Millions of files with sensitive health, financial and legal information are sent every day around the world. Encryption keeps the information away from attackers and prevents identity theft, fraud and other crimes.
Encryption is a method of making information unreadable to anyone besides the intended recipient.1 It keeps an attacker from eavesdropping on the conversation because only the person with the key can decrypt the information and understand the message. The plain text is the original message, while the cipher text is the unreadable message.2
As a managed file transfer (MFT) company, we provide our customers with three layers of encryption for security: encrypted protocols, file-level encryption and storage encryption.
We recently phased out support of FTP (file transfer protocol) client and server endpoints in our platform because FTP does not encrypt files during transfer. Anyone who uses FTP is at a higher risk for a man-in-the-middle attack or other types of eavesdropping attacks. Unlike FTP, SFTP (FTP over SSH), FTPS (FTP over SSL) and HTTPS encrypt files during transfer.
With FTP transfers, the username, password and data are sent in plain text,3 leaving the server and the files vulnerable. Some FTP servers do not require a username or password, which is even less secure.
SFTP uses SSH, or Secure Shell, to encrypt the files and send them over a secure channel. To transfer files with SFTP, the user logs into a client to authenticate themselves.4
FTPS encrypts the username and password and sends files over an encrypted channel. Specifically, FTPS uses TLS,5 or Transport Layer Security, to secure the channel. TLS uses certificates to check that the user is connected to the right server.6
HTTPS and HTTP are both used to send data between web browsers and websites. Unlike HTTP, which sends information in plain text, HTTPS uses TLS to encrypt data.7
You can see an example of HTTPS in most web browsers if you click the padlock icon next to the URL bar. If you click “Certificate,” you can view details such as who the certificate was issued to and who it was issued by.
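The certificate check described above for FTPS, and the issued-to and issued-by fields the browser shows, can be reproduced with Python's standard library. This is an added example, not Thru's code; the function names, the host name `files.example.com` and the sample certificate are constructed for illustration.

```python
import ssl
from datetime import datetime, timezone
from ftplib import FTP_TLS

def strict_tls_context() -> ssl.SSLContext:
    """Client context that rejects unverified or mismatched server certificates."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def upload_over_ftps(host, user, password, local_path, remote_name):
    """Upload one file over explicit FTPS (needs a reachable server)."""
    with FTP_TLS(host, context=strict_tls_context(), timeout=30) as ftps:
        ftps.login(user, password)  # control channel is upgraded to TLS before credentials are sent
        ftps.prot_p()               # encrypt the data channel too; ftplib leaves it clear by default
        with open(local_path, "rb") as fh:
            ftps.storbinary(f"STOR {remote_name}", fh)

def _flatten(name):
    """Turn the nested tuples used for subject/issuer into a plain dict."""
    return {key: value for rdn in name for key, value in rdn}

def describe_peer_cert(cert: dict, now: datetime) -> dict:
    """Summarise a dict shaped like the output of SSLSocket.getpeercert()."""
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return {
        "issued_to": _flatten(cert["subject"]).get("commonName"),
        "issued_by": _flatten(cert["issuer"]).get("organizationName"),
        "dns_names": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
        "days_left": (expires - now).days,
    }

# Constructed sample in the shape returned by SSLSocket.getpeercert()
SAMPLE_CERT = {
    "subject": ((("commonName", "files.example.com"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Example CA"),)),
    "notAfter": "Jan 31 00:00:00 2030 GMT",
    "subjectAltName": (("DNS", "files.example.com"),),
}

if __name__ == "__main__":
    print(describe_peer_cert(SAMPLE_CERT, datetime(2030, 1, 1, tzinfo=timezone.utc)))
```

With this context, a server whose certificate is untrusted, expired or issued for a different host name causes the connection to fail before any credentials are sent.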
In addition to using secure protocols, we encourage our customers to use PGP, or file-level, encryption to protect the file itself. PGP stands for Pretty Good Privacy, and it was invented in 1991.8
PGP works by using two keys – one public and one private. The public key is shared with anyone and used to encrypt the message. The private key is never shared and decrypts the message.9
Here is an example:
- Bob wants to send a file to Alice, so he asks for her public key.
- He uses her public key to encrypt the file before it is transferred.
- He transfers the file with SFTP.
- Once she receives it, she uses her private key to decrypt the message.
By using an encrypted protocol and PGP encryption, Bob’s file transfer to Alice is protected end to end.
File Storage Encryption
After files are transferred, some of our customers store them in the cloud for weeks, months or years to satisfy legal or business requirements. All data stored in Thru is encrypted with AES 256-bit encryption to protect our customers’ data.
Giving our customers multiple layers of encryption is not enough to protect their data and ensure business continuity. We take more measures to meet their file transfer security and compliance requirements.