Hi @Abdellatif AITELBACHA , thanks for the post!
Have you looked at this white paper?
https://www.commvault.com/resources/greater-ransomware-protection-with-data-isolation-and-air-gap-technologies
We covered this and a few other items in our Ransomware blog:
There is always tape. Its a Sheltered Harbor solution that can be plugged into the HSX.
Ejecting tapes is guaranteed air gap. Store them in the same location no need send them offsite.
If you can virtually partition your tape library you can store them in the same library. Moving tapes from one virtual partition to another is done remotely by library software not by the backup software. It is completely out of band and even on a different or isolated IP network.
Thanks Guys for your inputs
Tape is not an option as HSX was proposed and sold as the replication target on the air-gapped environment.
I was under the impression that Commvault will manage the VM Proxy power state using some workflows. But by reading the links provided, this should ne managed from the hypervisor.
In short, correct me if I am wrong, we use a combination of VM power management (from hypervisor), blackout window and network topology (from Commvault) to “open and close the gate” between the source HSX cluster/CS and the air-gapped HSX cluster.
Then we assign proper schedules to Aux Copies so that they are allowed to run only outside the blackout window. The proxy VM being powered off during the blackout window , communication cannot be established with the appliances. It can also be enforced by FW or network routing.
Am I correct ?
Regards
Abdellatif
@Abdellatif AITELBACHA , you have it. The hypervisor keeps the vm proxy offline via power management as an extra security measure. This limits exposure to malicious sources.