CommVault vs. Zerto? Best air-gapped cloud backups?

High Priority
Last Modified: 2019-08-20
We currently use Veeam and Veeam Copy Jobs to an Exagrid de-duplicating appliance. Exagrid automatically syncs our data center backups to our remote office. To supplement that, and to protect against a ransomware attack, we want cloud air-gapped backups. We presently use Veeam copy jobs to iLand for that purpose but it's not going well.

We are about to demo CommVault but I figured before doing so, maybe I should take a step back and ask for thoughts on:

CommVault vs. Zerto

The ONLY thing I like about Veeam copy jobs to a cloud provider is the provider's "insider protection", which basically is a cloud-based "recycle bin" which even a malicious admin can't touch.

We don't enjoy the overly complex nature of hundreds of Veeam backup jobs and copy jobs. It's a nightmare to monitor and maintain.

CommVault sounds much simpler.

I don't know anything about Zerto other than it offers granular restores to the minute, which could be super handy during a ransomware attack (assuming they don't successfully attack our backups).

I suppose the air-gapped-ness depends on the destination provider for both CommVault and Zerto.

Do these solutions typically rely on things like Amazon's Object Lock / Compliance Mode / WORM (write-once-read-many)?

A big requirement is MFA in order to delete backup containers; my nightmare scenario is my laptop getting hijacked and/or my admin credentials getting compromised and a ransomware hacker attacking my cloud backups too!!!

Any thoughts would be valued and much appreciated.
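
For the Object Lock / Compliance Mode and MFA-to-delete requirements raised in the question, a check like the following can confirm what a destination bucket actually enforces. It is an added example, not part of the original thread; it assumes the destination is an S3 bucket and takes dicts shaped like the boto3 `get_bucket_versioning()` and `get_object_lock_configuration()` responses, with constructed sample values.

```python
# Added example (not from the thread). Inputs mirror the boto3 responses of
# get_bucket_versioning() and get_object_lock_configuration(); the sample
# dicts below are constructed, not taken from a real bucket.

def audit_backup_bucket(versioning, object_lock, min_days=30):
    """Return one finding per control that is missing or weaker than required."""
    findings = []
    if versioning.get("Status") != "Enabled":
        findings.append("versioning off: Object Lock and MFA Delete both depend on it")
    if versioning.get("MFADelete") != "Enabled":
        findings.append("MFA Delete off: permanent version deletes need no second factor")

    cfg = object_lock.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock off: no WORM protection on this bucket")
        return findings
    retention = cfg.get("Rule", {}).get("DefaultRetention")
    if not retention:
        findings.append("no default retention: only objects locked by the writer are protected")
        return findings
    mode = retention.get("Mode")
    if mode != "COMPLIANCE":
        # Governance mode can be bypassed by principals holding
        # s3:BypassGovernanceRetention; compliance mode cannot.
        findings.append(f"retention mode {mode}: privileged principals can bypass the lock")
    days = retention.get("Days", 0) + 365 * retention.get("Years", 0)
    if days < min_days:
        findings.append(f"default retention {days}d is shorter than required {min_days}d")
    return findings

# Constructed samples. A missing MFADelete key means it was never configured.
WEAK_VERSIONING = {"Status": "Enabled"}
WEAK_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
             "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}}}}
STRONG_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
               "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}}}}

if __name__ == "__main__":
    for name, lock in (("weak", WEAK_LOCK), ("strong", STRONG_LOCK)):
        print(name)
        for finding in audit_backup_bucket(WEAK_VERSIONING, lock):
            print("  -", finding)
```

The two controls are reported independently, so the output shows which of the requirements in the question a given bucket meets.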


Dr. Klahn, Principal Software Engineer

There is no such animal as an "air-gapped cloud backup."

"Air-gapped" means that there is no way to get to that computer or data without physically crossing an air gap and plugging into it.

Cloud storage means that it is available from the internet.  As such, it is not air-gapped and can never be completely secure.

The only completely secure backup is one you maintain yourself, disconnect at the end of use, and then store in a secure depository.  Anything else involves "How much risk am I willing to accept that this backup will be compromised?"  I consider cloud storage insecure for any purpose -- if it's not under your control it's not secure -- but you pay your money and you take your choice.  YMMV.

Philip Elder, Technical Architect - HA/Compute/Storage

One option would be to set up a StarWind Virtual Tape Library (VTL) and configure it to sync backups with BackBlaze B2. There is a 30 day hold on anything that hits BBB2, so it is as close to a cloud-gap as one can get.

Andrew Hancock (VMware vExpert / EE Fellow), VMware and Virtualization Consultant
Expert of the Year 2017

I would recommend you trial them both and come to your own conclusion!

But we prefer and use Zerto!

Senior Technical Consultant
Commvault does a good job of protecting the local Disk targets used for backups, with lock down to just the CV services, but when an attack targets the underlying Array you can still fall foul (not so much ransomware or virus but a fully co-ordinated attack and very specific targets).

Commvault info around options to improve security is helpful: http://documentation.commvault.com/commvault/v11/article?p=112042.htm


Thanks everyone!