New Layers of Data Defense: Multi-person Authorization & Compliance Lock

As evident with Commvault’s recent Secure by Design Pledge, we are committed to providing our customers with a secure platform to help manage risk and remain resilient in today’s digital landscape.

In the ever-evolving cybersecurity space, threats are becoming more sophisticated and widespread. Securing privileged access has emerged as a critical imperative for organizations. Privileged access refers to elevated permissions and rights granted to certain users or accounts within an IT environment, often with the ability to delete, edit, reconfigure, or destroy parts of infrastructure or data.

In a study of more than 750 enterprises, Oracle found that more than 37% of them had accounts in their organization that were over-privileged, causing significant risk. These identities have the potential to wield significant destructive power, especially when privileged accounts are compromised. According to the 2023 Verizon Data Breach Investigation Report, around 50% of all breaches involve compromised credentials, so the threat is imminent and has become especially prevalent in the era of social engineering and spear phishing.

What Is Multi-Person Authorization?

MPA is a Zero Trust security measure that enforces a tiered approval process for privileged actions. In following Zero Trust architecture principles, an MPA process assumes the user is not trusted, regardless of their associated capabilities. A quorum of authorized approvers must approve the request before allowing the action to be submitted.

What Is Compliance Lock?

Compliance Lock allows organizations to enforce software immutability by protecting data from deletion and retention changes. It keeps your organization “compliant” to whatever policies you put in place to protect the data. Once configured, Compliance Lock is enabled on Commvault storage, so all associated plans and data are locked in and protected in accordance with the customer’s retention policies.

Why Are MPA and Compliance Lock Important?

Privileged actions are sometimes required for us to do our jobs effectively, but there must be checks and balances in place. MPA restricts privileged actions for certain tasks “just-in-time” (only as needed for a specific task), while Compliance Lock helps organizations retain their data for the defined retention period. This reduces the risk of exposure to destructive actions by accident or by a malicious insider threat.

What Does Commvault’s MPA Solution Provide?

Commvault has offered MPA controls and Compliance Lock for several releases, managed as an opt-in security control within the Security IQ dashboard. Commvault’s MPA is available across the entire Commvault cloud estate (software and SaaS). We provide MPA for data deletion, and data recoveries within the Command Center, CommServe Console, and API and CLI interfaces. Compliance Lock is available as a software immutability option that is configurable on storage targets. This is often used alongside storage level immutability/WORM options. Both security features provide a multi-layered security approach.

When Will MPA and Compliance Lock Be Available?

Commvault will enable MPA for actions that may cause bulk data deletion and compliance lock for AGP storage by default starting with release CPR 2024E (11.36) and above. This is expected to go live for Tech Preview on June 15, 2024.

Once MPA is enabled, data deletion will no longer be processed immediately. Instead, it will send out an email request to all approvers to authorize the request. Approvers can approve or deny the request by clicking the appropriate link in the email or by submitting the response within the Approvals dashboard in Command Center. The deletion request will not be submitted for processing until enough approvals have been submitted.

Compliance Lock will only be enabled by default for AGP storage. Once enabled, all apps and servers associated to the Compliance Lock storage will be locked from deletion. Retention policies cannot be changed as well.

These new controls could have operational impact for users during certain administrative maintenance periods, but, as with many other security controls, the benefits to the safety of your data far outweigh the minimal operational impact that might occur.

For deeper information on the requirements and flow for Commvault’s MPA solution, see the Commvault documentation.

Continuing to Help Build Your Cyber Resilience

At Commvault, we continuously evaluate the threat landscape, so we can build solutions and provide smart defaults to secure your digital estate. We strive to be your trusted partner as you navigate this complicated world of cyberthreats. And as your partner, we will help you achieve true cyber resilience powered by the Commvault Cloud platform.