Encryption is everywhere:  On your storage, on your network, over the Internet, and in the cloud. Encryption is about protecting your data from those who might otherwise use it to cause harm. It protects you from those who bypass security to access data within your organization, illegal access from outside, and provides protection for compliance. Your live data is the lifeblood of your organization and your backups protect your live data by letting you restore misplaced, damaged, stolen, or incorrectly edited data with versions that keep the business running.

Instead of asking why you should encrypt your backups, you might be better off trying to justify the reverse. Ask yourself, “Why shouldn’t I encrypt my backups?” It’s harder to come up with a justifiable reason. And if you leave it at that, then you're encrypting. And that’s the right decision.

Two basic backup encryption technologies help protect your backups: Source-side data encryption and server-side encryption. Source-side data encryption uses customer-controlled keys to encrypt your data before it leaves your server or network. In Unified Backup Solution, that means protecting your data with 256-bit AES encryption. The Advanced Encryption Standard is used worldwide and back in 2003 the U.S. Government announced it was secure enough to protect classified data. It’s a symmetric algorithm, meaning the same key is used to encrypt and decrypt your data.

What happens if you lose your encryption key? In that case, you're out of luck. Without it, you're not going to be able to decrypt your backups. Not in your lifetime anyway. Which brings up the one administrative item you do need to do. And that tracks your encryption key usage. You'll need to keep these keys in a secure location (which may be a password safe or an encrypted document with limited access).

What are these encryption keys and what do they look like? They are like passwords with combinations of letters, numbers, and symbols. They could be as simple (and insecure) as using the letter “a”, something complex and impossible to remember like “Da^\^K1'8Uay7pFIq:1S” or a memorable passphrase like “when.1.wasYoung-I-likedToGoOnROLLERcoasters”. There's no shortage of articles on the internet about password / key length and complexity. The important thing to remember is, the longer the key, the harder it is to crack the encryption with a brute force attack.

With your backups encrypted, only those with both access to the backup files and the encryption keys can decrypt your data.

How Does Server-Side Encryption Work?

Server-side encryption (SSE) is about protecting your data at rest at the storage level. It's a feature we offer by default and we can't turn it off, we call it Encryption at Rest. Google enables the feature by default but with Amazon and Microsoft, it can be enabled with a single click. All implementations use AES with 256-bit keys. And it’s free.

Server-Side Encryption automatically encrypts data when it arrives, stores the data on disk, and automatically decrypts the data when it leaves - using encryption keys managed by our storage controllers not accessible to anyone.

The data on the disk is encrypted. Think of this as transparent data encryption with no passwords to remember. The best example of its value is this: You put an important business document in cloud storage, but you do not perform any source-side encryption. Maybe you need to access the file as-is from external sources or maybe you simply forgot to enable source-side data encryption. In either case, server-side encryption automatically encrypts the file and stores it on disk – transparently to you. If someone should break into the cloud storage facility and steal a hard drive, the data is safe – even without you applying your own encryption. Anyone with raw data access will not have access to the service controlled encryption keys and will not be able to do anything with the raw data on disk. Your data is safe.

But if you're encrypting your backup data first, is there a need to also use server-side encryption? The short answer is, yes. It’s an added layer of protection, it’s free, and it’s transparent. So why not? It’s better to have two layers of encryption than one – especially if one comes with no administrative overhead or cost.

How we keep your data secure?

As we mentioned before, Cloud4You keeps your data always encrypted at rest but what happens where we are receiving or sending your data from/to your computer?

UBS provides an option to have all your files encrypted in your computer using an encryption key managed by you. This is done in real-time during the backup process and before the files being transmitted to us this ensures that in the very unlikely event of someone being able to intercept the communication, the information will be useless.

All communications between your computer and our servers is secured via 256bit SSL, TLS 1.2 is used to make sure the connection is always secure and several checks are carried before, during and after the backup/restore jobs to make sure UBS is "talking" with the correct server and not someone else pretending to be Cloud4You.