Security Overview

Table of Contents

Data protection is our highest priority. Security is built into every step of our data management services from an end user's computer all the way to backup storage. Use our security features and administrative tools to enhance your own data security plan to ensure that your data is kept private and safe from unauthorized users.

If you feel you have discovered a security vulnerability, go to Report Security Vulnerabilities to report it.

CommServe Security

All configuration data, job records, and access control to Commvault managed data is contained within the CommServe database. Regardless of what other security barriers you put in place, if the CommServe database is compromised, your data is vulnerable. Your primary means to protect the CommServe database are the physical, application, and network security measures you take. For more information, see the Locking Down the CommServe white paper.

User Security

Logon Attempts

Administrators can limit the number of times a user can attempt to logon. After the limit is reached, the user account is locked for the time period defined by the administrator. For more information, see Limiting User Logon Attempts.

Two-Factor Authentication

When Two-Factor Authentication is activated, users must enter a 6-digit PIN (Personal Identification Number) along with their passwords to access the CommCell environment. For more information, see Two-Factor Authentication - Overview.

Role-Based Security

A role is a collection of permissions administrators assign to users and entities to create a three-way security association. Roles can be assigned to any external or CommCell-based user or user group. For more information, see Security Association Overview.

Integration with Microsoft Active Directory and IBM Domino Directory Services

Administrators can manage a single set of users through integration with external directory services. SnapProtect roles and entities can be assigned directly to an Active Directory external group or user. For more information, see Domains Overview.

Integration with Social Media Provider

End users who log on to the Web Console can be authenticated by a social media provider, for example, a user can log on by using credentials from a Google account. For more information, see External Authentication for the Web Console Using Social Sign In.

SAML Support

Security Assertion Markup Language (SAML) is an XML-based open standard that allows authentication by an Identity Provider (IdP) for Web Console users. SAML can be used to create a single identity for each user for a single sign-on log on for all applications. A SAML User Registration Workflow is available to create user names in the CommServe database. For more information, see External Authentication with SAML Integration (SSO) - Web Console.


Assigning client owners simplifies laptop security. Administrators can set security for all client owners at once by assigning client owner permissions at the CommCell level. Administrators also have the flexibility to set client owner security at the client computer group and client levels. For more information, see Owner Security Overview.


The Privacy feature prevents users and administrators who are not client owners from seeing the data on the client. For more information, see Privacy for Owners.

Network Security

Network Password

The CommCell network password is an internal security measure used to ensure that communications occur only between CommCell computers. By default, the software assigns each computer in the CommCell environment a different password. For more information, see Network Password.

Encrypted Challenge and Reply

All CommCell communication between the CommServe and client use encrypted challenge-and-reply to validate the hosts involved.

Firewall Support

CommCell components separated by a firewall can be configured to use authorized ports and connection routes (inbound, outbound, two-way) through the firewall to communicate and perform data management operations. For more information, see Firewall Overview.

Third Party Port Mapping

In addition to the firewall routes configured in your CommCell environment, you can also establish connectivity between CommCell computers on third-party ports using existing firewall tunnels. These ports are used by third-party applications and are not configured with the SnapProtect firewall access feature. For more information, see Third-Party Port Mappings.

Data Security

Media Password

The media password prevents unauthorized access of data from removable media when using external recovery tools to restore data. This ensures that only the originating, licensed CommCell environment can recover data. For more information, see Configuring Data Encryption on a Client.

Erase Data

The Erase Data feature allows you to permanently erase any data that has been backed up. Erasure may be necessary to meet compliance requirements or to remove an unauthorized or inadvertent copy of the data. You can erase folders, files, mailboxes, folders in a mailbox, messages within a folder, and attachments. For more information, see Erase Backup/Archived Data.

Endpoint Data Security

Client Certificates

Client certificates are used to authenticate connections between client computers and the CommServe host. The authentication process reveals and confirms the identity of the client attempting to establish connections with the CommServe host during installation. For more information, see Network: Client Certificates.

Data Loss Prevention

DLP locks files on a laptop and requires a passkey to open the locked files. If the laptop is lost or stolen, this prevents unauthorized access to the data. For more information, see Data Loss Prevention Overview.

Secure Erase

Protect sensitive data on laptops by specifying certain files to be erased if the laptop is offline without connectivity with the CommServe host for a specified number of days or if a computer marked as lost or stolen is turned on and connects with the CommServe host. For more information, see Data Loss Prevention - Secure Erase.

Data Encryption


The SnapProtect software supports both online (client to media) and offline (media to media) data encryption. For online data encryption that transits over a network, the location where the encryption takes place is configurable. For more information, see Software Encryption Overview.


NetApp supports tape devices with built-in encryption. The tape device must provide the necessary controls to get the encryption capabilities and to set the encryption properties on the drive. For more information, see Hardware Encryption Overview.

Key Management

NetApp provides encryption key management services for its software encryption ciphers and for supported encryption-enabled hardware devices. You can provide additional protection for SnapProtect encryption keys with the use of SafeNet before storing the keys in the CommServe database.


Audit Trail

Administrators can track the operations of users who have access to the CommCell environment. This capability is useful when you want to determine the source of a detrimental operation performed in the CommCell environment. For more information, see Audit Trail.

Log Monitoring

The Log Monitoring tool monitors system events, user operations, logs, and analytic information for trend analysis and automated, centralized reporting as may be required for compliance. Auditors and administrators can customize what, where, and how often information is collected and can monitor the results from a single point of view, which makes it easier to spot patterns that require attention. For more information, see Log Monitoring.