Online Backup: SSL or AES encryption??

If you have been shopping around for an online data backup service, then you have probably noticed that many of the providers use two different terms when describing their encryption capabilities. Some say SSL, some say AES, and some say both. Which one is best? Here's the scoop:

SSL is an acronym for Secure Socket Layer. SSL is used to encrypt data during transmission. It scrambles data so that if someone taps the wire, they will only see scrambled data. Your browser knows how to decrypt the data from an SSL encrypted web page because when the request was made for the page, your browser and the web server exchanged a unique session key that is required to view the data. SSL is a well established and documented technology. In addition to browsers and web servers, many other data transmission systems implement SSL as well. This includes online data backup systems.

AES is an acronym for Advanced Encryption Standard. AES is a very secure encryption technology that has been through rigorous analysis and testing by the US Government as well as many universities and private organizations. AES is the encryption technology recommended for government top-secret documents. AES is used to encrypt any data for storage. Unlike SSL, AES is not a protocol that exchanges session id's and keys with a browser or any other system. When data is encrypted with AES, the same key that was used to encrypt the data is required to decrypt it. Whoever or whatever receives AES encrypted data, must have the encryption key to access the contents.

While SSL is good for encrypting data during transmission, AES is good for encrypting data for storage. Online backup is an interesting case for AES. Some of the secure online backup services encrypt the data with AES before it is transmitted to the off site Internet storage facility. This negates the need for SSL because the data is encrypted before it reaches the transport layer. Furthermore, the data will remain encrypted while at the offsite storage facility until a program beyond the transport layer uses the original encryption key to decrypt the data. In the case of a truly secure online backup service, the encryption key is never sent to the offsite storage facility, therefore, the data remains encrypted at all times and can only be decrypted by the owner who has the original encryption key. See this statement from one of the top-notch secure online backup services.

Just because an online backup service boast of SSL and AES doesn't necessarily mean they will keep your data secure. SSL by itself will prevent a wire-tapper from capturing your data as it flows through the internet, but it does nothing to protect your data from a number of other security problems. If a hacker gains access to the internal network of the online backup service provider, then your data may be exposed. But if your data is stored in encrypted form with strong encryption technology like AES, then a hacker would need your encryption key to get access to your data. But wait, there is another threat; what if a technician at the offsite data center uses your encryption key to access your private data. Don't rule it out, it is not unusual for businesses suffer losses due to inside jobs. If your data is strongly encrypted with AES, and your key is never known by the online backup service provider, then your data is safe from insiders as well as hackers. The last threat would be your own encryption key. As long as you use a reasonably good encryption key, your data will be safe, but if you use your name, telephone number, address, or any other personally identifiable information, then all bets are off.

So when you see an online backup service provider throwing around terms like SSL, encryption and AES; don't feel safe just yet, dig deeper and make sure they state how they use the technology to secure your data. And last but not least, use strong passwords and encryption keys.


Vikram Khopade said...

Nicely Explain the Basic Difference between SSL and AES....Thanks

iDeals vdr virtual data room said...

Also since you're probably going to be paying for a backup service for years, you should know from the start what you're getting into in terms of money. They're all subscription-based, and there are many ways the vendors slice and dice the fees to make them seem appealing. Some backup services list prices by the month, but those prices often only apply if you commit to a one- or two-year contract. Some prices only cover one PC, while others specify a number of machines you can use in one account.