When you need a secure way to transfer files, SFTP seems like the obvious solution: it's secure, widespread, and time-tested. And for the majority of people and organizations, it's the best option. But choosing the best type of SFTP server can be confusing, as you have to choose between self-hosting and using a managed service, and understand how they differ.
When comparing the two, there are several differences to keep in mind. Some important factors to consider are budget, security, and infrastructure, as well as how much time you have to dedicate to maintenance and management.
What's the real difference between self-hosted and managed SFTP servers?
Both self-hosted and managed SFTP services leave you with a functional server, so what's the real difference?
Before cloud computing became widely adopted, self-hosting SFTP servers was really the only option. Organizations would have dedicated machines for transferring files using SFTP, and often used those machines for storage or linked them with storage on the same network. Having the servers on-premises meant that the organization had full control over the devices, but also had to maintain them with updates, upgrade hardware, and keep the infrastructure secure and functional.
Managed SFTP is any method where someone else manages the SFTP infrastructure on your behalf. Sometimes it's a company running the equivalent of self-hosted servers but for an external party, but more often these days it's handled through virtual machines. With global infrastructure companies like AWS and DigitalOcean that have multiple distributed data centers around the world, many organizations are offloading SFTP infrastructure onto these massive and powerful machines, essentially "renting" space and compute power from server farms instead of having to manage physical hardware.
There are a couple of different types of managed SFTP that share similarities but have important distinctions.
Types of managed SFTP
Managed SFTP usually takes one of two forms. With traditional managed services, someone else handles the hardware and infrastructure, but treats it like a self-hosted server.
This is the type where you'll spin up VMs, then pay for and run some sort of SFTP software to simplify or expand SFTP functionality. While more convenient than worrying about hardware, it still involves maintaining the software yourself in most instances, so you'll have to update to new versions and add patches on your own, and still manage the VMs.
The other type of managed SFTP is more like "infrastructure as a service". With this approach, you'll sign up for an SFTP service that also includes the infrastructure. This means that you don't worry about the infrastructure at all. Instead, the company that provides the software also handles all of the infrastructure, and you'll typically configure settings and tasks from a web interface.
Comparing self-hosted and managed SFTP
Self-hosted and managed services each have their pros and cons. And while managed is more "modern", it's not always the best option in every scenario. The differences in maintenance, security, control, price, and scalability mean there are advantages and disadvantages for both types.
Maintenance
Managed SFTP has a clear advantage when it comes to maintenance. With traditional managed services, there isn't any hardware to maintain, while the modern approach with a zero-infrastructure architecture means just that: you don't have to worry about infrastructure at all.
Self-hosted can require a lot of maintenance, especially when managing a network of servers. It also requires a baseline knowledge of SFTP and SSH. You need to understand SSH configuration, user management, key authentication, and security best practices to get started. Your server will need regular updates, security patches, and monitoring. You'll need to add any new users and system integrations.
Physical space is another consideration. You need somewhere to host the machines, whether it's physical hardware in your office, a data center, or somewhere else. You'll also want something in place for backups and redundancy, especially when business-critical transfers are involved. All of these machines require space, as well as someone to maintain them.
Security
Both self-hosted and managed SFTP have advantages when it comes to security. For self-hosted, most of the benefits are related to having full control. You can have an SFTP server with machines you have physical access to that can be completely isolated. When used for internal processes, they don't even have to be exposed to the public internet. Enterprises can run SFTP servers on their intranet with minimal risk that outside actors can gain access.
But the reality is that the vast majority of SFTP transfers involve the internet in some way. There are a number of safeguards that can be put in place to protect the servers, but someone needs to have the technical knowledge and ability to put these safeguards in place. Some examples are changing the default SFTP port, running the server in the DMZ of a network, using network access control lists, enforcing strong passwords & management policies, restricting unencrypted FTP, and more.
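As an added illustration of the self-hosted safeguards above (not part of the original article), here is a small Python audit that checks an OpenSSH `sshd_config` for a non-default port, key-only logins, disabled root login, and a chrooted SFTP-only group. It assumes OpenSSH and a key-only login policy; the group name `sftponly` and the `/srv/sftp` path are hypothetical, and both sample configs are constructed.

```python
# Added example; both configs are constructed ("sftponly" and /srv/sftp are hypothetical).
WEAK = """\
# no Port or PasswordAuthentication lines, so sshd uses its defaults
Subsystem sftp /usr/lib/openssh/sftp-server
PermitRootLogin yes
"""
HARDENED = """\
Port 2222
PasswordAuthentication no
PermitRootLogin no
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
"""
# OpenSSH defaults that apply when a keyword is absent from the file.
DEFAULTS = {"port": ["22"], "passwordauthentication": ["yes"],
            "permitrootlogin": ["prohibit-password"]}
def parse(text):
    """Return (global_opts, match_blocks), each mapping keyword -> list of values."""
    global_opts, blocks = {}, []
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "match":  # a Match block runs until the next Match or end of file
            current = {}
            blocks.append(current)
        else:
            current.setdefault(key, []).append(value)
    return global_opts, blocks

def audit(text):
    """Return findings; an empty list means every check passed."""
    opts, blocks = parse(text)
    eff = {**DEFAULTS, **opts}
    findings = []
    if "22" in eff["port"]:  # Port may repeat; sshd listens on every one
        findings.append("port: listening on default port 22")
    if eff["passwordauthentication"][0].lower() != "no":  # first value wins
        findings.append("auth: password logins allowed (key-only policy assumed)")
    if eff["permitrootlogin"][0].lower() != "no":
        findings.append("root: root login not fully disabled")
    if not any("chrootdirectory" in b and
               b.get("forcecommand", [""])[0].split()[:1] == ["internal-sftp"] for b in blocks):
        findings.append("jail: no Match block with ChrootDirectory and ForceCommand internal-sftp")
    return findings
```

Calling `audit(WEAK)` reports four findings even though the file sets only one weak value, because the missing directives fall back to OpenSSH defaults; `audit(HARDENED)` returns an empty list.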
Traditional managed and self-hosted servers often share the same security drawbacks. One potential weak point is the SFTP software. New exploits are discovered frequently, and unless the software company quickly acts on these issues, machines running the software can be at risk. Once a solution is discovered, it's often up to the person managing the infrastructure or VMs to deploy security patches, and until those patches are installed, which can require server downtime, the server can be at risk.
For Managed File Transfer platforms, this risk is even greater, with several high-profile breaches over the last few years resulting in billions of compromised files when bad actors gain access to this hub that all files pass through. Someone with the right level of access and knowledge needs to be able to react quickly in case an issue comes up.
Modern managed services negate this problem with automatic updating and patching. Because of the way that the services are deployed, it's simple to switch tasks to another machine that has been updated and patched without requiring any downtime. This makes updates near instant, without someone from the organization having to initiate the process. Some platforms are even able to be compliant with strict standards like HIPAA and GDPR.
However, the drawback is related to control. When an external company manages the infrastructure, there's always some risk that something can go wrong at the company, and if that infrastructure goes down for some reason, you have to rely on that company handling the issue on your behalf. While there's minimal risk of infrastructure going dark and you losing everything, the company could, in theory, block access to the servers, though not with business-ending consequences, and likely with some sort of recourse for getting the data back.
Control
Control is the main selling point for self-hosted SFTP. You decide exactly how everything works. Security settings, user permissions, integration with other systems, it's all up to you. There isn't a company that dictates what functionality you do or don't get, and you're only limited by your own time and technical expertise.
For companies with serious regulatory requirements, controlling every aspect of their file transfers gives them the peace of mind of knowing no one else can ruin their setup. When you manage the whole stack, you know exactly how your security is implemented and its limitations. You can upgrade hardware, change software, and control devices at will.
However, this control comes at the cost of time and maintenance. Someone knowledgeable needs to spend time to make sure the network is secure, functional, and up to date.
Managed SFTP takes care of the maintenance, but the provider has control of the servers. The modern approach is a bit of a double-edged sword here. With a solid company, you get simplicity and peace of mind while still having robust security and a lot of time savings. However, a disreputable company can have the opposite effect. If they change their model, offerings, or pricing structure, you're limited in how you can react. And while modern managed SFTP often also saves money, that can quickly change when a shady organization changes tactics, so it's important to work with an established company with a trusted reputation.
Cost
Some companies think self-hosting on-premises servers saves money. Many more-established companies still have this on-premises infrastructure in play today, and getting rid of the infrastructure for a managed approach feels like a huge waste of money. And in some cases, it absolutely is.
When starting from scratch, self-hosted SFTP servers are expensive to set up, run, and manage. You either have to purchase all the hardware for yourself or provision virtual machines, then make sure everything works and continues to function. And while it might seem less expensive than managed services because there's no monthly fee, there are other direct and indirect costs with self-hosted.
If the infrastructure is already in place, the hardware and setup costs are greatly reduced. However, having infrastructure in place can also have a sunk cost effect. Old, dated machines with low performance and minimal security aren't always worth investing resources into, and binding together weak components under the guise of "cost savings" can be more expensive than scrapping the infrastructure and starting fresh or moving to a managed solution.
Part of this comes from the related external costs and issues. You're in charge of networking and keeping systems connected. There's electricity and possibly storage costs. Someone needs to take the time to fix components and install updates and patches. It could even be a full-time job, and someone spending time maintaining infrastructure comes at the opportunity cost of doing something more impactful for the business.
With managed services, costs are usually simpler to predict, especially with the zero-infrastructure approach. When there are no long-term contracts, as with a month-to-month model, you aren't locked into a specific vendor either. In many cases, you can decide what package is right, subscribe to the service, and have a good estimate of how much it will cost for the organization without having to worry about the unpredictable expenses that can happen with self-hosted.
However, this is all contingent on the vendor. Most of the problems with costs related to managed SFTP services have to do with how providers operate. A lot of them take an old-school approach to business that lacks transparency and tries to lock you into contracts for short-term gains. And when they can adjust the pricing at any time, you could be met with a sudden 500% increase without any more features that are useful to your team.
Scalability
Scaling is one of the areas where self-hosted infrastructure is weakest. In many cases, scaling to handle increases in transfer volume is a manual process involving changing machine configurations, adding new devices, and making sure they all work harmoniously. And if the volume grows too much, there's always the issue of physical space. You can only add so many devices into a limited space before having to expand or upgrade, assuming there's a cost-effective upgrade path available.
For traditional managed services, scaling usually comes with adding more licenses. Typically, licenses are activated on a per-machine basis, so this will involve running another machine as well. Then, in order for these machines to work together, scaling configurations will need to be set to manage the transfer increases.
The simplest scaling comes from the zero-infrastructure model, which with some providers scales automatically to meet requirements. In these cases, machines are provisioned as needed to meet spikes without the user having to configure advanced settings. Since this method doesn't require adding more licenses or VMs, it is both near limitless in scalability and also simpler to manage.
Where does Couchdrop fit in?
Couchdrop is a zero-infrastructure managed file transfer platform that functions as a managed service for SFTP and other kinds of file transfers, with a focus on being simple, transparent, and easy to do business with. The modern platform integrates with the tools you already use like hosted cloud storage and lets you securely transfer files between them, including the ability to automate file transfers without having to write code.
With Couchdrop, you get the benefits of managed services like simplicity, reliability, and zero maintenance, without the main drawbacks thanks to our simple, transparent approach to file transfers.
This extends to trying the platform as well. All you need to do to get started is to register for an account and you'll get 14 days to evaluate Couchdrop for free with no credit card or sales demo required. Sign up now to get started.