Data protection is our highest priority. Security is built into every step of our data management services from an end user's computer all the way to backup storage. Use our security features and administrative tools to enhance your own data security plan to ensure that your data is kept private and safe from unauthorized users.
If you feel you have discovered a security vulnerability, go to Report Security Vulnerabilities to report it.
CommCell Security
All configuration data, job records, and access control to Commvault managed data is contained within the CommServe database. Regardless of what other security barriers you put in place, if the CommServe database is compromised, your data is vulnerable. Your primary means to protect the CommServe database are the physical, application, and network security measures you take.
For information on securing your CommCell environment, see Securing the CommServe Computer.
User Security
Logon Attempts
Administrators can limit the number of times a user can attempt to logon. After the limit is reached, the user account is locked for the time period defined by the administrator. For more information, see Limiting User Logon Attempts.
Two-Factor Authentication
When two-factor authentication is activated, users must enter a 6-digit PIN (personal identification number) along with their passwords to access the CommCell environment. For more information, see Two-Factor Authentication for Your CommCell Environment.
Role-Based Security
A role is a collection of permissions administrators assign to users and entities to create a three-way security association. Roles can be assigned to any external or CommCell-based user or user group. For more information, see Security Association Overview.
Integration with External Domains
Administrators can manage a single set of users through integration with external directory services like Active Directory and Oracle Directory. Commvault roles and entities can be assigned directly to an external group or user. For more information, see Domains Overview.
SAML Support
Security Assertion Markup Language (SAML) is an XML-based open standard that allows authentication by an Identity Provider (IdP) for Web Console users. SAML can be used to create a single identity for each user for a single sign-on log on for all applications. A SAML User Registration Workflow is available to create user names in the CommServe database. For more information, see External Authentication with SAML Integration (SSO) - Web Console.
Owners
Assigning client owners simplifies laptop security. Administrators can set security for all client owners at once by assigning client owner permissions at the CommCell level. Administrators also have the flexibility to set client owner security at the client computer group and client levels. For more information, see Owner Security Overview.
Privacy
The Privacy feature prevents users and administrators who are not client owners from seeing the data on the client. For more information, see Privacy for Owners.
Credential Manager
With Credential Manager, you can store credentials for different types of accounts to use for various CommCell configurations. Administrators can give users permissions to use the credentials to configure resources from the CommCell Console without distributing the user name or password to access the resource. For more information, see Store Account Information with Credential Manager.
Network Security
Encrypted Challenge and Reply
All CommCell communication between the CommServe and client use encrypted challenge-and-reply to validate the hosts involved.
Firewall Support
CommCell components separated by a firewall can be configured to use authorized ports and connection routes (inbound, outbound, two-way) through the firewall to communicate and perform data management operations. For more information, see Firewall Overview.
Network Zoning
Network zoning adds security checks for connections that are attempted via network gateways. Commvault embeds cryptographically protected IDs (called ZoneID numbers) into the certificates of each computer in the CommCell Console. When a computer attempts to connect to a peer, the peer looks at the computer's ZoneID and decides whether to accept the connection.
Port-Forwarding Gateway
In addition to the firewall routes configured in your CommCell environment, you can also establish connectivity between CommCell computers on port-forwarding gateways. For more information, see Port-Forwarding Gateways.
Data Security
Media Password
The media password prevents unauthorized access of data from removable media when using external recovery tools to restore data. This ensures that only the originating, licensed CommCell environment can recover data. For more information on setting media password, see Changing the Media Password.
Delete Backup and Archived Data
Data that has been backed up or archived can be permanently deleted so that it is no longer available for browsing and recovery. Data that has been deleted cannot be restored.
For more information, see Delete Backup and Archive Data.
Endpoint Data Security
Client Certificates
Client certificates are used to authenticate connections between client computers and the CommServe host. The authentication process reveals and confirms the identity of the client attempting to establish connections with the CommServe host during installation. For more information, see Network: Client Certificates.
Data Loss Prevention
DLP locks files on a laptop and requires a passkey to open the locked files. If the laptop is lost or stolen, this prevents unauthorized access to the data. For more information, see Data Loss Prevention Overview.
Secure Erase
Protect sensitive data on laptops by specifying certain files to be erased if the laptop is offline without connectivity with the CommServe host for a specified number of days or if a computer marked as lost or stolen is turned on and connects with the CommServe host. For more information, see Data Loss Prevention - Secure Erase.
Data Encryption
Software
The Commvault software supports both online (client to media) and offline (media to media) data encryption. For online data encryption that transits over a network, the location where the encryption takes place is configurable. For more information, see Software Encryption Overview.
Hardware
Commvault supports tape devices with built-in encryption. The tape device must provide the necessary controls to get the encryption capabilities and to set the encryption properties on the drive. For more information, see Hardware Encryption Overview.
Key Management
Commvault provides encryption key management services for its software encryption ciphers and for supported encryption-enabled hardware devices. You can provide additional protection for Commvault encryption keys with the use of SafeNet before storing the keys in the CommServe database.
Monitoring
Audit Trail
Administrators can track the operations of users who have access to the CommCell environment. This capability is useful when you want to determine the source of a detrimental operation performed in the CommCell environment. For more information, see Audit Trail.
Log Monitoring
The Log Monitoring tool monitors system events, user operations, logs, and analytic information for trend analysis and automated, centralized reporting as may be required for compliance. Auditors and administrators can customize what, where, and how often information is collected and can monitor the results from a single point of view, which makes it easier to spot patterns that require attention. For more information, see Log Monitoring.