One of the most important choices to make when selecting a cloud provider is whether your vendor will encrypt your data before sending it to the cloud, or upload your data raw and have it encrypted there (at-rest encryption). Uploading raw data and relying on at-rest encryption is often seen as faster and more convenient. Taken as a whole, however, at-rest encryption comes with many disadvantages that, for most companies, should disqualify it as a viable solution. When it comes to security, all the advantages and disadvantages need to be thought through carefully to ensure that your cloud encryption is effective. With this in mind, let’s explore three reasons why you should always choose a vendor that encrypts data before it’s sent to the cloud.
1. Enhance data security
Encrypting your data before sending it to the cloud provides an essential and fundamental layer of security. This is particularly important for the companies mentioned above who store sensitive and proprietary data, such as business documents, financial information, or personal files.
Your cloud vendor will likely have some kind of security measures to protect your data, but unless they encrypt it before it ever enters the cloud, there’s no guarantee that your information will remain secure in the event of an endpoint breach. Uploading your data raw will leave you vulnerable.
The bottom line? Don’t sacrifice genuine security in the name of convenience: your cloud encryption solution shouldn’t upload your data raw.
The Hidden Costs of Client-Side Encryption at Enterprise Scale
While encrypting data before sending it to the cloud provides superior security, enterprises need to understand the operational trade-offs. Client-side encryption can reduce upload speeds by 15-30% due to the computational overhead of encrypting large datasets. For a company backing up 100TB of data, this means backup windows that used to take 10 hours might now take 13 hours.
Storage costs present another consideration. Encrypted data doesn’t deduplicate effectively, potentially increasing storage requirements by 40-60%. If your organization currently stores 50TB after deduplication, you might need 80TB once everything is encrypted client-side. At enterprise scale, this translates to thousands of dollars in additional monthly storage fees.
The infrastructure requirements shouldn’t be overlooked either. Proper key management at enterprise scale requires Hardware Security Modules (HSMs) and dedicated key management systems, which can cost $100,000 or more annually. Despite these costs, for organizations handling financial records, healthcare data, or intellectual property, the security benefits far outweigh the operational overhead. The key is understanding when these trade-offs make sense for your specific data categories.
2. Maximize efficiency
Encrypting your data before uploading it to the cloud can also lead to more efficient data transfers. After your data is encrypted, your vendor will then send only the smallest amount needed to the cloud, consuming less bandwidth.
For companies who are paying for data usage or consumption, encrypting your data can result in cost savings over time. By encrypting (and therefore compressing) your data before you send it to the cloud, you can stay within your plan’s limits and/or avoid unexpected charges.
3. Reduce human error
As we said above, human error is the main cause of cloud data breaches — this means any solution your company chooses should have protocols to minimize that error. In general, manual data protection policies are known to be flimsy — a recent study from TAG Cyber summed it up: “Administrative control using manual procedures is inferior to technical controls based on automation.”
Encrypting your data before sending it to the cloud provides protection from this inferiority — particularly when transmitting data over home or public networks. At your office, your admin and IT teams have complete control over your network. But once hybrid and remote work arrangements are in play, all bets are off. This lack of network control drastically multiplies the risks associated with human error.
By encrypting your data before you send it to the cloud, you ensure that it is secure no matter what network your employees are using.
Securing the Distributed Workforce: Encryption for Remote Access
The shift to hybrid work has fundamentally changed the encryption equation. Your employees are no longer backing up data from your secured corporate network. They’re using home routers that haven’t been updated since 2019, as well as coffee shop WiFi and airport lounges. Without proper encryption, data transmitted over these unsecured networks becomes vulnerable to man-in-the-middle attacks and packet sniffing.
This is where encrypting before transmission becomes non-negotiable. VPN encryption protects the tunnel between your employee’s device and your corporate network, but it doesn’t protect the data itself during cloud backup. If an employee’s home network is compromised, unencrypted backup data could be intercepted before it even reaches the VPN tunnel.
Geographic distribution adds another layer of complexity. Your London-based employees might be subject to GDPR requirements that differ from your Singapore team’s data residency rules. Client-side encryption with centralized key management ensures consistent protection regardless of where your employees work, while maintaining compliance with regional regulations. For truly distributed teams, this approach eliminates the guesswork about whether data is adequately protected at each location.
“Lock your suitcase” through the process of data encryption
As businesses continue to lean more heavily on cloud providers to manage their data, they need to develop a greater understanding of how their vendors are protecting that data. This includes the basic concepts as well as the finer points. Encrypting your data before sending it to the cloud vs. after is just one important example of the choices and questions that fully informed companies will have to be ready to address when evaluating vendors.
Through an ongoing process of education, combined with expertise from CISOs or other IT specialists, your company can begin to clearly differentiate between comprehensive backup solutions like CrashPlan that encrypt your data before uploading it to the cloud, and other, less satisfactory options.
Building Your Encryption Decision Matrix
Not all data requires the same level of encryption. Organizations handling healthcare data must comply with HIPAA’s encryption requirements, while financial services face PCI-DSS mandates. But regulatory compliance is just the starting point for your encryption strategy.
Start by classifying your data into tiers. Public marketing materials might only need cloud-provider encryption. Internal communications could require encryption in transit. However, source code, customer databases, and financial records require client-side encryption with keys that you control. This tiered approach strikes a balance between security and operational efficiency.
When evaluating cloud backup vendors, ask specific questions about their encryption architecture. Who generates the encryption keys? Where are they stored? Can the vendor access your unencrypted data? If the answer to that last question is yes, you’re trusting not just the vendor’s security, but also every employee who might have administrative access. For many enterprises, that’s an unacceptable risk for their most sensitive data categories. The right encryption strategy isn’t about applying maximum security to everything; it’s about matching protection levels to data sensitivity and compliance requirements.
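The sketch below is an added example, not CrashPlan's code or any vendor's implementation. It shows what "keys that you control" means in practice and why, as noted earlier, client-side encrypted data does not deduplicate: the same chunk sealed twice yields two unrelated objects, and only the key holder can restore. It assumes AES-256-GCM as the cipher; the function names, the demo key and the sample chunk are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// NewClientCipher builds AES-256-GCM from a 32-byte key held only by the client.
func NewClientCipher(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a chunk before upload; name is bound as associated data.
func Seal(g cipher.AEAD, chunk []byte, name string) []byte {
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // no entropy: refuse to produce a blob
	}
	return g.Seal(nonce, nonce, chunk, []byte(name)) // nonce || ciphertext || tag
}

// Open is the restore path; a wrong key, wrong name or altered blob is an error.
func Open(g cipher.AEAD, blob []byte, name string) ([]byte, error) {
	if n := g.NonceSize(); len(blob) >= n {
		return g.Open(nil, blob[:n], blob[n:], []byte(name))
	}
	return nil, fmt.Errorf("blob shorter than nonce")
}

// UniqueBlobs counts distinct objects as a hash-based dedup store would.
func UniqueBlobs(blobs ...[]byte) int {
	seen := map[[32]byte]bool{}
	for _, b := range blobs {
		seen[sha256.Sum256(b)] = true
	}
	return len(seen)
}

func main() {
	g, _ := NewClientCipher([]byte("constructed-demo-key-32-bytes!!!")) // demo only
	c := []byte("constructed sample chunk")
	fmt.Println(UniqueBlobs(c, c), UniqueBlobs(Seal(g, c, "a"), Seal(g, c, "a")))
}
```

A vendor that receives only the output of `Seal` stores opaque blobs; without the key it can neither run `Open` nor recognise that two uploads carry the same content.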


