
Commvault HyperScale X Immutable Storage and Security

The document outlines the Commvault HyperScale X™ Deployment course module focused on immutability and security. It details the learning objectives, architecture, and features of HyperScale X™, emphasizing its role in protecting data from cyber threats through a multi-layered security approach. Additionally, it includes disclaimers about the proprietary nature of the information and guidelines for its use and distribution.

Uploaded by

donacad807

COMMVAULT PROPRIETARY AND CONFIDENTIAL INFORMATION - INTERNAL AND PARTNER UNDER NDA USE ONLY- DO NOT DISTRIBUTE

HyperScale X™ – Deployment course
Module – Immutability and Security
Sept 2023

commvault.com | 888.746.3849
© 2023 Commvault. See here for information about our trademarks and patents.

Notices and Disclaimers

Commvault, Commvault and logo, the “C hexagon” logo, Commvault Systems, Metallic, Metallic and logo,
the “Wave” logo, Commvault HyperScale X, HyperScale X, Recovery Reserve, and ThreatWise are
trademarks or registered trademarks of Commvault Systems, Inc. (“Commvault”). The unauthorized use of
any Commvault trademark is strictly prohibited.

Other company and product names mentioned herein may be trademarks of their respective owners.
References to any third-party products, services, or websites should not be considered an endorsement
by Commvault. Some examples are for illustration only and are fictitious.

All right, title, and interest, including all intellectual property rights in and to this document and to any
related subject matter (collectively “Ownership Rights”) are owned and expressly reserved by Commvault.
No Ownership Rights are granted to you.

This document is intended for distribution to and personal reference use solely by Commvault customers;
all use of Commvault Solutions, including this document, is governed by Commvault’s Master Terms &
Conditions (currently available at https://www.commvault.com/legal/master-terms-and-conditions) which
are incorporated herein in their entirety.

This document is provided “as is.” Information in this document, including any specifications, URLs, or
other references, is subject to change without notice.
See www.commvault.com/IP for more information about our trademarks, patents, and other IP rights.

Confidentiality

This document contains information that is confidential and proprietary to Commvault. Without limiting
rights under copyright or otherwise, this information is provided with the express understanding that it will
be held in strict confidence and that no part of this document will be disclosed, used, reproduced, stored,
or transmitted, in whole or in part, for any purpose other than as expressly approved or provided by
Commvault in writing.

©1999-2023 Commvault


Table of Contents

• HyperScale X™
• Learning Objectives
• HyperScale X™ Immutable Architecture
• Immutable vault powered by HyperScale X™
• Quiz
• HyperScale X™ as Immutable Storage
• Wrap Up


HyperScale X™

HyperScale X™ Deployment Course

Module: Immutability and Security


Notes:

Hello, and welcome to the Commvault HyperScale X™ Immutability and Security module.


Learning Objectives

After completing this module, you will:

• Understand where HyperScale X fits within immutable architecture design
• Understand the features that make up the HyperScale X security stack
• Understand configuration considerations

• Learn where HyperScale X™ fits in securing data
• Learn how HyperScale X™ can secure data


Notes:

In this module, we’re going to show the scope of HyperScale X’s immutable architecture, illustrating its role in
designing secure environments. We’ll also cover each of the features that make HyperScale X™ an
immutable vault for data. We’ll then wrap up with just a few considerations regarding the technology. This
module is intended to provide a macro view of where HyperScale X™ fits, while learning how it fits with its
array of security-forward features.


HyperScale X™ Immutable Architecture

[Slide diagram: control plane, workloads and data plane across On-premises, Multi-cloud and Hybrid-cloud deployments.]

CONTROL PLANE: Prod CommServe® (CS) and DR CommServe® (DRCS)

• Global Data Manager
• Plans/Pools/SLA Outcomes
• Secure control, access, validation
• Cyber Recovery Readiness
• Highly available management with Multi-Cloud failover & failback
• Immutable retention with full Air Gap network control
• Comprehensive RBAC control & audit
• Security Assessment governance
• Lifecycle - deduplication, encryption, verification
• Granular policy control (client-level)

WORKLOADS: SaaS Apps, Database, VMs, Containers

DATA PLANE: two Commvault HyperScale X™ Appliances (Cloud Vault, Copy Vault), each shown as an Immutable Appliance with:

• Immutable File System
• SE Linux Hardened
• Retention Lock
• Erasure Coded
• 5PB Scalable Dedupe

Between the appliances:

• TLS 1.3 (REST)
• Replication Inc Forever with Deduplication and Encryption
• AirGap: 1. In-Bound Blocked 2. Vault initiates data pull from Site A


Notes:

• In today’s world, security is one of the top priorities for our customers. Organizations need to ensure
their critical business data is protected from ransomware, data breaches and rogue users that can
create significant disruption to their business operations. Commvault provides a layered approach
to security, using various controls within our software, file system, and operating system to prevent
malicious or unintended modification of protected data. Our multi-layered approach to immutability
has also been extended in the form of Immutable Storage for HyperScale X™.

• Immutability provides a first level of defense against common cyber-attacks such as ransomware or
malicious users by preventing anyone from modifying or encrypting protected data. This provides
protection at the storage IO level, ensuring that the security controls cannot be circumvented by
simply accessing protected data from the Operating System itself. By combining this feature with
our existing capabilities, such as triple-A controls, infrastructure hardening and air-gapping, we’re
able to further enhance our immutable architecture, ensuring that critical business data remains
available when it’s needed most.

• This feature is available using either our HyperScale X™ Appliances or Reference Architecture
models.

• Now let’s dive a little deeper into how this feature works…


Immutable vault powered by HyperScale X™

Immutable Storage + Secure Shell

[Slide diagram: the layers protecting the vault on the Commvault HyperScale X™ Appliance, each with an attempted attack and the resulting action.]

• Software Lock (Compliance or Retention Lock)
  Attempt: Attacker with compromised credentials attempts to delete backup job, policy, or library
  Action: Denied by WORM (write once, read many) configuration via Command Center™

• Secure Shell (Root disabled + restricted shell)
  Attempt: Unauthorized user attempts to modify the system to access, or circumvent security controls
  Action: Attacker unable to obtain local administrative privileges

• OS Level (Ransomware Protection)
  Attempt: Malicious user tries to encrypt, move, or delete files or reformat a disk
  Action: Native OS blocks all users and/or ransomware attacks through access controls

• OS Level (Firewall)
  Attempt: Attacker with compromised network attempts to launch remote commands
  Action: OS firewall blocks outgoing and incoming connections that are not essential for system functions

• File System (Immutability at the file storage layer)
  Attempt: Authorized users or malware try to encrypt, move, or destroy backup data
  Action: Immutable file system prevents backup data from being destroyed/encrypted

Software, Secure Shell, OS Locks, File System:

• Immutable File System
• SE Linux hardened
• Erasure Coding
• Global Dedupe
• Root lockdown
• Digitally Signed, Host and Target Deduplication
• Archive Files under append-only writes (data containers), & WORM


Notes:

• As mentioned, you have multiple layers of security options available across the software, OS, and
file system to help protect the environment.

• Command Center™ offers a means of configuring all or specific plans that are associated with a
storage pool. This feature is known as Compliance or Retention Lock. Like WORM (write once,
read many) based storage, this prevents the accidental deletion of backup data by an
authorized user, including someone like a Commvault backup administrator.

• HyperScale X™ Secure Shell is a deeper approach to locking down any environment. Locking
access to the root account for all console or SSH sessions provides an additional layer of defense
against common cyber attacks such as compromised passwords and accounts by removing all local
administrative access. Commvault does this by disabling the root account and then creating a new
non-administrative user that is confined to a restricted shell with access to a small subset of
read-only commands and maintenance tasks. This function is intended to be used in conjunction with
Commvault’s ransomware protection and file system immutability to provide an even more secure
stack.

• SELinux enhances immutability by providing access policies that restrict file modifications or
disk-level activity, such as reformatting drives. This OS-level protection blocks users and/or
ransomware attacks from bypassing the other security layers through access controls that
determine what can be done and by whom. Additionally, on the operating system layer, HyperScale
X can use Red Hat Linux’s native firewall service to block any incoming or
outgoing connections that aren’t essential.

• Commvault’s integrated scale-out file system provides additional immutability at the storage layer to
ensure that data in backup repositories can’t be modified or encrypted at the file system level. This
capability is enabled by default.

• For all HyperScale X™ clusters that are deployed with installation media from Commvault Platform
Release 2023E and on, Secure Shell and Ransomware Lock are enabled by default. For those that
may need to use older media for deploying their HyperScale X clusters, we’ll discuss how to
enable these features later in our post deployment module.
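
The OS-level controls described in these notes (root lockdown, a restricted non-administrative user, SELinux, and the native firewall) can be spot-checked from standard Linux command output. The following is an added example, not Commvault tooling or code from this course: the checks are generic RHEL-style assumptions about how such a lockdown appears, and the account name "hsxadmin" and all sample strings are constructed.

```shell
#!/usr/bin/env bash
# Added example: generic Linux hardening checks, not Commvault tooling.
# Each check takes captured command output as text, so the logic can be
# exercised offline on constructed samples.

# $1 = output of `getenforce`; pass only when SELinux is enforcing.
selinux_enforcing() { [ "$1" = "Enforcing" ]; }

# $1 = output of `firewall-cmd --state`; firewalld prints "running" when active.
firewall_running() { [ "$1" = "running" ]; }

# $1 = output of `passwd -S root`; field 2 is the password status,
# "LK" (RHEL) or "L" (Debian) when the password is locked.
# Assumption: a disabled root account shows up as a locked password.
root_password_locked() {
  local status
  status=$(printf '%s\n' "$1" | awk '{print $2}')
  [ "$status" = "LK" ] || [ "$status" = "L" ]
}

# $1 = the /etc/passwd line of the maintenance account ("hsxadmin" in the
# sample below is a hypothetical name). Pass when the UID is non-zero and
# the login shell is a restricted shell (assumed: rbash, rksh or rzsh).
restricted_nonroot_user() {
  local uid shell
  uid=$(printf '%s\n' "$1" | cut -d: -f3)
  shell=$(printf '%s\n' "$1" | cut -d: -f7)
  [ -n "$uid" ] && [ "$uid" != "0" ] || return 1
  case "${shell##*/}" in
    rbash|rksh|rzsh) return 0 ;;
    *) return 1 ;;
  esac
}

# Run all four checks, print one line per finding, return the failure count.
audit_node() {
  local fails=0
  selinux_enforcing "$1"       || { echo "FAIL selinux mode: $1"; fails=$((fails + 1)); }
  firewall_running "$2"        || { echo "FAIL firewalld state: $2"; fails=$((fails + 1)); }
  root_password_locked "$3"    || { echo "FAIL root password not locked"; fails=$((fails + 1)); }
  restricted_nonroot_user "$4" || { echo "FAIL maintenance user UID/shell"; fails=$((fails + 1)); }
  return "$fails"
}

# Constructed sample of a node with all four controls in place.
audit_node "Enforcing" "running" \
  "root LK 2023-09-01 0 99999 7 -1 (Password locked.)" \
  "hsxadmin:x:1001:1001::/home/hsxadmin:/bin/rbash" \
  && echo "node passes all four checks"
```

A locked root password does not by itself stop key-based SSH logins, so the sshd configuration should be reviewed alongside these checks.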


Quiz

Are these the only ways you can add security layers to a HyperScale solution?

No. There are various means to further secure the HyperScale solution, whether that is through
secure network design, air gapping, and more.


Notes:

• Pop quiz – Are these the only ways you can add security layers to a HyperScale solution?

• No. There are various means to further secure the HyperScale solution, whether that is through
secure network design, air gapping, RBAC and more.


HyperScale X™ as Immutable Storage

Caveats to be aware of when enabling the feature

HyperScale X™ deployments not supported:

• Appliances with integrated CommServe® server installed on it

Defaults:

• While all environments deploying with 2023E HyperScale X™ media will have Ransomware Protection and Secure Shell enabled by default
• HyperScale X™ servers that are hosting CommServe® servers will not have these features turned on automatically

File system immutability extends to changes to storage after initial deployment:

• Adding additional storage, single node or multiple nodes
• Adding a new drive replacing a failed drive

Immutability protection applies to data drives alone, following drives are excluded:

• Metadata drive hosting DDB, Index
  • Drives are recoverable even if they are lost or corrupted; protection through backup of DDB and index
• Metadata drive hosting CVFS metadata
  • Drives are recoverable even if they are lost or corrupted; protection through RF3 replication


Notes:

There are a few caveats to be aware of when using these features.

• Commvault’s Ransomware Protection or Secure Shell cannot be enabled on HyperScale X
appliances that are hosting a CommServe server on them.

• Similarly, while all environments deploying with 2023E HyperScale X media will have Ransomware
Protection and Secure Shell enabled by default, HyperScale X servers that are hosting CommServe
servers will not have these features turned on automatically, given the inability to support the
configuration.

• When adding new nodes to the cluster, all nodes that are added to existing clusters with 2023E
media and later will have ransomware protection, secure shell, and file system immutability enabled
by default. If you’re using media earlier than 2023E, though, only file system immutability extends
automatically to all added nodes, while ransomware protection and secure shell will need to be
enabled manually on all nodes added to an existing cluster.

• File system immutability is only applied to the data drives within each node and does not extend to
either the Commvault File System or Commvault Backup and Recovery metadata drives.
Deduplication databases, index caches, and CVFS metadata all have separate means of being
recovered, which removes the need to offer file system immutability on that particular data.

• Continuously enhancing security features is a top priority for not only the HyperScale X platform, but
also for Commvault. Be sure to follow Commvault’s future release update notifications on our
documentation site for our latest information.


Wrap Up

1. Importance of immutability and security
2. Where it fits?
3. HyperScale X™ Security


Notes:

In this module we’ve described the importance of immutability and security within the modern data center.
We’ve also discussed where HyperScale X™ can fit in the larger picture of data protection. We wrapped up
by showing how HyperScale X™ offers its security to all of our customers.


Thank You
