Integrating Commvault with DSPM

Overview

Netskope DSPM is the Data Security Posture Management (DSPM) offering of the Netskope One platform. It automates security and governance for data, whether on-premises or in the cloud, with end-to-end protection. It delivers real-time visibility, control, and remediation for structured (like SQL databases), semi-structured (such as JSON logs), and unstructured data (including emails and documents) across databases, data lakes, and warehouses. Powered by Data Access Governance (DAG) and Data Detection and Response (DDR), the platform enforces compliance and ensures continuous audit readiness.

Follow these steps to integrate Commvault with Netskope DSPM (also known as Netskope One DSPM) and use DSPM insights to find security gaps in your data protection program and safeguard your most sensitive assets.

Integration Benefits


Netskope DSPM continuously discovers and classifies data, enforcing policies in real time across cloud, on-premises, and hybrid environments. It monitors data usage and user behavior to detect threats and automate compliance and security policy enforcement. When integrated with Commvault, it uses DSPM alerts to trigger secure backup and recovery, ensuring sensitive data stays protected and recoverable at all times.

Commvault strengthens Netskope DSPM by delivering secure, encrypted backup and recovery to protect against data loss and threats like ransomware. It ensures quick recovery and maintains data integrity and availability.

Both platforms support complex data environments across various cloud and on-premises infrastructures. By combining DSPM’s real-time monitoring and alerts with Commvault’s secure backup and recovery, organizations can automate response and recovery workflows, reduce downtime, and better protect against data loss and cyber threats.

This combined solution gives organizations better visibility and control over their data, ensuring strong governance and protection at every stage. It simplifies compliance, improves data management, and enables quick recovery from incidents. Together, Netskope DSPM and Commvault offer a unified, efficient way to manage, secure, and optimize data while boosting overall performance.

  • There are many key benefits:

    • Enhanced data discovery: Automatically detect sensitive and critical data across cloud, on-prem, and hybrid environments for better visibility and control.

    • Resilient data security posture: Identify and fix vulnerabilities in cloud workloads to strengthen protection and speed up recovery.

    • Comprehensive security coverage: Gain unified protection and visibility across both sensitive data and applications.

    • Improved risk management: Prioritize efforts based on the most critical data and app-level vulnerabilities.

    • Efficient incident response: Respond to breaches faster and more effectively, reducing impact and recovery time.

  • Beyond these benefits, the integration also drives meaningful outcomes that enhance long-term security and operational performance:

    • Enhanced data security and compliance: Strengthen defenses and simplify compliance with regulations like GDPR and CCPA.

    • Optimized data protection strategies: Use Commvault’s scalable backup to support DSPM’s identification and protection of overlooked or unmanaged data.

    • Proactive risk and configuration analysis: Detect misconfigurations and security gaps early, with built-in tools to fix issues quickly.

    • Streamlined operational efficiency: Reduce manual work and risk exposure, accelerating your security program’s impact.

    • Proactive security: Real-time monitoring and alerts help prevent incidents before they occur, ensuring continuous protection.

Supported Services


  • The Netskope DSPM and Commvault integration works with these services:

    AWS Services: RDS, Aurora
    Database Engines: MariaDB, MySQL, Oracle, PostgreSQL, SQL Server

Setting Up Netskope DSPM


  • If you don’t have access to our DSPM, email support@netskope.com with:

    • Your request for a new Netskope DSPM-hosted application.

    • The full name and email of the person who should be the application administrator.

  • You’ll receive the following from your assigned support representative:

    • Instructions to access your new Netskope DSPM application.

    • A link to our private knowledge base.

Generating Commvault Access Token


  • To generate a Commvault Access Token, follow these steps:

  • In Netskope DSPM:

    1. Go to Administration > Integrations.

    2. Click the Commvault Console link.

  • In the Commvault Console:

    1. Go to Manage > Security > Users > User name

    2. Select Access Tokens > Click Add Token

    3. Enter a name, expiry date, and scope > Click Submit.

    4. Copy the token value

  • Complete the Connection:

    1. Return to Netskope DSPM.

    2. Paste the token into the Commvault Access Token field.

    3. In Commvault Tenant URL, enter the URL before /commandcenter
      (e.g., if your tenant is https://example.commvault.com/commandcenter, enter https://example.commvault.com).

    4. Click Connect.

  • Note
    To disconnect later, edit the connection on the Integrations page and click Disconnect.


Configuring Netskope DSPM


  • After getting access to our DSPM, complete these two steps to start the integration:

    1. Onboard your infrastructure connections

    2. Connect your data stores

  • You’ll find links to the setup guides below, or you can contact support@netskope.com for assistance.

Onboard Infrastructure Connections


  • Unlike Commvault, which uses AWS KMS keys, Netskope One DSPM connects to AWS through IAM roles. This gives the necessary permissions to analyze your data stores and classify data accurately. You can set up these roles using CloudFormation or Terraform.

  • Each AWS account added as a Commvault Database Instance must also be added as a matching Infrastructure Connection in our DSPM. Follow the steps in the articles below (be sure to log in to our knowledge base using the link provided by the Netskope DSPM support team):

  • Once connected, Netskope DSPM automatically discovers your AWS data stores and imports any associated AWS tags.

Connect Data Stores


  • To monitor a data store in Commvault, you also need to connect it as a matching Data Store in Netskope DSPM. Use the following articles for step-by-step instructions (be sure to log in to our knowledge base using the link provided by the Netskope DSPM support team):

  • Once connected, Netskope One DSPM analyzes and classifies the data fields using multiple signals. It also applies Data Tags to describe the content. For example, if it detects healthcare data, it may tag the store with “HIPAA” and “PHI.”

  • You can find more details in the Classification Management article.

Using the Commvault Workflow


    When you activate the Commvault integration, a new system-controlled workflow called Send to Commvault becomes available. Here’s how it looks:

    When you assign this workflow to a policy, each alert generated by that policy is also sent to the Commvault Command Center as an anomaly alert. These alerts appear under Monitoring > Threat Indicators, where users can decide to recover affected data stores from specific backups based on the alert context. You’ll see something like this:

    If you don’t see anomaly alerts for your Netskope DSPM alerts, verify that the data store is supported and enrolled in Commvault backup protection:

  • To check this in the Commvault Console:

    1. Go to Protect > Databases > Select the matching instance

    2. Go to Instances tab > Select Instance groups

    3. Review the Backup content. If the data store is missing:

      1. Click the + button and add the data store

      2. Run a full backup job to completion
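
An offline version of this check, as an added example that is not Netskope or Commvault code: it compares a DSPM data store inventory with Commvault backup content and reports which stores are unsupported or not enrolled, and it also covers the account-matching requirement from Onboard Infrastructure Connections. The inventory layout, field names and all sample values are constructed assumptions, not an export schema of either product.

```python
# Added example. Field names and inventory layout are assumptions, not a
# Netskope DSPM or Commvault export schema; all sample data is constructed.
SUPPORTED_SERVICES = {"rds", "aurora"}
SUPPORTED_ENGINES = {"mariadb", "mysql", "oracle", "postgresql", "sql server"}

# Constructed: data stores whose DSPM policies use the Send to Commvault workflow.
DSPM_STORES = [
    {"name": "orders-db", "account": "111111111111", "service": "RDS", "engine": "PostgreSQL"},
    {"name": "hr-db", "account": "111111111111", "service": "Aurora", "engine": "MySQL"},
    {"name": "events", "account": "111111111111", "service": "DynamoDB", "engine": "DynamoDB"},
    {"name": "billing-db", "account": "222222222222", "service": "RDS", "engine": "SQL Server"},
]
# Constructed: AWS accounts onboarded as DSPM Infrastructure Connections.
DSPM_ACCOUNTS = {"111111111111", "222222222222"}
# Constructed: Commvault database instances, AWS account -> backup content.
COMMVAULT_BACKUP_CONTENT = {
    "111111111111": {"orders-db"},
    "333333333333": {"legacy-db"},
}


def coverage_gaps(stores, backup_content):
    """Map store name -> reason its DSPM alerts would not show up in Commvault."""
    gaps = {}
    for store in stores:
        service = store["service"].strip().lower()
        engine = store["engine"].strip().lower()
        if service not in SUPPORTED_SERVICES or engine not in SUPPORTED_ENGINES:
            gaps[store["name"]] = "unsupported service or engine"
        elif store["account"] not in backup_content:
            gaps[store["name"]] = "no matching Commvault instance for this AWS account"
        elif store["name"] not in backup_content[store["account"]]:
            gaps[store["name"]] = "missing from backup content"
    return gaps


def accounts_missing_in_dspm(backup_content, dspm_accounts):
    """Commvault AWS accounts with no matching DSPM Infrastructure Connection."""
    return sorted(set(backup_content) - set(dspm_accounts))


if __name__ == "__main__":
    for name, reason in coverage_gaps(DSPM_STORES, COMMVAULT_BACKUP_CONTENT).items():
        print(f"{name}: {reason}")
    for account in accounts_missing_in_dspm(COMMVAULT_BACKUP_CONTENT, DSPM_ACCOUNTS):
        print(f"{account}: add as an Infrastructure Connection in DSPM")
```
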

Recommended Policies


    The Send to Commvault workflow works with any policy (built-in or custom), except for the Data Store Discovered policy, as Commvault already handles that.

    To get started, check the sections below for recommended policies that can provide Commvault with unique security insights from Netskope DSPM:

  • In this scenario, our DSPM will notify Commvault if specific users perform an unexpected delete operation on a sensitive data store. In response, users can take actions such as:

    • Locate copies of data

    • Trigger backup removal

    • Revoke access (specific users or all)

    • Apply masking

  • This setup can be easily modified to check for employee tags vs. specific users, sensitivity levels vs. compliance tags, and more.

  • In this case, our DSPM will notify Commvault if it detects misconfiguration risks for a data store, such as encryption issues or public accessibility.

  • In this case, our DSPM will notify Commvault if an unusually large number of rows are selected, indicating potential data exfiltration. In response, users can:

    • Locate copies of data

    • Trigger backup removal

    • Revoke access (specific users or all)

    • Apply masking

Troubleshooting


    If your latest tag assignments don’t appear in Commvault, please send an email to support@netskope.com to open a ticket.
