Subscribe to the Non-Human & AI Identity Journal
Home Glossary Cyber Security File Transfer Protocol
Cyber Security

File Transfer Protocol

← Back to Glossary
By NHI Mgmt Group Updated July 12, 2026 Domain: Cyber Security

File Transfer Protocol is a legacy network protocol used to upload, download, and manage files between systems. In security terms, its main weakness is that classic implementations do not encrypt credentials or payloads, which makes intercepted traffic immediately useful to attackers.

Expanded Definition

File Transfer Protocol, commonly called FTP, is a legacy application-layer protocol designed for moving files between a client and a server. In security practice, the important distinction is not simply that FTP transfers files, but that classic FTP sends credentials and data in cleartext unless protected by an additional layer. That makes it fundamentally different from encrypted transfer mechanisms such as FTPS or SFTP, even though those alternatives are often grouped together in casual conversation.

For NHI Management Group, the term matters because many environments still use FTP for batch integrations, vendor exchanges, and scripted automation where long-lived accounts or embedded secrets are common. Guidance varies across organisations on whether FTP should ever remain in production, but there is broad consensus that unencrypted use creates avoidable exposure. The NIST Cybersecurity Framework 2.0 reinforces the need to protect data in transit and manage access in ways that reduce predictable compromise paths.

The most common misapplication is treating FTP as acceptable for sensitive transfers simply because it is still reachable on an internal network, which occurs when teams confuse network location with transport security.

Examples and Use Cases

Implementing FTP in a rigorously controlled environment often introduces operational friction, requiring organisations to weigh compatibility with legacy systems against the cost of credential exposure and compensating controls.

  • A finance team uses FTP to receive nightly reports from a third-party processor, but the account password is captured during network monitoring because the session is not encrypted.
  • A DevOps pipeline calls an FTP server to publish build artefacts, creating a dependency on a shared service account that is difficult to rotate safely.
  • A healthcare supplier maintains an old appliance that only supports FTP, forcing security teams to segment the host, restrict source IPs, and plan a replacement path.
  • An incident response team finds that malware used FTP as an exfiltration channel because the protocol was allowed outbound without strong inspection or policy controls.
  • An organisation migrates from FTP to a protected transfer method after reviewing guidance from the NIST Cybersecurity Framework 2.0 and identifying cleartext transport as an avoidable risk.

Why It Matters for Security Teams

FTP matters because it combines availability, automation, and legacy compatibility with a security model that was never designed for modern threat conditions. When security teams misunderstand the protocol, they often miss that the real risk is not just file content but also credential reuse, session replay, and unauthorised access to downstream systems that trust the transfer host. That becomes especially relevant where FTP is tied to non-human identities such as service accounts, scheduled jobs, or embedded tokens, because those credentials can persist long after the original business owner has changed.

Security teams should treat FTP as a governance issue as much as a transport issue. If the protocol remains in use, controls should focus on network segmentation, strict account scoping, logging, and a migration plan to encrypted alternatives. The strongest references here are not about FTP specifically but about the underlying security objectives: protecting data in transit, limiting access, and reducing implicit trust. Organisations typically encounter the true cost of FTP only after intercepted traffic, leaked credentials, or an audit finding exposes how many business processes depended on an insecure transfer path.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-63 and NIST AI RMF set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.DS-2FTP risk centers on protecting data in transit from cleartext exposure.
NIST SP 800-63AAL2Legacy FTP accounts frequently depend on weak authenticators that fall short of identity assurance.
NIST AI RMFWhen FTP supports AI pipelines, transfer integrity affects AI system risk management.
OWASP Non-Human Identity Top 10FTP service accounts and embedded secrets are common non-human identity exposure points.

Inventory FTP-linked machine credentials and rotate or replace them with managed identities.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 12, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org