IT Operations & Cybersecurity Encyclopedia

Secure FTP and SFTP security guide

File transfer systems often move invoices, reports, healthcare records, customer data, exports, backups, vendor files, and automation feeds. Plain FTP should be retired for sensitive data, while SFTP and managed file transfer platforms need disciplined authentication, key governance, folder restrictions, logging, partner review, and patch management.

SFTPSecure file transferSSH keysPartner accessTransfer logging

Why it matters

Protect file transfer paths as business data pipelines

Legacy FTP sends credentials and data without modern protection and should not be used for confidential business data. SFTP, FTPS, and managed file transfer platforms can improve confidentiality and control, but only when accounts, keys, folders, logs, and partner access are governed.

A practical file-transfer security program should inventory transfer servers, protocols, users, partners, service accounts, source and destination folders, data types, authentication methods, firewall rules, logs, and retention requirements.

This guide helps IT managers and security teams improve FTP and SFTP security. It is for planning and education, not a replacement for professional cybersecurity audit, penetration testing, legal review, or vendor-specific hardening.

Practical rule: If a file transfer account can move sensitive data, it needs an owner, least privilege, monitored authentication, key rotation, and transfer logs.

Review scope

FTP and SFTP security domains

Protocol selection

Retire plain FTP for sensitive data and document where SFTP, FTPS, HTTPS upload portals, or managed file transfer should be used.

Account and key governance

Review service accounts, partner accounts, SSH keys, passwords, MFA, vaulting, rotation, source restrictions, and disabled accounts.

Folder restrictions

Use chroot, jail, least-privilege folders, upload and download separation, retention, quarantine, and malware scanning where practical.

Network exposure

Restrict source IPs, firewall rules, ports, VPN requirements, cloud security groups, and public internet exposure.

Logging and monitoring

Monitor authentication, file activity, failures, admin changes, partner usage, unusual volume, and SIEM alerts.

Partner and vendor review

Document partner owners, data types, agreements, schedules, retention, encryption expectations, and offboarding.

Review matrix

Secure FTP and SFTP control matrix

AreaWhat to verifyQuestions to answerEvidence
InventoryServers, protocols, ports, folders, partners, owners, data types, schedules, and criticality.What file transfer paths exist?Server list, firewall rules, partner register, folder map, and schedule inventory.
ProtocolPlain FTP retirement, SFTP or FTPS configuration, TLS/SSH settings, host keys, certificates, and cipher policy.Is data protected in transit?Protocol scan, configuration export, certificate review, host key record, and exception list.
AccessUsers, partners, service accounts, SSH keys, source IPs, passwords, MFA, and folder permissions.Who can transfer files and from where?Account export, key list, permission review, source-IP list, and access approval.
Data handlingUpload/download folders, quarantine, malware scanning, retention, cleanup, encryption at rest, and file naming.How is transferred data controlled?Folder ACLs, retention job, malware scan result, encryption setting, and cleanup record.
MonitoringAuthentication, uploads, downloads, deletes, failed logins, admin changes, unusual activity, and SIEM export.Would suspicious transfer activity be noticed?Log samples, SIEM rule, alert examples, report, and incident ticket.
LifecyclePartner onboarding, access review, key rotation, patching, vulnerability review, offboarding, and incident response.Can access be safely maintained and removed?Partner approval, rotation log, patch record, vulnerability scan, and offboarding ticket.

Step-by-step review

Secure FTP and SFTP security runbook

1

Inventory transfer systems and partners

List servers, protocols, ports, partners, users, service accounts, data types, folders, schedules, owners, and business purpose.

2

Retire or isolate plain FTP

Identify any FTP use, replace it for sensitive data, or document temporary compensating controls and retirement date.

3

Harden authentication and keys

Review SSH keys, passwords, MFA where supported, source restrictions, service account ownership, key age, vaulting, and rotation.

4

Restrict folders and commands

Use least-privilege folder permissions, chroot or jail controls, separate upload and download folders, and limit delete or overwrite rights.

5

Validate network exposure

Review firewall rules, VPN requirements, allowlisted source IPs, cloud security groups, public exposure, and management access.

6

Enable logs and alerting

Collect authentication, transfer, delete, admin, failed login, and unusual volume logs with SIEM export or ticket routing.

7

Review partners and rotate access

Confirm partner owners, agreements, data handling, key rotation, access reviews, offboarding, and incident contacts.

Common risks

Common FTP and SFTP security risks

Plain FTP remains active

FTP can expose credentials and data and should not be used for sensitive business transfers.

SSH keys never rotate

Long-lived partner or automation keys can remain active after staff changes, vendor changes, or project completion.

Accounts can browse too much data

Transfer accounts should be restricted to the minimum required folder, command set, and source systems.

Public exposure is broad

File transfer services should be restricted by firewall, VPN, source IP, or managed access controls where possible.

Logs are not reviewed

Authentication failures, unusual volume, file deletes, and partner activity should be visible to IT or security teams.

Partner offboarding is missed

Vendor and partner accounts should be disabled when contracts, projects, or data flows end.

Related support

Where IT Perfection can help

IT Perfection can help inventory and secure file transfer systems, server access, firewall rules, partner connectivity, logging, and managed IT operations.

OC Security Audit can help review file transfer exposure, partner access, privileged accounts, cyber insurance readiness, and audit evidence.

Created by Ali Hassani, CISO

Professional secure file transfer and partner access support

Ali Hassani brings 25+ years of hands-on experience across IT operations, cybersecurity, Microsoft infrastructure, network security, compliance readiness, cloud services, healthcare IT, MSP services, and business technology leadership.

This guide is for initial education and planning. It does not replace a professional cybersecurity audit, compliance assessment, penetration test, legal review, vendor engineering review, or Microsoft professional services engagement.

File transfers need ownership and logs

A strong secure file transfer program governs protocols, accounts, keys, folders, partners, network exposure, logs, and incident response.

FAQ

Secure FTP and SFTP FAQ

Should plain FTP still be used?

Plain FTP should not be used for sensitive business data because it does not provide modern protection for credentials and transferred data.

Is SFTP the same as FTPS?

No. SFTP runs over SSH, while FTPS uses FTP with TLS. Both can be secure when configured and governed properly.

How often should SSH keys be rotated?

Use a defined schedule and rotate after staff changes, vendor changes, suspected compromise, source changes, or project completion.

What should be logged?

Log authentication, uploads, downloads, deletes, failed logins, admin changes, source IPs, unusual volume, and partner activity.