Organisations frequently consider the FTP protocol as an easy solution for data movement. Free and widely available, FTP has experienced increasing popularity over the years since its development in the early 1970s.
The academic and government communities gave birth to FTP in a spirit of openness and cooperation that reflected university cultures of the day. The standard enjoyed wide public distribution, which led to its proliferation within the software development community and explains its continuing broad base of support around the world today. FTP is still used extensively for file transfer on the Internet and many institutions of higher learning encourage student use of FTP clients for file transfer within the campus network. Proponents of FTP tout its speed and efficiency in moving large files as reasons for its persistent popularity.
As students who used FTP in the academic community moved into the business world, often joining information technology departments, the popularity of FTP naturally migrated with them into enterprises of all sizes. However, widespread implementation of FTP in the corporate community presented unanticipated challenges and risks that were of little consequence in the academic community.
Although FTP is a widely used data movement vehicle, its purportedly free operation actually comes at a high price that astute businesses may not want to pay. Consider the risks discussed here before making a decision on how FTP should be used in a corporate environment.
FTP provides a straightforward way to move files to and from remote platforms. However, in a business environment, unmanaged use of FTP presents a tremendous risk to the value of the network infrastructure.
Large networks are inherently unreliable because of the size and complexity of their makeup. The probability of failure with extended use is proportional to the amount of information transmitted. The distributed nature of the Internet tends to hide the overall impact and cost of failures.
The decentralised management, security and performance of the data movement operation mask the cost associated with interruptions, rework and security failures. These hidden costs can be exposed dramatically when network failures result in missed processing windows or service levels. Companies and organisations that require on-time, predictable and secure data movement must select solutions that fit their performance, management and security requirements.
FTP provides no means to control critical data movement operations or to balance critical work against lower-priority work. For many business processes, this can negatively impact processing windows and service level agreements. It places all control with the client and, usually, first in wins. Furthermore, FTP provides no capability to create a policy for workload execution that can be enforced. Without a means to control priority and use based on business policies, critical data movement is threatened. FTP simply does not have the management infrastructure to respond to critical business priorities.
It lacks a mechanism to provide problem notification, which means that failed file transfers may go unnoticed indefinitely. It is very difficult, if not impossible, to determine previous FTP activity. Any required action must be performed manually by the client, which does not enable automated, real-time recovery.
Consequently, costs associated with the use of FTP must include the inherent delays in exception discovery.
Open, uncontrolled use of FTP should be treated as an exposure under the security policies of an organisation. The FTP protocol was originally developed during a time of limited to non-existent security concerns regarding the movement of data across the Internet. Consequently, security safeguards were not included as a part of the FTP model.
In FTP sessions, the client must provide an ID and password when initiating a connection to the server, but this security information is transmitted in clear text. The ID and password must be valid on the server, which means that this private information must be distributed to all clients. If a client transmits to many servers, the client must have a valid ID and password for each. Security violations are not logged in FTP and there is no authentication of the client. Encryption, if used at all, must be an offline process.
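To make the clear-text exposure concrete, the following added example (not part of the original article) audits a captured FTP control channel and reports every session in which a `PASS` command was readable on the wire, that is, sent without a successful `AUTH TLS` upgrade first. The capture format, session ids, account names and passwords are constructed for illustration.

```python
# Constructed control-channel capture: (session id, direction, line).
# "C" = client command, "S" = server reply. Not taken from a real system.
SAMPLE_CAPTURE = [
    ("s1", "S", "220 FTP server ready"),
    ("s1", "C", "USER batchuser"),
    ("s1", "S", "331 Password required"),
    ("s1", "C", "PASS Winter2024!"),
    ("s1", "S", "230 Login successful"),
    ("s2", "S", "220 FTP server ready"),
    ("s2", "C", "AUTH TLS"),
    ("s2", "S", "234 Proceed with negotiation"),  # encrypted from here on
    ("s3", "S", "220 FTP server ready"),
    ("s3", "C", "AUTH TLS"),
    ("s3", "S", "502 Command not implemented"),   # upgrade refused
    ("s3", "C", "USER reports"),
    ("s3", "S", "331 Password required"),
    ("s3", "C", "PASS hunter2"),
    ("s3", "S", "530 Login incorrect"),
]

def find_cleartext_logins(capture):
    """Return one finding per PASS command that crossed the wire unencrypted.
    The password itself is never stored, only its length."""
    sessions, findings = {}, []
    for sid, direction, line in capture:
        s = sessions.setdefault(sid, {"user": None, "tls": False, "await": None})
        if direction == "C":
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb == "AUTH":
                s["await"] = "auth"            # next reply decides TLS state
            elif verb == "USER":
                s["user"] = arg
            elif verb == "PASS" and not s["tls"]:
                finding = {"session": sid, "user": s["user"],
                           "password_len": len(arg), "accepted": None}
                findings.append(finding)
                s["await"] = finding           # next reply is the login result
        elif s["await"] == "auth":
            s["tls"] = line[:3] == "234"       # 234 = TLS negotiation accepted
            s["await"] = None
        elif isinstance(s["await"], dict):
            s["await"]["accepted"] = line[:3] == "230"
            s["await"] = None
    return findings

if __name__ == "__main__":
    for f in find_cleartext_logins(SAMPLE_CAPTURE):
        print(f)
```

Session `s3` shows why a refused `AUTH TLS` matters: a client that falls back to plain `USER`/`PASS` exposes the credential even though it attempted encryption.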
As a result of the inability to enforce security policies with FTP use, many enterprises have chosen to ban it from production-level use completely. The risk of security compromise is too great.
Any outage that occurs with FTP operations must first be discovered and then manually handled, which generally means restarting the failed operation from the beginning. Costs associated with FTP recovery include:
* Retransmission - FTP retransmits (on average) half the overall data movement volume per failure;
* Delayed restart - During network resource failure, FTP use requires discovery of the failure, which can delay restart and incur additional costs; and
* Duplicate transmission - Because of incorrect FTP option specifications, duplicate transmissions are a common occurrence. One study found that 10% of FTP transfers were retransmissions of files that resulted from an incorrect option selection (binary). In addition to the retransmission, there is cost in the delay of discovering that the file is unusable.
In addition to substantially limiting data recovery capability, the lack of automation in the FTP protocol prevents full utilisation of organisational business processes. Costs associated with the lack of FTP automation derive from operations that complete successfully, but result in unusable files. This is because there is no way to validate user-selected (or defaulted) options, and it is exacerbated by the lack of central control of scheduled activities, where clients can initiate FTP activity regardless of the schedule impact or importance.
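The "completes successfully but unusable" failure can be caught with a digest comparison after each transfer. This added example (not from the original article) uses a simplified model of FTP's ASCII transfer type, in which the sender maps its local line ending to CRLF and the receiver maps CRLF to its own, to show a binary file sent from a Unix host to a Windows host being silently altered; the function names and the sample payload are constructed for illustration.

```python
import hashlib

# Constructed binary payload: every byte value, repeated four times.
SAMPLE_FILE = bytes(range(256)) * 4

def ascii_mode_transfer(data, sender_eol=b"\n", receiver_eol=b"\r\n"):
    """Simplified model of an ASCII-type transfer (assumption: line endings
    are the only thing rewritten). Defaults model Unix sender, Windows receiver."""
    on_wire = data if sender_eol == b"\r\n" else data.replace(sender_eol, b"\r\n")
    if receiver_eol == b"\r\n":
        return on_wire
    return on_wire.replace(b"\r\n", receiver_eol)

def binary_mode_transfer(data):
    """Binary (image) type: bytes are delivered unchanged."""
    return data

def audit_transfer(source, mode):
    """Transfer `source` in the given mode and compare SHA-256 digests,
    the check FTP itself does not perform."""
    if mode == "ascii":
        received = ascii_mode_transfer(source)
    else:
        received = binary_mode_transfer(source)
    return {
        "mode": mode,
        "matches_source": hashlib.sha256(source).digest()
                          == hashlib.sha256(received).digest(),
        "size_delta": len(received) - len(source),
    }

if __name__ == "__main__":
    for mode in ("ascii", "binary"):
        print(audit_transfer(SAMPLE_FILE, mode))
```

In the ASCII case each 0x0A byte in the payload gains a preceding 0x0D, so the file grows and its digest no longer matches even though the transfer reported no error.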
Business needs require that a myriad of issues be considered with regard to data movement operations. The requirements for centralised management, notifications, security, data recovery and automation are equally important. The best solution for an enterprise should provide capabilities that meet all these needs.
The inherent security risks associated with the widespread use of free FTP may be reason enough to give some organisations pause as they consider this option to meet their data movement needs. Add to that the limitations associated with lack of automation and data recovery and FTP quickly loses its lustre for enterprise-level data movement. The final and most significant of the arguments against FTP directly relates to its early appeal - that of cost.
With FTP, the costs are hidden and ongoing, removing the primary justification to consider this option in today's business environment. FTP may be free, but are you sure you can afford it?