FTP sites seem like they’ve been around for ever. The file transfer protocol was invented in 1971 as part of the original ARPANET. It was and remains a very simple way to move files from place to place. Unfortunately the protocol itself was not designed to be secure so secure FTP was developed. This uses SSL (secure sockets layer) or TLS (transport layer security) to encrypt the information so you can security transfer documents and login credentials.
A lot of companies use FTP sites as repositories to download or upload software, documents, videos and a lot of other materials. They are easy to set up and can run on any operating system. Most companies at least use basic login credentials to provide some level of security to a site. Of course many use these sites as public repositories to download brochures and other marketing collateral.
The other day I was doing some research on the web and I came across a brochure for a large company’s partner program. There was a lot of detail on branding, co-marketing opportunities, logo guidelines and other information on the program. On the bottom of every page it said “Internal Use Only”. I was surprised and I have to admit I felt like a kid in the candy store. I found something confidential sitting on an open FTP site.
Being curious I poked around and found all kinds of things on this website. I found software, manuals, brochures, whitepapers, etc. Many of these documents and software was very old, but there were plenty of items with dates from 2011 and 2012. Most of the current documents looked like brochures and other information that would be public anyway, but I found more items that said “Confidential” and “Internal Use Only”.
If these were really confidential documents, this is the last place they should be stored. If this was just an old repository used as an archive, it may not be a big deal. If you have FTP sites like this, you should take a look at them. If anything is sensitive or confidential, get them off there immediately. An open site like this could lead to a potential data breach if company or customer confidential data is released.
A better approach is to use a secure file transfer service or a secure extranet portal that encrypts the stored documents and requires secure authentication to access them. You could also encrypt anything confidential with a persistent security policy that lets you control who access them and what they can do with them. This way if something accidentally got onto an open FTP site, you wouldn’t expose any confidential information.
Either way, only use FTP when you know it’s secure or the information is for public consumption. Otherwise you might have a big loophole in your security and confidential information could get out on the internet.
Photo credit adactio