Control Questions to Ask When Comparing FTP Service Providers
Deciding to employ an FTP service (or an FTP alternative) for your organization’s file-sharing needs is only half the battle. Now you have to make a choice regarding which provider to use, and the selection process isn’t exactly an easy one. Unless you understand what factors will affect your organization in terms of security and productivity, you won’t be able to make an informed decision.
Choosing the right option begins with asking the right questions about key considerations. One of the most critical considerations is the level of control that your FTP service provider offers. Administrators should be able to exert a great deal of control over access, including permissions and restrictions, to ensure that files are transferred securely at all times. Otherwise, you’re opening up your data to serious risk.
So, how do you distinguish an FTP service provider that facilitates control and enables employees to share information without sacrificing security and compliance? Because there are many consumer-grade and enterprise-level options out there that put too much control in the hands of users, it’s in the best interest of your organization to ask the following questions before making a final selection.
Do you have control over what users see?
Never take administrative control and monitoring in enterprise file sharing for granted. Why? Well, use the following scenario as an example: An employee utilizes a generic file sharing solution and then leaves your organization. Regrettably, they still own that account and any company data stored in it. No one has to tell you the danger this poses to your organization.
If, on the other hand, your FTP service provider enables audit trails and granular access controls, your IT administrators will always have a handle on who has accessed what (and when), and they’ll be able to block user accounts when necessary.
Visibility and control are key aspects of ensuring information security. Your organization’s data assets are invaluable and must be protected from both internal and external threats. So if you can’t control exactly what your FTP users are seeing, your ability to safeguard these assets is severely limited.
Ultimately, the visibility of your enterprise data should be classified based on the sensitivity of that data, and only granted to those individuals specifically designated to access it. Make sure you find out whether any FTP service providers you’re considering give you the ability to have this high level of control over data visibility.
Can you set permissions for users to access only certain files or folders?
Truly secure file transfer demands the ability to manage user access on a supremely granular level. Administrators should be empowered to manage how each person interacts with company files, down to the individual user account. Not all employees will need access to all files, and your FTP service provider should be able to facilitate this.
Be sure to verify whether the providers in the running for use at your organization possess the capabilities to:
- Create private and shared folders as well as set unique permissions per user for each folder
- Deny access to certain files for employees who shouldn't have access to them
- Prevent sensitive data from falling into the wrong hands (both within and outside your organization)
Be aware that there are many consumer-grade and subpar FTP providers that do not deliver the kind of granular user access controls your organization requires to ensure data privacy and security. These types of solutions can leave you in the dark about who accessed or altered a particular file and from where they did so -- which weakens your security efforts.
Most of the FTP providers you’ll encounter use operating system permissions that are limited to read and write only. So if you allow a user to upload, you must also allow them to delete. This lack of control is exactly what you need to avoid. It’s important to be able to set individual permissions for each user (in each folder), including:
- Upload – allows copying files to the FTP server from their local file system
- Download – allows copying files from the FTP server to their local file system
- Delete – allows deleting files from the FTP server
- List – allows directory listing
Additionally, your FTP service provider should enable each user or automation system to authenticate with an individual password or a private SSH key. With this level of access control, you have the power to create private and shared folders, maintaining vigilance over visibility.
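To make the difference from read/write-only permissions concrete, here is an added sketch (not code from any FTP product or from the original article) of a per-user, per-folder check using the four permissions listed above. The user names, folder paths, and the "deepest matching folder wins" rule are assumptions made for illustration.

```python
from enum import Flag, auto
from pathlib import PurePosixPath

class Perm(Flag):
    NONE = 0
    UPLOAD = auto()
    DOWNLOAD = auto()
    DELETE = auto()
    LIST = auto()

# Constructed sample grants (hypothetical users and folders): user -> {folder: permissions}
GRANTS = {
    "alice": {
        "/clients/acme": Perm.UPLOAD | Perm.DOWNLOAD | Perm.LIST,  # upload without delete
        "/clients/acme/dropbox": Perm.UPLOAD,                      # write-only drop folder
    },
    "backup-bot": {"/": Perm.DOWNLOAD | Perm.LIST},                # read-only automation account
}

def effective_perms(user, path):
    """Return the permissions of the deepest granted folder that contains path."""
    target = PurePosixPath(path)
    # Refuse relative paths and ".." segments instead of trying to resolve them.
    if not target.is_absolute() or ".." in target.parts:
        return Perm.NONE
    best, best_depth = Perm.NONE, -1
    for folder, perms in GRANTS.get(user, {}).items():
        granted = PurePosixPath(folder)
        # Compare path components, not string prefixes, so that a grant on
        # /clients/acme does not leak into /clients/acmecorp.
        if target == granted or granted in target.parents:
            depth = len(granted.parts)
            if depth > best_depth:
                best, best_depth = perms, depth
    return best

def is_allowed(user, action, path):
    """True only if the single permission `action` is granted for path."""
    return action in effective_perms(user, path)

if __name__ == "__main__":
    for user, action, path in [
        ("alice", Perm.UPLOAD, "/clients/acme/report.pdf"),
        ("alice", Perm.DELETE, "/clients/acme/report.pdf"),
        ("alice", Perm.DOWNLOAD, "/clients/acme/dropbox/in.csv"),
        ("backup-bot", Perm.UPLOAD, "/clients/acme/report.pdf"),
    ]:
        print(user, action.name, path, "->", is_allowed(user, action, path))
```

A user with no entry in the table gets `Perm.NONE`, so every request is denied unless a grant says otherwise.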
Can user-specified folder and file access be restricted?
Access restrictions are an integral aspect of control when it comes to your file sharing process, so don’t choose any FTP service provider that doesn’t give you the following site-level and user-level control functionalities:
- Control which protocols are active or inactive at the site level, for example to enforce encrypted Explicit FTPS on standard FTP port 21
- Block access to your FTP server based on country of origin to eliminate the risk of unwanted visitors on a global scale
- Benefit from advanced intrusion detection and automated prevention to protect against attacks from within allowed countries
- Allow site administrators to create user-level access rules that restrict individual user connections by their remote IP address and/or by protocol
- Meet requirements for two-factor authentication (username and IP address) over protocols such as FTP or SFTP
- Create unique user-level access controls based on the department a person works in or the client they’re assigned to
In summary, grant access to those who need it and improve security to block those who don't.
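The sketch below is an added example (not taken from any provider's product or from the original article) of how the site-level and user-level restrictions above can be layered when a connection arrives. The rule tables, user names, protocol labels and the placeholder country code `XX` are constructed, and it assumes the country has already been resolved from the remote IP by a separate lookup.

```python
import ipaddress

# Constructed site-level policy: plain "ftp" is switched off, leaving only
# encrypted protocols ("ftpes" = Explicit FTPS); "XX" is a placeholder country code.
SITE = {"protocols": {"ftpes", "sftp"}, "blocked_countries": {"XX"}}

# Constructed user-level rules (hypothetical users; documentation IP ranges).
USER_RULES = {
    "alice": {"networks": ["203.0.113.0/24"], "protocols": {"sftp"}},
    "vendor-sync": {"networks": ["198.51.100.17/32"], "protocols": {"ftpes", "sftp"}},
}

def check_connection(user, protocol, remote_ip, country):
    """Return (allowed, reason). Site rules are evaluated before user rules."""
    if protocol not in SITE["protocols"]:
        return False, "protocol disabled at site level"
    if country in SITE["blocked_countries"]:
        return False, "country blocked"
    rule = USER_RULES.get(user)
    if rule is None:
        return False, "no access rule for user"  # default deny (assumption)
    if protocol not in rule["protocols"]:
        return False, "protocol not allowed for user"
    try:
        addr = ipaddress.ip_address(remote_ip)
    except ValueError:
        return False, "unparseable address"
    # Membership test against each allowed CIDR block for this user.
    if not any(addr in ipaddress.ip_network(net) for net in rule["networks"]):
        return False, "remote IP not in user's allowed networks"
    return True, "ok"

if __name__ == "__main__":
    attempts = [
        ("alice", "sftp", "203.0.113.40", "US"),
        ("alice", "ftp", "203.0.113.40", "US"),
        ("alice", "sftp", "192.0.2.9", "US"),
        ("vendor-sync", "ftpes", "198.51.100.17", "XX"),
    ]
    for attempt in attempts:
        print(attempt, "->", check_connection(*attempt))
```

Returning the reason alongside the decision gives the audit trail something specific to record for each refused connection.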
Can you have multiple site administrators, as well as sub-site administrators in charge of teams of users?
Without this capability, you’re unable to delegate administration based on specific departments. There are plenty of FTP service providers that make it possible to create standard user accounts, but only the most secure ones offer multiple site administrators and sub-site administrators. This should be an important requirement for you, as allowing multiple administrators to share the same login credentials violates a number of compliance regulations.
Therefore, make sure the provider you choose enables you to have multiple site administrators with separate logins, as well as delegate sub-site administration to group administrators who can create and manage users and workspaces within their respective group or department.
Equipped with these essential questions for determining the level of access control that each FTP service provider offers, you’ll have a more streamlined way of weeding out the options that won’t ensure high levels of data privacy and security at your organization. Be sure to consult A Comparison Guide of the Top 7 File Sharing Softwares to simplify your selection process.
About Martin Horan
Founder of FTP Today and an expert in secure file transfer and Internet protocols. A software and IT geek since a young age, Martin has successfully led his companies through the digital age by spotting market niches and filling them with quality IT services.