Secure FTP 101 - Page 2

Printer Friendly Version

Some secure FTP products use SSL to perform the encryption. However, this should not be confused with the fact that SSL can be used by itself with a browser to perform file transfer encryptions. SSL by itself is limited in its capabilities. With FTP, including secure FTP, you can change directories, list directories, and grab entire batches and directories of files in one fell swoop. Also, SSL is generally used for getting files, and is rather limited when used for putting batches of raw files in remote locations. While SSL is ideal for online web based financial transactions, since it requires no client side software except a browser, it's not what you want to use to execute large-scale batch file transfers. SSL coupled with FTP gives you the encryption capabilities of SSL with the advanced features of FTP.

The Secure FTP Market
The size of the secure FTP market is hard to quantify since there are no clear market leaders, and industry analysts will likely disagree on whether or not certain products (such as certain PKI based products) qualify as secure FTP products. Clearly though, it is a market segment that will grow steadily as global security concerns increase.

Table 1. Secure FTP vendors and products

One of the biggest challenges for IT decision makers is that they are not properly educated on why they need to use secure FTP products, and under what circumstance they should use them. In some cases using ordinary FTP is may not pose much for a risk. For example, using ordinary FTP while on the inside of a VPN is not that risky, but using it across the unsecured Internet creates increased risk.

To avoid liabilities, vendors who build standard FTP into their products should advise and educate customers if no security measures have been implemented. By qualifying whether or not products have built-in security, vendors will limit their liabilities since customers will be forewarned of the risks involved. If these same vendors license or build in a secure FTP product for integration into their product, they will be able to achieve notable marketing leverage in advertising embedded file transfer security features.

Vendors who sell secure FTP products need to educate prospective customers on why they need to use these products. Many system and network administrators may not understand the risks they are taking when using FTP products that do not offer advanced security features.

User Recommendations
The following are some of my recommendations for anyone considering a secure FTP implementation

• If you're a U.S. Federal Agency, you'll probably want to pick a secure FTP product that is FIPS-140 Certified. If a vendor tells you their product is FIPS-140 Certified, ask to see the FIPS-140 Validation Certificate.
• If you don't want to manage and administer client side software, you'll want to find an application service provider (ASP) model that offers secure FTP functions.
• If you want to use secure FTP for collaboration and file sharing, you may want to consider using a digital vault with an address book that has built-in FTP security. (A digital vault is a secure online storage receptacle typically set up as an ASP service.)
• If you are a web master updating a web site using a secure FTP product will ensure that your website login and password information does not get compromised.
• If you are transferring any sort of financial information or credit card numbers across public networks you should use a secure FTP product if you are not protected by a VPN.

As Secure FTP products become more prevalent, you can expect the number of products available to grow along with the standardization of features.

Go to page: 1  2