FTP Alternatives??????

dabob · Mar 2, 2015

Due to our credit card companies rules we are shutting down our ftp server . . what is out there that allows free or inexpensive file transfer of files 100+ gigs?????

wonderings · Mar 2, 2015

Your credit card company does not allow you to have an ftp? You would probably need to look at some of the different cloud storage options out there, such as drop box or google.

jminrod · Mar 2, 2015

I just did a webex with a salesman from sharefile.com. It was everything I was looking for except we are in a longer contract with our current ftp provider. Not free but they had the security we needed and the user friendliness

dabob · Mar 2, 2015

wonderings said:
Your credit card company does not allow you to have an ftp? You would probably need to look at some of the different cloud storage options out there, such as drop box or google.

It's not that they wouldn't "let us" but then we would have had to deal with SSL certificates etc just the SSL cert is 70 bucks a month and we figured it would be cheaper and easier just to kill "port 21" access . . . . like the old saying . .. "“In the confrontation between the stream and the rock, the stream always wins; not through strength, but through perseverance.” my version is to find the easy way around the rock . . .

mattbeals · Mar 2, 2015

dabob said:
It's not that they wouldn't "let us" but then we would have had to deal with SSL certificates etc just the SSL cert is 70 bucks a month and we figured it would be cheaper and easier just to kill "port 21" access . . . . like the old saying . .. "“In the confrontation between the stream and the rock, the stream always wins; not through strength, but through perseverance.” my version is to find the easy way around the rock . . .

Thawte SSL certificates are not very expensive and can be put into your FTP server fairly easily (depending on how you are setup). If you run your own FTP server like Filezilla FTP Server (free and reliable) you can for the use of FTPS (FTP over SSL/TLS) with authentication happening over SSL as well. It will satisfy PCI compliance standards.

Both the companies below are trusted SSL providers. Verisign/Symantec are just as good, but more expensive.
https://www.thawte.com/ssl/index.html
https://ssl.comodo.com/

If you have the FTP server in a DMZ that should also take care of PCI compliance, if I correctly recall my process two years ago.

ajr · Mar 3, 2015

Look at Rumpus it has SSL built in I think. Maxum Development

mwc · Mar 3, 2015

+1 on rumpus. It does support SSL. You would have to purchase an SSL certificate as mentioned above, or you can generate a self-signed certificate (this is secure, just doesn't give outside connections the 'trust' that a certificate authority issued one does). Rumpus makes the process 'easy'.

michaelejahn · Mar 3, 2015

dabob said:
It's not that they wouldn't "let us" but then we would have had to deal with SSL certificates etc just the SSL cert is 70 bucks a month and we figured it would be cheaper and easier just to kill "port 21" access . . . .

1. I think you need to need to find another source for an SSL cert - NO WAY it is 70 a month - i have seen 70 a year perhaps, but you can get one for 30 a year ( so, that would be like $2.50 cents a month - if you can't afford that, you need to re-think your business plan )

We suggest ( to our PressWise customers )

http://www.rapidssl.com/buy-ssl/wildcard-ssl-certificate/index.html

2. I would never ever do business / buy printing / submit my credit card to a company that DID NOT have an SSL certificate. I am not saying that because I work for a developer, or I somehow benefit or am commissioned, paid or helped in some way.

from:

https://www.sslshopper.com/why-ssl-the-purpose-of-using-ssl-certificates.html

The primary reason why SSL is used is to keep sensitive information sent across the Internet encrypted so that only the intended recipient can understand it. This is important because the information you send on the Internet is passed from computer to computer to get to the destination server. Any computer in between you and the server can see your credit card numbers, usernames and passwords, and other sensitive information if it is not encrypted with an SSL certificate. When an SSL certificate is used, the information becomes unreadable to everyone except for the server you are sending the information to. This protects it from hackers and identity thieves.

hope that helps.

mattbeals · Mar 3, 2015

I don't think their site is processing credit cards. I Think they are going through a PCI compliance audit and as part of that, an unsecure FTP connection is a big red flag. Securing that FTP connection or closing it off and using a replacement seems to be the question at hand.

FTP/S (FTP over SSL or TLS) can be done inexpensively, but well, with a modest amount of effort. Probably less than the time you've spend finding an alternate solution.

As an aside, if you are sending or receiving sensitive data across the public internet, then the data should first be encrypted on the sender side, then transmitted as encrypted (over a secure or insecure connection), then decrypted once it is in a known clean environment. Even then, data at rest if it is sensitive should still be encrypted. No sensitive data should ever be send without first being encrypted, even if using SSL.

A pain? Not really. Less painful than an insurance claim or a lawsuit for disclosing private or otherwise sensitive information. Tools like PGP (or the opensource GPG version) are easy, secure and reliable. Even the NSA uses it.

dabob · Mar 3, 2015

mattbeals said:
I don't think their site is processing credit cards. I Think they are going through a PCI compliance audit and as part of that, an unsecure FTP connection is a big red flag. Securing that FTP connection or closing it off and using a replacement seems to be the question at hand.

FTP/S (FTP over SSL or TLS) can be done inexpensively, but well, with a modest amount of effort. Probably less than the time you've spend finding an alternate solution.

As an aside, if you are sending or receiving sensitive data across the public internet, then the data should first be encrypted on the sender side, then transmitted as encrypted (over a secure or insecure connection), then decrypted once it is in a known clean environment. Even then, data at rest if it is sensitive should still be encrypted. No sensitive data should ever be send without first being encrypted, even if using SSL.

A pain? Not really. Less painful than an insurance claim or a lawsuit for disclosing private or otherwise sensitive information. Tools like PGP (or the opensource GPG version) are easy, secure and reliable. Even the NSA uses it.

Matt . . . you hit the nail right on the head . . . we don't do any "confidential/sensitive" type of work so that is not a concern it is a PCI issue so will keep looking for the right solution . . .

Guys thanks for all the suggestions - keep them coming I'll let you all know what we end up with

jskibbie · Mar 4, 2015

You should also look at MassTransit: Managed File Transfer - Secure Enterprise Solutions - Acronis

FTP Alternatives??????

dabob

Well-known member

wonderings

Well-known member

jminrod

Well-known member

dabob

Well-known member

mattbeals

Well-known member

ajr

Well-known member

mwc

Well-known member

michaelejahn

Well-known member

mattbeals

Well-known member

dabob

Well-known member

jskibbie

New member

Similar threads

PressWise