Skip to main content
commvault.com commvault.com
Solved

Commvault Multi-level Cyber Security

R
Forum|alt.badge.img+1

Hello Team,

I would like to know all the cyber security features of Commvault backup solution for a tender I’m working on. 

Please do not just share the online links but I need an expert who has designed / implemented all the security features to give me a short summary on how to achieve following: 

  1. In-line Malware Scan → How to achieve this while taking the backup from source? 
     
  2. In our case we are using two tier of storage Short-term for daily & weekly backup (Commvault HSX Nodes) & Long-Term for monthy and yearly (Object based storage or Tape) → What are the different and most effective way to achieve air-gap for both the storage tier. 
     
  3. Immutability is required for both short-term and long-term (planning to go with Commvault software immutability, since the hardware immutability increases the storage size too much) → What is the best practices to achieve immutability for two tier of storage.
     
  4. HSX nodes - How to completely protect the HSX nodes? Cause if anyone gain access to these nodes, they can list the file system and can delete the data. → I understand the root access is not given to use and Commvault support can do it ondemand basis, however what are the different ways to completely secure & lockdown the HSX nodes?
     
  5. What are the best practices to protect the Media Agent, CommServe & ThreatScan appliances? → MFA, etc etc. 
     
  6. Apart from the Commvault Solution security → Can suggest other ways to protect the whole solution like at the network switch or at the storage end what all needs to be done to lockdown and secure the whole backup solution? 

Any other things that I would have missed, please feel free to include if it is required for security measures. Thank you in advance!

Best answer by sbhatia

Great set of questions.  I’ll give you a quick overview here, but just a heads-up: some of this really depends on how your environment is set up, so it’s a good idea to reach out to your Commvault Account Team or Professional Services to help with the design.

Commvault has a feature called Threat Scan that checks for malware in backup data. It doesn’t scan the data at the source but does the check after the backup completes. It’s useful to make sure you’re not keeping infected data. You’ll need to deploy a Threat Scan server and keep its definitions up to date.

For short-term storage on HSX nodes, you can create a logical air-gap using network isolation, immutability, and strict access controls. For long-term storage like tape, physical air-gap is easy since the tapes can be taken offline. For object storage, you can enable WORM settings and restrict access at the storage level.

Right choice towards software immutability. Just make sure compliance lock is enabled and retention policies are set properly on both short and long-term tiers. It works well if planned correctly.

HSX nodes are already hardened and don’t allow root access by default. Still, it's best practice to limit access, lock down the network paths, and use storage-level immutability to prevent any accidental or malicious deletion.

For Media Agents, CommServe, and Threat Scan appliances, you should enable MFA, apply patches regularly, follow role-based access controls, and enable logging and monitoring to keep things secure.

Lastly, outside of Commvault itself, you can secure the whole solution with network segmentation, locking down ports on switches, and restricting who has access to storage systems. These steps help complete the security picture.

View original
Did this answer your question?

4 replies

Jon Vengust
Vaulter
Forum|alt.badge.img+7
  • Jon VengustVaulter
  • Vaulter
  • 48 replies
  • April 17, 2025

Hi RaviKumarS,

 

Hope you’re doing well.

 

In regards to your queries, its best to speak with our Account/Sales team regarding these matters to put you in touch with the right resources. Especially if this is for an upcoming tender...

R
Forum|alt.badge.img+1
  • RaviKumarS
  • Author
  • 2 replies
  • April 17, 2025

@Jon Vengust thank you for your response. I am already in touch with local CV team and their support is great. 

I wanted to get more ideas from other partners/ customers too who have implemented /designed different solutions to meeting the security requirements mentioned. 

sbhatia
Vaulter
Forum|alt.badge.img+6
  • sbhatiaVaulter
  • Vaulter
  • 48 replies
  • Answer
  • April 22, 2025

Great set of questions.  I’ll give you a quick overview here, but just a heads-up: some of this really depends on how your environment is set up, so it’s a good idea to reach out to your Commvault Account Team or Professional Services to help with the design.

Commvault has a feature called Threat Scan that checks for malware in backup data. It doesn’t scan the data at the source but does the check after the backup completes. It’s useful to make sure you’re not keeping infected data. You’ll need to deploy a Threat Scan server and keep its definitions up to date.

For short-term storage on HSX nodes, you can create a logical air-gap using network isolation, immutability, and strict access controls. For long-term storage like tape, physical air-gap is easy since the tapes can be taken offline. For object storage, you can enable WORM settings and restrict access at the storage level.

Right choice towards software immutability. Just make sure compliance lock is enabled and retention policies are set properly on both short and long-term tiers. It works well if planned correctly.

HSX nodes are already hardened and don’t allow root access by default. Still, it's best practice to limit access, lock down the network paths, and use storage-level immutability to prevent any accidental or malicious deletion.

For Media Agents, CommServe, and Threat Scan appliances, you should enable MFA, apply patches regularly, follow role-based access controls, and enable logging and monitoring to keep things secure.

Lastly, outside of Commvault itself, you can secure the whole solution with network segmentation, locking down ports on switches, and restricting who has access to storage systems. These steps help complete the security picture.

R
1 person likes this
  • R
    RaviKumarS
R
Forum|alt.badge.img+1
  • RaviKumarS
  • Author
  • 2 replies
  • April 24, 2025

Thank you so much ​@sbhatia, this is very insightful. Appreciate your response!

Reply


Most helpful members this week

Terms & ConditionsCookie settings

Cookie policy

We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

 
Cookie settings