Know Your FTP Service Provider — Beware the Public Cloud!

With the advent of the cloud, anyone with a little experience in applications like FTP can open up shop as an FTP hosting provider. This puts a heavy burden on you to know your FTP provider as intimately as, if not more intimately than, you would know your own IT security staff if you were hosting your own FTP server in-house.

What Does “The Cloud” Mean?

To some, “I am using the cloud” may just mean “I am outsourcing this application.” But, the word “cloud” is not a synonym for “outsourcing”. A cloud is a platform for building servers virtually instead of physically. This platform allows someone to instantly provision a virtual CPU, virtual memory and virtual storage as a virtual server. They can then install an operating system (e.g. Linux or Windows) just as if they were building and configuring a physical server. Applications like an FTP server and web server go on top of that.

There are three types of clouds — public, private and hybrid clouds.

  1. Public cloud: In a public cloud, the computing infrastructure is hosted by a vendor (such as Amazon) at the vendor’s premises. An FTP service provider using a public cloud has no visibility or control over where the computing infrastructure is hosted. This public computing infrastructure is shared between many organizations and individuals.
  2. Private cloud: The computing infrastructure is dedicated to a particular FTP service provider and is not shared with other organizations. Private clouds are significantly more expensive and more secure when compared to public clouds.
  3. Hybrid cloud: This is the combined use of on-premise private clouds with off-premise public or private clouds.

Organizations should host critical applications on private clouds and applications with relatively less security concerns on the public cloud.

Public vs Private

So, you’ve decided that the hassles of building, managing and securing an in-house FTP server are not for you and you have decided to outsource to an FTP hosting specialist. The biggest mistake you can make in choosing an FTP hosting company for your secure file transfer is to choose a provider that uses a public cloud.

Why? Because if they utilize a public cloud, they neither own nor manage any infrastructure. As it says above, the FTP host has no visibility or control over where the computing infrastructure is hosted. This type of FTP host has even signed off on terms of service from their cloud platform provider (e.g. Amazon) that absolve the cloud platform provider of any and all responsibility in the event of any downtime, security breach or other failure.

A public cloud based FTP provider may make their public-cloud partnership into a selling point because of “infinite scalability” or the fact that the data is replicated automatically to storage systems all over the world for “99.999999999% file durability”. But, you should know better than to fall for these marketing ploys.

This is your data! You should know at all times where your data is and you should also be guaranteed that it is secure.

See this CRN article: Researchers Uncover ‘Massive Security Flaws’ In Amazon Cloud

CONCLUSION

Your FTP site is a mission-critical business application. Not only should it use secure Internet protocols (SSL), but you should also make sure your data is safe and isolated. You should know where your data is physically kept and should be assured that no copies are kept elsewhere in the name of “redundancy”.

Choose an FTP service provider that owns and manages their own private cloud. They have all the benefits of instantly provisioning new FTP servers and push-button scalability, but none of the potential downsides of using public infrastructure.

Secure FTP

The intent of this article is to explain how FTPS, SFTP and HTTPS protocols differ from one another, and the advantages and disadvantages of each method of encryption.


FTPS (FTP using SSL) – Best for Secure and Automated Transfers

Advantages:

  1. Uses 256-bit SSL encryption
    • Username and password are encrypted, as opposed to being sent over the Internet as clear text, as with standard FTP.
    • Data files are sent over an encrypted channel. [Note - This may be user-selectable on stand-alone client software]
    • No one can snoop or sniff out your login information or the contents of your data files on the public Internet.
  2. Third party FTPS client software compatible
    • Many standalone FTPS client software packages can automate and schedule unattended transfers… a BIG ADVANTAGE.
    • Some of your users may already have FTPS client software and prefer it to our web-based method (next).
  3. Users are jailed to their private FTP folders based upon username.
  4. Activity log keeps track of all user activity.

Disadvantages:

  1. Your end users will have to license and install FTP client software ($0 to $50) with FTPS capabilities.
  2. FTPS is not always “firewall-friendly”, therefore you and your clients with firewalls may have to arrange for certain TCP/IP ports to be open to your FTP Today FTP site’s IP address. This is not a major hurdle and our support staff will guide you.
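
The note above that data-channel encryption "may be user-selectable" matters in practice: in explicit FTPS, the client encrypts the control channel with AUTH TLS but must also send PROT P before file contents and listings are encrypted. The following is an added example, not code from the original article or from FTP Today. It audits a client-side command log for that gap, and the sample sessions are constructed.

```python
# Added example: audit the client commands of one explicit-FTPS session.
# Commands that open a data connection (file contents or directory listings).
DATA_COMMANDS = {"LIST", "NLST", "MLSD", "RETR", "STOR", "STOU", "APPE"}

def audit_ftps_session(commands):
    """Return findings for a list of client commands, in the order sent."""
    control_tls = False    # control channel encrypted (after AUTH TLS)
    data_private = False   # data channel encrypted (while PROT P is in effect)
    findings = []
    for line in commands:
        parts = line.strip().split(None, 1)
        if not parts:
            continue
        verb = parts[0].upper()
        arg = parts[1].strip().upper() if len(parts) > 1 else ""
        if verb == "AUTH" and arg in ("TLS", "SSL"):
            control_tls = True
            data_private = False   # data protection starts at Clear after AUTH
        elif verb == "PROT":
            # PROT P only takes effect on a TLS-protected control channel.
            data_private = control_tls and arg == "P"
        elif verb in ("USER", "PASS") and not control_tls:
            # Report the verb only; never copy the argument (it is the secret).
            findings.append(f"{verb}: sent in clear text")
        elif verb in DATA_COMMANDS and not data_private:
            findings.append(f"{verb}: data channel in clear text")
    return findings

# Constructed sample sessions (not captured from any real server).
SESSION_PRIVATE = ["AUTH TLS", "USER alice", "PASS ****", "PBSZ 0", "PROT P",
                   "PASV", "RETR report.pdf"]
SESSION_MIXED = ["AUTH TLS", "USER alice", "PASS ****", "PASV", "LIST",
                 "PBSZ 0", "PROT P", "STOR a.zip", "PROT C", "RETR b.zip"]
SESSION_PLAIN = ["USER bob", "PASS ****", "PASV", "RETR x.zip"]

if __name__ == "__main__":
    for name, session in [("private", SESSION_PRIVATE),
                          ("mixed", SESSION_MIXED),
                          ("plain", SESSION_PLAIN)]:
        print(name, audit_ftps_session(session))
```
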

FTP – over – HTTPS (SSL Tunnel) – Best for Secure Web-based Transfers

Advantages:

  1. Uses up to 2048-bit SSL encryption
    • Username and password are encrypted, as opposed to being sent over the Internet as clear text, as with standard FTP.
    • Data files are sent over an encrypted channel. [Note - This may be user-selectable on stand-alone client software]
    • No one can snoop or sniff out your login information or the contents of your data files on the public Internet.
  2. Web browser based
    • Requires no software to be installed by the end user, except a Java Virtual Machine (plugin that is free and everyone usually already has).
    • Loads quickly and seamlessly in their web browser window, and is automatically unloaded when that window is closed.
  3. Users are jailed to their private FTP folders based upon username.
  4. Activity log keeps track of all user activity.
  5. HTTPS is firewall-friendly, therefore you should have no client-side issues to deal with.

Disadvantages: [NONE]


SFTP using SSH2 – Another choice for Secure and Automated Transfers

Some standalone FTP client software packages offer “SFTP”. SFTP is not a generic acronym for “Secure File Transfer Protocol”; the “S” refers to SSH (Secure SHell), which provides the encryption. Like FTPS, this is another secure protocol.

Advantages:

  1. Uses up to 256-bit SSH2 encryption
    • Username and password are encrypted, as opposed to being sent over the Internet as clear text, as with standard FTP.
    • Data files are sent over an encrypted channel.
    • No one can snoop or sniff out your login information or the contents of your data files on the public Internet.
  2. Third party SFTP client software compatible
    • Many standalone SFTP client software packages can automate and schedule unattended transfers… a BIG ADVANTAGE.
    • Some of your users may already have SFTP client software and prefer it.
    • Firewall-friendly, since all commands and files are transferred over a single port — TCP port 22.

Disadvantages:

  1. Your end users will have to license and install SFTP software on their computers.
  2. You may also have to support your end users in installing, configuring and using their SFTP software.
  3. Most SFTP server deployments use OpenSSH/SFTP on the server, which does not jail a user inside of a particular folder based on their username & password authentication. Because of this lack of privacy among multiple users, SFTP is best deployed in a single-user environment. [see UPDATE below]
  4. SSH/SFTP keeps no log of user activity. There may therefore be no audit trail whatsoever. [see UPDATE below]

UPDATE – As of April 1, 2010, FTP Today is the only service we are aware of that does NOT have the limitations described above in items 3 & 4.
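
Items 3 and 4 describe an OpenSSH server left at its defaults; OpenSSH's own ChrootDirectory directive and the -l option of internal-sftp address jailing and transfer logging respectively. The following is an added example, not code from the original article or from FTP Today. It checks an sshd_config for both settings, and the group name, paths and sample configs are hypothetical.

```python
# Added example: does an sshd_config jail SFTP users and log their transfers?
# Log levels at which sftp-server records the operations it performs.
TRANSFER_LOG_LEVELS = {"INFO", "VERBOSE", "DEBUG", "DEBUG1", "DEBUG2", "DEBUG3"}

def parse_sshd_config(text):
    """Map each section ('global' or the Match criteria) to its directives."""
    sections = {"global": {}}
    current = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = value
            sections.setdefault(current, {})
        else:
            # sshd keeps the first value it reads for a keyword.
            sections[current].setdefault(key, value)
    return sections

def audit_sftp_section(settings):
    """Return findings for one section's directives (keys lower-cased)."""
    findings = []
    if settings.get("chrootdirectory", "none").lower() == "none":
        findings.append("no ChrootDirectory: users are not jailed")
    words = settings.get("forcecommand", "").split()
    if not words or words[0] != "internal-sftp":
        findings.append("no ForceCommand internal-sftp: shell access not ruled out")
    elif not ("-l" in words[:-1]
              and words[words.index("-l") + 1].upper() in TRANSFER_LOG_LEVELS):
        findings.append("internal-sftp without -l INFO: transfers are not logged")
    return findings

# Constructed configs; the group name and paths are hypothetical.
DEFAULT_CONFIG = "Subsystem sftp /usr/lib/openssh/sftp-server\n"
JAILED_CONFIG = """\
Subsystem sftp internal-sftp
Match Group sftpusers
    # The chroot path must be root-owned and not writable by the user.
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp -l INFO
    AllowTcpForwarding no
"""
```

Run `audit_sftp_section(parse_sshd_config(text)[section])` on the section that applies to your SFTP accounts; an empty list means both the jail and the transfer log are configured.
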


HTTPS (HTTP using SSL) – Not designed for File Transfer applications.

Disadvantages:

HTTPS is used in hosting websites with e-commerce applications. This is great for securing order forms while customers enter credit cards, but functions like user-authentication and folder privacy are not best handled by HTTP or HTTPS. The HTTPS protocol is not natively meant for transferring files. It is meant for displaying web content over a secure connection from a web browser to a web server.

How to Choose the Right FTP Host

FTP (File Transfer Protocol) has changed the way that small companies and big businesses alike share information across the Web. Once used only by serious web professionals who needed an efficient, fast way to upload and download large files, FTP has evolved into a common way to download and distribute files by companies like Microsoft, Adobe, and others.

FTP offers many advantages over simply emailing large files to business partners, vendors and clients. Instead of tying up server space and time and waiting and waiting and waiting for an email attachment to get delivered (if your inbox is big enough for the attachment at all), you simply upload the file to a secure FTP site, where the intended recipient can download it at their leisure.

There’s no doubt that even the casual user could benefit from having their own account with a reputable FTP hosting company, much less a major corporation. But how do you know what to look for in an FTP host?

Fortunately, there are some common services that FTP hosting companies should offer that will help you find the right provider to suit your individual and business needs:

  1. Dedication to File Transfer Applications. Choose a company that is dedicated to multiple username, private FTP hosting ONLY. Having this as their core business means they take their job, and your data, seriously. Make sure they are not co-mingling other resource-hungry services like web site hosting and email on the same server with your FTP site.
  2. The Need for Speed. Your FTP host should consistently offer extremely high rates of transfer speeds. It’s not advantageous to use a hosting company whose transfer speeds are the same or only slightly better than the cable service or DSL connection at your home or office.
  3. The More the Merrier. The best FTP hosts allow for an unlimited number of users to simultaneously transfer files at any given time, and their systems are robust enough to handle it. This is essential for even small companies, not to mention those who have thousands of employees who share project and informational files constantly.
  4. Capacity is King. Find a provider that allows you unlimited transfer or bandwidth usage and doesn’t surprise you at the end of the month with “overage” fees. The best FTP hosts offer unlimited bandwidth for your quoted rates and stand by that.
  5. Compatibility. Let’s say you’re in Prague for a big meeting, and your computer crashes before you can download the presentation. What next? That Internet cafe around the corner will serve you well if your host offers a browser-based FTP client program at no extra charge. The more multiple platform connection options you have for convenience and ease of use, the better.
  6. Service You Can Depend On. You want technical support provided by a dedicated technical staff that is intimately familiar with the network, without having to flip pages in a manual to give you the answers you need.
  7. Stability. You want a company that’s not only been around the block, but has a house there. Choose a provider with a proven track record in the industry that is committed to hosting, not someone that resells third-party hosting services out of their basement.
  8. Uptime Guarantees. The phone company won’t do this, but good FTP hosts will. If it’s anything less than 99.9%, you’re really taking a chance that those important files won’t be there when you absolutely have to have them.
  9. Security. You need the peace of mind that only an industry certification like SAS-70 offers. This will eliminate the anxiety of wondering whether your files are safe from hackers, and competitors.
  10. Dedicated IP Address for You Alone. Having a unique IP address for your FTP site means you can point your own DNS hostname to it if you want, or simply use the IP address on its own.

With these top 10 features to serve as your guide, you’re sure to find a great FTP host you can depend on for all your file transfer needs.