This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.
File server is an important component of a network system. Sharing of files is the basic need of any organization to share information or data between people. Files or information can be anything including graphics, reports, simple text documents or spreadsheets. File transfer basically takes the concept of communication a step ahead by allowing the move of physically stored files over the telecommunications medium. This procedure of moving files between machines is a very common phenomenon that happen everyday in all the organizations. File sharing is one of the important services provided by the network operating system and a file server makes it possible by storing the data for sharing by all the network computers. There are many standard file transfer protocols to choose from in the market today and some common ones that are used today are FTP, SFTP, SCP, HTTP etc. However it is very important to consider certain factors before choosing a file transfer standard that not only does its job but also provides adequate security given the sensitivity of the data being transferred. Not all organizations have the same file transfer needs and the decision to choose which standard to use should be a cost effective and a secured solution. This paper will discuss the details on the importance of file transfer, security issues they are prone to and proper steps to implement, types of file transfer standards that are available etc.
File transfer is nothing but moving files from one machine to another machine and it is the basic need of any organization to share data or information between people almost on a daily basis. File transfer basically takes the concept of communication a step ahead by allowing the move of physically stored files over the telecommunications medium. Files or information can be anything including graphics, reports, simple text documents or spreadsheets. This procedure of moving files between machines is a very common phenomenon that happen everyday in all the organizations. In order to transfer files, a file transfer protocol has to be chosen to do the job. Some of the popular file transfer protocols in use are FTP, SFTP, SCP, HTTP etc and FTP is the most common file transfer standard chosen by many organizations today (itso.iu.edu). However it is very important to consider certain factors before choosing a file transfer standard that not only does its job but also provides adequate security given the sensitivity of the data being transferred. Not all organizations have the same file transfer needs and the decision to choose which standard to use should be a cost effective and a secure solution.
Importance of file transfer security
"As the demand for information sharing grows, the internet has become the medium of choice for organizations that want quick, easy and affordable file exchange", (attachmate.com). It is very important that organizations have to understand the importance of securing their file transfer process in order to maintain their long term trust with their customers, business partners etc. Today's businesses are driven by a lot of electronic sharing of critical information and sharing this information quickly and securely have become quite a challenge for many organizations. In order to remain competitive in the market, organizations are generally challenged with finding more secure, efficient and reliable methods to transfer files over a public network like the internet. Security has become a critical concern for all organizations today with the increased amount of sensitive data travelling over the internet and with the amount of growth in data security breaches by hackers at the same time. With these concerns, organizations have to consider implementing more strategic and tactical solutions to secure their file transfer process.
There are many reasons why companies should take it seriously to secure files during a file transfer process. "Not only is there the potential for a costly data breach, but there are requirements under mandate by Sarbanes-Oxley, HIPAA, GLBA and other regulations that dictate the handling of sensitive files and an organization in violation of these mandates can face hefty fines", (attachmate.com). Organizations also have to understand the fact that securing the file transfer process is not a very expensive or complicated thing to do especially considering the associated risks or threat effects when security is not in place. Most of the secure file transfer solutions are very easy to set up and maintain and they easily integrate with the corporate e-mail system and other directory service.
Image retrieved February 28th 2010 from http://de.wsftp.com/resources/whitepapers/compliance_evolution/SecureFileTransfer-Evolution.pdf
File Transfer Protocol or FTP is an old protocol and is the most preferred for moving files over any TCP (Transfer Control Protocol) based network. FTP is easy to setup, easy to use; it moves files efficiently and reliably; and is highly interoperable since it is a standards-based protocol. Since its introduction FTP has gained a lot of attention from many experts. Though FTP is liked by many, it has a serious issue when it comes to security. When you use FTP connection to transfer files from one machine to another machine, you have to login with your username and password. This username and password travels across the network in clear text (unencrypted) which means that any third person on the same network with a wrong intent can easily intercept this information and gain access to the private files. FTP standard do not provide any built-in safeguards to secure the data that is transferred across the network and FTP clearly fails to provide the security which is very important to any business. This limitation of FTP is clearly very risky to any business governed by stringent regulations aimed at protecting sensitive data. Many organizations still continue to use FTP in spite of its security issue and many web hosts still continue to offer FTP as the preferred file transfer standard for uploading new web pages to a website.
However, FTP is not a very good choice since it does not provide encryption of username and password and the organization's sensitive data is certainly at risk by using FTP. In order to overcome FTP's security problem it is suggested to use FTPS which is nothing but FTP over SSH (Secure Shell). When FTPS is used, the actual file transfer process is handled by the FTP server because the data in transit is encrypted over a secure tunnel. But this option is not the best either since it is difficult to ensure that all FTP channels run on SSH given the fact that FTP uses multiple TCP connections (Cobb, 2006).
Some of the advantages of using FTP:
* FTP is easier to setup and maintain and it transfers large amount of data quickly and efficiently on the internet.
* When FTP is used, it automatically creates backup files. So, whenever the system breaks down and looses data, the backup files are already there.
* When FTP over SSH is used, the user name and password are encrypted via secure tunnels during the transfer process.
Some of the disadvantages of using FTP:
* User name and password are sent in clear text which can easily be intercepted by an eavesdropper on the same network.
* With FTP, multiple TCP/IP connections are needed to download, upload, or control connection etc which requires additional logic to maintain these connections.
* FTP does not provide a built-in safeguard which helps to make sure if the computer on the other end is the right one to receive the data.
* When FTP is used, it may be possible to abuse the FTP's built in proxy features by telling the server to transfer data to an arbitrary port of a third machine.
Image retrieved February 28th 2010 from http://www.vandyke.com/solutions/file_transfer/securefilexfer.pdf
Secure File Transfer Protocol or SFTP is a very popular alternative to FTP today. SFTP is also called as SSH (Secure Shell) File Transfer Protocol. (SSH program provides strong authentication and secure communications over insecure channels.) SFTP standard is similar to FTP standard but it provides more security. SFTP standard uses SSH to encrypt the entire file transfer process which means that the username, password and the data are not sent in clear text like FTP. "Encryption is the secure method that converts readable information into unreadable format by keeping the content unchanged. This is considered as the ultimate security measure and restricts unauthorized to view the actual content of the files", (Hobach, 2006). Because the file transfer process is encrypted, it is very difficult for a third person to intercept the sensitive information in transit from the system that is using secure channels. When the transfer process is completed, these files are automatically unencrypted at the destination and can be accessed as usual.
Like FTP, SFTP also provides a similar interactive interface and SFTP is a subset to SSH which means that SSH will handle all the session management. One of the important feature of SFTP is it uses SSH; and with SSH's cryptographic functions it is easy to verify the server's identity to the client. Apart from file transferring, SFTP system also provides many other options to manage the files including deletion, renaming, interrupted transfer resumption and directory listings. For this reason, it is very important to set the correct permissions on your SFTP server to ensure the right privilege access (Cobb, 2006). SFTP is more platform independent in the recent versions when compared to FTP, and SCP; and is supported by both Linux and UNIX servers
Some of the advantages of using SFTP:
* With SFTP, username and password are always encrypted while in transit, so it is less likely to be intercepted.
* SFTP protocol offers more security to data transfer since it encrypts both data and command line channels.
* Also, with SSH's cryptographic functions it is easy to verify the server's identity to the client.
* SFTP protocol also includes extra features to manage files including deletion, renaming, interrupted transfer resumption and directory listings.
* SFTP is very easy to integrate and it provides cross platform support and maximum connectivity with more security.
Some of the disadvantages of using SFTP:
* SFTP protocol requires an SSH server that supports SFTP.
* Large files take a lot of time with SFTP since it has to encrypt all the channels during the transit.
* SFTP does not provide server-to-server copy and recursive directory removal operations.
Image retrieved February 28th 2010 from http://www.vandyke.com/solutions/file_transfer/securefilexfer.pdf
"Secure Copy Protocol or SCP is an old file transfer protocol that also uses SSH to encrypt the entire file transfer process. SCP was actually developed after the UNIX's rcp (remote file copy) command and it provides one-at-a-time file transfers. One of the common features between SFTP and SCP is the use of SSH's cryptographic functions to verify the server's identity to the client ", (itso.iu.edu). Like SFTP, SCP also relies on the SSH protocol to provide authentication and security for username, password and data in transit. But SCP is missing the additional features to manage files like SFTP does which is a disadvantage.
SCP also raises a security concern. "When an SCP client sends a request to download files or directories, the server feeds the client with its subdirectories and files, causing a server-driven download which makes the protocol a security risk if the server is malicious or has been compromised", (Cobb, 2006). WinSCP, OpenSSH etc are some of the applications that support SCP. SCP file transfer standard can only provide file transfer in both directions but will not be able to provide other functions like SFTP. However, WinSCP can offer other extra features using common shell commands but for this purpose WinSCP requires full shell access and permission to execute other commands besides the basic functions.
Some of the advantages of using SCP:
* With SCP, both logon credentials and data are encrypted in transit, thus it provides more security to the sensitive information from being intercepted.
* Since SCP uses SSH, SSH's digital functions will be able to verify the server's identity to the client.
Some of the disadvantages of using SCP:
* SCP is missing file managing features unlike SFTP and also when compared, it is not very flexible.
* When SCP is used, a file transfer that is in process cannot be canceled without actual termination of session.
SSL & SSH
File Transfer Protocol (FTP) is the most common standard that is used to protect the file transfer process and this is often deployed as a simple solution to enable the data or information exchange over the internet. Basic FTP fails to provide proper security and data management and it is simply not very secure. Since FTP is shared using a common open port, anybody can easily intercept the data transferred through FTP. With this in mind, it is recommended that a basic FTP is not a very practical and viable choice to provide the security to the confidential data that is needed except in situations where data is not that critical and has no risks associated or not considered high risk to actually need a security. The two common security protocols that were becoming quite popular today to help secure and increase the reliability of file transfer process are the Secure Sockets Layer (SSL) and Secure Shell (SSH). These two protocols are especially designed to encrypt the files in transfer and associated administration network traffic.
Both the protocols enhances the security and reliability of file transfer by using encryption to protect against unauthorized access and modification of confidential data during transmission across open networks such as the Internet. SSL secures transactions over the web by providing certificate based authentication and securing data transmissions using strong encryption. SSH or Secure Shell comes with own encrypted channels and the main idea behind developing SSH is to transfer data securely over the network by using strong encryption and authentication methods. Today, most operating systems support SSH including Linux and UNIX and for this reason SSH has become quite popular in IT environments for transferring files (SFTP). "SFTP is very firewall-friendly because it uses a single connection for uploading and downloading, and it improves on the security of standard FTP by encrypting all data transfer traffic, connection control data and passwords to eliminate eavesdropping, connection hijacking, and other attacks", (stonebranch.com).
File transfer has become a common phenomenon for all businesses today and as part of the process, millions of critical and confidential files are electronically exchanged every day. We have all seen and experienced some way or the other how insecure or unmanaged file transfers present a significant risk to the organizations. There are numerous alternatives available in the market today to transfer files from one place to another and if you look in detail, you will realize the various security characteristics associated to these alternatives. There are many aspects to consider when deciding on the suitable solution and I think the best solution to any organization's file transfer needs is the one that enables secure, reliable file transfer by providing integrated, strong security of SSL and SSH encryption, along with the tools to effectively manage the end to end file transfer process. Organizations shouldn't worry about the security breaches of critical data during file transfers which can only make them distract from their core business. All organizations needs are different and in order to make a decision, it is important that organizations differentiate and understand the features of the various protocols and what sets them apart. "Replacing or augmenting FTP with the industry standard SSH and SSL protocols is a practical, reliable, and affordable alternative", (attachmate.com). A secure and reliable file transfer solution will ensure that organizations stay confident on the security of their data so they can concentrate well on their businesses.
Cobb, M. (2006). Which Internet protocol is more secure: FTPS or SCP? Retrieved February 28th 2010 from http://searchsecurity.techtarget.com/expert/KnowledgebaseAnswer/0,289625,sid14_gci1232457,00.html
Hobach, A. (2006). FTP Hosting Security - Comparison between SSL, TLS, and SSH. Retrieved February 28th 2010 from http://ezinearticles.com/?FTP-Hosting-Security---Comparison-between-SSL,-TLS,-and-SSH&id=214217
Secure File Transfer Alternatives. Retrieved February 28th 2010 from http://itso.iu.edu/Secure_File_Transfer_Alternatives
Internet File Transfers Security Holes and How to Fix Them. Retrieved February 28th 2010 from http://www.attachmate.com/NR/rdonlyres/F93F4427-8CE7-4323-8ED3-5A321F99FC98/0/060008A40607_Int_File_Trans_wp.pdf
Musthaler, L. (2007). The security concerns of file transfer. Retrieved February 28th 2010 from http://www.networkworld.com/newsletters/techexec/2007/0820techexec1.html
Osmanoglu, T E., Schramm, J R., Mitchell, M C. (2002). External data feeds: The new Web of trust; Business Communications Review. Jan 01st, 2002. Vol. 32, No. 1. Retrieved February 28th 2010 from ELibrary.
Phifer, L. (2006). An Overview of the Secure Shell (SSH). Retrieved February 28th 2010 from http://www.vandyke.com/solutions/file_transfer/securefilexfer.pdf
Securing Your Business with Managed File Transfer - Why FTP/SFTP solutions are no longer a viable option. Retrieved February 28th 2010 from http://www.stonebranch.com/whitepapers/Infitran_MFT_Secure_Your_Business.pdf
Stelzl, D. Evolution from FTP to Secure File Transfer. Retrieved February 28th 2010 from http://de.wsftp.com/resources/whitepapers/compliance_evolution/SecureFileTransfer-Evolution.pdf
TelecomWeb News Break. (2008). Alternatives For Enterprise FTP Needs. Potomac: Jan 8th, 2008. Retrieved February 28th 2010 from ProQuest.