Two types of secure FTP exist: FTPS and FTPES. While they are both built on the same protocol, FTPS and FTPES have subtle differences that make them better for different secure file transfer scenarios. In this blog, we’ll compare the differences between FTPS and FTPES to help you make an informed decision between the two protocols.
Understanding the Basics of Secure FTP
FTP, or File Transfer Protocol, has been a staple for transferring files over the internet. However, in its basic form, FTP transmits data in clear text, which leaves it vulnerable to interception and data breaches. Engineers created two types of solutions to this problem by allowing FTP connections to upgrade to encryption at different points of the transfer process: FTPS and FTPES.
What is FTPS?
FTPS stands for File Transfer Protocol Secure, or FTP over SSL (Secure Sockets Layer). FTPS requires a secure connection to be established via SSL/TLS before the FTP session begins. Regular FTP commands are then sent over the secure connection in order to transfer file data. This traffic is protected from prying eyes by the SSL/TLS encryption.
FTPS’s required connection encryption approach is known as implicit encryption, because it assumes that all connection attempts will be transmitted over SSL or TLS and it will not accept unencrypted connection requests.
FTPS Pros
- Port Management: FTPS’s use of implicit SSL allows it to use a dedicated port reserved for secure connections. This dedicated port requires less overhead when establishing a session because it will always be on and requires no manual activation.
- OS Compatibility: FTPS is broadly used across operating systems like Windows, Linux and Unix, which makes it a versatile option for many users.
FTPS Cons
- Firewall Concerns: LAN FTPS connections can suffer from connection errors when communicating through NAT gateways.
- “One-Size-Fits-All” Encryption: FTPS only supports SSL/TLS encryption, and does not allow an administrator to specify other encryption methods or requirements. Depending on your organization’s requirements, this may make FTPS a risk for your transfers.
- Age and Compatibility: FTPS is an older version of encrypted FTP. Although it is still in widespread use, it may not be up to the task of negotiating connection requirements with other components of your network.
What is FTPES?
FTPES is a form of FTPS that will explicitly upgrade an unencrypted connection request to a secure connection during initial authentication (remember that FTPS will not accept an unencrypted request). FTPES also allows administrators to specify which aspects of a secure transfer should be encrypted, and at what level of encryption.
FTPES Pros
- Customizable Encryption: Administrators can use FTPES to specify the types and levels of encryption that a server will accept from a client. This feature lets organizations tailor their data protection for use cases such as legacy equipment connections or compliance with information protection standards
- Firewall Compatibility: FTPES is more firewall-friendly, as it initiates communication over standard FTP ports. Organizations with strict firewall controls will likely find this approach to be easier to configure and manage.
- Legacy Connections: If you are working with older systems or hardware, an initial connection request in the clear may require less hand-holding to support.
- Speed: FTPES can help improve transfer speed by allowing some information to be transmitted without encryption.
FTPES Cons
- Security Risk During Encryption Negotiation: FTPES connections can be less secure during the initial negotiation phase, which occurs before the establishment of an encrypted connection and could expose some data regarding your security protocols.
- More Complex Port Configuration: FTPES servers may require more active monitoring of firewall/port configurations depending on your transfer encryption settings (you may need to open both your control port and your FTP PASV ports).
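The FTPES trade-offs above (a clear-text phase before the upgrade, and the option to leave some traffic unencrypted) can be checked in a session log. The following is an added example, not code from the original article or from any FTP server product: it audits a control-channel transcript for credentials sent before `AUTH TLS` succeeded and for transfers made without `PROT P`. The `C:`/`S:` log notation, the function name `audit_session` and both sample transcripts are assumptions constructed for illustration; the commands and reply codes follow RFC 4217.

```python
# Added example: audit an FTPES (explicit FTPS) control-channel log.
# AUTH TLS / PROT / CCC and the 234 / 200 replies follow RFC 4217.
# The "C: " / "S: " log notation and both transcripts are constructed.
DATA_CMDS = {"RETR", "STOR", "STOU", "APPE", "LIST", "NLST", "MLSD"}

def audit_session(transcript):
    """Return findings for commands that crossed the wire unencrypted."""
    findings = []
    tls_on = False        # control channel encrypted (AUTH TLS answered 234)
    data_private = False  # data channel encrypted (PROT P answered 200)
    pending = None        # last client command still waiting for its reply
    for line in transcript:
        side, _, text = line.partition(": ")
        if side == "C":
            verb, _, arg = text.strip().partition(" ")
            verb, arg = verb.upper(), arg.strip().upper()
            pending = (verb, arg)
            if verb in ("USER", "PASS") and not tls_on:
                findings.append(f"{verb} sent before TLS: credentials in clear text")
            elif verb in DATA_CMDS and not data_private:
                findings.append(f"{verb} with unencrypted data channel (no PROT P)")
        elif side == "S" and pending:
            verb, arg = pending
            code, pending = text[:3], None  # only the first reply line counts
            if verb == "AUTH" and code == "234":
                tls_on = True
            elif verb == "PROT" and code == "200":
                data_private = (arg == "P")
            elif verb == "CCC" and code == "200":
                tls_on = False  # client dropped control-channel encryption
    return findings

HARDENED = [  # constructed: TLS upgrade first, then login, then PROT P
    "S: 220 ready", "C: AUTH TLS", "S: 234 proceed",
    "C: USER alice", "S: 331 need password", "C: PASS ****", "S: 230 ok",
    "C: PBSZ 0", "S: 200 ok", "C: PROT P", "S: 200 ok",
    "C: RETR report.csv", "S: 150 opening", "S: 226 done",
]
WEAK = [  # constructed: login before the upgrade, data channel left clear
    "S: 220 ready", "C: USER alice", "S: 331 need password",
    "C: PASS ****", "S: 230 ok", "C: AUTH TLS", "S: 234 proceed",
    "C: PBSZ 0", "S: 200 ok", "C: PROT C", "S: 200 ok",
    "C: STOR orders.csv", "S: 150 opening", "S: 226 done",
]

if __name__ == "__main__":
    for name, log in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit_session(log) or "no findings")
```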
When Should You Use FTPS vs. FTPES?
Both FTPS and FTPES will provide strong security for most use cases, but each protocol does have certain advantages for specific transfers:
FTPS will likely be the better choice if you:
- Prefer to “set and forget” your firewall settings
- Want to ensure that initial connections and credentials are transmitted under encryption
- Need to balance compatibility and security across a larger number of hardware and software tools
FTPES will likely be the better choice for organizations that:
- Do not need to encrypt all data in a typical transfer
- Have the resources and attention to manage increased firewall and port configuration complexity
Industry-Specific Applications of FTPS and FTPES for Secure File Transfers
Healthcare Industry
Healthcare organizations handle sensitive patient data that must be protected under regulations like HIPAA in the United States. FTPS could be the preferred choice for such organizations due to its broad compatibility with legacy systems. For example, when transferring patient records between departments or with external partners like insurance companies, FTPS ensures data is encrypted and compliant with privacy standards. An example could be a hospital system that integrates FTPS into their electronic health record (EHR) systems for secure file transfers.
Financial Services
Banks and financial institutions often require the highest levels of security and compliance with regulations such as GDPR in Europe or Sarbanes-Oxley in the United States. In these scenarios, FTPES might be favored for its explicit security negotiation, ensuring that each file transfer session starts securely. An instance of this could be a financial firm using FTPES for transmitting sensitive financial reports or customer information to regulatory bodies, ensuring that data encryption is explicitly initiated for each transfer.
Retail and E-commerce
In the retail sector, especially e-commerce, protecting customer information during transactions is paramount. FTPES could be particularly useful for small to medium-sized e-commerce platforms that deal with a high volume of personal customer data and need to ensure secure file transfers between their websites and payment processors. A case in point might be an online retailer that uses FTPES to securely send customer order details to a fulfillment center, which requires explicit encryption to safeguard data over a network that includes various security postures.
Manufacturing and Supply Chain
Companies in the manufacturing sector often exchange proprietary design files and supply chain information that is sensitive and requires secure handling. FTPS, with its compatibility across various systems, could be essential for ensuring that files transferred between partners and suppliers are encrypted. For example, an automotive manufacturer might use FTPS for exchanging design specifications with parts suppliers, ensuring that data is encrypted and securely transferred across different technology platforms.
Government and Public Sector
Government agencies dealing with public data, national security information, or internal communications might opt for FTPS or FTPES depending on their specific security protocols and firewall configurations. For instance, a federal agency might utilize FTPES for transmitting sensitive documents between departments, taking advantage of explicit SSL/TLS encryption requests to comply with strict government cybersecurity standards.
Educational Institutions
Universities and educational institutions often share research data and student information, requiring secure file transfer methods. FTPES could be a good choice for these institutions, especially when they need to ensure that data transfers between departments or with external research partners are encrypted. An example here could be a university using FTPES to securely share research data sets with a global consortium, requiring explicit security measures due to the sensitive nature of the research.