Dec 22 2020

SCP vs. SFTP: Which Is Better for Secure File Sharing?

With remote file transfer more important than ever, decades-old secure file-sharing protocols are getting a second look.

The more distributed nature of work means that more files are getting transferred than ever. While the cloud is a popular avenue for this, some organizations have additional security concerns, and with a 40 percent increase in ransomware attacks this year, businesses want to make sure their files are protected.

As a result, some organizations are turning to sharing files over two protocols whose roots date back many decades: secure copy protocol (SCP) and secure file transfer protocol (SFTP), which is also referred to as SSH file transfer protocol.

Both protocols were created by Finnish researcher Tatu Ylönen, who aimed to replace the aging protocols of the early internet with more secure variants of common networking tools like Telnet and FTP.

While working at the Helsinki University of Technology, Ylönen found inspiration after a security incident involving a password sniffer exposed the problems with insecure protocols like Telnet and FTP.

The attack led Ylönen to create SSH, or Secure Shell, in 1995. While initially a proprietary freeware protocol for ensuring secure connections, it came to be developed as an open-source standard starting in the early 2000s. SCP and SFTP came along for the ride.


John Picinich is director of product management at Progress, a firm that develops file-transfer software including WS_FTP and the managed file-transfer tool MOVEit Transfer. (Both apps were previously made by Ipswitch, which Progress acquired in 2019.) Picinich says that when it comes down to distributing files remotely, businesses should ask themselves a few questions: Who will be using these systems? What will their workflow be? What controls can be put in place to control the data?

With those questions in mind, it’s worth taking a little time to understand what makes these protocols better at some things than others.

What Is SCP?

SCP has its roots in the Berkeley Software Distribution (BSD) variant of UNIX that was first produced in the late 1970s, according to the book Open Sources: Voices from the Open Source Revolution.

SCP is a secure version of the RCP file-copying protocol that was first developed in 1982. One of a series of remote networking commands developed with the letter R in front, RCP was not designed to be as comprehensive as the FTP protocol. It is instead intended primarily as a way to copy files, rather than as a full file-exchange protocol, which means it has low overhead but also a bare-bones feature set.

With the development of SSH, a version of RCP was developed that worked on top of the new protocol. That became SCP, and much like the UNIX command that inspired it, SCP has limited overhead.

“SCP being based on the concept of a copy command is just that: a copy between systems,” says Picinich. “SCP does not include functions such as directory listings, deletion of directories, deleting files, etc.”

What Is SFTP?

It can be tempting to think, based on the description of SCP above, that SFTP is simply a secure version of FTP, a protocol that dates back to the earliest days of the internet. However, they’re different protocols with different roots, with SFTP’s story starting at the same time as SSH’s, in the late 1990s. At that time, graphical file-transfer clients had grown commonplace, meaning that there was a mainstream audience in need of stronger file-transfer capabilities and familiarity with what was already in use. The result is that while SFTP maintains some similarities to FTP, it generally transfers on the same transmission control protocol port as an SSH connection, usually port 22.

“This protocol assumes that it runs over a secure channel, that the server has already authenticated the user at the client end and that the identity of the client user is externally available to the server implementation,” Ylönen and co-developer Sami Lehtinen wrote in a draft document for the Internet Engineering Task Force in 2001.

SFTP has more overhead than something like SCP. However, Picinich says that this is made up for by its greater ease of use.

“Remote working users need easy-to-use platforms to allow them to complete their file-transfer tasks efficiently,” Picinich says. “Administrators require systems that can be configured and audited to meet security requirements and industry best practices. SFTP fits the bill in this case with straightforward authentication, traditional directory listings and easy-to-understand file upload and download.”


Which Secure File Transfer Protocol Is Faster?

The limitations of SCP as a full-fledged file-transfer protocol do have a plus side, according to Picinich: Because its capabilities are limited to copying files, it is generally much faster than SFTP for many tasks.

“SCP was created to replicate shell copy functions between systems, and if you have ever used the command CP to copy files locally, you can use SCP,” he says. “This provides system operators a simple and familiar way to transfer files between systems with faster transmission rates than SFTP due to less protocol overhead.”

However, SFTP’s overhead is more than made up for by its ease of use — and by offering fewer limitations than SCP has.

“While both SCP and SFTP will handle large file transfers, SFTP allows for resuming a file transmission,” he adds. “The feature set of SFTP aligns with workflows for both internal system transfers and external user access to files and folders. Additionally, there are several GUI client applications available for SFTP.”

However, if speed is a goal of file transfer, it may be worth considering ways to automate so that integrations are tighter, allowing data to flow more efficiently. Picinich points to the way that tools like MOVEit Transfer can use APIs to automate transfers, for example.

“While SCP and SFTP can fit the need in some scenarios, more and more commonly the need is for a purely programmatic interface to integrate with for file movement,” he says. “Products such as MOVEit Transfer provide secure REST APIs to allow for customized integration of file transfers.”

SCP vs. SFTP: Which Is More Secure?

While both SFTP and SCP were built to be secure, the question of which is more secure has evolved in recent years, generally in favor of SFTP, as SCP’s age has started to expose decades-old weaknesses in the older protocol. These weaknesses led OpenSSH to call SCP “outdated, inflexible and not readily fixed.”

Meanwhile, the widely used Fedora Linux distribution has recently discussed deprecating the SCP protocol in favor of SFTP, according to the Linux news site Phoronix.

One way to mitigate potential security concerns for organizations would be using a managed file-transfer system, such as Progress’ MOVEit Transfer, to help balance file-distribution needs with security considerations.

“A managed file transfer solution like MOVEit Transfer keeps system files, access controls and authentication outside of the scope of a user’s access,” Picinich says. “MOVEit Transfer additionally encrypts files at rest and ensures no access without authentication and authorization occurs. This, in turn, provides the required logging and visibility.”

At this time, SFTP and SCP are likely to remain secure and usable thanks to their basis in SSH, but they may not meet your needs forever — at least in their most basic forms. Ultimately, businesses moving lots of large files around should understand the strengths and weaknesses of these protocols and find ways to improve on them further.
