SFTP is not dead, it’s alive and well… and you need it

The SSH file transfer protocol has been around for some time, and while its main relevance is providing security in data transfer & access, there’s more to it.

Developed by the Internet Engineering Task Force, this interactive protocol is practical now more than ever. The protocol was initially defined in the frame of the SSH-2 protocol, but it has uses in many other applications.

In this article, we walk you through the ins and outs of SFTP, its applications, and why you should make the switch (if you haven’t already) to SFTP. If you thought SFTP was getting obsolete, you’re in for a treat. Read on.

How it works

SFTP works over the Secure Shell data stream to create a secure connection that offers top-grade file transfer protection. It employs encryption algorithms to securely transmit files and keep the data indecipherable in the course of transit. The authentication element thwarts users from unauthorized file access.

Although SFTP doesn’t expressly necessitate two-factor authentication, it gives you the options of both the user ID and password, as well as SSH keys. The latter is especially handy as they ensure fraudsters don’t stand a chance in connecting to the server.

SFTP Capabilities

SFTP allows you to handle a wide range of operations for sensitive files beyond transfer. Some of the activities possible in SFTP are file removal, resumption of paused/interrupted transfers, and remote directory listings.

Not only does this give it the edge over other protocols, but it also makes it the most reliable choice for system administrators whose primary concern is security. SFTP is also primarily used as a subsystem of SSH-2 implementations. It still is feasible to run SFTP over SSH-1 or other data streams for that matter.

Why SFTP?

The world we live in is far from safe, and sadly, we use the same internet as cybercriminals, hackers, and fraudsters. With so many threats to data transfer over the internet, there is a need for companies to adopt stringent security measures.

Today, there isn’t a file transfer protocol that protects against attacks to data at rest or in transit better than SFTP. It is why SFTP is the fail-safe protocol for file transfer operations.

Real-life SFTP application instances

Data protection in firms and companies

Initially, to secure data in transit using FTP, port forwarding was used to establish an encrypted connection over which username and password credentials could be transferred.

Secondary connections for the actual files to be sent would later be created, but they weren’t secured.

They exposed data to vulnerabilities such as eavesdropping while in the data stream. Despite several efforts, no security measures applied dealt with the issue at hand — user/host identity verification.

SFTP brought into play protections that resolved all the issues. Here, users’ credentials, such as passwords and public keys, are verified during user authentication. On the other hand, the server is authenticated via host identity verification.

Millions of companies all around the world use and trust SFTP because only a single secure connection is established. This connection allows all data to be securely transmitted. To ensure data integrity and security, SFTP utilizes SSH2 Message Authentication Code (MAC) to hashed data payload packets that are encrypted.

Inherent forward secrecy

Forward secrecy is an aspect of specific key agreement protocols that ensures session keys aren’t compromised even when the private key of the server is compromised. It shields past sessions from any future compromises of secret keys or passwords.

By generating a unique session key each time a user initiates a session, the compromise of a single session key doesn’t in any way impact or alter any data other than that transmitted in the specific session protected by that specific key.

SFTP is used with the SSH-2 protocol to achieve secure file transfer. The SSH protocol can renegotiate the actual channel encryption key in-session and provides inherent forward secrecy. This gives SFTP a side advantage over SSL/TLS-enabled servers as it doesn’t require additional configuration.

Isolated subsystems with isolated privileges

Isolation is a practical way of containing any exploits to systems, and its importance can’t be understated. However, it is not an easy thing to achieve, especially with all the complexity surrounding modern systems & networks. That doesn’t necessarily mean that it can’t be achieved.

With the right resources, systems administrators can create SFTP servers with isolated directory access. This prevents users from seeing files/directories outside the transfer director. The configuration process requires an OpenSSH server software and, of course, a user group for SFTP access.

Virtual file systems (VFS)

A virtual file system is essentially an abstract layer at the top of a concrete file system. VFS’s fundamental goal is to allow client applications to access [in an organized manner] different types of concrete file systems.

Virtual file systems specify contracts between concrete file systems and kernels. This simplifies the process of extending support for new file system types to the kernel by fulfilling the contract. It is a versatile implementation that lets individuals mount various types of file systems into one file system.

VFS is one of the commonly used file systems in SFTP. Using VFS, a user can access both local and network storage devices transparently without the client application noticing the difference.

Compliance

Legislations and Acts outline the security standards of sensitive data such as (e.g., medical & financial information) in transit. Even though these guidelines don’t stipulate the file transfer protocols that should be used to achieve compliance, it is only logical to go with the best.

SFTP has proved to be the best protocol to meet the explicitly outlined benchmarks in several legislations as we shall see below:

i. Payment Card Industry Data Security Standard

Cardholder data (CHD) is one of the sensitive data, and that’s why there is PCI to govern the rules and regulations for securing credit card data. The PCI contains a couple of requirements that dissuade organizations that handle credit card data from using FTP for file transfers.

Any organization that accepts credit/debit cards to process payments is obligated to comply with PCI — failure to which it’ll be liable to fines. The relevant requirement of PCI concerning secure file transfer is tracking and monitoring all access to network resources and CHD.

Implementing this and other PCI SSC requirements calls for the capture the following in your logs:

• An audit log that includes more than one year of audit trails
• All events involving data access, not excluding failed logins and changes to user privileges
• File access for each user that has access to cardholder information

SFTP is de facto gold-standard for securing data transfers and remote system administration as it ensures that the sensitive data is protected. The protocol does the following to secure the credit card information:

• Blocks any man-in-the-middle attacks
• Gives secure access to the cardholder data environment for app developers and sys/net admins
• Offers authentication of users and devices as well
• Encrypts file transfers between two endpoints and protects cardholder data while in transit
• Thwarts unauthorized cardholder data access

This explains why it is the preferred choice for PCI compliance.

ii. GDPR

The European Union (EU) General Data Protection Regulation (GDPR) took effect on the 25th of May in 2018. Unlike the PCI requirements, the General Data Protection Regulation standards aren’t well-defined. The standards outline high-level guidance for data security and access for enterprises/organizations that collect & process information on persons from Europe.

Compliance to GDPR standards requires that your server logs satisfy the listed provisions:

• Must have the ability to restore data loss in the unfortunate event of server failure, i.e., have backups
• Constant logging of security access
• Keep a record (written and electronic format) of all data processing activities, including who has received what data
• Distinct access levels to data depending on the data’s sensitivity and protections required
• Guarantee the security of data processing. By extension, this includes enforcing measures that ensure only authorized processes have access to data
• Track individuals that access what customer data, why, and any other actions

While it has been a subject of criticism in the past for falling short in this area, SFTP remains a practical choice to help your business comply with GDPR.

iii. HIPAA

The Health Insurance Portability and Accountability Act is a clearly established Act that applies to the health sector and protects patients’ confidential information. Anyone listed as a covered entity (including health care providers, health care plans, information clearinghouses, and even business associates) is obligated to comply with HIPAA’s mandates for the transfer and access of any personal health record or information.

Healthcare institutions frequently transfer files that have ePHI to the cloud. This information could be anything from test results to medical transcriptions.

The Act stipulates that the data’s integrity, availability, and confidentiality must be maintained at all times in all electronic protected health information (ePHI) situations irrespective of its state (in motion or at rest).

To be HIPAA compliant, logs must track all individuals that access PHI and any related personally identifiable information. You might also be required to track other details, such as failed logins or potential security issues. The latter, however, depends on your environment.

Most, if not all, HIPAA-covered institutions use SFTP to transfer ePHI due to its secure nature. SFTP servers provide the best route to abide by the HIPAA Act.

Conclusion

At this point, it is beyond clear SFTP is still relevant in many of our day-to-day work operations. SFTP remains a critical component to IT departments and network security teams all around the world as it adequately addresses all concerns regarding the security & integrity of data. It is worth noting that SFTP isn’t a turnkey solution, and therefore it has to be configured before being put to use.