In an ideal world, encryption is a topic that would never have to come up in a file transfer discussion.
You’d wake up in the morning, transfer essential files unencrypted over FTP, kick back your feet over the desk and drink a latte as you wait for the lunch break.
At least that was how it used to be in the early days of the internet.
If you do this today, your firm won’t make it to lunch before something malevolent happens to your systems—it could be a spoofing attack, DDOs or malware implant.
That’s why encryption is essential over file transfer. But that’s not the only reason. Encryption is necessary for your data security because it’s:
- Mandated by HIPAA, GDPR and other regulators
- Essential to regulating the scope of security attacks (preventing them from becoming data breaches)
- A necessary aspect of your customer trust
- A requirement in a majority of your future (and present) service level agreements
Encrypting your data as it moves over the cloud between endpoints is called secure file encryption.
This article will try to explain one concept in three levels of difficulty. In doing so, it will tell you everything you need to know about the options you have as far as file transfer encryption is concerned.
Encryption Might Be a Bit Complicated (But it’s for Your Own Good)
Understanding everything there is about your encryption options can be a bit daunting. There are encryption algorithms, encryption layers and file transfer protocols that leverage both encryption layers and algorithms.
Then there are people that use these terms interchangeably.
However, that’s not the most complicated part yet. Once you get to the intricacies of cryptography, you may get the impression that you’re now reading encrypted text (it happens).
Fortunately, this piece avoids unnecessary complexities and presents encryption in the most layman terms possible (if such a thing exists). One concept, in three layers of difficulty.
The First Layer: File Encryption Algorithms
At the core of your firm’s encryption are encryption algorithms. These are the predetermined encryption instructions, formulas and techniques your computer uses to turn plain text into indecipherable text, commonly known as cipher.
The three most commonly used encryption algorithms are:
1. DES (Data Encryption Standard)
DES is a deprecated encryption algorithm that uses an algorithm to turn your plain text into a cipher.
IBM developed this algorithm in the 70s. However, it had exhausted most of its usefulness by the ’90s leading to the NIST calling for its replacement.
At the time, DES was facing challenges due to its increased susceptibility to brute force attacks as computational power increased.
The DES is a symmetric block cipher which are encryption algorithms that break up your plain text into blocks of data, in this case, 64 bits each.
2. AES (Advanced Encryption Standard)
With the DES algorithm becoming obsolete fast, the US government, military and all of us needed a replacement that is unbreakable by brute force.
Reader, meet AES algorithm.
AES algorithm, meet reader.
The National Security Agency (NSA) would hold a competition and a symmetric encryption algorithm created by (and named after) a scientist named Rijndael would stand out.
Now known as AES, this algorithm, much like its DES predecessor, is block-based, only that it divides your plain text into blocks of 128 bits each.
This algorithm, which is the most used, comes in three flavors: AES 128, 192, and 256, all of which are virtually unbreakable, and some of the most secure encryption algorithms known to man. We could go on about this algorithm, but we’ll stop there for the sake of your time.
The Rivest- Shah-Addleman (RSA) algorithm was developed by three scientists, Ron Rivest, Adi Shamir, and Leonard Addleman of the Massachusetts Institute of Technology (MIT), in the late 70s.
The AES and DES algorithms you’ve seen above both leverage symmetric cryptography, where the keys you use to encrypt and decrypt data are the same.
This is what sets the RSA algorithm apart from the two.
This algorithm uses asymmetric cryptography. In asymmetric cryptography, different keys are used for the encryption and decryption processes.
The public key cryptography of the RSA algorithm uses modular exponentiation and discrete logarithm problems, which are…umm…stories for another day.
The Second Layer: File Encryption Layers
File encryption layers are protocols that leverage one (or many) of the above encryption algorithms to encrypt data at rest and in transit.
They’re called layers because you can “layer” one above the other to complement its security features or to provide additional security.
For example, you could use TLS to encrypt files you’re transferring over the cloud. However, nothing’s stopping you from desiring additional security.
Hence, you may decide to layer PGP encryption to the files you’re transferring on a TLS channel for additional security.
Okay, let’s cut to the chase. Some of the most popular encryption layers are:
1. PGP Encryption
Pretty Good Privacy (PGP) is a popular layer of encryption for your file-level data security needs. And that name is no misnomer; over the years, PGP has proven to be pretty good at securing encrypted file transfer.
This layer has a long history of utility for sending encrypted emails, sensitive data and protecting files at rest.
PGP has been used in the following applications since its inception:
- Encrypting and decrypting emails
- Authenticating and verifying digital signatures
- Encrypting files at rest
PGP is an asymmetric encryption protocol that leverages public key cryptography to mitigate file sharing security risks for your data in transit.
In plain English, this means two cryptographic keys (one private and one public) to encrypt your data in transit or at rest.
The first key is a public key that you can share with anyone (hence the name public). This key is used to encrypt files into cipher.
The other key is a private key whose access is restricted to only those who can decrypt data. By doing so, PGP can allow two users who have never met to transfer files across endpoints without necessarily exchanging cryptographic keys.
Some of the benefits of PHP as an encryption protocol are:
- Unbreakable by brute force
- Open PGP (the original protocol) is practically free
Secure Multipurpose Internet Mail Extension (S/MIME) is a popular encryption layer you can leverage to secure and authenticate your data in transit (especially your emails).
With the rise of phishing attacks, the once-beloved email is gradually turning into a curse after being a blessing for many years. The statistics don’t give that much hope either.
According to a Verizon report, 25% of all cyberattacks now involve phishing.
The S/MIME protocol, an extension of the MIME protocol, works to ensure that your company’s email services aren’t compromised at transit or rest.
S/MIME encryption protocol plays three main roles:
- Encrypting the data, you’re transferring over the cloud in your emails
- Prove that the data you receive or transferred wasn’t altered in any way
- Ensure that only authorized personnel have access to the data in transit
The S/MIME transfer protocol leverages end-to-end encryption meaning that access to your data is completely restricted during transit, and only the sender or recipient can access said data.
- Non-repudiation of origin
- Message integrity
- Message privacy
This layer can achieve this by leveraging public-key cryptography.
If you’re the sender, you’ll use a public key (shared with other senders) to encrypt the email.
The recipient, on the other hand, will use a private key (only they have) to access the emails.
For authentication purposes, S/MIME uses digital certificates to authenticate and authorize access to the data at endpoints.
3. SSL Encryption
Secure Socket Layer (SSL) is an encryption standard that protects the data you transfer between a server and the cloud.
This encryption standard provides privacy, authentication, and integrity to client-server communications by leveraging encryption, digital certification, and virtual handshakes.
SSL is the predecessor and much older version of the TLS encryption protocol. However, it still enjoys massive use in data transfers over the cloud. SSL achieves:
SSL uses public-key cryptography to encrypt your data in transit, making it completely undecipherable by external users.
SSL encryption leverages a protocol called a handshake to authenticate and validate the identity of two users at each endpoint.
- Data Integrity
And how would you know if the data you’re sharing over the cloud has been tampered with? SSL encryption uses digital signatures (yes, you heard that right) to verify that the data hasn’t been tampered with before reaching its destination.
4. TLS Encryption
Transport Layer Security (TLS) is a popular encryption layer with broad applications in secure data transfer over the cloud.
The list of risks you, your employees, and clients face while transferring data over the internet is endless and increases with each passing day.
At any one time, the data you transfer over the cloud is at risk of:
- Third-party monitoring or eves dropping
- Tampering of your data
- Misidentification of senders or recipients
Transport Layer Security is an encryption protocol that evolved from the Secure Socket Layer (SSL) in the late 90s.
It uses a combination of both symmetric and asymmetric cryptography, encryption and SSL-based processes such as the called TLS Handshake to address each of these issues.
You can (and probably do) leverage TLS encryption in your organization for email, file transfers, video and audio conferencing and VoIP.
5. SSH Encryption
SSH stands for secure shell, and you might often find yourself confusing it with the secure socket layer (SSL) you’ve seen above.
Secure shell is slightly different from SSL in that it’s not primarily for file transfer. Alternatively, you use SSH to create an encrypted tunnel for you to log in to another computer and offer commands.
Through this channel, and after you’ve completed authentication and verification, you can then be able to give commands to another computer and access information. That’s all there is to SSH, any questions.
“Well, What Can I use SSH Encryption for?”
Wrong question. The proper way to word this is:
“What can’t I use SSH encryption for?”
With access to another computer through an SSH tunnel, the possibilities are virtually endless. You can use SSH for:
- Secure remote communication
- Offering remote commands
- Avoid file transfer inefficiencies through automated file transfers
- Manipulating files
- Reading files
Since everybody can’t go around accessing your files, SSH uses public-key cryptography to ensure that only valid people can access your files.
The Third Layer: File Transfer Encryption Protocols
If encryption algorithms are the ground beef patty, and encryption layers the wheat roll buns, then file transfer protocols are the entire thing—the big juicy burger with sauce, toppings and all.
A file transfer protocol brings encryption algorithms, a set of protocols and a few additional features together to provide a secure encrypted file transfer protocol.
Fortunately, file transfer protocols are nothing new. In fact, you interact with some daily; take HTTPS, for example.
The most popular file transfer protocols that offer encryption are:
1. FTPS Protocol (FTS or SSL)
FTPS protocol is an implementation of SSL encryption over the old File Transfer Protocol (FTP). The File Transfer Protocol (FTP) is marred by several vulnerabilities; that’s why you’ll never see FTP and security in the same sentence.
For starters, it doesn’t protect your files, provide encryption, authenticate or check if your data has been tampered with during transfer.
You wouldn’t believe it, but File Transfer Protocol will send your intellectual property or regulated customer information in plain text over the internet.
Nothing will bring GDPR of HIPAA regulators on your doorsteps faster than transferring regulated data over the net unencrypted.
It was clear that File Transfer Protocol needed a reboot, which led to the development of the FTPS protocol.
The FTPS protocol uses the Secure Socket Layer you’ve seen above to encrypt data in either (or both) of its command channel and data channel.
It also uses a combination of user ID passwords, digital certificates or both to authenticate the recipient of the data at the endpoints.
2. AS2, AS3 and AS4 Encryption
Applicability Statement 2 (AS2) and its variations and improvements AS3 and AS4 are file transfer protocols popularly used for encrypted file transfer across endpoints.
AS2, AS3 and AS4 protocols use a combination of encryption algorithms, digital certificates and hashing algorithms to transfer your files securely across the web.
You’re probably wondering what sets them apart. In layman terms, AS2, AS3 and AS4 are different versions of the same thing.
AS2 is an upgrade from the 90s based AS1 protocol. This protocol has primarily been used for secure data transfer through digital certification and encryption standards since the ’90s, with improvements now and then.
In most ASX discussions, you’ll struggle to find mentions of AS3. This is because AS3 is a protocol used for the transit of data across endpoints using File Transfer Protocol (FTP).
AS3 isn’t necessarily an improvement from AS2 but a necessary option for FTP-based organizations.
Later versions of AS3 now support SMIME based security features such as end-to-end encryption, non-repudiation and authentication.
Applicability Statement 4 (AS4) is a subset of file transfer protocols business-to-business (B2B) companies use to share documentation between web services.
The advantages of AS2, AS3 and AS4 encryption lies in its core features, which are:
- Security: AS2 leverages a MIME protocol to wrap the data you’re sending in a secure and encrypted envelope for transit.
- Integrity: Your identity as the sender and the integrity of the data you’re transferring is assured by digital certificates.
- Non-Repudiation: This is a term that means that the receiver of the data can send back a digitally signed message embedded with a Message Integrity Check (MIC) calculator over the payload.
3. SFTP Protocol
SFTP is a file transfer protocol that uses SSH encryption to protect data over the same FTP port (port 22).
In SFTP, all of your files will be encrypted before being sent over the cloud hence protecting data in transit.
Since both SFTP and FTPS are based on the same FTP protocol, you’re probably wondering what sets them apart. There are a few differences once you look closely enough:
- SFTP only uses one port number to transfer data, while FTPS uses multiple port numbers
- SFTP authenticates both authentication information and the data you’re transferring
- SFTP uses Secure Shell (SSH), whereas FTPS uses Secure Socket Layer (SSL)
Though SFTP and FTPS add an additional layer to the same security system, they’re miles apart from each other (especially security-wise).
Where do we even start? Well, authentication encryption seems like a good place. FTPS authenticates your data then clocks out, sending authentication info over the cloud unencrypted.
SFTP, on the other hand, encrypts your authentication information, protecting your identity and those of your senders.
Speaking of authentication, SFTP puts two types of authentication protocols at your disposal. You can:
- Leverage passwords and digital IDs
- Use SSH keys which is just a type of public-key cryptography
We could go on about SFTP forever, but since you don’t have all day, let’s proceed with HTTPS and call it a day.
4. HTTPS Protocol
Now to something we’re all familiar with, HTTPS. HTTPS is an implementation of TLS encryption over the HTTP protocol.
The HTTPS protocol is used to encrypt the data sent between your websites and the browsers your clients and employees use to access them.
What Doesn’t Count As Encryption
In data security, it might look like a duck, talk like one and walk like a duck—and end up being a rooster. You can never be sure.
File Transfer Protocol (FTP) is one such protocol. It looks secure sounds secure, but the devil in the details says that it’s nothing close to secure.
FTP falls short of any encryption capability, sending your passwords, intellectual information and regulated data over the cloud in plain text.
Similarly, encryption standards like SSL haven’t been updated since 1966, making them deprecate.
And then there’s HTTPS, which apart from being an encryption protocol isn’t as secure especially when used as an only factor.
That’s A Lot; Where Do You Even Start?
Short answer: Managed File Transfer (MFT).
Managed File Transfer (MFT) is your antidote to all this encryption indecision. A managed file transfer like MOVEit takes all these encryption standards, layers and algorithms and consolidates them into a solution that you can leverage for secure file transfer.
And it doesn’t stop there. We all know that encryption is no magic wand; hence, Managed File Transfer comes with additional security features such as:
- End-to-end encryption with the most effective encryption protocols
- Multi-Factor Authentication (MFA)
- Automated compliance capabilities
- Activity tracking and tamper-evident logging
- Centralized access controls
For more information, contact us today, and our teams will be more than willing to help.