IT Operations & Cybersecurity Encyclopedia
Secure FTP and SFTP security guide
File transfer systems often move invoices, reports, healthcare records, customer data, exports, backups, vendor files, and automation feeds. Plain FTP should be retired for sensitive data, while SFTP and managed file transfer platforms need disciplined authentication, key governance, folder restrictions, logging, partner review, and patch management.
Why it matters
Protect file transfer paths as business data pipelines
Legacy FTP sends credentials and data without modern protection and should not be used for confidential business data. SFTP, FTPS, and managed file transfer platforms can improve confidentiality and control, but only when accounts, keys, folders, logs, and partner access are governed.
A practical file-transfer security program should inventory transfer servers, protocols, users, partners, service accounts, source and destination folders, data types, authentication methods, firewall rules, logs, and retention requirements.
This guide helps IT managers and security teams improve FTP and SFTP security. It is for planning and education, not a replacement for professional cybersecurity audit, penetration testing, legal review, or vendor-specific hardening.
Practical rule: If a file transfer account can move sensitive data, it needs an owner, least privilege, monitored authentication, key rotation, and transfer logs.
Review scope
FTP and SFTP security domains
Protocol selection
Retire plain FTP for sensitive data and document where SFTP, FTPS, HTTPS upload portals, or managed file transfer should be used.
Account and key governance
Review service accounts, partner accounts, SSH keys, passwords, MFA, vaulting, rotation, source restrictions, and disabled accounts.
Folder restrictions
Use chroot, jail, least-privilege folders, upload and download separation, retention, quarantine, and malware scanning where practical.
Network exposure
Restrict source IPs, firewall rules, ports, VPN requirements, cloud security groups, and public internet exposure.
Logging and monitoring
Monitor authentication, file activity, failures, admin changes, partner usage, unusual volume, and SIEM alerts.
Partner and vendor review
Document partner owners, data types, agreements, schedules, retention, encryption expectations, and offboarding.
Review matrix
Secure FTP and SFTP control matrix
| Area | What to verify | Questions to answer | Evidence |
|---|---|---|---|
| Inventory | Servers, protocols, ports, folders, partners, owners, data types, schedules, and criticality. | What file transfer paths exist? | Server list, firewall rules, partner register, folder map, and schedule inventory. |
| Protocol | Plain FTP retirement, SFTP or FTPS configuration, TLS/SSH settings, host keys, certificates, and cipher policy. | Is data protected in transit? | Protocol scan, configuration export, certificate review, host key record, and exception list. |
| Access | Users, partners, service accounts, SSH keys, source IPs, passwords, MFA, and folder permissions. | Who can transfer files and from where? | Account export, key list, permission review, source-IP list, and access approval. |
| Data handling | Upload/download folders, quarantine, malware scanning, retention, cleanup, encryption at rest, and file naming. | How is transferred data controlled? | Folder ACLs, retention job, malware scan result, encryption setting, and cleanup record. |
| Monitoring | Authentication, uploads, downloads, deletes, failed logins, admin changes, unusual activity, and SIEM export. | Would suspicious transfer activity be noticed? | Log samples, SIEM rule, alert examples, report, and incident ticket. |
| Lifecycle | Partner onboarding, access review, key rotation, patching, vulnerability review, offboarding, and incident response. | Can access be safely maintained and removed? | Partner approval, rotation log, patch record, vulnerability scan, and offboarding ticket. |
Step-by-step review
Secure FTP and SFTP security runbook
Inventory transfer systems and partners
List servers, protocols, ports, partners, users, service accounts, data types, folders, schedules, owners, and business purpose.
Retire or isolate plain FTP
Identify any FTP use, replace it for sensitive data, or document temporary compensating controls and retirement date.
Harden authentication and keys
Review SSH keys, passwords, MFA where supported, source restrictions, service account ownership, key age, vaulting, and rotation.
Restrict folders and commands
Use least-privilege folder permissions, chroot or jail controls, separate upload and download folders, and limit delete or overwrite rights.
Validate network exposure
Review firewall rules, VPN requirements, allowlisted source IPs, cloud security groups, public exposure, and management access.
Enable logs and alerting
Collect authentication, transfer, delete, admin, failed login, and unusual volume logs with SIEM export or ticket routing.
Review partners and rotate access
Confirm partner owners, agreements, data handling, key rotation, access reviews, offboarding, and incident contacts.
Common risks
Common FTP and SFTP security risks
Plain FTP remains active
FTP can expose credentials and data and should not be used for sensitive business transfers.
SSH keys never rotate
Long-lived partner or automation keys can remain active after staff changes, vendor changes, or project completion.
Accounts can browse too much data
Transfer accounts should be restricted to the minimum required folder, command set, and source systems.
Public exposure is broad
File transfer services should be restricted by firewall, VPN, source IP, or managed access controls where possible.
Logs are not reviewed
Authentication failures, unusual volume, file deletes, and partner activity should be visible to IT or security teams.
Partner offboarding is missed
Vendor and partner accounts should be disabled when contracts, projects, or data flows end.
Related support
Where IT Perfection can help
IT Perfection can help inventory and secure file transfer systems, server access, firewall rules, partner connectivity, logging, and managed IT operations.
OC Security Audit can help review file transfer exposure, partner access, privileged accounts, cyber insurance readiness, and audit evidence.
Related professional support
Created by Ali Hassani, CISO
Professional secure file transfer and partner access support
Ali Hassani brings 25+ years of hands-on experience across IT operations, cybersecurity, Microsoft infrastructure, network security, compliance readiness, cloud services, healthcare IT, MSP services, and business technology leadership.
This guide is for initial education and planning. It does not replace a professional cybersecurity audit, compliance assessment, penetration test, legal review, vendor engineering review, or Microsoft professional services engagement.
File transfers need ownership and logs
A strong secure file transfer program governs protocols, accounts, keys, folders, partners, network exposure, logs, and incident response.
FAQ
Secure FTP and SFTP FAQ
Should plain FTP still be used?
Plain FTP should not be used for sensitive business data because it does not provide modern protection for credentials and transferred data.
Is SFTP the same as FTPS?
No. SFTP runs over SSH, while FTPS uses FTP with TLS. Both can be secure when configured and governed properly.
How often should SSH keys be rotated?
Use a defined schedule and rotate after staff changes, vendor changes, suspected compromise, source changes, or project completion.
What should be logged?
Log authentication, uploads, downloads, deletes, failed logins, admin changes, source IPs, unusual volume, and partner activity.