Strengthen Ransomware Protection with Data Isolation and Air-gap Technologies

Protecting your data and ensuring your backups are secure and available for a quick recovery is everyone’s top priority. However, like safeguarding a fortress, you must remain vigilant and always have complementary built-in defense mechanisms in place. Commvault Complete™ Backup & Recovery software includes multiple security layers and key tools to protect and restore your data and applications. So how do you prepare? Start by making sure you’re recovery ready with two proven techniques for reducing your backup data’s attack surface.

Data isolation

Isolating backup data with Commvault is straightforward, enabling you to maintain secondary/tertiary copies of backup storage targets that are segmented and inaccessible from the connected corporate network. Data isolation is typically accomplished using virtual LAN (VLAN) switching, next-generation firewalls, and least-privilege/zero trust strategies for segmentation and data access.

Limiting access and isolating data through segmentation reduces the attack surface. It also contains cyberthreats by restricting lateral movement should ransomware or a malicious attacker infiltrate your organization. A portion of your corporate network may get infected, but the isolated data will not because it’s inaccessible. Commvault lets you secure, control, and audit physical access to isolated resources via strict organizational security policies. All inbound network communication is blocked, and only restricted outbound connections are allowed. When working with isolated environments, the Commvault solution can securely tunnel from the isolated storage targets to Commvault resources and source storage targets to facilitate data protection and replication tasks.

Air gap

Air gapping is another technique that complements data isolation and takes it a step further. Traditionally, air-gapped networks have zero connectivity to broader corporate networks. However, air gapping secondary backup targets on disk or in the cloud requires some measure of access, but communication is severed when it is not needed – re-establishing the air gap. Air gapping works like security in a medieval castle. The castle is surrounded by a moat with water, and the walls are impenetrable. The only access allowed to the castle is the drawbridge which is lowered as needed. When the isolated data does not need to be accessed, communication is severed by turning communication ports off, disabling VLAN switching, enabling next-gen firewall controls, or turning systems off. This process is fully orchestrated and automated using the built-in Commvault workflow engine.

Commvault provides the secure replication of backup data to an isolated environment with air-gap capabilities and coordinates the opening and closing of the connection. These tactics completely isolate and block the environment from all incoming connections. Outgoing connections are restricted, which greatly reduces the cyberthreat attack surface. Once data is fully replicated, the connection can be severed, and the secondary data becomes air-gapped until data needs to replicate again or be recovered.

Key advantages and value of Commvault data protection

Commvault data protection with data isolation and air gapping provides organizations with the following advantages against ransomware:

Outbound communication: All inbound access to the isolated data is blocked. Only restricted outbound connections are allowed from the isolated data to the source data for replication.

Hardware agnostic: When using Commvault for an air-gap solution, any supported storage vendor can be used, including the Commvault HyperScale™ Appliance. Commvault also supports write once, ready many (WORM) and immutable locks used with third-partystorage devices.

Air-gap ready: On-premises and hybrid configurations can be easily configured for creating functionally secure air gaps within your environment. In addition, Metallic® Recovery Reserve™ provides a turnkey cloud air-gap solution that can be up and running in minutes.

Data Integrity verification: Commvault validates data integrity during backup, when data is at rest, and during data copy operations.
• Verification operations run automatically, using the data signatures to validate the backup data at rest. When copying the data, the signatures are again used to validate the blocks of data during the copy operation.

Industry-leading security controls: Commvault’s AAA Security Framework (Authentication, Authorization, Accounting) provides a suite of security and access controls to harden the Commvault platform itself – reducing risks from malicious actors and inside threats via a least-privilege approach to authorization.

Advanced controls include:
• Strong multi-factor authentication and multi-person authentication controls, retention locks, and command authorization protect data from accidents as well as limit potentially destructive actions.
• Integration with privileged access management (PAM) and enhanced identify and access management (IAM) tools such as CyberArk, Yubikey, and biometrics for added user authentication and assurance (AAL3).
• End-to-end data encryption while allowing external key management platforms to manage and control keys, and certificate authentication – protecting against malicious data access.

Ransomware detection: Going beyond data validation, Commvault provides insights into suspicious and changed files with layered anomaly detection, honeypots, threat analysis, and file data analysis.
• Anomaly Detection looks for suspicious behavior and activity within the backup data. 
• File Data Analysis detects files encrypted/corrupted by malware. This feature detects encrypted/malicious files based on identifying file versions that have been unusually changed or corrupted, allowing customers to quickly curate (purge) the affected versions and recover the prior good versions of data automatically. 
• Threat Analysis detects malicious content. Perform a deep scan of the backup content leveraging available scanning/AV tools to identify malware.
• Honey Pots and Live File Activity Anomaly monitors to actively detect threats in the live environment. 
• Industry-unique early warning threat detection technology with Metallic® ThreatWise™.

Foundational hardening: The Commvault platform foundation is hardened using industry-leading CIS Level-1 benchmarks to reduce the attack surface.

Immutable backups with Commvault HyperScale™ X: Commvault’s hardware-agnostic approach offers ransomware-protection locks for just about any storage that prevents any unauthorized activity within the I/O stack that attempts to delete, change, or modify backup data and preserves the integrity of backups:
• Ensure a fully immutable storage target with HyperScale X leveraging scalable software-defined storage.
• Native OS and file system controls embedded within the HyperScale X platform protect data from unauthorized or random changes and modifications.

Rapid incident remediation and recovery:
•Curated data restores ensure that the last known good copy of the backup is automatically selected when restoring data.
• Malware files are surgically purged from the Commvault Index automatically, preserving immutability (backups not affected/changed), while eliminating the risk of reinfection.
• Powerful cross-platform and cross-cloud capabilities to restore data out-of-place quickly and easily if the original source systems are not available or trusted. Often the affected systems will be needed for forensic analysis and thus, you can’t overwrite the bad data.
• Instant recovery options to provide rapid access to critical data and systems.

How it works


On-premises air-gap solutions require a mix of network architecture and software configurations. From an architectural perspective, storage must first be isolated and segmented on the network – without allowing inbound connections to storage. Within the Commvault software layer, network topologies and workflows provide the basis for controlling data-pipe tunnels and orchestrating air-gap controls. In addition, the platform’s flexibility allows seamless integration with most topology or security profiles that organizations commonly deploy.

Direct connection for data isolation

Figure 1 below represents the overall high-level functionality of Commvault data isolation using direct connections. Site A represents the public portion of the production backup environment. Site B is a segmented portion of the environment, isolated logically and physically. Site B communicates through the firewall over a single outbound port. Everything else is blocked. The tunnel supports HTTPS encapsulation using the TLS 1.3 protocol. The tunnel will only connect once certificate authentication is successful. This protects against man-in-the-middle and spoofing attacks.

Data transfer is multi-streamed through the tunnel to ensure the fastest backup possible. Data residing on the storage target on Site B is protected from ransomware and accidental deletion via Commvault’s security controls, encryption, WORM, threat analysis, data analysis, and native ransomware locks for immutable storage. Data replication is deduplicated to further optimize bandwidth and storage considerations.

Once data transfer is complete, connectivity can be severed by turning off routing, enabling firewall rules, or shutting systems down. Severing the connection can be scheduled around VM power management or blackout windows.

Proxy/Network gateway connection

Proxy-based configuration (Figure 2) has the same ransomware and encryption benefits as a direct connection. However, proxy-based isolation differs in that both sites communicate using a proxy located between the isolated and public networks (possibly DMZ). All inbound connectivity is blocked between the sites providing isolation capabilities on both sites. Proxy-based configurations are prevalent, especially when data moves between remote geographic locations across the internet.

Using object storage and cloud

Object storage targets can be another strategic way of isolating backup data. Object storage targets typically have their own WORM and immutable locks built within the hardware platform. Commvault seamlessly integrates with those capabilities while managing retention, data encryption, and software application security controls.

Object storage targets use authenticated API calls over HTTPS for reading and writing data. This allows common protocols frequently used by ransomware to be turned off, reducing the attack surface. The REST API interface also provides more on-demand access compared to other protocols. Data backed up to the object storage device is not exposed when not in use. Only authenticated API calls can read and write to the storage target.

Object storage-based solutions are commonly leveraged for secondary and tertiary copies and can serve as an isolated secure target.

Using cloud storage: Metallic® Recovery Reserve™

Cloud storage targets (such as Azure and AWS) offer similar benefits similar to object storage solutions. The key difference is that cloud solutions are inherently isolated because they do not reside on premises with the rest of the organization’s environment. This makes cloud a very economical solution because not only is the copy offsite, resources are readily available, elastic, and multitiered.

Metallic® Recovery Reserve™ makes it easy to adopt secure and scalable cloud storage in just minutes, allowing you to meet the needs of your organization’s hybrid cloud strategy without requiring additional cloud expertise within your organization. With Metallic® Recovery Reserve™, you can seamlessly adopt air-gapped cloud storage and gain predictable costs and reduced overhead. It can also be the foundation for improving your ransomware recovery strategy by leveraging a fully integrated, secondary cloud storage target for Commvault® Backup & Recovery or Commvault HyperScale™ X.

Commvault Platform

Figure 3 – Commvault provides the broadest workload protection, from on-prem, to the cloud, multi-cloud, edge, SaaS, and native cloud integration. Using the immutability locks offered by cloud providers in tandem with role-based security can protect backup data while supplying a remote, isolated, offsite data copy.

Severing the connection and air gapping

Combining a properly isolated and segmented data center and Commvault’s security controls can substantially reduce risks. Air gapping is another control that further limits the ability to access backup data when not in use. The downside to air gapping is planning around recovery point objectives (RPOs, because when resources are turned off, data replication will not run. Depending on the environment, resources, and service level requirements, data replication is likely to queue when destination targets are offline. To help reduce this effect, Commvault incorporates multi-streaming within the one-way encrypted tunnel to maximize backup performance.

The simplest method of air gapping is to use VM power management, a capability within Commvault for automatically shutting down media agent virtual machines (data mover virtual machines) when not in use. The VM will then start up when needed. This method requires a hypervisor in the isolated environment and does not need additional scripts.

Another method of air gapping is to use blackout windows, scripts, and workflows. Blackout windows define the timeframes during which backups and administrative tasks are not allowed to run. During blackout windows, the isolated resources are set offline and made inaccessible using scripts or Commvault workflows. When blackout windows are not in effect, the resources are brought online again using scheduled scripts included on the air-gapped resource, such as the media agent. This method does not require a hypervisor for the VM power management air gap method, because any storage target or network device can be shut down to air gap the isolated site.

Here are some examples of using scripts to orchestrate air gapping:

  • Stop and start Commvault services on the isolated media agents/storage targets.
  • Disable/enable network interfaces on media agents around blackout windows.
  • Disable/enable VLAN routing policies around blackout windows.
  • Disable/enable firewall policies around windows using scripts.


Like a castle, your backup data requires multiple layers of protection to ward off internal and external threats. Using Commvault’s security controls and immutable locks (ransomware protection, WORM, and encryption), threat analysis, and data file analysis, in combination with proven data isolation and air-gapping techniques, provides a well-protected, multi-layered strategic solution. With Commvault, you are recovery ready!

The Multilayered Security Approach
to Ransomware Protection and Recovery

Commvault data protection delivers a layered approach for securing your data and applications.