This section contains topics about security features and administrative tools that can enhance your data security plan to ensure that your data is kept private and safe from unauthorized users. Specifically, these topics explain how to harden the CommServe database, where all configuration data, job records, and access control reside.
All configuration data, job records, and access control to Commvault-managed data are contained within the CommServe database. Regardless of the other security barriers in place, if the CommServe database is compromised, the data is vulnerable. The primary means to protect the CommServe database is, and will always be, the physical, application, and network security measures taken. However, there are additional security precautions listed in this section.
Some of the recommended security precautions involve configuring the Microsoft SQL Server instance or the Windows Server host used by the CommServe component. The configuration steps listed here may vary depending on the software versions in use. Consult the latest Microsoft documentation for version-specific steps.
Caution
Applications and users must not use the sqladmin_cv and sqlexec_cv users to log in directly to the SQL Server database.
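One way to check for violations of the caution above, as an added example that is not part of the Commvault documentation: a Python scan of SQL Server error log login audit records for the two accounts connecting from unexpected clients. It assumes SQL Server login auditing records both successful and failed logins; the `EXPECTED_CLIENTS` allowlist, the sample log lines, and the `report_reader` login are constructed for illustration.

```python
import re

# Accounts named in the caution above.
RESERVED_LOGINS = {"sqladmin_cv", "sqlexec_cv"}

# Assumption: clients from which the Commvault software itself connects.
# "<local machine>" is how SQL Server logs a connection from its own host.
EXPECTED_CLIENTS = {"<local machine>"}

# Login audit record as written to the SQL Server error log.
LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+Logon\s+"
    r"Login (?P<result>succeeded|failed) for user '(?P<user>[^']*)'\."
    r".*\[CLIENT: (?P<client>[^\]]+)\]"
)

def find_unexpected_logins(lines, expected_clients=EXPECTED_CLIENTS):
    """Return (timestamp, user, result, client) for reserved logins from unexpected clients."""
    findings = []
    for line in lines:
        m = LOGIN_RE.match(line.strip())
        if not m:
            continue  # not a login audit record (e.g. the "Error: 18456" line)
        # Compare case-insensitively so a differently cased login name is not missed.
        if m["user"].lower() not in RESERVED_LOGINS:
            continue
        if m["client"] in expected_clients:
            continue
        findings.append((m["ts"], m["user"], m["result"], m["client"]))
    return findings

# Constructed sample lines in the error log's login audit format.
SAMPLE_LOG = [
    "2024-05-02 09:14:07.31 Logon       Login succeeded for user 'sqladmin_cv'. Connection made using SQL Server authentication. [CLIENT: <local machine>]",
    "2024-05-02 09:20:44.80 Logon       Login succeeded for user 'sqlexec_cv'. Connection made using SQL Server authentication. [CLIENT: 10.20.30.41]",
    "2024-05-02 09:21:02.12 Logon       Login failed for user 'SQLADMIN_CV'. Reason: Password did not match that for the login provided. [CLIENT: 10.20.30.41]",
    "2024-05-02 09:25:10.05 Logon       Login succeeded for user 'report_reader'. Connection made using SQL Server authentication. [CLIENT: 10.20.30.50]",
    "2024-05-02 09:25:11.00 Logon       Error: 18456, Severity: 14, State: 8.",
]

if __name__ == "__main__":
    for ts, user, result, client in find_unexpected_logins(SAMPLE_LOG):
        print(f"{ts} {user} login {result} from {client}")
```

The source address alone cannot distinguish the application from a person working on an expected host, so treat the output as a list of connections to review.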
The software uses AES-256 to encrypt the passwords of the application user accounts, and then stores the key used for encryption in the CommServe database. Optionally, you can use a key management server, including a passphrase key management server, to protect the encryption key. For instructions to configure a key management server, see Configuring a Key Management Server to Secure the Passwords of Application User Accounts.
Note
The software stores sensitive information, including the passwords of various entities in a CommCell environment (such as the CommServe database, client computer agents, and mount paths), in the registry of the computers in the environment. The software uses a machine-level encryption key to store this information securely. On Windows computers, the software uses the Windows DPAPI (Data Protection API) to provide an additional level of security, while Linux follows another secure approach as outlined by Common Criteria.