• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 450
  • Last Modified:

sftp pros and cons

We have some employees who send data to a 3rd party for processing via an SFTP server (that they own). Data isnt hugely sensitive but needs a degree of security assurance. there is a proposal to decommission the SFTP server and replace it with a web based application/portal. We don't know much about the configuration of the web portal as yet, but their tech team claim it is more secure than SFTP. From a laymans management perspective, what kind of features would you look for in terms of a web based app to ensure its more secure than SFTP? Does SFTP have its flaws? What data transfer protocols are seen as more secure (if any?)... Appreciate if you could keep your answers at any entry level so we are blinded with technical jargon, we just want to understand the risks...
0
pma111
Asked:
pma111
  • 2
1 Solution
 
Sir LearnalotCommented:
SFTP is secure and relies on the SSH protocol... however a web application (IF AND ONLY IF) setup properly can be more secure. For example you can add dual layer authentication (requiring users to use something additional to a username and password to login).
0
 
Sir LearnalotCommented:
Ofcourse like anything, sftp has its flaws. For example SSH vulnerabilities (e.g. heartbleed) have been discovered before, but that doesnt mean a portal is immune to threats. Overall, I would recommend making the switch if you trust the tech team to do a good job and to setup dual factor authentication
0
 
Dr. KlahnPrincipal Software EngineerCommented:
My two cents worth:

Relying on the support (and more importantly, the goodwill) of an outside team is eventually going to be trouble.  Sooner or later, somebody will leave and it will be necessary to instantly find a different solution.

Eventually just about every encryption method in wide use is either broken or compromised.  Witness WEPcrack and the WPA Protected Setup exploits.

The security in a data transfer application lies as much in the constant support of an experienced team as it does in a secure protocol.  When the protocol is broken, as it eventually will be, quick response is required.

There are more hostiles trying to compromise Web data transfer than there are trying to compromise SFTP.

Trying to fix a security hole in every web server on the planet would be a support nightmare and could take a good long time if the software was "turnkey corporate".

If the data is critical, send it over an encrypted VPN using a strong encryption method.  Then encrypt it again over the VPN connection using SFTP or a secure web server.  Package the information using ZIP or RAR and encrypt the file.  Just because you're not paranoid doesn't mean somebody is not out to get you.
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now