SFTP pros and cons

We have some employees who send data to a 3rd party for processing via an SFTP server (that they own). Data isn't hugely sensitive but needs a degree of security assurance. There is a proposal to decommission the SFTP server and replace it with a web-based application/portal. We don't know much about the configuration of the web portal as yet, but their tech team claim it is more secure than SFTP. From a layman's management perspective, what kind of features would you look for in terms of a web-based app to ensure it's more secure than SFTP? Does SFTP have its flaws? What data transfer protocols are seen as more secure (if any)? Appreciate if you could keep your answers at an entry level so we are blinded with technical jargon, we just want to understand the risks...
pma111 Asked:

Sir Learnalot Commented:
SFTP is secure and relies on the SSH protocol... however, a web application (IF AND ONLY IF) set up properly can be more secure. For example, you can add dual layer authentication (requiring users to use something additional to a username and password to log in).
Sir Learnalot Commented:
Of course, like anything, SFTP has its flaws. For example, SSH vulnerabilities (e.g. Heartbleed) have been discovered before, but that doesn't mean a portal is immune to threats. Overall, I would recommend making the switch if you trust the tech team to do a good job and to set up dual factor authentication.
Dr. Klahn, Principal Software Engineer, Commented:
My two cents worth:

Relying on the support (and more importantly, the goodwill) of an outside team is eventually going to be trouble.  Sooner or later, somebody will leave and it will be necessary to instantly find a different solution.

Eventually just about every encryption method in wide use is either broken or compromised.  Witness WEPcrack and the WPA Protected Setup exploits.

The security in a data transfer application lies as much in the constant support of an experienced team as it does in a secure protocol.  When the protocol is broken, as it eventually will be, quick response is required.

There are more hostiles trying to compromise Web data transfer than there are trying to compromise SFTP.

Trying to fix a security hole in every web server on the planet would be a support nightmare and could take a good long time if the software was "turnkey corporate".

If the data is critical, send it over an encrypted VPN using a strong encryption method.  Then encrypt it again over the VPN connection using SFTP or a secure web server.  Package the information using ZIP or RAR and encrypt the file.  Just because you're not paranoid doesn't mean somebody is not out to get you.
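
The file-level layer suggested in the comment above (encrypt the file itself, independently of the VPN, SFTP or web channel), sketched with OpenSSL as an added example that is not part of the original thread. It swaps ZIP/RAR encryption for AES-256 plus a separate HMAC integrity tag; the function names, passphrase file and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: encrypt-then-MAC a file before handing it to any transport.
# Assumptions: openssl is installed; the passphrase file is shared out of band.

mac_key() {  # derive a MAC key (hex) that differs from the encryption key
    { printf 'mac:'; cat "$1"; } | openssl dgst -sha256 | awk '{print $NF}'
}

file_mac() {  # HMAC-SHA256 of file $1 under hex key $2
    # Caveat: the key is visible in the process list while openssl runs.
    openssl dgst -sha256 -mac HMAC -macopt "hexkey:$2" < "$1" | awk '{print $NF}'
}

seal_file() {  # seal_file <plain> <sealed> <passfile>; writes <sealed>.mac too
    openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
        -pass "file:$3" -in "$1" -out "$2" || return 1
    file_mac "$2" "$(mac_key "$3")" > "$2.mac"
}

open_file() {  # open_file <sealed> <plain> <passfile>; refuses modified input
    want=$(cat "$1.mac") || return 1
    got=$(file_mac "$1" "$(mac_key "$3")")
    [ -n "$got" ] && [ "$got" = "$want" ] || { echo "MAC mismatch: $1" >&2; return 1; }
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -pass "file:$3" -in "$1" -out "$2"
}

demo_roundtrip() {  # constructed sample data; 0 = round trip ok and tampering caught
    d=$(mktemp -d) || return 1
    printf 'constructed-passphrase-not-a-real-secret\n' > "$d/pass"
    printf 'id,amount\n1001,250.00\n' > "$d/batch.csv"
    seal_file "$d/batch.csv" "$d/batch.enc" "$d/pass" || return 1
    open_file "$d/batch.enc" "$d/out.csv" "$d/pass" || return 1
    cmp -s "$d/batch.csv" "$d/out.csv" || return 1
    printf 'X' >> "$d/batch.enc"   # simulate modification in transit
    if open_file "$d/batch.enc" "$d/bad.csv" "$d/pass" 2>/dev/null; then return 1; fi
    rm -rf "$d"
}

demo_roundtrip && echo "round trip ok, tampering detected"
```

The sealed file and its `.mac` tag travel together over whichever channel is used; the receiver checks the tag before decrypting, so a broken or misconfigured transport exposes only ciphertext.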