What is SFTP used for?

tabrownz
Level 1

What is SFTP used for in Cisco, and in general networking? How often, what for? thanks

1 Accepted Solution


Hi Leo, SFTP, as I have found, is used for various applications or use cases, such as public-facing SFTP gateways like AWS S3, Azure Blob, Google Cloud Storage, and GoAnywhere MFT, and educational portals like CQU HPC and Harvard FASRC.

What is your use case? Why are you transferring files?


24 Replies

Joseph W. Doherty
Hall of Fame

SFTP as in Secure File Transfer Protocol?

SFTP, or Secure File Transfer Protocol, is a secure file transfer protocol that uses secure shell (SSH) encryption to provide a high level of security for sending and receiving file transfers. It combines the secure authentication and encryption features of SSH with file transfer functionality, allowing users to securely upload, download, and manage files on remote servers using an encrypted connection.

Basically, if you have a need to transfer files between hosts, encrypted.

How often it's used would be very dependent on your perceived security needs.

Thanks. I'd like to know how much it's used and what it is used for. For example, FTP used to be used to transfer files with Cisco devices, and to upload files to a website. Is it still the same nowadays but with SFTP, or …?

The answer I need is a difficult one, I think, as to get to the bottom of it I would need to survey a representative sample of small, medium and large businesses, enterprises, private and government, to best determine it. But if an individual worked in the area and had been at various organisations over a number of years, they may know the answer.

Well, I've worked decades in IT, across multiple organizations, and in my experience I don't recall anyone normally tracking usage of particular specific data transfer protocols. Those dealing with maintaining customized QoS of firewalls might have some information, but especially for a protocol like SFTP, there may not be much detailed usage information. Anyone that has such information about detailed usage of SFTP I would suspect would be rare and unlikely to be representative of the industry as a whole.

A possible issue for even obtaining usage data on SFTP might be, can it even be distinguished from SSH console traffic or SCP?

"Difficult" might be an understatement.

Thanks. Not looking for tracking. More like, "oh yeah, we use or used SFTP for ....", or "we used FTP for .... and even though SFTP was available, there were more suitable means via HTTPS, cloud-based services, and VPN, so we don't use it anymore."

From what I am hearing through my enquiries today, it seems to have niche-type uses, not mainstream. Good where automation via scripting is needed, or very large file transfers outside of an organisation's wider network. So, I'm thinking in comparison to, say, HTTPS, VPN, and cloud-based services that provide file transfer, SFTP use would be significantly less. What do you think?


I would suspect, but don't actually know, that something like SFTP would be, as you say, niche usage.

Even going external, bulk data transfers are possibly already encrypted by some feature of the application that uses the data or via an encrypted tunnel.

Automation of some kind, I agree, would be a possible best usage case, but as you also noted there are other options. Plus inertia retards upgrades of existing working solutions. For example, network device access via SSH vs. telnet, in my experience, was a slow adoption. The reasoning for the latter was that it was believed being able to somehow log on to the device was more of a concern than transit traffic being viewed by a man in the middle. (Oh, for those wondering wouldn't telnet expose logon credentials, it does, but passwords were keyed to a hardware key each user had and were changed every few seconds.)

@tabrownz hi, SFTP is Secure File Transfer Protocol. I assume you have an idea about FTP, which is famous for file transferring. SFTP is kind of the same with encryption on top, so when you move files through the network you can avoid information leaks from MITM attacks. This is recommended for use in all possible file transferring requirements due to the security improvements. You can use it any time with supported systems.

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

Thanks. I know what SFTP does. What I don't know is how many of the millions of organisations in the world are using it, and what they are using it for, specifically.

Most organizations today use SFTP as the standard file transfer protocol; FTP is considered highly insecure, as you can see information sent over FTP with a simple packet capture.

-hope this helps-

Doesn't help much, though thanks. I know what SFTP is. But where, when, and how is it being used specifically? What are the use cases? File transfer from Cisco devices, for example. Who or what has the need to have the control that SFTP provides for file transfer?

Network operators with a CSO/CISO will most likely have a policy requiring login creds to be sent as ciphertext. That policy would rule out using FTP (cleartext creds) or TFTP (no creds) to pull new NOS images into routers/switches. These operators would use scp/sftp instead when they want to upgrade the NOS.

Disclaimer: I am long in CSCO

Well, let's say you don't use SFTP; you want to use HTTPS. HTTPS is built for web-based file sharing, like transferring information between web servers and clients (usually web browsers). File-sharing services (e.g., Dropbox, Google Drive) use HTTPS to ensure files are securely uploaded/downloaded between users and the web server. Also, since this is over the web, a public CA trust is mandatory to maintain.

Coming back to SFTP, also most likely the SFTP server is owned, so public CA trust is not needed; you can use internal PKI or just username/password for trust. You may also need to have permission to support file operations like reading, writing, and modifying files on the remote system, which may be well suited for things like backup, overriding backup, changing backup access permissions, etc., which may not be available over other protocols.

Although this is a moving target, as a lot of vendors (especially cloud-managed network providers) have started allowing web-based upgrades, backups, etc. over HTTPS and modification over simple API calls, it's more convenient. It may be well received by a lot of customers, but may not be by Federal customers.

-hope this helps-


@tabrownz wrote:
 and what they are using it for, specifically.

In a nutshell: transfer files from Points A to Points B (or vice versa), securely.

Each day or each week, the network engineer needs to keep a backup of network device configs. These configs include sensitive info, like passwords and public IPs. If engineers use TFTP/FTP for these backups then a man in the middle can capture the data and learn this sensitive info. This is why engineers use SCP or SFTP to send backup data to a server.

MHM

I'm about to mount my soapbox and touch upon the "need" for something like SFTP for network device backups, targeting a couple of points made by @MHM Cisco World, but I'm not targeting MHM.

"Each day or one week, the network engineer need to keep backup of network device config . . "

Yup, not bad practice, although I like systems that pick up device config changes shortly after they've been made.

". . . these Config include sensitive info."

True, but just how sensitive?

"Like password public IP . . ."

Hopefully config passwords are not in clear text or an easily breakable encryption format.

How secret is a "public" IP?

Regarding man-in-the-middle, if we're discussing internal networks, are your employees vetted? Is access to network infrastructure devices behind locked doors/cabinets (i.e. can someone easily get in the middle of the network device and the config backup host)?

Again, how sensitive is the config? Huge difference, I believe, between seeing a device config and being able to access the device.

Don't misunderstand, I'm not against security; just, in my experience, many security folk focus on security to protect against all possible threats regardless of the cost to do so. For example, from a security standpoint, leaving under a dollar's worth of change in my unlocked desk drawer allows it to be easily stolen. That's true. But, conversely, we probably don't need a ten-ton safe, with time locks and multiple-person keys, to protect under a dollar of loose change.

In my experience, often it seems it's one extreme or the other, i.e. no one considers security threats at all or we need Fort Knox level security for everything.

In the case MHM mentions, if I'm an attacker, and I really want to see multiple device configs, do I work at multiple man-in-the-middle attacks or do I work on breaching the security of the host containing all the backup config copies?

Again, I'm not arguing there's anything wrong in using SFTP for device config backups, and all else being equal, it's probably good to use host-to-host encryption, but it really needs to be analyzed in the larger picture.

One issue that can be overlooked when using encryption: if data volume is a concern, encrypted data generally cannot be well compressed unless compression is done before encryption (of course, a device config doesn't usually have the "volume" where this would be an issue), but if a company is using SFTP willy-nilly, host to host, because it's more secure than FTP (true), it can preclude a network edge device doing both effective compression (e.g. WAFS, WAAS) and optional encryption.

Jim ( @Ramblin Tech ) mentions "Network operators with a CSO/CISO will most likely have a policy requiring login creds to be sent as ciphertext.", which is probably true of the larger network operators. Possibly not as true of smaller network operators.

Anyway, my soapbox point is, consider the big picture, benefits vs. costs, operational impacts, security failure impact.

Also realize, perfection is often a worthwhile goal but often not obtainable, at least at an acceptable cost, so some risk is often acceptable.
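As an added illustration (not part of the original post) of the compression point above: a one-time pad stands in for the SSH transport cipher, and the sample config is constructed. The numbers show why a WAN optimizer downstream of SFTP has nothing left to compress, while compressing first and then encrypting keeps the saving.

```python
import os
import zlib

# Constructed sample "running-config" (not from the original post). Real device
# configs repeat the same keywords per interface, which is why they compress well.
SAMPLE_CONFIG = "\n".join(
    f"interface GigabitEthernet1/0/{i}\n"
    f" description access port {i}\n"
    " switchport mode access\n"
    " switchport access vlan 10\n"
    " spanning-tree portfast"
    for i in range(1, 49)
).encode()

def encrypt_otp(data):
    """One-time-pad encryption (XOR with a random keystream), used here as a
    stand-in for the SSH transport cipher: any sound cipher makes the output
    look like random bytes, which is the property that defeats compression."""
    key = os.urandom(len(data))
    return bytes(a ^ b for a, b in zip(data, key)), key

def ratio(data):
    """Compressed size / original size (lower is better; > 1.0 means it grew)."""
    return len(zlib.compress(data, 9)) / len(data)

def compare_orders(data):
    """Size ratios for the three cases the post contrasts, relative to len(data)."""
    ciphertext, _ = encrypt_otp(data)
    compressed_then_encrypted, _ = encrypt_otp(zlib.compress(data, 9))
    return {
        # compression applied to the plain config before any encryption
        "plain": ratio(data),
        # what a WAN optimizer sees after SFTP has already encrypted the transfer
        "encrypt_then_compress": ratio(ciphertext),
        # compress first, then encrypt: the ciphertext keeps the compressed size
        "compress_then_encrypt": len(compressed_then_encrypted) / len(data),
    }

if __name__ == "__main__":
    for name, r in compare_orders(SAMPLE_CONFIG).items():
        print(f"{name:22s} {r:.3f}")
```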
