FTPS or SFTP? It’s not Agatha Christie

FTPS or SFTP? It’s not Agatha Christie

In 1941 crime novelist Agatha Christie published her detective book “N or M?”; while selecting between FTPS or SFTP is hardly the same thing, you still might need to use some sleuthing skills to make the right choice.


Partners in crime

Let’s start by looking at which protocol was around first; FTP by a mile – but not in a secured state initially. FTPS makes use of either the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocols to provide connection security through encryption; this is provided by the FTPS servers x.509 format public key certificate. The certificate may be trusted (provided by a trusted certification authority), or else self-signed. Using a self-signed certificate does not mean the level of encryption is any less, just that you have to be sure that the host is who they say they are. FTPS connections are made secure either implicitly or explicitly. FTPS servers generally listen for implicit connections on port 990 and explicit connections on port 21 – although of course the server administrator may choose to use different ports if they desire.

An implicit connection starts with the client issuing a TLS “Client Hello” message; this message implies that the connection should be secure and if the server doesn’t receive it, the connection is immediately dropped. If however the server does receive the “Client Hello” message, it will send the server certificate to the client, which will authenticate it and use it to encrypt a session key which it then sends back to the server to encrypt the session with.

In the case of explicit FTPS, the client explicitly requests security by sending an “AUTH TLS” (or AUTH SSL) command straight after the connection is made. If the AUTH command is not sent, the FTPS server will treat the client connection as a ‘regular’ non-secure FTP session instead.

Interestingly, implicit connections are not listed in RFC 2228 (the FTPS documentation), only explicit connections.

In either case, once the session has started, the client will need to authenticate to the FTPS server – normally this will be by userid and password, but may also include client certificates if required. All FTP commands are quite naturally passed along the control channel (normally 21 for explicit or 990 for implicit), but FTPS then needs a separate channel for data communications (the actual sending of files or directory lists). The data channels are by default port 20 for explicit FTPS and port 989 for implicit FTPS. Data channels are opened as they are required, then immediately closed again (the control channel remains open for the duration of the session).



In the style of so many detective story plots, SFTP is not what you might immediately suspect it to be – a form of FTP. In fact, FTPS and SFTP are completely unrelated and bear only a passing resemblance in the structure of many commands. SFTP is not FTP over an SSH connection, rather a distinct protocol in its own right which makes use of the underlying SSH protocol to provide connection security and authentication. Because it is using the underlying SSH protocol, it is normal to use the SSH port (generally port 22).

With SFTP we move away from using certificates for encryption and instead use public/private key pairs, which are not signed by trusted authorities. Like an FTPS self-signed certificate, the only area of doubt is that the server is who it professes to be – once you are confident that you have connected to the right server, you simply accept the server key and proceed to exchange files over an encrypted session.

The most important difference between FTPS and SFTP is that SFTP requires just one port to operate on – there is not a separate data and control channel to take care of.

In contrast to FTPS where clients occasionally provide a certificate for authentication, it is common practice for SFTP batch clients to authenticate by key only to avoid the need to store and maintain passwords.


Cards on the table

So having considered some basics of both FTPS and SFTP, let’s look at some of the details and see what each can do that the other can’t. Mostly speaking, what one can do the other can too – there are a few exceptions though:

  • FTPS will allow you to create custom commands
  • SFTP has better control of file permissions, ownership and properties
  • FTPS allows use of Trusted x.509 certificates
  • SFTP only requires a single port to be open on the firewall
  • FTPS supports EBCDIC transfers
  • SFTP allows creation of symbolic links
  • Windows servers and clients don’t natively support SFTP
  • SFTP is simple to install and manage on Linux and Unix servers


And then there were none

Mostly the decision on which protocol to use comes down to the requirements of the organisation; if there is a prevalence of linux/unix servers in a network, SFTP may be the better choice. Conversely, in a Windows only environment it makes no sense to install SFTP as it would require clients to be installed everywhere.

In addition, some firewall administrators would be happier to use SFTP with it’s single port, while some server administrators may not want SSH access to their servers enabled.

Otherwise it makes sense where possible to invest in file transfer server software that supports both protocols and leave the choice up to the clients.


Resources Available For You

The Expert Guide to Managed File Transfer

Includes definitions, requirements assessment, product comparison, building your business case and much more.

Managed File Transfer Needs Analysis

200 essential questions to consider before implementing your chosen Managed File Transfer solution.

Managed File Transfer Comparison Guide

A full feature comparison of Managed File Transfer solutions from the eight leading vendors in the industry.

Impact of Brexit on the GDPR

How is GDPR impacted by Brexit vote

The opening statement of Information Commissioner Sir Christopher Graham’s last annual report talked about “responding to new challenges, and preparing for big changes, particularly in the data protection and privacy field.” Delivering his speech in the early aftermath of Brexit, everyone was keen to get his view on the implications for the roll out of the General Data Protection Regulation (GDPR).

Prior to Brexit

In April of 2016, after two years of debating, the final terms of the European GDPR were agreed. The legislation comes into effect for member states in May 2018 and includes key changes such as:

  • The right to be forgotten
  • New stricter conditions for the adequate protection of file transfers
  • Privacy notices for individuals on how their data is handled
  • Tighter legislation around active consent for processing data
  • And a shared liablity for breaches between data controllers and data processors.

The change that many CIOs will be concerned about is the increase in sanctions for data breach, which have increased to 4% of annual global turnover.


Moving forward

When asked about the uncertainty, the Commissioner stated “We now need to consider the impact of the referendum on UK data protection regulation. It is very much the case that the UK has a history of providing legal protection to consumers around their personal data which precedes EU legislation by more than a decade, and goes beyond current EU requirements.” He stressed that “Having clear laws with safeguards in place is more important then ever given the growing digital economy, and we will be speaking to parts of the government to present our view that reform of the UK law remains necessary.”

But will EU GDPR still effect us?

The changes in EU Legislation are due to come into effect in May 2018. As the debate over Article 50 continues, CIOs face on-going uncertainty. However, whether the UK is still a member of the EU or not, the new rules will still apply to many organisations. The newly agreed scope states that the law will apply to non-EU companies that are offering goods and services to EU citizens. Any UK organisation selling in Europe will still need to comply with GDPR.

In closing, the Commissioner reiterated that the ICO would continue to make sure that the current standard of excellence remains intact. “We must maintain the confidence of businesses and of consumers. The ICO stands ready to enforce the rules that remain and make the case for the highest standards going forward.”

Whatever the law is called, data protection is not going away.

If you’re unsure how any of the current or upcoming data protection legislation effects your businesses’ file transfer requirements give our team of experts a call on 0207 118 9640.

Resources Available For You

The Expert Guide to Managed File Transfer

Includes definitions, requirements assessment, product comparison, building your business case and much more.

Managed File Transfer Needs Analysis

200 essential questions to consider before implementing your chosen Managed File Transfer solution.

Managed File Transfer Comparison Guide

A full feature comparison of Managed File Transfer solutions from the eight leading vendors in the industry.

South River Technologies’ Cornerstone MFT and DMZedge Servers Support Latest Security Standards

South River Technologies’ Cornerstone MFT and DMZedge Servers Support Latest Security Standards

South River Technologies, Inc. (SRT) have announced today that versions 2016 of the popular Cornerstone MFT Server and DMZedge Server now include even more advanced security updates.

The latest version of Cornerstone’s SSH/SFTP engine now has upgraded support for SHA2 and SHA3 Hashing (the newest security standard recently adopted by NSA). SRT is the only MFT vendor currently supporting the SHA3/Keccak standard.

In addition, this version now features Diffie-Hellman key exchange algorithms for group1-sha256 and group14-sha256, advanced methods of digital encryption that allow for the secure exchange of cryptographic keys over a public channel.

These advanced security features allow users to stay proactive and ahead of security issues instead of being reactive, once a security standard has been compromised. These features also ensure that Cornerstone and DMZedge remain the most secure file sharing solutions available.

“As an MFT vendor, our philosophy is to stay ahead of commonly accepted security standards, rapidly adopting the most recently approved standards, customers should never find themselves suddenly vulnerable because an encryption technology has been compromised, and then have to wait for their vendor to catch up.”

Michael Ryan, CEO, South River Technologies

Cornerstone MFT Servers are installed in government, healthcare, financial services and major corporations worldwide. The 2016 versions of Cornerstone MFT Server and DMZedge Server are available for immediate purchase, please contact us on 0207 118 9640 or info@pro2colgroup.

Secure File Sharing at the Local Government Strategy Forum

Secure File Sharing being discussed at the Local Government Strategy Forum

Heythrop Park, April 12th – 13th

This month I attended my second Local Government Strategy Forum, at the beautiful Heythrop Park Resort in Oxfordshire. Invited by our partner Maytech, I was the ‘independent industry expert’ and had the pleasure of spending two days in this lovely environment, talking with senior management and C-suite executives from councils all around the UK.


Before attending these events I had, what I believe to be a commonly held opinion, that council workers were underworked and overpaid. I’d read all the stories in the local press about the six-figure salaries and the cancellation of services to ensure their lavish lifestyle. However I’d never stopped to think what they actually did. Listening intently at these events has given me a small insight into the workings of councils, and whilst I’m sure there is still more efficiencies to be realised, I couldn’t have more admiration for the wide range of services they provide and the challenges they have prioritising them to balance the books.

The financial challenges being faced by councils has lead to them adopting a more business-like approach. They are looking at every aspect of their business to drive out wastage and streamline operations, and that’s where my expertise came in.

John Lynch, CEO, Maytech – presenting Quatrix on day one

Over the duration of two days I spoke with in excess of 50 delegates about their data sharing, collaboration, secure file transfer and business process automation challenges. Our experience in this area, working with council’s such as Cambridgeshire County Council, North East Lincolnshire Council and most recently Mid-Sussex Council, ensured we already had a view on some of the challenges being faced for data sharing in the public sector.

As ever there’s not one technology, which addresses the wide range of data sharing requirements of councils, our council customers are using solutions from five of our suppliers. The service we provide is to help them to fully understand their requirements and then choose the right solutions for their needs and budget.

If your council or company needs to address its file sharing, collaboration and secure file transfer requirements why not download one of our free resources below:

What is Managed File Transfer?

Managed File Transfer Starter Pack

Comparison Guide

Building a Business Case for MFT

Globalscape Webinar | Simplify PCI Compliance

Webinar on how to simplify PCI compliance utilising Globalscape EFT

Payment Card Industry Data Security Standard (PCI DSS 3.0) Became Mandatory from January 1st 2015

Join Globalscape on this webinar to learn tips and best practices from Security Industry leading experts.

If credit card processing or payments touch your organisation, the time is now to make sure you are in total compliance with Payment Card Industry Data Security Standards (PCI DSS). Make sure your growing organisation is protected at every branch, facility, office, or online—wherever card data is transmitted, stored, or archived.



Webinar Agenda:

  • What is PCI?
  • Why do I need to worry about this?
  • What has changed in PCI-DSS Version 3.0
  • What are the best practices
  • How can I be sure that I’m compliant?
  • Q & A

Event Type: Live Webinar

Event Date: Thursday 22th January – 17.00 Hrs GMT


Review this Webinar


  • Payment Card Industry Data Security Standard version 3 (PCI DSS 3.0) became mandatory Jan. 1, 2015.
  • Prepare for PCI Qualified Security Assessors (QSA) using PCI 3.0 when it comes to merchant assessments and how well data security requirements are met.
  • Globalscape sits on the PCI Security Standards Council and was chosen for membership in the Participating Organisation program. Globalscape has active involvement in the advance review of standards and input into the direction of the PCI DSS.


  • Globalscape EFT comprises of a full suite of data protection tools that achieves or exceeds compliance and security practices by the most rigorous standards. EFT’s High Security module facilitates compliance with PCI DSS v3, exceeding security practices mandated by the most rigorous standards, including PCI DSS, FIPS 140-2, HIPAA, DPA, and Sarbanes-Oxley (SOX).
  • EFT also monitors, reports and provides key compliance alerts to keep your organisation up to date on compliance requirements.

Biggest UK Fines By The ICO in 2014

Biggest UK Fines By The ICO in 2014

The Information Commissioners Office (ICO) is a government body set up to regulate those organisations which handle personally identifiable data. Retaining a register of companies and their nominated data handler ensures that the ICO can follow up on any reported data leaks or mishandling of data.

The ICO has the ability to serve a company with an undertaking, prosecution, enforcement notice or a monetary penalty. None of these are good for business or for the individual involved, especially as all details are available in the public domain. In the past 12 months, the ICO took action on 88 individuals or companies. Below is a list of the worst performing businesses and the fines levied.


British Pregnancy Advice Service £200,000 – 7 Marchico-logo-blue-grey
Kent Police £100,000 – 19 March
Amber Windows £50,000 – 3 April
Think W3 Limited £150,000 – 23 July
Reactiv Media Limited £50,000 – 28 July
Ministry of Justice £180,000 – 26 August
EMC Advisory Services Limited £70,000 – 1 October
Worldview Limited £7,500 – 5 November
Parklife Weekender £70,000 – 5 December
Kwik Fix Plumbers Ltd £90,000 – 22 December


Not all of these cases were data breaches, but data had been misused or not protected sufficiently to comply with current legislation by the company or individuals involved. Without the correct processes and policies in place or tools for the job, employees can easily make simple decisions that can put personally identifiable data at risk.

Implementing the right Managed File Transfer or Enterprise File Sync & Share solutions for your organisation need not be difficult and can be a key component of your data security plan. With our assistance we can help you move this up your priority stack assisting with needs analysis through to implementation, helping you comply with regulations such as the Data Protection Act or PCI DSS.

Pro2col’s friendly team of experts have over 15 years experience in keeping data secure in transit and at rest so why not give them a call on +44 (0) 333 123 1240 or contact us via our web site here.

CFTP Managed File Transfer Training