Commvault extends Cleanroom Recovery to bolster ransomware defense

Recovery from ransomware attacks needs to be tested and Commvault’s aiming its Cloud Cleanroom tech at those who are looking for on-demand checks.

The prevalence of business-crippling ransomware attacks means every company needs a disaster recovery strategy, not just those that can afford failover between physically separate datacenters. The most cost-effective way of doing this is to have a backup datacenter in the cloud which is fired up when needed, not one that’s operational all the time.

There is a restriction here in that the existing systems that need protection against disaster must be capable of being instantiated in the target cloud. This instantiation needs rehearsing so that it can be relied on. Commvault’s pitching its Cloud Cleanroom Recovery, an isolated cleanroom in the cloud, as allowing you to set up and test a ransomware recovery datacenter.

Brian Brockway.

Commvault CTO Brian Brockway said: “With disaster recovery, testing your recovery strategy once a year was fine. For example, with a natural disaster, you didn’t have to worry about bad actors infiltrating your systems. You just needed to be able to recover. Now, with AI-driven attacks, threat vectors change by the hour. The need to not only test your recovery frequently but know you have a clean place to recover in the cloud has never been more  important.”

Commvault’s existing Cleanroom Recovery facility relies on Microsoft’s Azure to provide recovery from immutable backups to a cleanroom in the cloud for faster recoveries and also incident response testing. 

It is being extended to support Commvault’s SaaS customers. When bad actors attack, Cleanroom Recovery orchestrates recovery into a clean, isolated location in Microsoft’s Azure cloud. Customers can do this on-demand and only pay for it when they use  it.

Cleanroom Recovery gives customers the ability to quickly, easily, and regularly test recovery plans across their IT infrastructure. It is integrated with Microsoft Defender to automate threat scanning to help ensure data is clean and is planned to include Microsoft Active Directory restoration capabilities later this year. Commvault says that being able to restore Active Directory and validate its consistency and operational integrity can help ensure proper authorizations for data access remain in place.

Later this year Cleanroom Recovery will include capabilities that enable customers to rebuild applications and services from a known clean state, as needed.

Other features:

  • AI-enabled Cleanpoint Validation automatically empowers customers to identify the last clean recovery point. 
  • Users can customize recovery sequences so data is recovered in a logical order. Users can convert VMs from any hypervisor to Azure VMs.
  • A forthcoming integration with Palo Alto Networks later this year will use Cortex XSOAR (Extended Security Orchestration Automation and Response) to add the latest threat intelligence data to incidents, streamlining the recovery of compromised assets into the cleanroom for forensic analysis and secure cyber recovery. 

Commvault states that its Cleanroom Recovery customers also benefit from the Commvault Cloud platform, powered by Metallic AI. This enables customers to secure and recover their data, across any workload, and from any location to any location. In the future, via Commvault’s recent Appranix acquisition, customers will be able to use Appranix’s cloud application rebuild capabilities.

Aung Oo, General Manager for Azure Storage, Microsoft, said: “Commvault Cloud Cleanroom Recovery augments air-gapped data protection built on Azure with fast and secure recovery. It enables customers to test their resilience plans, and when necessary,  recover to a trusted, clean, isolated location in Microsoft Azure. The clean and isolated copy also enables forensics for auditors and insurers and gives organizations a tremendous advantage in the fight against ransomware and other cyber threats.”

Pure Storage has a Cloud Block Store Azure offering. Mark Bridges, Senior Director, Strategic Alliances, Pure Storage, commented: “As cyberthreats grow in frequency and sophistication, global enterprises recognize the need to bolster their defenses with proactive security measures that  safeguard not just their data, but the entirety of their business operations.”

Hitachi Vantara has a Commvault partnership. Dan McConnell, SVP of Product Management for Digital Infrastructure, Hitachi Vantara, said: “Providing customers with the ability to test their  cyber recovery plans in advance, along with having a clean recovery point, fills a critical gap in the marketplace today.”  


HPE’s Zerto Cyber Resilience Vault also provides protection by allowing for clean copy recovery from an air-gapped setup if a replication target is also breached. AWS has a cleanroom facility but it is used for collaboration and not ransomware attack recovery.

Cohesity is aware of cleanroom concepts but has no specific clean room offering. From its glossary: “Before restoring, backups are typically decontaminated in cleanroom environments where malware, vulnerabilities and other threats are identified before the recovery of backup data. This ensures that threats can not immediately relaunch after restoration.”

Rubrik doesn’t have a cloud clean room as such but it has some equivalent facilities. For example, it has “Orchestrated Application Recovery [which] integrates with Ransomware Investigation to identify impacted applications and rapidly recover them in-place using the recommended points in time just before infection.” 

It also has a cyber-recovery facility with a “SaaS application that enables the deployment of isolated recovery environments for testing of recovery processes, and can help to parallelize the forensics process for faster recoveries in the event of a cyber attack. Integrates with Threat Monitoring & Hunting, Threat Containment, and Ransomware Monitoring & Investigation to pinpoint both safe and malicious recovery points for recovery, dependent on the scenario.”

Read more in a Rubrik best practices guide.


Unless otherwise noted, the latest features of Commvault Cleanroom Recovery are available now. Learn more about Cleanroom Recovery via a Commvault blog and website. There’s a solution brief here.