There are three different security mechanism that can be used with respect to PubNub:
- Connection level Encryption - TLS (formerly, SSL)
- Message level Encryption - AES 256
- Channel Access Controls - PubNub Access Manager
None of these are dependent on each other but at the very least, every application should implement 1 and 3 in your applications.
TLS Connection Encryption
TLS (Transmission Level Security) is enabled by default and there is typically no good reason to disable it for any production application. Many may remember SSL (Secure Sockets Layer) which is the predecessor to TLS.
AES Message Encryption
AES-256 message level encryption is typically only required where the data is highly sensitive where there may be some compliance requirements like HIPAA to encrypt messages. It does require a bit more work to ensure this implemented properly.
Access Manager - Channel Permissions
PubNub Access Manager secures the PubNub Key from being abused by hackers and accidental cross-talk amongst devices/users in the application or intentional, malicious users being nosy.
Access Manager allows you to create and enforce secure access to channels and channel groups throughout the PubNub Platform. As soon as Access Manager is enabled, no PubNub APIs can be executed without first explicitly providing an authorization key (auth key) at time of PubNub object initialization.
Access Manager does not enable TLS or AES message encryption. All three of these security measures are completely independent of each other and each plays an important role in the overall security of an application. And furthermore, TLS and AES are not required to use Access Manager, but we recommend at least using TLS and Access Manager together in all of your apps.