Commvault pitches Geo Shield for sovereign data protection
Commvault says sovereign data protection has three core elements: where data is stored, who controls access to it, and who holds the encryption keys. Its new Geo Shield offering is designed to address all three, as organizations face growing regulatory pressure to keep sensitive information under specific national or regional control.
How private data is depends on whether it is encrypted, who provides the data storage service, and where the storage system is located. A sovereign territory, either a country or a region like the European Union, can have data privacy regulations that apply to certain types of data, such as personally identifiable information, patient medical records, and financial system transaction details.
Commvault’s chief product officer, Rajiv Kottomtharayil, said: “Commvault Geo Shield is designed to help customers strengthen resilience, align with data compliance efforts, and maintain control over how and where their data is managed.”
The data can be stored in physically air-gapped form, such as offline tape cartridges, or virtual air-gapped form, like a separate cloud account. However, US-owned public clouds may be required to release customer data to US government agencies.
If absolute sovereign data protection is required in an EU country, that data should not be stored in a US-owned public cloud, unless that cloud can unequivocally assure EU customers that their data will never be exposed in that way. Public storage clouds locally owned within the EU generally do not have to comply with US government data access requests.
Encryption helps only so long as the encryption keys remain private and out of reach of prying eyes. Hardware security modules can strengthen that protection.
It is important for a data protection and cyber resilience vendor to recognize these issues and support customers in meeting them, if it wants to do business in areas subject to sovereign data access controls.
Commvault’s Geo Shield is its way of doing this and has four levels of location and sovereign support:
- Cloud SaaS in a local hyperscaler region
- Cloud SaaS in a sovereign hyperscaler region, like AWS European Sovereign Cloud
- Partner-operated sovereign national/regional cloud services with Commvault software and virtual air gaps
- Private sovereign clouds within dedicated environments
Commvault says Geo Shield enables cyber resilience and sovereignty with deployments that maintain in-region control of data, operations, and encryption keys. Geo Shield supports customer-controlled encryption keys, with both Bring Your Own Key (BYOK) and Hold Your Own Key (HYOK) options. It integrates with customer or partner-managed hardware security modules (HSMs).
Geo Shield also operates within boundaries, including “no call home” requirements, with operations run by screened local partners.
Availability of specific Geo Shield deployment models will be announced separately, based on implementation timelines with partners in the relevant regions.
Cohesity has data sovereignty support infused throughout its data protection offerings, with a blog discussing this. Rubrik has a Security Cloud Sovereign offering, in an early access phase, through which it says customers can “achieve true data sovereignty, beyond data residency. Operate entirely within your designated boundaries – whether on-premises or sovereign cloud – ensuring all components remain under your chosen legal jurisdiction. Eliminate dependencies on foreign organizational structures with clear jurisdictional control.”
Veeam also offers data sovereignty support capabilities. Commvault describes Cohesity, Rubrik, and Veeam as “one-cloud ponies” in a cyber recovery checklist.
Bootnote
Commvault supports many federal, industry, and global regulatory requirements, including FedRAMP High, FIPS 140-3, and GovRAMP; industry-specific mandates like SEC Rule 17a, HIPAA, and PCI DSS v4.0; and emerging frameworks such as DORA and NIS2. It also supports several global frameworks, including IRAP PROTECTED status for the Australian Federal Government and certified Cloud Service Provider (CSP) status with the Dubai Electronic Security Center (DESC).