is a passwordless application, virtually mitigating the threat of phishing – our SecureTeams E2EE extension for Microsoft Teams is also resilient against phishing/spoofing with double password requirements and key rotation capabilities.

This goes without saying, but HighSide’s distributed Encryption & Authentication Protocol (HEAP) powers all file sharing across the HighSide applications, empowering users to take advantage of E2EE without needing to manage keys, store keys or share them via unsecured channels.

HighSide, simply put, makes everyone’s lives easier when it comes to data sharing – from the end-user to the security & compliance team to the executive risk management group.