Data encryption can be divided into two scenarios: data transmission (data in transit) encryption and data storage (data at rest) encryption.
For data transmission encryption, Cloud Backup is deployed on Microsoft Azure / Google Cloud Platform and makes its outbound Microsoft API calls and internal communications over HTTPS/TLS encrypted channels. Internal communications use certificate-based authentication.
For data storage encryption, Cloud Backup uses AES 256 to encrypt all the Microsoft 365 data it obtains by calling Microsoft APIs, with keys unique to each tenant (either default keys or BYOK). The encryption happens before the data is transmitted to storage.
When the encrypted data is transmitted to storage, the data transmission encryption depends on the protocols that the target storage supports. For example, Microsoft Azure Blob Storage, Amazon S3, and SFTP each apply their own data transmission encryption algorithms or protocols, but FTP is not an encrypted data transfer protocol. Although the data being transferred is already encrypted with AES 256, as mentioned above, AvePoint recommends using storage types other than FTP that support encrypted protocols.