FTP is an outdated, insecure protocol that nevertheless remains in widespread use.
Editor's Note: This article introduces "Beyond FTP: Securing and Managing File Transfers," a free white paper that you can download from the MC White Paper Center.
Every day, millions of files are exchanged all over the world by corporations, government entities, and other organizations. These electronic transfers include the critical data needed to conduct business, such as customer and order information, EDI documents, financial data, payment information, as well as employee- and health-related information.
Most file transfers use a popular protocol known as FTP, yet few managers realize the security and management risks that have blossomed in their organization with the prevalent use of FTP.
How FTP Became the "Standard"
FTP stands for File Transfer Protocol and was one of the first formalized networked applications provided by TCP/IP. The early FTP designs, created almost 40 years ago, look remarkably similar to what we use today. And because it has not evolved, FTP is a protocol rife with security exposures and management issues.
The good news is that every computer has a built-in capability to exchange data: the file transfer application that enables FTP is embedded in the services of TCP/IP.
The bad news is that—after nearly 40 years of casual implementation—many business-to-business FTP implementations are uncontrolled and insecure, robbing corporations of productivity and endangering the security of their critical data.
Pitfalls of FTP Implementations
There are three basic pitfalls of FTP deployments: user interaction, complexity, and security.
User Interaction and Complexity
Many organizations allow their employees to perform file transfers directly from their desktops using PC-based tools. However, these tools require manual intervention and are error-prone (e.g., the user may accidentally choose the wrong files to send).
When the settings (e.g., host names, IP addresses, folder names) for FTP servers change, IT often has to devote resources to reconfigure FTP clients or maintain embedded scripts. The same problem exists when user ID credentials and passwords change or when new business partners are added.
If the underpinnings of FTP transactions are decentralized, IT may have to send someone to various locations to update the changes. Any decision to distribute corporate FTP functions away from the central server and out to PCs should be carefully considered because decentralizing FTP functions often introduces inefficiencies and could increase labor costs.
However, when it comes to problems for management, nothing compares to FTP's security exposure, which can be one of the gravest security threats facing an organization.
FTP was designed as an easy mechanism for exchanging files between computers at a time when networks were new and information security was an immature science. Today, the security of business file transfers is of paramount importance. FTP's basic security mechanisms—the user ID and password—were long ago rendered inadequate by hackers, malware, advances in network sleuthing technologies, and the proliferation of millions of network-attached users.
Too many organizations have moved the functionality of business-to-business file exchanges to personal computers, leaving sensitive files vulnerable. Unless IT implements specific security steps, it's difficult to ensure that data sent through a personal computer has been adequately scrubbed from its hard disk after the transfer.
Additionally, native FTP does not encrypt data, often leaving files to be transferred as "clear text," open to hacking.
Best Practices for Secure File Transfers
Clearly, the procedures governing how businesses today use FTP need to be reexamined and strengthened, yet where do we start such an undertaking?
The first step is to examine how FTP is being used in your organization. The next step is to identify how the organization needs to manage and secure everyone's file transfers.
In the past, IT had no system-wide approach to file exchange: standalone FTP tools and scripts were considered to be enough to get the job done. But today, as business-to-business transfers proliferate, it's time for IT to deploy a strategy that meets the overall requirements of security, flexibility, and ease of use. The best solution to securing your FTP implementations will be one that best centralizes and manages the control of all file transfers.
Home-built or custom applications that nest FTP functions within application code are management time bombs in our opinion. They obscure the configurations and activities of file transfers, and they can leave user IDs and passwords out in the open, unprotected. An IT department that is using applications such as these should instead adopt a centralized approach in which encryption and FTP functions are accessed through a controlled framework.
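The following is an added example, not part of the original article or the white paper: a small audit script for the "examine how FTP is being used" step, which flags cleartext FTP invocations and embedded credentials in scripts and masks the secrets in its report. The rule names, sample file names, hosts, and passwords are constructed for illustration, and the patterns are assumptions that are not exhaustive.

```python
import re

# Illustrative rules (assumptions, not exhaustive): ways a script invokes cleartext
# FTP or leaves a user ID and password readable in the file.
RULES = [
    ("cleartext-ftp-client", re.compile(r"^\s*(?:ftp|ncftpput|ncftpget)\s+[-\w]", re.I)),
    ("cleartext-ftplib-session", re.compile(r"\bFTP\(")),  # FTP_TLS( does not match
    ("credentials-in-url", re.compile(r"\bftp://[^\s:/@'\"]+:[^\s@'\"]+@", re.I)),
    ("credentials-in-user-cmd", re.compile(r"^\s*(?:quote\s+)?user\s+\S+\s+\S+\s*$", re.I)),
    ("credentials-in-netrc", re.compile(r"\bmachine\s+\S+.*\bpassword\s+\S+", re.I)),
    ("credentials-in-login-call", re.compile(r"\.login\(\s*['\"][^'\"]+['\"]\s*,\s*['\"][^'\"]+['\"]")),
]

# Each pattern captures the text before the secret (group 1); the secret is masked.
REDACTIONS = [
    re.compile(r"(ftp://[^\s:/@]+:)[^\s@]+(?=@)", re.I),
    re.compile(r"^(\s*(?:quote\s+)?user\s+\S+\s+)\S+", re.I),
    re.compile(r"(\bpassword\s+)\S+", re.I),
    re.compile(r"(\.login\(\s*['\"][^'\"]+['\"]\s*,\s*['\"])[^'\"]+"),
]

def redact(line):
    """Mask secrets so the audit report does not become a second copy of them."""
    for pat in REDACTIONS:
        line = pat.sub(r"\1****", line)
    return line.strip()

def scan(name, text):
    """Return (file, line number, rule, redacted line) for every rule hit."""
    return [(name, no, rule, redact(line))
            for no, line in enumerate(text.splitlines(), 1)
            for rule, pat in RULES if pat.search(line)]

def audit(files):
    return [hit for name, text in files.items() for hit in scan(name, text)]

# Constructed sample files standing in for scripts found on desktops and servers.
SAMPLES = {
    "nightly_orders.sh": "ftp -n partner.example.com <<EOF\nuser acme_orders S3cretPw\n"
                         "put orders.edi\nEOF\n"
                         "curl -T report.csv ftp://acme:Hunter2@files.example.com/in/\n",
    "push_payroll.py": "ftp = FTP('payroll.example.com')\nftp.login('svc_payroll', 'Winter2009')\n",
    "sftp_ok.sh": "sftp -b batch.txt partner@sftp.example.com\n",
}

if __name__ == "__main__":
    for name, no, rule, snippet in audit(SAMPLES):
        print(f"{name}:{no}: {rule}: {snippet}")
```

Each hit is a candidate for migration to a centrally managed transfer job; any credential that turns up this way should be rotated as well as removed from the file.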
Upgrading to Secure FTP
One of the best solutions for protecting your FTP transmissions is to upgrade to "Secure FTP" encryption technology. The two popular Secure FTP protocols are SFTP (meaning FTP over SSH) and FTPS (meaning FTP over SSL). Choosing the right type of Secure FTP protocol to use will depend on your trading partner's capabilities and authentication requirements.
This is an area where the expertise of those in IT is required in order to ensure that the right form of encryption is utilized, that authentication mechanisms are properly implemented, and that regulatory requirements have been met.
Controlling the FTP Exposure
As a file transfer mechanism, FTP has had a long and illustrious history. But the past ad hoc implementation of FTP tools throughout the enterprise, the past attempts to automate its functions, and the inherently weak security of its basic design have often left IT departments with infrastructures that do not meet the requirements of manageability or security. In our opinion, IT must bring FTP into compliance, must secure the file transfer processes, and must reengineer how the facility is utilized and controlled within the organization.
There are several approaches to this conundrum, and we encourage readers to explore all of them, including those offered by Linoma Software, which has been serving the technology needs of companies since 1994 and is a specialist at managing, automating, and securing data transmissions.
For more information, download "Beyond FTP: Securing and Managing File Transfers," a free white paper available from the MC White Paper Center.
MC Press Online