Key Highlights

  • S3 (Simple Storage Service) has evolved from an AWS-specific tool into the universal protocol for object storage across every major cloud platform—AWS, Azure, Google Cloud, and beyond.
  • Most organizations assume cloud storage is inherently safe. It is not, and the gap between assumption and reality is where ransomware operators are doing serious damage.
  • Commvault’s new Unified Data Vault delivers enterprise-grade protection for S3 data (immutability, encryption, air gapping, and centralized policy management) without requiring developers to change how they work.
  • Agent-free architecture eliminates a major friction point between DevOps and security teams, making consistent protection achievable at scale.
  • Compliance, data sovereignty, and multi-cloud complexity are compounding the S3 protection problem, and financial penalties for non-compliance are real.
  • AI workloads, which rely almost exclusively on S3 for massive unstructured data sets, have dramatically raised the stakes for getting data protection right.
  • Unified Data Vault is currently in early access with general availability expected in the coming months.

The Quiet Risk Living Inside Your Cloud Storage

S3, Amazon’s Simple Storage Service, was once just an AWS feature. Today, it is the de facto standard for object storage across the entire cloud ecosystem. Every major hyperscaler supports it. Every developer knows how to use it. And every AI workload depends on it to store training data, model weights, vector databases, and inference results at petabyte scale. S3 has become the storage layer of modern enterprise computing, and that is precisely why what happens to it matters enormously.

In a recent episode of our Security Square podcast series, I sat down with Michael Fasulo, Senior Director of Portfolio Marketing at Commvault, to talk about the very real and very underappreciated risks associated with S3 data, and what Commvault is doing about it with the launch of Unified Data Vault.

Cloud Storage Is Not the Same as Cloud Protection

One of the most persistent and dangerous myths in enterprise IT is that data stored in the cloud is automatically protected. It is not. As Fasulo explained, despite the hyperscalers’ best efforts to make S3 secure out of the box, organizations routinely leave critical protections untouched: no immutability, no air gapping, inconsistent encryption, and no centralized oversight of how data is stored across dozens or hundreds of buckets.

“Anyone can solve complexity with more complexity,” Fasulo told me. “The challenge is really solving complex problems very simply.” That philosophy is at the heart of how Commvault designed Unified Data Vault.

Ransomware operators have figured this out. The classic defense, “we’ll just restore from backup,” falls apart the moment those backups live in S3 buckets that aren’t immutable or air gapped. Threat actors have evolved from encrypting production data to targeting backup applications and repositories directly. If your company’s last line of defense isn’t truly protected, you may find yourself with a massive business resilience problem, expensive downtime, and significant reputational damage, and you could easily end up in a situation where paying the ransom is the only option.

The Compliance and Multi-Cloud Complexity Problem

Layered on top of the ransomware risk is a growing compliance and governance challenge. Highly regulated industries like healthcare and financial services face extensive auditing requirements. Multi-cloud environments, where different platforms operate differently and don’t always translate neatly to one another, create enormous standardization challenges. Add hybrid infrastructure and edge deployments into the mix, and you have a compliance complexity problem that is genuinely difficult to manage without the right tooling.

Data sovereignty adds yet another layer. Some organizations operate across jurisdictions with strict data boundary requirements, meaning that cloud targets may not be an option in every case, and on-premises or edge solutions must fill the gap. The financial penalties for failing to meet regulatory requirements are real, and as Fasulo noted, these are all very avoidable scenarios.

What Unified Data Vault Actually Does

Unified Data Vault addresses these problems by extending Commvault’s centralized, policy-driven management framework to S3 data, without requiring developers to change a thing about how they work. Developers simply point their applications to the Unified Data Vault S3 endpoint. Everything else (encryption, immutability, air gapping, retention policies, compliance controls, audit trails) is handled automatically through inherited policies.

This matters enormously for two reasons. First, it eliminates the friction between DevOps teams (who want to write to an S3 endpoint and move on) and security and compliance teams (who need granular controls, audit trails, and centralized visibility). Second, it does so without agents or plugins, which is a significant architectural distinction that removes a historically stubborn barrier to adoption.

For multi-cloud environments, this means consistent protection policies across AWS, Azure, Google Cloud, and any S3-compatible storage, all managed through a single interface. For AI workloads, it means that the massive, unstructured data sets that power modern AI applications are protected with the same rigor as any other enterprise data, with surgical recovery capabilities that allow organizations to restore specific data sets rather than dumping terabytes back into an environment.

The Bottom Line

Fragmented S3 buckets without proper controls represent one of the largest unmanaged risks in enterprise IT today, and that is not hyperbole. As AI workloads continue to expand and the volume of S3 data grows exponentially, the protection gap is only going to widen for organizations that aren’t paying attention.

Unified Data Vault is currently in early access, with general availability expected within the next few months. It’s worth a look.

This article was originally published on LinkedIn.