COMMVAULT PROPRIETARY AND CONFIDENTIAL INFORMATION - INTERNAL AND PARTNER UNDER NDA USE ONLY- DO NOT DISTRIBUTE

CVTSP24 – Commvault® Unified

Platform Architecture
Module - 02
August, 2023

commvault.com | 888.746.3849
© 2023 Commvault. See here for information about our trademarks and patents.
COMMVAULT PROPRIETARY AND CONFIDENTIAL INFORMATION - INTERNAL AND PARTNER UNDER NDA USE ONLY- DO NOT DISTRIBUTE

Notices and Disclaimers

Commvault, Commvault and logo, the "C hexagon” logo, Commvault Systems, Metallic, Metallic and logo,
the “Wave” logo, Commvault HyperScale X, HyperScale X, Recovery Reserve, and ThreatWise are
trademarks or registered trademarks of Commvault Systems, Inc. (“Commvault) The unauthorized use of
any Commvault trademark is strictly prohibited.

Other company and product names mentioned herein may be trademarks of their respective owners.
References to any third-party products, services, or websites should not be considered an endorsement
by Commvault. Some examples are for illustration only and are fictitious.

All right, title, and interest, including all intellectual property rights in and to this document and to any
related subject matter (collectively “Ownership Rights”) are owned and expressly reserved by Commvault.
No Ownership Rights are granted to you.

This document is intended for distribution to and personal reference use solely by Commvault customers;
all use of Commvault Solutions, including this document, is governed by Commvault’s Master Terms &
Conditions (currently available at https://www.commvault.com/legal/master-terms-and-conditions) which
are incorporated herein in their entirety.

This document is provided “as is.” Information in this document, including any specifications, URLs, or
other references, is subject to change without notice.
See www.commvault.com/IP for more information about our trademarks, patents, and other IP rights.

Confidentiality

This document contains information that is confidential and proprietary to Commvault. Without limiting
rights under copyright or otherwise, this information is provided with the express understanding that it will
be held in strict confidence and that no part of this document will be disclosed, used, reproduced, stored,
or transmitted, in whole or in part, for any purpose other than as expressly approved or provided by
Commvault in writing.

©1999-2023 Commvault

2
COMMVAULT PROPRIETARY AND CONFIDENTIAL INFORMATION - INTERNAL AND PARTNER UNDER NDA USE ONLY- DO NOT DISTRIBUTE

Table of Contents
Commvault® Unified Platform Architecture ............................................................................................ 4

Learning Objectives .......................................................................................................................................... 5

Commvault® Architecture .............................................................................................................................. 6

Core Architectural Components ................................................................................................................. 7

Broad deployment options for On-Premises & Cloud ......................................................................... 9

Dual Site with Offsite Vault Architecture ............................................................................................... 10

Metallic Recovery Reserve .............................................................................................................................11

Core Logical Components .............................................................................................................................12

Security ................................................................................................................................................................13

Data in the Crosshairs.................................................................................................................................... 14

Proactive, Multi-layered Security ............................................................................................................. 15

Early Warning .................................................................................................................................................... 18

Core Functionality .......................................................................................................................................... 20

Data Flow & Components ..............................................................................................................................21

Commvault® Indexing .................................................................................................................................... 22

Commvault® Deduplication ........................................................................................................................ 24

Commvault® Deduplication ........................................................................................................................ 25

Commvault® Encryption .............................................................................................................................. 26

User Interfaces ................................................................................................................................................. 27

One Experience for Your Entire Data Management Strategy ......................................................... 28

Commvault Command CenterTM ............................................................................................................... 29

Commvault Cloud CommandTM ................................................................................................................. 30

Automation .........................................................................................................................................................31

Commvault Automation................................................................................................................................32

3
COMMVAULT PROPRIETARY AND CONFIDENTIAL INFORMATION - INTERNAL AND PARTNER UNDER NDA USE ONLY- DO NOT DISTRIBUTE

Commvault® Unified Platform Architecture

Commvault®
Unified Platform
Architecture
Commvault Technical Sales Professional
Module - 2

© Commvault 2023

Commvault Proprietary and Confidential Information Internal and Partner Under NDA Use Only - Do Not Distribute.

Notes:

Welcome to the second module of the Commvault® Technical Sales Professional course.

Focusing on the Core Commvault® Architecture and functionalities.

4
COMMVAULT PROPRIETARY AND CONFIDENTIAL INFORMATION - INTERNAL AND PARTNER UNDER NDA USE ONLY- DO NOT DISTRIBUTE

Learning Objectives

Learning Objectives

1 2

After completing this

module, you will: Gain an understanding Be able to convey technical
of how Commvault® requirements, architecture
Architecture and core and core components
functionality address required for Commvault ®
customers’ challenges. Data Protection.

© Commvault 2023

Commvault Proprietary and Confidential Information Internal and Partner Under NDA Use Only - Do Not Distribute.

Notes:

After completing this module, you will gain an understanding of Commvault® Architecture and core
functionality that helps address customers’ challenges.

This will enable you to convey the technical requirements, architecture and core components required for
Commvault® Data Protection.

5
COMMVAULT PROPRIETARY AND CONFIDENTIAL INFORMATION - INTERNAL AND PARTNER UNDER NDA USE ONLY- DO NOT DISTRIBUTE

Commvault® Architecture

Commvault®
Architecture

© Commvault 2023

Commvault Proprietary and Confidential Information Internal and Partner Under NDA Use Only - Do Not Distribute.

Notes:

In this first section we will look at core Commvault® Architecture components.

6
COMMVAULT PROPRIETARY AND CONFIDENTIAL INFORMATION - INTERNAL AND PARTNER UNDER NDA USE ONLY- DO NOT DISTRIBUTE

Core Architectural Components

Core Architectural Components

Webserver CommServe ®
Control • REST API interface • Configuration database
Plane • Used by Commvault • Event Orchestration
Command Center and • Job management
End User Web Console • Security & Authentication

MediaAgent
HyperScale X • Data Movement
• Deduplication
• Compute
• Indexing
• Built-in
Data • Storage Communication
Resiliency
Plane • Optimized
Scalability Storage Targets
• Distributed • On-Premise
Storage Target • Cloud-Based
• Tape
• HyperScale X

Data Protection and Recovery Agents

Client • Application Discovery
• Granular protection and recovery

© Commvault 2023

Commvault Proprietary and Confidential Information Internal and Partner Under NDA Use Only - Do Not Distribute.

Notes:

Let’s take a quick look at some of the core infrastructure components involved in a Commvault ® solution
architecture.

Although the multi-tier data management architecture depicted here may not appear to be unique, you will
shortly discover some key differences that set Commvault® apart.

All components within a Commvault® software environment, so everything that appears on-screen here, are
grouped logically by what is termed “a CommCell®”.

We start with the Control plane; this is the Command-and-Control layer.

The main component of this layer is the Commserve®. Every Commvault environment has a CommServe as
its foundation.

The Commserve® hosts the central configuration database and is responsible for event orchestration, job
management, security, and authentication.

The Commserve® can run on either Windows or Linux Operating systems with Disaster recovery capabilities
that will be discussed in more detail providing High Availability

Also in the Control plane is the Webserver, often co-located on the Commserve®, This is the API interface for
controlling the environment and is used by the Command Center™ and End User Web Console interfaces.

we have the Data plane, responsible for access and storage of Data.

this layer we have MediaAgents. The MediaAgent is the data transmission manager in the CommCell
environment. It provides high-performance data movement and manages the storage targets. The
CommServe server coordinates MediaAgent tasks. For scalability, there can be more than one MediaAgent in
a CommCell environment.

Also in the data plane are the storage targets.

Storage targets are where data is stored when it is protected.

7
COMMVAULT PROPRIETARY AND CONFIDENTIAL INFORMATION - INTERNAL AND PARTNER UNDER NDA USE ONLY- DO NOT DISTRIBUTE

Disk, tape, and cloud storage can all be configured as a storage target. Commvault indexing and data
packaging technologies are tightly integrated with these storage targets to provide a global, virtualized storage
repository.

These components can also be converged using Commvault HyperScale™ X, to simplify deployment,
redundancy, and scalability with built-in Ransomware Protection.

The Commvault data management platform uses software agents to facilitate the protection and recovery of
data on production systems. Commvault software supports most types of operating systems, file systems,
applications, databases, hypervisors, and cloud providers in the market, as well as many popular SaaS
providers.

Commvault software packages directly interact with the file system or application requiring protection and
provide the common functionality of Commvault services and utilities. This protection is facilitated by
Intelligent Data Agent (Ida) which is installed on the client.

The Commvault software packages include the provision of application-aware and application-consistent
protection capabilities to ensure that data is protected in a consistent state and is recoverable in a valid and
usable format upon restoration.

8
COMMVAULT PROPRIETARY AND CONFIDENTIAL INFORMATION - INTERNAL AND PARTNER UNDER NDA USE ONLY- DO NOT DISTRIBUTE

Broad deployment options for On-Premises & Cloud

Broad deployment options for On-Premise & Cloud

Scale-up option Scale-out option
Management Bring your own Storage
Public Cloud
HyperScale X Appliance and Reference Architecture

Media Servers HyperScale X Nodes are converged Compute & Storage

clusters serving Media Server / Access Node roles.

All-in-One Media
Server & Storage
Command Center NAS SAN Object Cluster
GUI
Cloud Backup & DR | Cloud
✓ Linear scaling by incremental nodes to Cloud | MRR Air-Gap

Commserve Mgmt. ✓ Immutable embedded HSX SDS clustered file store

Server ✓ Bare metal servers / certified Validated Arch BOMs
✓ Erasure Coding 4:2 Cloud-oriented resiliency
Metallic
✓ Automatic data containers rebalance / re-distribute
Recovery Reserve
Physical or Virtual across nodes
Cloud Vault

© Commvault 2023

Commvault Proprietary and Confidential Information Internal and Partner Under NDA Use Only - Do Not Distribute.

Notes:

We have talked about the simplicity, breadth of coverage and flexibility offered by Commvault®.

But let’s now dive into this a little deeper.

We’ll start with simplified, unified management. With a single user Interface and consistent, intuitive controls
across all workloads and locations, whether you have data on-prem, in-cloud or a mixture of both, whether
you use Software, Appliances or SaaS, the same interface is used across everything.

Next is flexibility around storage.

Flexibility to choose whatever storage works best for your environment, connect to NAS, SAN or Object
storage, connected to Media Agents that can be scaled up or out as the environment grows.

Or as we’ve briefly mentioned, customers can use Hyperscale™ Appliances or Reference architecture to
converge both compute and storage to deliver an All-in-one media server and storage cluster.

Providing incremental linear scaling of storage resources and offering immutable, resilient, and highly
performant storage.

Commvault can obviously protect workloads both on-premises and in the cloud and offer data portability and
migration between, but also allow the use of public cloud for infrastructure and storage., whether that be cloud
storage, power-managed media agents and access nodes or the use of Metallic Recovery Reserve for air-
gapped backup protection.

We should also be aware of the capabilities Metallic has to offer Commvault customers, not only for data
storage, but also the data protection offerings and features provided, work side-by-side with Commvault
software, allowing customers to also take advance of SaaS delivered flexibility for remote locations, all
centrally managed from the same user interface.

9
COMMVAULT PROPRIETARY AND CONFIDENTIAL INFORMATION - INTERNAL AND PARTNER UNDER NDA USE ONLY- DO NOT DISTRIBUTE

Dual Site with Offsite Vault Architecture

Dual Site with Offsite Vault Architecture

Production
SaaS Devices Database VMs Containers
DR / Vault
Standby CS Live Mount, Test, App
Control Plane Scan, Restore 6
(CS LiveSync HA / Standby Test)

Polices, RBAC,
1 MFA, Multi-Auth,
Restore
SAML

✓ Backup activity
✓ Root size change
✓ Backup runtime App Validation App Validation
✓ Events and behaviors resources
VM VM VM VM VM
1. Ordered Mount VM VM 5
Gold Copy 2. Connect
✓ File Activity Changes VM VM VM VM VM
3. Usability Test VM VM
Anomaly Detection, ✓ Suspicious Files
4. Confirm

443 IN-bound only

443 OUT-bound only

+ API Orchestration

Everything Blocked
2 Sanitize, Content ✓ Corrupted Files ESXi Host ESXi Host
Analysis ✓ Honey Files
AIRGAP
Datastore
Live Mount | Scan | Test

✓ Malware scanning
✓ Encrypted Files

• Dynamic (non-persistent)
Data Pipes HyperScale SAN NAS
HyperScale SAN NAS
• Route Initiation Outbound
Immutable Backup Immutable Backup
3 Compliance Lock
Only
Compliance Lock 4
Object Cloud
Object Cloud

© Commvault 2023

Commvault Proprietary and Confidential Information Internal and Partner Under NDA Use Only - Do Not Distribute.

Notes:

Let’s take a quick high-level look at how Commvault’s architecture may be positioned to Secure, Defend and
Recover a customer’s data.

Starting with the main Production environment, containing the customers main production data and
workloads. This production environment hosts the Commserve and provides command and control of the
Commcell environment and authentication features such as RBAC and MFA.

Additional layers of security are provided, environments and data are monitored for suspicious activity,
offering additional protection against cyber-attack.

We’ve already mentioned the flexibility of storage targets. Immutability and Compliance lock controls are
provided across all of these, providing additional layers of protection.

Data can be further protected, by using a DR or Vault location.

This Vault location is air-gapped from the production environment, with firewall rules ensuring Outbound
connections only, with dynamic data pipelines created as needed.

The vault location will contain similar, immutable, compliance locked storage to the Production environment,
and resources to allow the recovery and validation of application workloads.

App validation can be used to test that workloads and data can be restored safely and correctly.

And restored or recovered into the DR environment.

10
COMMVAULT PROPRIETARY AND CONFIDENTIAL INFORMATION - INTERNAL AND PARTNER UNDER NDA USE ONLY- DO NOT DISTRIBUTE

Metallic Recovery Reserve

Metallic Recovery Reserve

SaaS Devices Database VMs Containers
Production
Meets FedRAMP High
421 required controls
Meets Gov't IL4+

Polices, RBAC,
1 MFA, Multi-Auth,
SAML Cloud
4 Airgap Air-Gap offsite
✓ Backup activity Copy in MRR(Azure)
✓ Root size change
✓ Backup runtime
✓ Events and behaviors Metallic Recovery
REST TLS 1.3 /
SSL Session (write / Reserve
✓ File Activity Changes
Anomaly Detection, ✓ Suspicious Files
Read) o Managed air-gap storage

443 IN-bound only

2 Sanitize, Content ✓ Corrupted Files AirGap
copy service
Analysis ✓ Honey Files
o Global dedupe/encrypted
cloud pool (1xBET)
✓ Malware scanning
✓ Encrypted Files
o Embedded secure service
credentials from CCID
HyperScale SAN NAS Barrier to ransomware o Customer-owned encryption
and malicious intrusion keys
Immutable Backup
3 Compliance Lock o No egress or read fees
Object Cloud o No server instances required
(storage)

© Commvault 2023

Commvault Proprietary and Confidential Information Internal and Partner Under NDA Use Only - Do Not Distribute.

Notes:

Metallic Recovery Reserve™ cloud storage can also be used to offer air-gapped protection of production data.

Connections over SSL with TLS 1.3 provide a barrier to ransomware and malicious intrusion.

While Metallic recovery reserve provides a Managed air-gap storage copy service in a Global
dedupe/encrypted cloud pool with Customer-owned encryption keys, no egress or read fees and no server
instances are required for storage.

11
COMMVAULT PROPRIETARY AND CONFIDENTIAL INFORMATION - INTERNAL AND PARTNER UNDER NDA USE ONLY- DO NOT DISTRIBUTE

Core Logical Components

Core Logical Components

Plans are containers that Secondary copies
A BackupSet is a master define data path,
contain one or more sets of
container which manages retention and what
rules. These rules are
all data the agent is subclients will be
known as copies.
responsible to protect. managed in the copy

Clients use agents to Plan Secondary

protect the production BackupSet Copies
data by installing the
agent directly on the
client or using a proxy Subclients
client to protect the
data.

Subclients define data that

will be protected and how it Plans define where the data
will be protected. Each will be written, how long it will
Multiple copies can be
subclient container manages be retained for and the
created within a plan,
specific content within a frequency of backup
each with its own rules.
backup set. operations.

© Commvault 2023

Commvault Proprietary and Confidential Information Internal and Partner Under NDA Use Only - Do Not Distribute.

Notes:

Commvault logically manages data by segregating production data, moving the data, and managing protected
data using policies.

Clients use agents to protect the production data by installing the agent directly on the client or using a proxy
client to protect the data. When an agent is deployed to a client; the client appears in the CommCell Browser
under the Clients entity. Physical clients can have agents installed directly on them.

Virtual clients can have agents installed directly on them or protected by the Virtual Server Agent (VSA) which
would be installed on a physical or virtual proxy server. Network Attached Storage (NAS) devices, which
cannot have software installed directly on them, are managed and protected by installing NAS agents on
proxy servers.

A backup set is a master container which manages all data the agent is responsible to protect.

Subclients define data that will be protected and how it will be protected. Each subclient container manages
specific content within a backup set. Each backup set can have one or more subclients. Data is grouped into a
data set (a backup set, a replication set, or an archive set). These data sets represent all data the

Agent is designed to protect. Within the data set, one or more subclients can be used to map to specific data.
The flexibility of subclients is that data can be grouped into logical containers which can then be managed
independently in the Commvault protected environment.

Plans are containers that contain one or more sets of rules. These rules are known as copies.

Plans define where the data will be written, how long it will be retained for and the frequency of backup
operations.

Secondary copies define data path, retention and what subclients will be managed in the copy.

Multiple copies can be created within a storage policy or plan, each with its own rules.

12
COMMVAULT PROPRIETARY AND CONFIDENTIAL INFORMATION - INTERNAL AND PARTNER UNDER NDA USE ONLY- DO NOT DISTRIBUTE

Security

Security

© Commvault 2023

Commvault Proprietary and Confidential Information Internal and Partner Under NDA Use Only - Do Not Distribute.

Notes:

In this next section we will look at one of the key pillars of Commvault’s solutions - Security.

13
COMMVAULT PROPRIETARY AND CONFIDENTIAL INFORMATION - INTERNAL AND PARTNER UNDER NDA USE ONLY- DO NOT DISTRIBUTE

Data in the Crosshairs

Data in the Organizations are challenged to keep pace

Crosshairs
Sophisticated attacks
threaten business
Increasing severity.
continuity and data 66% of businesses have experienced a cyberattack in the past 12
months1

Zero-day vulnerabilities
Shrinking skills.
Nation-state attacks 78% of organizations report lack of cloud security resources and
expertise2
Supply chain breaches

Internal bad actors & more data to protect.

Ransomware-as-a-Service 82% of businesses have adopted a hybrid-cloud strategy3

1. https://www.embroker.com/blog/cyber-attack-statistics/
2. State of the Cloud Report 2023, Flexera, 2023
3. Hybrid Cloud Strategy for Mid-Sized Organizations - ATC (4atc.com)

© Commvault 2023

Commvault Proprietary and Confidential Information Internal and Partner Under NDA Use Only - Do Not Distribute.

Notes:

Safeguarding data from today’s cyber threats is challenging organizations of every size.

For one, attacks look different today. Cybercrime is no longer just a lone-wolf practice but an organized form
of digital crime. Its everything from hyper-focused nation-state attacks, broad sweeping supply chain
breaches, and even rogue admins or bad actors within your own walls. And the barriers to entry themselves
are getting lower as the rise of hacking groups and ransomware-as-a-service toolkits become mainstream.

Second, are constrained resources. From IT to security, it takes new and unique skills to protect businesses
from emerging threats. Razor thin budgets and the well-publicized skills gap is leaving many IT and security
teams hamstrung with depleted and dwindling resources.

And lastly, there’s the data itself. As hybrid and multi-cloud adoption accelerates, business data is increasingly
spread across every application, device, on-prem, and cloud environment – and it all needs protecting. This
data sprawl introduces risk, blind spots, and creates more ground to cover. It’s hard enough to manage a
growing and evolving data estate, let alone safeguard from threat actors looking to harm it.

14
COMMVAULT PROPRIETARY AND CONFIDENTIAL INFORMATION - INTERNAL AND PARTNER UNDER NDA USE ONLY- DO NOT DISTRIBUTE

Proactive, Multi-layered Security

15
COMMVAULT PROPRIETARY AND CONFIDENTIAL INFORMATION - INTERNAL AND PARTNER UNDER NDA USE ONLY- DO NOT DISTRIBUTE

16
COMMVAULT PROPRIETARY AND CONFIDENTIAL INFORMATION - INTERNAL AND PARTNER UNDER NDA USE ONLY- DO NOT DISTRIBUTE

Notes:

Commvault’s software is secure by design. Offering industry leading, proactive, multi-layered security, with
built-in controls and advanced functionality to ensure that customers data and environments are secured.

These controls are shared across the entire Commvault estate, so whether the environment uses Software,
SaaS, or Appliances, or regardless of what workloads are being protected the same security controls are
available for everything.

Threat wise™, allows customers to Defend their data, minimize threats, and kick-start cyber response with
patented early warning technology. Using life-like decoys to Mask data, slow attacks, and divert bad actors
from real resources and data.

Risk Analysis Enables organizations to identify, analyze, manage, and secure sensitive data across the
multiple silos via live or backup data, with a simple, easy to use GUI.

Identify and Classify Sensitive data across On-Prem or Cloud, monitor data for any changes in Sensitivity or
its access, and Remediate Actions in Bulk.

The SecurityIQ dashboard provides advanced tools and insights to our customers to enhance their backup
security posture across SaaS apps, endpoints, and hybrid cloud workloads.

Commvault Auto Recovery delivers complete cyber recovery & business continuity, so customers can remain
resilient and secure after a cyber incident.

Commvault Threat Scan allows customers to analyze backup content for malware & threats so customers can
provide clean recoveries quickly.

And of course, key to security and recovery from incidents, is a Fast, flexible, and reliable Backup and
Recovery solution.

17
COMMVAULT PROPRIETARY AND CONFIDENTIAL INFORMATION - INTERNAL AND PARTNER UNDER NDA USE ONLY- DO NOT DISTRIBUTE

Early Warning

• Security Posture Dashboard • Immutable Storage

• Lifecycle - deduplication, encryption, verification • Air Gap network topology controls

Proactive, Multi-layered Security • Multi-Authorization Approvals

Zero-Trust
• Comprehensive SAML | MFA | RBAC control & audit

Early WARNING SEIM | SOAR | XDR Clean Recovery & Investigation

+ and more…
ThreatWise Cyber Malware ThreatScan
Deception ✓ Signature Malware scan
Product ion Workloads 5
✓ Entropy analysis
✓ Mimic real assets
✓ Trick bad actors ✓ Quarantine Malware
Clean
✓ Expose threats early Deploy Fake Recovery
FS
✓ Contain attacks before Production Assets
impact based on Crown Tagged Crown
Jewel Tags Jewels
Risk Analysis
✓ Identify Data Owners | Access |
1 MFA | MPA | SAML | PAM | RBAC Permissions
4
✓ Export corrupted content for IRT analysis,
Anomaly Detection purge corrupted files from all backup
copies.
Pre backup Detection During Backup Post Backup Analysis Investigate
Threat Lures that mimic and ✓ Inspection of compromised content area
behave-like legitimate assets ✓ Live File Activity Changes ✓ File Activity Changes ✓ Compare Corrupt file
for PII or other critical GDPR contents for
✓ Windows C-D-M-R 5min (Linux – C-M-D-R) versions from the latest
✓ Honey Files (Today) ✓ MIME Type Mismatch – backup
leakage or exposure risks.
(Win Only) ✓ Quarantine backup
Versions
Flag any Anomalies in Dashboard
Alert SEIM
2 3 4
Flag Dashboard

Airgap

© Commvault 2023

Commvault Proprietary and Confidential Information Internal and Partner Under NDA Use Only - Do Not Distribute.

Notes:

Let’s take a look at how these different security components work together to provide Industry-leading security
controls to a Commvault environment.

Starting in the middle with the customers production workloads.

To be able to access the Commvault environment, a number of security controls are in place to provide
secure authentication and access controls.

Multi-Factor Authentication and Multi-Person Approvals, SAML and PAM authentication combined with
granular role-based access controls ensure that data access and controls are assigned to the right users.

Threat wise allows customers to deploy fake production assets based on Tagged “crown jewels”. These are
used to mimic real assets and trick bad actors. Helping expose threats early and helping contain attacks
before they spread.

Anomaly detection can be used to identify files that are encrypted, corrupted, or modified in an unusual way.

Pre backup detection allows customers to detect changes in live files. Any detected anomalies can be tracked
in Command center using the anomaly dashboard.

Anomaly detection can run During backup, while the data is being written to Secure Immutable storage, with
flexibility across Hyperscale, SAN, NAS, object, tape and cloud storage.

This can be air-gapped to a cyber vault or clean room, which could be physical hyperscale appliances,
Metallic Recovery Reserve™ or cloud and object time locked storage.

Post-backup analysis can be performed on backup data from within backup storage which can be investigated
using Risk Analysis and Threat Scan products that will be covered in more detail, before ensuring clean
recovery of data back to production.

SIEM and SOAR integration can be used to integrate with 3rd party security management platforms allowing
command and control to be maintained from Security teams tools.

18
COMMVAULT PROPRIETARY AND CONFIDENTIAL INFORMATION - INTERNAL AND PARTNER UNDER NDA USE ONLY- DO NOT DISTRIBUTE

On top of this comes the zero-trust framework, with additional layers of security added through security
posture reports where customers can check how secure their Commvault environment is and standard
lifecycle features such as Deduplication, Encryption and verification.

19
COMMVAULT PROPRIETARY AND CONFIDENTIAL INFORMATION - INTERNAL AND PARTNER UNDER NDA USE ONLY- DO NOT DISTRIBUTE

Core Functionality

Core Functionality

© Commvault 2023

Commvault Proprietary and Confidential Information Internal and Partner Under NDA Use Only - Do Not Distribute.

Notes:

In this section we will look at core Commvault capabilities and features.

20
COMMVAULT PROPRIETARY AND CONFIDENTIAL INFORMATION - INTERNAL AND PARTNER UNDER NDA USE ONLY- DO NOT DISTRIBUTE

Data Flow & Components

Data Flow &

Components

With Commvault®
software, organizations
can leverage shared
infrastructure, consolidate
and centralize the
management of these
functions.

© Commvault 2023

Commvault Proprietary and Confidential Information Internal and Partner Under NDA Use Only - Do Not Distribute.

Notes:

Before we look a little deeper into some of the core underlying processes, let’s start with a brief overview of
the Data flow in a Commvault environment. Commvault allows customers to leverage shared infrastructure,
consolidate and centralize the management of these functions, and apply common processes across their
environments, global deduplication allows customers to maximize their storage and backup efficiency.

The User accesses the environment from the Command center user interface.

The Commserve management server or Commserve, which can be Physical or Virtual running Windows or
Linux, co-ordinates all activity in the environment.

Clients are a logical grouping of software agents, or agentless pseudo-devices that facilitate the protection
and movement associated with the client and the workloads protected.

Source-side deduplication, that we will discuss in more detail shortly, allows duplicate data to be removed at
the source, minimizing the data transmitted and stored on target storage.

Scalable, distributed MediaAgents provide deduplication, indexing, data movement and storage access.

And these MediaAgents will use target side deduplication to remove duplicate data prior to writing to the
storage library, where, as discussed, we offer total flexibility of target storage, -On-premise NAS, SAN, Object
or Tape - or to multiple cloud storage vendors including Metallic Recovery reserve™ storage.

21
COMMVAULT PROPRIETARY AND CONFIDENTIAL INFORMATION - INTERNAL AND PARTNER UNDER NDA USE ONLY- DO NOT DISTRIBUTE

Commvault® Indexing

Commvault® Scheduling Reporting

Storage Polices Security Role Based Privileges
Indexing CommServe®
Database
Activity Metadata
Media Management
Encryption Key Management

Stores the data’s metadata information (characteristics) used

by find, browse, restore and other operations to improve
Index Cache performance
Commvault® softwares
distributed indexing
provides resiliency and DDB maintains signature records for
Deduplication deduplicated data blocks
maximizes infrastructure
efficiency in environments. Database
Maintained / Protected just as the data itself is backed up to a
storage target, the index is protected there also.

Inherent resiliency, Efficient Disaster Accelerated time to

flexible recovery Recovery recovery
Distributed indexing allows Provides portability and Commvault® distributed indexing
flexibility of MediaAgents and simplified disaster recovery of capabilities result in a highly
source copy for restores. the CommServe database accelerated time to data
recovery.

© Commvault 2023

Commvault Proprietary and Confidential Information Internal and Partner Under NDA Use Only - Do Not Distribute.

Notes:

Commvault® software’s distributed indexing provides resiliency and maximizes infrastructure efficiency in
environments.

The CommServe® houses the CommServe database, a relational database built on SQL that contains much
of the critical metadata for a CommCell® environment.

Information such as scheduling, storage policies, activity, media management, reporting, security and
encryption is housed in the CommServe database. It is important to note that the database only houses this
lightweight metadata, which allows Commvault to maintain a small database footprint.

Media Agents are where the index cache, and in many cases deduplication databases are stored.

The index cache contains detailed job and object index information and characteristics, for example exactly
where each piece of data is being stored on a storage target device.

The deduplication database maintains signature records for deduplicated data blocks, which are generated
using a hash algorithm.

The Index Cache is maintained locally by the Media Agents themselves and automatically protected like the
data itself to a storage target.

As mentioned, the fact that the index information is also written to each Storage target contributes to the
resiliency and flexibility of a Commvault® software environment. In the case of a failure, a different
MediaAgent responsible for a secondary copy of the data will also contain all the indexing information required
to perform a recovery.

In addition, a different MediaAgent to the one that was used to perform the backup can be used to recover the
data. In fact, a MediaAgent does not necessarily have to exist prior to data being written to a storage target.
This can be extremely useful when using a cloud storage target, a cloud MediaAgent can be created or
powered-on only when the restore operation is desired.

Distributing the index across multiple layers also minimizes the footprint of capacity consumed by the indexes.

Even in very large environments, the centralized CommServe® database maintains a minimal footprint. This
allows for portability and simplified disaster recovery of the CommServe database.

22
COMMVAULT PROPRIETARY AND CONFIDENTIAL INFORMATION - INTERNAL AND PARTNER UNDER NDA USE ONLY- DO NOT DISTRIBUTE

In a disaster recovery scenario, the capabilities provided by Commvault® software’s distributed indexing
capabilities result in a highly accelerated time to data recovery. Many alternative solutions in the market have
monolithic databases that can grow very large and become unmanageable.

Imagine a customer hit by a ransomware attack, the advantage of the smaller CommServe® database
becomes apparent. Given its smaller footprint it can be protected at regular intervals through various methods,
minimizing data loss, and the time to restore it is minimal. Once the CommServe is back online, the media
agents will initiate the restoration of data and servers. When directly compared to competitive solutions,
customers see that the recovery of their environment is initiated well before many competitive solutions have
even finished restoring the database.

23
COMMVAULT PROPRIETARY AND CONFIDENTIAL INFORMATION - INTERNAL AND PARTNER UNDER NDA USE ONLY- DO NOT DISTRIBUTE

Commvault® Deduplication

Commvault® 1
Data read from source into
2
Signature generated on

Deduplication memory buffer deduplication block

Same DLL Memory Buffer

files on
multiple 100101011 Protected Storage
Data deduplication is the servers
X Data Block
process of removing
duplicate copies of
datasets to optimize
3

100101011
storage resources and Signature compared
enhance their Same file in deduplication B Unique blocks written to
modified database
A storage
performance. By by Duplicate
multiple blocks
eliminating redundant users discarded Deduplication Database
information, the system
frees storage space and
reduces the size of
datasets. Lower Costs Longer Data Retention Better performance
Smaller data traffic between
Smaller storage capacity Retain datasets for extended
cloud locations reduces incurred
translates into lower expenses periods and meeting more
costs and frees network
that ripple through the entire IT stringent retention requirements.
bandwidth for more users and
operation. faster delivery of services.

© Commvault 2023

Commvault Proprietary and Confidential Information Internal and Partner Under NDA Use Only - Do Not Distribute.

Notes:

In any modern data center, duplicate data exists on storage-based media, networks, and servers.

Some examples include identical DLL files existing on different servers, or multiple users working on the same
document each user modifies different blocks in the file while other blocks remain unchanged. Traditionally
this redundant data is stored on disk or tape, which requires a significant amount of space to protect.

With Commvault deduplication storage techniques, a single copy of redundant data (and any subsequent
references to the same data) is stored only once; reducing the amount of space needed to save data and
protecting against data loss.

The following process provides a high-level overview of the deduplication process during a data protection
job.

Production data is read from the source location and written into a memory buffer. This memory buffer is filled
based on the defined block size. Note that the block size is referred to as a data block with a default of 128KB.

A signature is then generated on the data block. The signature uniquely represents the bit makeup of the
block.

The signature is compared in the DDB to determine if the data block already exists.

If it does exist, the data block in the memory buffer is discarded and pointers to the existing block in storage
are referenced instead. If client-side deduplication is used, this data is discarded before the data is transmitted
over the network, saving bandwidth and time.

If it does not exist, the data block is written to protected storage.

The reduced storage capacity required with Commvault deduplication translates into lower expenses that
ripple through the entire IT operation.

More available capacity allows customers to retain datasets for extended periods and allow them to meet
more stringent retention requirements.

And the reduced amount of data being transferred between locations when source side deduplication is used,
provides faster backups and reduced incurred cloud transmission costs.

24
COMMVAULT PROPRIETARY AND CONFIDENTIAL INFORMATION - INTERNAL AND PARTNER UNDER NDA USE ONLY- DO NOT DISTRIBUTE

Commvault® Deduplication

Commvault® Replication of deduplicated

data
Deduplication DASH Copy enables transmission of
data in deduplicated reduced form
between Media Agents.
A C
B B D
C D
E
BCD
Reduction in bandwidth consumption
Data deduplication is the facilitates disaster recovery Only New Blocks
Initial Transferred
Operation
Hash References Recorded in DDB
process of removing
duplicate copies of
datasets to optimize
storage resources and
enhance their Global deduplication
performance. By using storage pools
eliminating redundant Storage pools allow copies
information, the system from multiple storage targets
frees storage space and to be combined into a common
reduces the size of reference database to drive
datasets. higher data reduction through
global deduplication

© Commvault 2023

Commvault Proprietary and Confidential Information Internal and Partner Under NDA Use Only - Do Not Distribute.

Notes:

DASH copy is a technology that enables the transmission of data in its deduplicated, reduced form factor
between media agents.

This includes the capability to recover data and maintain different retention periods, both independently from
the primary copy.

This reduction in bandwidth consumption facilitates disaster recovery, and also eliminates the need for vendor
specific appliances or array replication for disaster recovery purposes.

Commvault® software also provides a global deduplication capability, wherein copies of data from multiple
storage targets may be combined and referenced through a centralized deduplication database, this is
achieved by creating what are known as storage pools.

This allows customers to collapse wider groups of common data into a global pool to maximize the level of
efficiency with deduplication. Increased deduplication efficiency is achieved by way of having a larger
common pool of blocks to reference against. It also provides customers a great deal of flexibility and allows
them to design scenarios to maximize the utilization of storage targets.

A global deduplication storage pool, can span secondary sets of DASH copies in a single datacenter
repository as depicted in this diagram.

25
COMMVAULT PROPRIETARY AND CONFIDENTIAL INFORMATION - INTERNAL AND PARTNER UNDER NDA USE ONLY- DO NOT DISTRIBUTE

Commvault® Encryption

Commvault®
Encryption Hardware Encryption
Offline Encryption
Software Encryption

Inline encryption
enabled
Encrypted in
Transit
Commvault® softwares
distributed indexing
provides resiliency and
maximizes infrastructure
efficiency in
environments. • FIPs certified encryption • Supported with Encryption Algorithms Supported
Commvault
• Part of Commvault Cipher Key Length
deduplication
Complete Data 3-DES 192
Protection • Support for 3rd-party
AES (Rijndael) 128 or 256
key management
• Fully customizable to Blowfish 128 or 256
solutions
meet specific security GOST 256
policies
Serpent 128 or 256
TwoFish 128 or 256

© Commvault 2023

Commvault Proprietary and Confidential Information Internal and Partner Under NDA Use Only - Do Not Distribute.

Notes:

Encrypting data is an essential part of a data protection strategy, especially if data is being placed on
removable media or stored in the cloud. If data is stolen or becomes accessible to unauthorized users, then
sensitive information may be compromised and cause a significant security risk for an organization.

Commvault software encryption provides end-to-end security, where data can be selectively encrypted “inline”
during data protection operations. Software encryption can be initiated on the server being protected, or on
the MediaAgent, and remain encrypted when written to the storage target.

Offline or ‘copy-based’ encryption uses Commvault software encryption to secure data during auxiliary copy
jobs. Customers can preserve the primary copy encryption or choose to re-encrypt the data with a different
encryption cipher, if they wish.

Hardware encryption allows you to encrypt data on tape drives that have built-in encryption capabilities.

Commvault® software is secure by design, providing FIPS certified data encryption functionality that is built-in
to the Commvault data platform {CLICK2} as part of Commvault Complete Data Protection.

Commvault software encryption lets customers choose where and when the encryption is implemented,
enabling them to meet their own specific security policies.

Commvault encryption can even be used together with Commvault deduplication.

Commvault software supports a wide variety of encryption algorithms based on the required security and
performance, as depicted in this table.

Finally, you can protect Commvault software encryption keys using supported third party solutions from
SafeNet and Vormetric as well as AWS and Azure Key management servers to name a few.

26
COMMVAULT PROPRIETARY AND CONFIDENTIAL INFORMATION - INTERNAL AND PARTNER UNDER NDA USE ONLY- DO NOT DISTRIBUTE

User Interfaces

User Interfaces

© Commvault 2023

Commvault Proprietary and Confidential Information Internal and Partner Under NDA Use Only - Do Not Distribute.

Notes:

This section will look at the user interfaces used with Commvault.

27
COMMVAULT PROPRIETARY AND CONFIDENTIAL INFORMATION - INTERNAL AND PARTNER UNDER NDA USE ONLY- DO NOT DISTRIBUTE

One Experience for Your Entire Data Management Strategy

One Experience for

Your Entire Data
Management Strategy

• Unified data protection dashboard

• Enhanced operational efficiency

and agility

• Single view of on-prem, hybrid,

and cloud resources

© Commvault 2023

Commvault Proprietary and Confidential Information Internal and Partner Under NDA Use Only - Do Not Distribute.

Notes:

Commvault’s solutions and capabilities are optimised for performance and usability through our unified
platform.

Regardless of what workload you are protecting, whether it be on-premises or in the cloud.

Whether you are protecting an environment through Software, using HyperscaleX Appliances or a SaaS
delivered, hybrid cloud-based solution, the interfaces, controls, and functionality are the same.

With controls and configuration elements optimised for simplicity, usability, and efficiency.

28
COMMVAULT PROPRIETARY AND CONFIDENTIAL INFORMATION - INTERNAL AND PARTNER UNDER NDA USE ONLY- DO NOT DISTRIBUTE

Commvault Command CenterTM

Notes:

The Commvault Command Center™ is a powerful web-based user interface, which spans the entire
Commvault product portfolio.

It is an easy-to-use, highly customizable web-based user interface for managing your data protection and
disaster recovery initiatives. With default configuration values and streamlined

procedures, it saves time on routine data protection and recovery tasks. Use it for configuring backups and
restores, defining data protection policies, scheduling tasks, monitoring operations, creating reports, and
much more!

The Intuitive, web-based user interface Consolidates critical information and functionality, simplifies
administration of your overall data protection strategy.

The HTML-5 interface Utilizes AI and Machine Learning to create a refined user experience focused on
business and operational outcomes.

Role-based access controls enable self-service for permissioned users, and of course, Commvault and
Command Center supports multi-tenancy.

29
COMMVAULT PROPRIETARY AND CONFIDENTIAL INFORMATION - INTERNAL AND PARTNER UNDER NDA USE ONLY- DO NOT DISTRIBUTE

Commvault Cloud CommandTM

Notes:

Cloud Command enhances Commvault Command Center’s existing capabilities, allowing customers to easily
track and analyse key data trends to be prepared for future risks, and to spot vulnerabilities quickly across all
delivery options using comprehensive security metrics.

Eliminating time-consuming manual processes and multiple dashboard reviews with our unified data platform,
Commvault Cloud command is here to save time, enhance security, and always stay informed from anywhere.

Cloud Command provides a guided method to quickly categorize and identify issues affecting the software to
mitigate risks and gives you a high-level overview of three key areas - our data protection, our platform, and
the security posture.

30
COMMVAULT PROPRIETARY AND CONFIDENTIAL INFORMATION - INTERNAL AND PARTNER UNDER NDA USE ONLY- DO NOT DISTRIBUTE

Automation

Automation

© Commvault 2023

Commvault Proprietary and Confidential Information Internal and Partner Under NDA Use Only - Do Not Distribute.

Notes:

Finally, we will look at one of the key benefits of Commvault’s solutions – Automation.

31
COMMVAULT PROPRIETARY AND CONFIDENTIAL INFORMATION - INTERNAL AND PARTNER UNDER NDA USE ONLY- DO NOT DISTRIBUTE

Commvault Automation

Commvault® Automated Recovery at scale

• Application recovery groups for
Automation instant recovery (Hot) or on-demand
recovery (Warm)
• Automate boot order sequencing for
granular control within a Recovery
group
Simplify data protection by • Override host/network/IP address
leveraging AI to automate definitions dynamically
processes.
• Customize and enhance
orchestration capabilities by
integrating with custom tools
• APIs simplify connecting to your
existing infrastructure and
automating operations

One-click recovery Orchestrated Data Integrity Validation

orchestration application recovery Strengthen data security with
Fully orchestrated test failover validation signatures and automated
for validated restores. storage validation.
Ensure data and application
recoverability.

© Commvault 2023

Commvault Proprietary and Confidential Information Internal and Partner Under NDA Use Only - Do Not Distribute.

Notes:

Commvault software can be enhanced even further via Automation controls, with AI and machine learning
built-in to the software to optimize the automation of certain tasks.

Commvault provides a fully functional set of API commands that can be used to automate regular tasks,
whether that be large scale, bulk onboarding of new clients or automation of data protection or recovery tasks.

These APIs simplify connecting to your existing infrastructure and automating operations allowing customers
to customize and enhance orchestration capabilities by integrating with custom tools.

Many commvault features have automation built-in to streamline the processes being used.

Disaster recovery functionality can be enhanced by using automation. With the ability to perform one-click
recovery automation tasks providing Fully orchestrated test failover for validated restores ensuring data and
application recoverability.

Automated data integrity validation can be used to strengthen data security with signatures and automated
storage validation.

32
COMMVAULT PROPRIETARY/CONFIDENTIAL – FOR COMMVAULT PARTNERS UNDER NDA USE – NOT TO BE FURTHER DISTRIBUTED

Thank You

© Commvault 2023
Commvault Proprietary and Confidential Information Internal and Partner Under NDA Use Only - Do Not Distribute

commvault.com | 888.746.3849
© 2023 Commvault. See here for information about our trademarks and patents.