The secure alternative to FTP for business

Is FTP secure?

No. The File Transfer Protocol (FTP) was initially developed without any significant security mechanisms, because the Internet was still small at the time and cybercrime was practically non-existent. Therefore, with the original FTP, all information is transmitted in plain text.

Since FTP transmits both the access data when logging in and the files when uploading and downloading in unencrypted form, they can be sniffed in so-called man-in-the-middle attacks.

What risks does FTP pose?

Once an attacker has obtained the access data from the FTP server, he can easily access the server and then download or delete data or even replace provided files as well as entire Internet pages with compromised material.

In this way, an Internet site can quickly become a virus distributor and damage the company's reputation.

Can FTP be secured?

Some web hosts offer their customers the option of allowing FTP access only to individual IP addresses. This actually makes it more difficult fo attackers to access the FTP server. But the data is still transferred insecurely and the concept remains insecure.

Is SFTP/FTPS secure?

Over the years, two secure alternatives to FTP have been developed. The Secure File Transfer Protocol (SFTP) and the SSH File Transfer Protocol (FTPS).

In both cases, communication takes place encrypted, whereby FTPS secures communication using Secure Socket Layers (SSL) or Transport Layer Security (TLS) and SFTP uses the Secure Shell (SSH) for secure transmission.

With SFTP and FTPS, data transmission is therefore secure. However, it is important to note that only the data transfer is secured. At the storage location itself, the files are still available for retrieval unencrypted.

Confidential data in the sense of the GDPR and business secrets should not be stored on an (S)FTP server.

Why FTP servers are no longer state-of-the-art

In the past, FTP servers were often used as an emergency solution. If a file was too large to be sent as an email attachment, the IT or marketing department uploaded it to the FTP server and copy it into the email as a download link.

In some organisations, this option was used so much that the IT department released specially created network drives to the staff. All folders and the files in them were then synchronised to the public FTP server on an event- or time-triggered basis, for example via rsync scripts.

As practical and established as such processes may be, they are also problematic.

No access control possible

FTP does have user names and passwords; in the above example, however, HTTP links were usually issued to recipients so that they did not have to overcome any further technical hurdles.

This results in a serious data security problem; since the recipient was already made aware of the folder structure and any file name conventions on the FTP server by simply looking at the HTTP link, he or she could change the link and gain access to further documents by simply trying around.

With FTP, there is no real traceability

Who accessed a file and when? Access to files is not logged by default. 

Data is often not deleted from FTP servers

Experience over the past decades has shown that files are not deleted "just like that". Who in the company is supposed to keep track of which files can be deleted and when? If you do delete a file, the phone is sure to ring after a few hours because it is needed. The result is a real "data graveyard".

High effort if external persons are to provide data via FTP

From time to time, external communication partners such as customers, suppliers or partners want to send larger files to a company. In the past, separate users and exclusive folders were set up on the company's own FTP server so that the company could retain "data sovereignty".

However, this means that the IT department is even busier with the administration of user accounts. The credentials for these must be communicated to the end users in each case - and in the worst case, the users must even be trained in the use of FTP.

How long these accounts will be needed and how long the data will be kept in the directories has not yet been clarified. Furthermore, FTP does not automatically notify users when data have been uploaded. After the upload, you have to send an email to the recipient yourself to let him know.

All in all, the handling of data transfers via FTP proves to be very inefficient and time-consuming. Precious time that employees would be better off dedicating to their main activities.

• Encrypted file transfer
• Encrypted file storage
• Automatic notification after upload

• No user accounts required
• Time-controlled data deletion on server
• Logging of all upload & download processes

• File transfers directly from Outlook
• File transfers directly from HCL Notes
• Automated file transfers

Are data room solutions secure alternatives to FTP?

Data room providers use to advertise that sophisticated user and rights management can solve the problems of FTP. In some respects this is certainly the case. However, the concept can also be viewed critically.

For although data room solutions initially transfer the data in encrypted form (often, even end-to-end encrypted) and protect it from unauthorised access, here, too, overly granular access and rights management poses the challenge of who is to keep track in the long term. 

For the reasons mentioned above, Cryptshare takes a different approach; with Cryptshare, data is not permanently provided on an additional storage location or access is granted to a file in the file system.

With Cryptshare, files are only provided temporarily and highly encrypted on a secure server and are automatically deleted from the server again after a set period of time, for example 21 days. After deletion from the Cryptshare server, the sender receives a summary of which recipient(s) accessed the provided data and when.