SFTP Security Standards and Encryption Practices

This document provides an overview of the security measures in place for our SFTP setup, addressing client concerns about encrypted files and outlining best practices for credential management.

SFTP Server and Security Standards

Our SFTP service is powered by AWS Transfer Family, a robust and modern platform designed to provide secure file transfers. Below, we outline how your files are protected during every stage of transfer and storage.

Encryption in Transit

All data transmitted through the SFTP server is encrypted using the industry-standard SSH (Secure Shell) File Transfer Protocol, ensuring your files remain protected against interception during transfer.

Encryption at Rest

Once files are received, they are securely stored in an AWS S3 bucket configured with AES-256 server-side encryption, providing an additional layer of protection even if storage access is compromised.

Access Control

  • Limited Access to Storage: Only a small number of authorised employees have access to the S3 bucket. This access is strictly controlled, monitored, and audited.
  • Authentication with Hardware Keys: Access to the SFTP server is secured through hardware keys or AWS Identity and Access Management (IAM) policies, offering industry-leading security.
  • IP Whitelisting: The SFTP server has a fixed IP address, allowing your team to define egress rules and restrict file transmissions to our specific IP. Additionally, we can enable IP whitelisting to allow access only from your team’s fixed IPs.
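
The transport, storage and fixed-IP controls described above can be checked against a live configuration. The following is an added example, not part of the original page or the provider's own tooling: it audits the JSON returned by `aws s3api get-bucket-encryption` and `aws transfer describe-server`. It assumes the fixed IP is an Elastic IP attached to a VPC endpoint, and the sample documents and IDs are constructed.

```python
# Added example: audit AWS CLI JSON output against the controls described above.
# SSE-S3 ("AES256") and SSE-KMS ("aws:kms", "aws:kms:dsse") all use AES-256.
AES256_MODES = {"AES256", "aws:kms", "aws:kms:dsse"}

def audit_bucket_encryption(doc):
    """Findings for the output of `aws s3api get-bucket-encryption`."""
    rules = doc.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        return ["bucket has no default encryption rule"]
    findings = []
    for rule in rules:
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo not in AES256_MODES:
            findings.append(f"unexpected default SSE algorithm: {algo!r}")
    return findings

def audit_transfer_server(doc):
    """Findings for the output of `aws transfer describe-server`."""
    server = doc.get("Server", {})
    protocols = set(server.get("Protocols", []))
    findings = []
    if "SFTP" not in protocols:
        findings.append("SFTP is not enabled")
    if protocols - {"SFTP"}:  # e.g. plain FTP would break encryption in transit
        findings.append("other protocols enabled: " + ", ".join(sorted(protocols - {"SFTP"})))
    # Assumption: the fixed IP is an Elastic IP attached to a VPC endpoint.
    if server.get("EndpointType") != "VPC":
        findings.append("endpoint type is not VPC")
    elif not server.get("EndpointDetails", {}).get("AddressAllocationIds"):
        findings.append("VPC endpoint has no Elastic IP, address is not fixed")
    return findings

# Constructed sample documents (placeholder IDs, not from a real account).
SAMPLE_BUCKET = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}
SAMPLE_SERVER = {"Server": {"Protocols": ["SFTP"], "EndpointType": "VPC",
    "EndpointDetails": {"AddressAllocationIds": ["eipalloc-EXAMPLE"]}}}
WEAK_SERVER = {"Server": {"Protocols": ["SFTP", "FTP"], "EndpointType": "VPC"}}

if __name__ == "__main__":
    for name, findings in [
        ("bucket", audit_bucket_encryption(SAMPLE_BUCKET)),
        ("server", audit_transfer_server(SAMPLE_SERVER)),
        ("weak server", audit_transfer_server(WEAK_SERVER)),
    ]:
        print(name, "->", findings or "OK")
```

An empty findings list means the configuration matches the stated control; each string names the control that does not hold.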

Role-Based Access Control

Only designated personnel within our organisation have access to sensitive files. This ensures a granular and secure permission model, minimising the risk of unauthorised access.


File Processing and Automation

Our system is designed to seamlessly handle files uploaded via SFTP with minimal manual intervention:

  • Private Network: All file processing occurs within our Virtual Private Cloud (VPC), ensuring files never traverse public networks.
  • Serverless Architecture: Files are processed securely using AWS Lambda and other serverless technologies within our VPC. This architecture adds a further layer of isolation and security.

Credential Management Best Practices

The strength of the overall security framework depends on proper credential management. We recommend the following:

  • Use Hardware Security Devices: Devices like YubiKeys provide simple and effective two-factor authentication, ensuring only authorised personnel can access the SFTP server.
  • Secure Credential Storage: Avoid sharing or storing passwords insecurely. Use password managers to ensure strong and unique credentials.

Why Encryption at the Source Is Not Necessary

Historically, encrypting files before transfer was essential due to limitations in older technologies. With modern solutions like AWS Transfer Family and S3, this requirement has been superseded by built-in encryption capabilities:

  • Data is encrypted both in transit and at rest.
  • Files are processed and stored in a secure infrastructure, eliminating traditional vulnerabilities.
  • This approach reduces operational complexity while maintaining industry-leading security standards.

Certifications and Compliance

Our security practices are validated through multiple certifications, including:

  • SOC 2
  • PCI DSS
  • ISO 27001
  • ISO 9001

These certifications ensure compliance with rigorous security and data protection requirements.


Next Steps

We are confident that our SFTP setup ensures the secure handling of your files without the need for additional encryption at the source. To further enhance security, we encourage you to implement the credential management best practices outlined above.

If you have additional concerns or require further documentation, please feel free to contact us. We are happy to provide a walkthrough of the SFTP process or assist with your specific security needs.