June 12, 2026
SFTP to cloud migration: the checklist auditors actually ask for
Legacy SFTP appliances survive because auditors keep asking the same four questions. Migration projects fail when teams move files but cannot answer them on day one of production.
1. Identity and access
Who can connect, with what credential, and how is access revoked when someone leaves? Entra ID SSO plus enforced TOTP MFA beats shared service accounts on a jump box.
2. Encryption in transit and at rest
TLS 1.2 minimum on the wire, AES-256 at rest, key rotation documented. Auditors want algorithm names, not "industry standard."
3. Retention and deletion
Per-folder retention, legal hold, and provable deletion. SFTP shares without lifecycle policy fail GDPR and internal records management reviews.
4. Evidence export
Per-transfer log with user ID, IP, timestamp, and outcome. Exportable audit packet for ISO 27001 A.8.10 and A.8.12, DORA, or vendor-risk questionnaires.
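As an added example (not from any product's code), here is one way to check that an exported transfer log actually carries the four fields item 4 names before it goes into an audit packet. The JSON Lines format, the field names (user_id, ip, timestamp, outcome), the outcome vocabulary, and the function names are all assumptions; the sample records are constructed.

```python
import hashlib
import ipaddress
import json
from datetime import datetime

REQUIRED = ("user_id", "ip", "timestamp", "outcome")  # the four fields from item 4
OUTCOMES = {"success", "failure", "denied"}           # assumed outcome vocabulary

# Constructed sample export (JSON Lines); field names are assumptions.
SAMPLE_LOG = """\
{"user_id": "alice@example.com", "ip": "203.0.113.7", "timestamp": "2026-06-01T08:15:02+00:00", "outcome": "success", "file": "payroll.csv"}
{"user_id": "svc-batch", "ip": "198.51.100.20", "timestamp": "2026-06-01T08:16:40+00:00", "outcome": "failure", "file": "ledger.xml"}
{"user_id": "", "ip": "203.0.113.9", "timestamp": "2026-06-01T08:17:11+00:00", "outcome": "success", "file": "hr.zip"}
{"user_id": "bob@example.com", "ip": "not-an-ip", "timestamp": "2026-06-01 08:18", "outcome": "ok", "file": "q2.pdf"}
"""

def check_record(rec):
    """Return the problems that make this record unusable as evidence."""
    problems = [f"missing {f}" for f in REQUIRED if not str(rec.get(f, "")).strip()]
    if rec.get("ip"):
        try:
            ipaddress.ip_address(str(rec["ip"]))
        except ValueError:
            problems.append("ip not parseable")
    if rec.get("timestamp"):
        try:
            # A timestamp without an offset cannot be correlated across systems.
            if datetime.fromisoformat(str(rec["timestamp"])).tzinfo is None:
                problems.append("timestamp has no UTC offset")
        except ValueError:
            problems.append("timestamp not ISO 8601")
    if rec.get("outcome") and rec["outcome"] not in OUTCOMES:
        problems.append("outcome not in agreed vocabulary")
    return problems

def build_audit_packet(log_text):
    """Validate every line; return counts, findings, and a digest of the raw export."""
    findings = {}
    lines = [l for l in log_text.splitlines() if l.strip()]
    for n, line in enumerate(lines, start=1):
        problems = check_record(json.loads(line))
        if problems:
            findings[n] = problems
    return {"records": len(lines), "complete": len(lines) - len(findings),
            "findings": findings,
            "sha256": hashlib.sha256(log_text.encode("utf-8")).hexdigest()}

if __name__ == "__main__":
    print(json.dumps(build_audit_packet(SAMPLE_LOG), indent=2))
```

The SHA-256 digest is computed over the raw export, so the reviewer can confirm that the file they received is the one that was validated.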
Use our MFT audit checklist to score your current stack before you scope a migration.