Commvault · Infrastructure · YoctoIT tech page

Air Gap Protect

The immutable, isolated copy as a service: cloud storage managed by Commvault, retention lock and total separation from your domain — the turnkey vault.

FOCUS · OFF-SITE WITHOUT A PROJECTNo buckets to configure, no keys to guard: the air gap gets activated, not built
YoctoIT material for clients and partners · Commvault and the other products mentioned are trademarks of Commvault Systems, Inc.
01 · What it is

Air Gap Protect, made clear.

The isolated copy is the piece that saves you when everything else is compromised — but building it well takes a project. Air Gap Protect offers it as a service: object storage operated by Commvault (on Azure/OCI), immutable with retention lock, outside your tenant and your credentials. You enable it from the console, pay as you consume, sleep better.

0 setup
no buckets, IAM or lifecycle to design: it's a service
Off domain
separate credentials and tenant: your breached AD is irrelevant
Lock
immutability with retention: nobody deletes, not even us
Air Gap Protect
OFFICIAL BRANDING COMMVAULT
COMMVAULT CLOUD CONSOLE · AIR GAP PROTECT · SOURCE: COMMVAULT
COMMVAULT CLOUD CONSOLE · AIR GAP PROTECT · SOURCE: COMMVAULT
02 · How to use it well

The things that make the difference.

The vault as a service

Production backupsfrom your data plane
Encrypted copy
Dedup transfer
Retention lock
air between you and the copy: logical and administrative
Air Gap ProtectCommvault-managed storage (Azure/OCI)
On-demand recoveryread only when needed
The last copy, truly out of reach

Administrative separation

Tenant, keys and billing outside your perimeter: the insider can't reach it.

Consumption, not CAPEX

You pay per protected TB: the vault grows and shrinks with the data.

Efficient transfers

Dedup and incrementals: the off-site doesn't saturate the WAN.

Simple compliance

Certifiable immutability for NIS2/DORA: the evidence is in the service.

03 · In depth

Real air: what Air Gap Protect actually isolates

Isolation is threefold: network (data travels encrypted to the service's endpoints, not to storage in your tenant), credentials (access goes through the platform with MFA, not via your cloud keys that an attacker could steal) and administrative (retention lock: not even a support ticket deletes before expiry); recovery is a normal restore from the console — the air is crossed only in read mode and only authenticated.

  • Managed storage — Commvault operates the storage: you consume the service
  • End-to-end encryption — in flight and at rest, managed keys
  • Retention lock — the untouchable timer: the anti-insider guarantee
  • Multi-region — the copy where compliance and latency need it
  • No keys of yours — no cloud credentials to guard and rotate
  • Linear costs — per TB: predictable, no hidden egress surprises
04 · Numbers and lifecycle

The numbers that matter.

3
isolation levels: network, credentials, admin
0
infrastructure to build and maintain
min
activation from the console
NIS2
the isolated-copy requirement: covered
The 3-2-1-1-0 demands an isolated copy: this one activates in an afternoon — and stands an audit.
05 · Use cases

Where it really pays off.

Anti-ransomware

The copy the attack can't reach.

SMB & mid-market

The air gap without the enterprise project.

Compliance

Demonstrable immutability, right away.

What would building your own air gap cost? Let's compare it with the service.