The File Transfer Protocol (FTP) is one of the oldest protocols on the Internet. It was defined in 1985 in RFC 959. Despite its age, this free standard for transferring files is still widely used in companies today.
Fortunately, nowadays, there is a secure, user-friendly alternative available. Welcome to Cryptshare, a part of our Pointsharp Secure Information Exchange solution.
First of all, FTP is an abbreviation for File Transfer Protocol. Protocols are definitions of how communication between endpoints needs to be done. FTP was developed specifically for transferring files in a network and was already used for this purpose in 1974. However, the actual "FTP" standard was not defined until 1985 in RFC 959.
FTP allows the creation, editing, and deletion of entire folder structures on so-called FTP servers. Files can be uploaded and then downloaded. The command line of the desired operating system is sufficient to use FTP. However, there are also numerous user-friendly alternatives in the form of graphical FTP clients, such as WinSCP or FileZilla.
Thanks to FTP, files can be easily and inexpensively made available to other network participants.
No. The File Transfer Protocol (FTP) was initially developed without any significant security mechanisms because the Internet was still small at the time, and cybercrime was practically non-existent. Therefore, with the original FTP, all information is transmitted in plain text.
Since FTP transmits both the access data when logging in and the files when uploading and downloading in unencrypted form, they can be sniffed in so-called man-in-the-middle attacks.
Once an attacker has obtained the access data from the FTP server, he can easily access the server and download or delete data or even replace provided files and entire Internet pages with compromised material.
In this way, an Internet site can quickly become a virus distributor and damage the company's reputation.
Some web hosts offer their customers the option of allowing FTP access only to individual IP addresses. This actually makes it more difficult for attackers to access the FTP server. However, the data is still transferred insecurely, and the concept remains insecure.
Over the years, two secure alternatives to FTP have been developed: the SSH File Transfer Protocol (SFTP) and FTP over SSL/TLS (FTPS).
In both cases, communication is encrypted. FTPS secures communication using Secure Sockets Layer (SSL) or Transport Layer Security (TLS), and SFTP uses the Secure Shell (SSH) for secure transmission.
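A server that still accepts plain FTP next to FTPS can be audited for logins that never upgraded to TLS. The following is an added example, not part of the original page: it assumes a simplified server-side command log format and the explicit-TLS upgrade of RFC 4217 (`AUTH` answered with reply code 234); the log lines and the function name are constructed for illustration.

```python
import re

# Constructed, abridged server-side command log (not from a real server).
# Assumed format: "<session> <C|S> <line>"; C = client command, S = server reply.
SAMPLE_LOG = """\
s1 C USER alice
s1 S 331 Please specify the password.
s1 C PASS ********
s1 S 230 Login successful.
s2 C AUTH TLS
s2 S 234 Proceed with negotiation.
s2 C USER bob
s2 C PASS ********
s3 C auth tls
s3 S 502 Command not implemented.
s3 C user carol
s3 C pass ********
"""

LINE = re.compile(r"^(\S+) ([CS]) (.*)$")

def cleartext_logins(log_text):
    """Return {session: user} for every PASS sent without a completed AUTH."""
    upgraded = set()      # sessions whose AUTH was answered with 234
    pending_auth = set()  # sessions waiting for the reply to AUTH
    user = {}             # session -> last USER argument
    findings = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue      # ignore lines outside the assumed format
        sid, side, text = m.groups()
        if side == "C":
            verb, _, arg = text.partition(" ")
            verb = verb.upper()  # FTP command verbs are case-insensitive
            if verb == "AUTH":
                pending_auth.add(sid)
            elif verb == "USER":
                user[sid] = arg.strip()
            elif verb == "PASS" and sid not in upgraded:
                findings[sid] = user.get(sid, "<unknown>")  # never keep the password
        elif sid in pending_auth:
            pending_auth.discard(sid)
            if text.startswith("234"):  # only 234 means TLS negotiation follows
                upgraded.add(sid)
    return findings
```

Session `s3` is the case to watch for: the client asked for TLS, the server refused, and the client logged in anyway.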
Data transmission is secure with SFTP and FTPS. However, it is important to note that only the data transfer is secured. The files are still available for retrieval unencrypted at the storage location itself.
Confidential data, such as personal data covered by the GDPR and business secrets, should not be stored on an (S)FTP server.
Why FTP servers are no longer state-of-the-art
In the past, FTP servers were often used as an emergency solution. If a file was too large to be sent as an email attachment, the IT or marketing department uploaded it to the FTP server and copied it into the email as a download link.
In some organizations, this option was used so much that the IT department released specially created network drives to the staff. All folders and their files were then synchronized to the public FTP server on an event- or time-triggered basis, for example, via rsync scripts.
As practical and established as such processes may be, they are also problematic.
No access control is possible
FTP does have user names and passwords; in the above example, however, HTTP links were usually issued to recipients so that they did not have to overcome any further technical hurdles.
This results in a severe data security problem: since the recipient learned the folder structure and any file-naming conventions on the FTP server simply by looking at the HTTP link, they could change the link and gain access to further documents by trial and error.
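One common mitigation for guessable download links is to bind each link to its exact path and an expiry time with a keyed signature, so an edited link no longer verifies. This is an added example, not code from the original page and not a description of how Cryptshare works; the secret, the paths and the function names are constructed for illustration.

```python
import hashlib
import hmac
import time

# Hypothetical server-side secret; in practice load it from a secrets store.
SECRET = b"constructed-demo-key-do-not-reuse"

def sign_link(path, expires_at, key=SECRET):
    """Return 'path?exp=...&sig=...' whose signature covers path and expiry."""
    msg = f"{path}\n{expires_at}".encode()
    sig = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{path}?exp={expires_at}&sig={sig}"

def verify_link(link, now=None, key=SECRET):
    """True only if the signature matches this exact path and has not expired."""
    now = time.time() if now is None else now
    path, _, query = link.partition("?")
    params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
    try:
        expires_at = int(params["exp"])
    except (KeyError, ValueError):
        return False  # unsigned or malformed link
    msg = f"{path}\n{expires_at}".encode()
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the match position through timing
    if not hmac.compare_digest(expected.encode(), params.get("sig", "").encode()):
        return False
    return now < expires_at

# Constructed link of the kind that would be pasted into an email.
ISSUED = sign_link("/offers/2024/customer-a.pdf", expires_at=1_700_000_000)
```

Changing the file name or the `exp` value in `ISSUED` invalidates the signature, and the link stops working on its own once the expiry time has passed.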
With FTP, there is no real traceability
Who accessed a file and when? Access to files is not logged by default.
Data is often not deleted from FTP servers
Experience over the past decades has shown that files are not deleted "just like that". Who in the company is supposed to keep track of which files can be deleted and when? If you delete a file, the phone will surely ring after a few hours because it is needed. The result is a real "data graveyard".
High effort if external persons are to provide data via FTP
From time to time, external communication partners such as customers, suppliers, or partners want to send larger files to a company. In the past, separate users and exclusive folders were set up on the company's own FTP server so that the company could retain "data sovereignty".
However, this means that the IT department is even busier with the administration of user accounts. The credentials for these must be communicated to the end users in each case - and in the worst case, the users must even be trained to use FTP.
How long these accounts will be needed and how long the data will be kept in the directories has not yet been clarified. Furthermore, FTP does not automatically notify users when data has been uploaded. After the upload, you have to send an email to the recipient yourself to let him know.
All in all, handling data transfers via FTP proves to be very inefficient and time-consuming. Precious time is something that employees would be better off dedicating to their main activities.
Cryptshare is the secure alternative to FTP
Encrypted file transfer
Encrypted file storage
Automatic notification after upload
No user accounts required
Time-controlled data deletion on server
Logging of all upload and download processes
File transfers directly from Outlook
File transfers directly from HCL Notes
Automated file transfers
Are data room solutions secure alternatives to FTP?
Data room providers used to advertise that sophisticated user and rights management can solve the problems of FTP. In some respects, this is undoubtedly the case. However, the concept can also be viewed critically.
Although data room solutions initially transfer the data in encrypted form (often even end-to-end encrypted) and protect it from unauthorized access, overly granular access and rights management raises the question of who is to keep track of it in the long term.
For the reasons mentioned above, Cryptshare takes a different approach; with Cryptshare, data is not permanently provided at an additional storage location, nor is access granted to a file in the file system.
With Cryptshare, files are only provided temporarily and highly encrypted on a secure server. They are automatically deleted from the server again after a set period of time, for example, 21 days. After deletion from the Cryptshare server, the sender receives a summary of which recipient(s) accessed the provided data and when.