File Transfer Server Compliance Liability

Your file transfer server is a compliance liability. Here's what a basic audit turns up on most "it works fine" setups:

Credentials

  • FTP passwords stored in plaintext config files
  • Service accounts shared across the entire ops team (nobody knows who set them up)
  • No rotation schedule — some credentials predate half the engineering team
  • SSH keys checked into private repos without passphrase protection

Audit trails

  • Default syslog only (no transfer logging)
  • Logs rotated before compliance team can review them
  • No way to prove who transferred what, when, to where
  • Successful and failed transfers mixed into the same log stream with no filtering
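An added example (not from this post and not part of mftctl) of the check the audit-trail bullets describe: it rebuilds an accountable record of who transferred what, when and from where, and keeps refused requests separate from completed transfers. The log lines are constructed, and their format is assumed to follow what OpenSSH's internal-sftp writes at `-l INFO`.

```python
import re

# Constructed sample, modelled on OpenSSH internal-sftp logging at "-l INFO"
# (the line formats are an assumption taken from sftp-server's log messages).
SAMPLE_LOG = """\
Mar  1 10:15:02 mft01 internal-sftp[1240]: session opened for local user alice from [203.0.113.5]
Mar  1 10:15:10 mft01 internal-sftp[1240]: open "/upload/report.csv" flags WRITE,CREATE,TRUNCATE mode 0644
Mar  1 10:15:11 mft01 internal-sftp[1240]: close "/upload/report.csv" bytes read 0 written 48213
Mar  1 10:15:30 mft01 internal-sftp[1240]: open "/finance/payroll.xlsx" flags READ mode 0666
Mar  1 10:15:30 mft01 internal-sftp[1240]: sent status Permission denied
Mar  1 10:16:00 mft01 internal-sftp[1240]: session closed for local user alice from [203.0.113.5]
Mar  1 11:02:17 mft01 internal-sftp[1302]: session opened for local user partner-acme from [198.51.100.7]
Mar  1 11:02:20 mft01 internal-sftp[1302]: open "/outbound/invoices-0301.zip" flags READ mode 0666
Mar  1 11:02:25 mft01 internal-sftp[1302]: close "/outbound/invoices-0301.zip" bytes read 1048576 written 0
"""

LINE = re.compile(r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ internal-sftp\[(?P<pid>\d+)\]: (?P<msg>.*)$')
SESSION = re.compile(r'^session (?P<state>opened|closed) for local user (?P<user>\S+) from \[(?P<ip>[^\]]+)\]')
OPEN = re.compile(r'^open "(?P<path>[^"]+)" flags (?P<flags>\S+) mode')
CLOSE = re.compile(r'^close "(?P<path>[^"]+)" bytes read (?P<r>\d+) written (?P<w>\d+)')
STATUS = re.compile(r'^sent status (?P<status>.+)$')

def audit_transfers(log_text):
    """Return (transfers, failures): who moved what, when, from where, and what was refused.

    The sftp-server pid ties every file request back to the session that opened it,
    which is what gives each operation an accountable user and source address."""
    sessions, pending, transfers, failures = {}, {}, [], []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, pid, msg = m.group("ts", "pid", "msg")
        if s := SESSION.match(msg):
            if s.group("state") == "opened":
                sessions[pid] = {"user": s.group("user"), "ip": s.group("ip")}
            else:
                sessions.pop(pid, None)
                pending.pop(pid, None)
        elif o := OPEN.match(msg):
            pending[pid] = {"path": o.group("path"), "flags": o.group("flags"), "when": ts}
        elif (st := STATUS.match(msg)) and pid in pending:
            # A non-OK status right after an open means that request was refused.
            failures.append({**sessions.get(pid, {}), **pending.pop(pid), "status": st.group("status")})
        elif c := CLOSE.match(msg):
            req = pending.pop(pid, {"flags": "", "when": ts})
            transfers.append({**sessions.get(pid, {}), "path": c.group("path"), "when": req["when"],
                              "direction": "upload" if "WRITE" in req["flags"] else "download",
                              "bytes": int(c.group("r")) + int(c.group("w"))})
    return transfers, failures
```

Pointing this at centralised, retained logs rather than a single host's rotated syslog is what turns it into evidence an auditor will accept.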

Encryption

  • FTP still in use on port 21 (unencrypted by default)
  • SFTP available but not enforced
  • No TLS certificate verification on partner connections
  • Some partners still using FTPS with self-signed certs that expired in 2023

Access control

  • Shared credentials mean no individual accountability
  • No MFA on file transfer services
  • Service accounts with overly broad filesystem permissions
  • Former employees' access revoked months late (or not at all)

Infrastructure

  • No health monitoring — transfers fail silently
  • No alerting on failed transfers or expired credentials
  • Backup of transfer logs? Never considered
  • Server OS unpatched because "it's an internal system"

We see this on every infrastructure audit. The problem isn't that teams don't care about compliance. It's that file transfer is treated as plumbing — it works, so nobody thinks about it until an auditor does.

POPIA requires you to know where personal data goes and who accessed it. SOC 2 requires access controls and audit trails. GDPR requires data processing records. Your FTP server is failing all of these.

The fix isn't complicated. Encrypted transfers only (kill FTP). Individual service accounts. Centralised logging with retention policies. Automated credential rotation. A monitoring dashboard that alerts on failures instead of waiting for a quarterly review.

That's what mftctl does in about five minutes of setup. But even if you don't use our tool, the checklist above is a starting point. Run it on your transfer infrastructure this week. You'll find something.