Choosing secure file transfer products for your enterprise

Are you concerned about file transfer security? Expert Karen Scarfone discusses the best products for transporting files while maintaining their confidentiality.

Since the earliest days of computing, there have been mechanisms for transferring files from one system to another. Unfortunately, these mechanisms, such as the File Transfer Protocol (FTP) and email, have lacked built-in security features. As organizations became more security conscious and threats expanded, organizations needed ways to transfer files while ensuring their confidentiality, integrity and availability, as well as allowing for the monitoring and managing of them.

To help accomplish these goals, vendors have created a wide variety of file transfer products. In this guide, find out how secure file transfer products work and determine which may be the best fit for your particular environment.

Secure file transfer explained

At its most basic, file transfer technology is simply a mechanism to transport a file from one system to another system over a network. A secure file transfer adds security features to this transport, such as encrypting the file to preserve its confidentiality and integrity. This prevents eavesdroppers on the networks between the systems from accessing the file contents and reading or modifying them. Secure file transfer also involves some sort of reliable delivery, even if it's just provided by TCP/IP conventions. Most secure file transfers are based on standard protocols such as the Secure File Transfer Protocol (SFTP) or secure copy (SCP).

What makes file transfers confusing is that there are several ways to provide security. The most sophisticated type is known as managed file transfer (MFT), and it adds a wide variety of management, auditing, automation, security and reliability features to secure file transfers.

Another IT system that enables file transfer security is the file hosting service. Originally intended for end user collaboration, file hosting services also typically offer access control and encryption features that allow a user to email a link to a person that grants him or her secure access to a file hosted on the service.

What makes file transfers confusing is that there are several ways to provide security.

Email encryption technologies are yet another class of products that can offer file transfer security. These products have the ability to support large file transfers through email messages. Like the file hosting services, the email encryption product only transfers a link to the file to the recipient, not the file itself. The user then simply clicks on the link to securely download the file from its repository.

How secure file transfer works

Secure file transfer and other products -- MFT, file hosting services and email encryption products -- all have a common approach to protecting files: access control. How this access control is achieved may vary widely among classes of products, not to mention individual products within each class. But the basic idea is that there is some sort of shared secret between the sender and the recipient. It could be as simple as a hard-to-guess URL transferred via email (though that assumes, likely incorrectly, that email messages are secure) or an agreed-upon password. Or it could be as complex as integration with an enterprise identity and access management (IAM) system. This shared secret is used to encrypt the file before it is transferred from the sender to the recipient. After getting the encrypted file, the recipient's computer uses the shared secret to decrypt the file.

Secure file transfer features

The most basic types of secure file transfer, such as those based on SCP, are command-line interfaces only, so they are intended for automated instead of interactive use. They offer few features, but are relatively inexpensive to set up and use as compared to other classes of file transfer systems. They are often considered advantageous because the organization fully controls this type of transfer, not a third party (e.g., a cloud provider).

Secure file transfer based on SFTP is typically more feature-rich than those based on SCP. SFTP-based file transfers often have GUIs available, which make them easier to use. However, both SCP and SFTP-based systems generally lack most of the features that other file transfer systems provide.

An example is robust auditing. Many organizations need to audit some or all of their file-transfer activities for compliance reasons -- for example, because sensitive personally identifiable information (PII), such as financial records and health records, is being transferred from one system to another. Secure file transfer methods typically lack such auditing capabilities, so organizations that need these often use MFT instead. However, even file hosting services typically offer at least some file transfer auditing capabilities.

Another example of a feature that secure file transfer systems lack is automated scheduling. Although they might offer basic scheduling, such as scheduling the transfer of a certain file at a particular time, MFT systems have much more robust scheduling capabilities. For instance, MFT can stagger the transfer of files that are not time-critical so as to reduce demands on bandwidth or processing. By managing resource use, this intelligent scheduling can save the organization money and prevent inadvertent denials of service.

Secure file transfers typically work directly between a sender and a recipient. MFT usually provides an intermediary system, which may be a dedicated server within the organization's facilities or a cloud-provided service. The file is actually transferred from the sender to the MFT repository, where it is strictly protected through access control measures, including encryption of the stored file. Then the transfer to the recipient from the MFT repository occurs at a later time. This isolates the sender's system from the recipient's system, and also permits easier monitoring and tracking of repository and transfer usage by all parties. Sophisticated MFT technologies offer automatic archival and purging capabilities for the repository to ensure compliance with document-retention policies.

The Bottom Line

Secure file transfer systems offer a basic way to get files from one place to another while safeguarding their confidentiality, integrity and availability. They are inexpensive and have been widely used for decades, particularly for automated transfers that occur behind the scenes. However, depending on the nature of the files being transferred, it may be prudent to invest in using an MFT product because of its advanced management, auditing, security and other features. Organizations that occasionally need to allow individual users to transfer files securely should carefully consider file hosting services because they can provide adequate security if configured and used properly. Existing email encryption-based services are another potential option -- again, if there's an occasional need to have users transfer files securely. There is no shortage of options to be considered when planning file transfer security.

This was last published in April 2016

Dig Deeper on Network security