Overview
There are three different security mechanisms that can be used with respect to PubNub:
- Connection level Encryption - TLS (formerly, SSL)
- Message level Encryption - AES 256
- Channel Access Controls - PubNub Access Manager
None of these depends on the others, but at a minimum every application should implement the first and third: TLS and Access Manager.
TLS Connection Encryption
TLS (Transport Layer Security) is enabled by default, and there is typically no good reason to disable it for any production application. Many may remember SSL (Secure Sockets Layer), which is the predecessor to TLS.
AES Message Encryption
AES-256 message-level encryption is typically only required where the data is highly sensitive and there may be compliance requirements, like HIPAA, to encrypt messages. It does require a bit more work to ensure it is implemented properly.
Access Manager - Channel Permissions
PubNub Access Manager protects the PubNub key from abuse by hackers, from accidental cross-talk among devices and users in the application, and from intentionally malicious users being nosy.
Access Manager allows you to create and enforce secure access to channels and channel groups throughout the PubNub Platform. As soon as Access Manager is enabled, no PubNub APIs can be executed without first explicitly providing an authorization key (auth key) at the time of PubNub object initialization.
Access Manager does not enable TLS or AES message encryption. All three of these security measures are completely independent of each other, and each plays an important role in the overall security of an application. Likewise, TLS and AES aren't required to use Access Manager, but we recommend using at least TLS and Access Manager together in all your apps.