- Disable FTP: If you are using your own server, disabling FTP is a good way to lock down a potential attack vector. Likewise, if you work with a third-party vendor, you can ask whether they have disabled FTP and, if not, what security protocols they have in place to protect it. FTP is insecure, so it should be disabled and replaced with SFTP
- Use the strongest encryption: AES-256 is currently the strongest standard encryption around, and SHA-2 currently represents the strongest hashing to authenticate data. It’s straightforward to get an SFTP server that includes both
- Use file and folder security for external access: Have proper practices in place to monitor and protect data when third parties need to see it during or before an SFTP transfer. This includes proper user access and identity management features
- Use folder security for internal access: Access controls can be a pain to set up because somebody has to do it manually on individual folders. Business users typically don’t have the skills or permission to do this, so organizations often resort to these users writing help desk tickets for IT to undertake access management tasks. The Kiteworks Platform has a solution that provides web-based (or even mobile) self-service for business users to set and automate these security settings
- Include documentation and auditing: Most frameworks require some capacity to document things like compliance and file access. Using a method to monitor file access, as well as to document things like user consent and other requests, is a critical part of HIPAA, GDPR, and PCI DSS compliance
- Use IP blacklisting and whitelisting: It may be necessary to simply block access to your servers through blacklists to protect data, particularly if there is no reason to accept traffic from, say, foreign countries or specific regions
- Provide logging integration with your SIEM: The SecOps team has round-the-clock monitoring of the system and can detect and mitigate attacks
- Require certificate-based or public-key-based authentication for users: This way, you can ensure that anyone accessing your system at least has a security certificate or public key to verify who they are. This prevents the possibility of hack attempts from unknown/anonymous sources
- Server hardening: Periodic vulnerability assessment and penetration testing provide a list of security issues with the server, which should be patched as part of the hardening activity
- Protect the SFTP server behind your corporate firewall: Only expose a proxy tier through your firewall as a DMZ against unauthorised access
Additional Configurations: Deploy Data Leak Prevention (DLP) solution, Anti-Malware Suite, Endpoint Detection & Response (EDR) solution, Automated patch management solution, Access Management solution, Backup & Recovery mechanism, Proxied Networking and much more.
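
As an added example (not part of the original article), the script below audits an OpenSSH `sshd_config` against several items from the list above: AES-256 ciphers, SHA-2 MACs, public-key-only logins, and SFTP transfer logging that a SIEM can ingest. It assumes an OpenSSH server; both sample configurations are constructed, with the weak settings shown beside the corrected ones.

```python
# Added example: audit global sshd_config settings against the checklist.
WEAK = """# constructed sample: weak settings
Ciphers aes128-ctr,3des-cbc
MACs hmac-sha1,hmac-md5
PasswordAuthentication yes
Subsystem sftp /usr/lib/openssh/sftp-server
"""
HARDENED = """# constructed sample: corrected settings
Ciphers aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
PasswordAuthentication no
PubkeyAuthentication yes
Subsystem sftp internal-sftp -l INFO
"""

def parse(text):
    """Keywords are case-insensitive and the first value seen wins."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":  # per-user/host override blocks are out of scope
            break
        cfg.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return cfg

def audit(text):
    cfg, findings = parse(text), []
    # An absent Ciphers/MACs line means server defaults, so it counts as unpinned.
    if not all(c.startswith("aes256-") for c in cfg.get("ciphers", "").split(",")):
        findings.append("ciphers: not pinned to AES-256")
    if not all(m.startswith("hmac-sha2-") for m in cfg.get("macs", "").split(",")):
        findings.append("macs: not pinned to SHA-2")
    if cfg.get("passwordauthentication", "yes").lower() != "no":
        findings.append("auth: password logins still allowed")
    if cfg.get("pubkeyauthentication", "yes").lower() == "no":
        findings.append("auth: public-key logins disabled")
    if "-l" not in cfg.get("subsystem", "").split():
        findings.append("logging: sftp subsystem has no -l log level")
    return findings

if __name__ == "__main__":
    for name, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(sample) or "OK")
```
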