SFTP over Internet strong enough for SOX?


My company offers IPSec VPN and direct connection (ISDN) methods for
partners to securely transfer files between us. All require transfers
to use SSH/SFTP as this is what our file server supports. Some new
partners want to use only SFTP over the Internet without the VPN
overhead or cost of a direct connection.

I guess as long as an Internet facing SFTP server is security hardened
and has appropriate perimeter security, and the security of the
transfer matches that offered by the VPN tunnel (encryption algorithm,
key size, shared secret, etc.) then it should be OK.

Can anyone comment on how suitable SFTP is for transferring files that
might contain data where controls must comply with DPA or SOX?
