It is that time of year again. The center of the cloud computing universe has shifted to Las Vegas for AWS re:Invent 2025. With over 60,000 attendees swarming the Venetian, the energy is palpable, even from a distance. The keynotes are flashy, the product launches are relentless, and the “AI Gold Rush” narrative is being pushed harder than ever before.
But if you have been in this industry as long as I have—watching the pendulum swing from physical data centers to virtualization, then to cloud, and now to this hybrid, AI-driven reality—you learn to tune out the marketing noise. You stop looking at the shiny new features and start looking at the cracks in the foundation.
For years, I’ve architected systems designed to withstand failure. And as I watch the announcements roll out from re:Invent this week, one thing is abundantly clear: We are building AI skyscrapers on infrastructure foundations that are still trying to catch up.
We talk a lot about “Cloud First.” We talk a lot about “AI First.” But the conversation that should be dominating the expo hall this week is “Resilience First.” Why? Because the data landscape has fundamentally changed. We aren’t just protecting SQL databases and VMs anymore. We are protecting petabyte-scale data lakes, ephemeral containerized applications, and complex, open-table formats like Apache Iceberg that power the very AI models businesses are betting their futures on.
This week, Commvault is at re:Invent (Booth #621) showcasing a set of technologies—specifically around their Clumio integration and the new Cloud Rewind capability—that I believe represent a tipping point for our industry. They are moving the conversation from “Backup” to “Resilience Operations” (#ResOps).
In this deep dive, I want to unpack exactly what is happening in Vegas. I’m going to take you through the technical weeds of why protecting AI data lakes is a nightmare, why “Recovery-as-Code” is the only viable path forward for cloud-native apps, and why the Commvault Cloud Unity platform might just be the most important architectural shift we see in 2025.
The Iceberg Expedition: Protecting the AI Foundation
Let’s talk about the Yeti in the room. If you are walking the floor at re:Invent, you are likely hearing a lot about Apache Iceberg. For the uninitiated, Iceberg is an open table format for huge analytic datasets. It allows engines like Spark, Trino, and Flink to work with large tables safely and reliably. It is effectively the standard for the modern Data Lakehouse.
But here is the catch: Iceberg is complex. It manages data through a tree of metadata files, manifest lists, and manifest files that point to the actual data files in S3. If you corrupt the metadata layer of an Iceberg table, the data is technically still there, but your query engine can’t find it. It’s like tearing the index out of an encyclopedia. The information exists, but it is inaccessible.
Native cloud snapshots are the default protection mechanism here, but they have severe limitations when applied to this architecture. Keeping long-term snapshots of petabyte-scale data lakes is prohibitively expensive. You often have to roll back the entire bucket, not just a specific table or namespace. And perhaps most critically, if an attacker compromises your AWS admin credentials, they can delete the snapshots just as easily as they deleted the live data.
Enter Clumio: Air-Gapped, Iceberg-Aware Resilience
This is where Commvault’s integration of Clumio technology changes the game. They are marketing this as the “industry-first cyber resilience for AI Data Lakehouses on AWS”.
Why is “Iceberg-aware” important? Because Clumio understands the metadata structure. It doesn’t just blindly copy objects; it understands the transaction logs and the versioning history of the Iceberg table itself.
The most impressive stat I’ve seen is the scalability. Clumio is architected to protect S3 buckets containing 70+ billion objects. Let that sink in. 70 billion. This is possible because Clumio was built natively on AWS using serverless microservices. It doesn’t rely on legacy media servers or bottlenecks. It scales up protection resources dynamically as the data grows, and scales them down when the job is done.
Crucially, Clumio provides an air-gapped copy of this data. The backups are stored in a separate security sphere, outside of your primary AWS account. This is the “break glass in case of emergency” vault. Even if a bad actor gains root access to your production AWS account and wipes the S3 buckets and the local snapshots, the Clumio copy remains immutable and untouched.
My Expert Take:
We have to stop pretending that snapshots are backups. They aren’t. They are operational conveniences. In the era of ransomware that specifically targets backup catalogs, relying on a snapshot that lives in the same AWS account as the production data is negligent.
What impressed me most here isn’t just the “Air Gap”—it’s the Iceberg awareness. Commvault isn’t just backing up the S3 bucket; they are backing up the logic of the data lake. That’s a subtle but massive difference. If you’ve ever tried to manually reconstruct an Iceberg manifest from a raw S3 dump, you know it’s impossible at scale. By solving for the structure of the data, not just the storage, Commvault is proving they understand the specific pain points of the AI architect.
Cloud Rewind and the “Recovery-as-Code” Revolution
While protecting the data lake is critical, we have to talk about the application layer. This is where I believe the most exciting innovation is happening. Commvault is showcasing Cloud Rewind (born from the Appranix acquisition), and it fundamentally redefines what it means to recover a cloud application.
In a cloud-native world, an “application” is not a server. It is a loose collection of services: EC2 instances, EKS pods, RDS databases, S3 buckets, and—most importantly—the glue that holds them together: VPC configurations, Security Groups, IAM Roles, Load Balancers, and Transit Gateways.
If a cyberattack hits, the attackers often modify these configurations to maintain persistence or cause chaos. They might open port 22 to the world, change IAM roles to grant themselves admin rights, or delete the VPC peering connections. When you try to “restore,” you might get your database back. But if the security groups are wrong, the app can’t talk to the database. If the load balancer rules are gone, the customers can’t reach the app. You are left trying to put Humpty Dumpty back together again, manually.
The Solution: Cloud Rewind
Cloud Rewind takes a completely different approach. It discovers the entire application “assembly”. It maps the dependencies between the compute, the storage, and the network. It effectively captures the “DNA” of your cloud environment.
When it comes time to recover, it doesn’t just restore the data. It uses AWS CloudFormation to rebuild the environment from code. It spins up the VPCs, re-applies the correct security groups, restores the IAM roles, and then rehydrates the data into that clean environment.
This provides two massive benefits:
-
Drastic Reduction in MTTR: You aren’t spending days troubleshooting network connectivity. The environment is rebuilt automatically to a known-good state. Commvault claims this delivers “industry-first automation to dramatically shrink MTTR”.
-
Cleanroom Recovery: Because you are rebuilding the infrastructure from code, you can choose to rebuild it in a completely isolated “Cleanroom” environment for forensics or testing, ensuring you aren’t restoring malware back into production.
My Expert Take:
This is the “sleeper hit” of the conference. For 20 years, I’ve watched admins high-five over a successful data restore, only to spend the next 48 hours frantically manually reconfiguring the network because the IP addresses changed or the security groups were wiped.
Cloud Rewind acknowledges a hard truth: in 2025, the infrastructure is the application. If you can’t recover the code that defines your environment alongside the data that populates it, you aren’t resilient. You’re just archiving. By integrating with CloudFormation and CI/CD pipelines, Commvault is finally speaking the language of the DevOps team, not just the backup admin. This is “Recovery-as-Code,” and it’s long overdue.
The DynamoDB “Time Travel” Feature
There is one more specific feature announcement that deserves a spotlight, especially for the developers in the room: Clumio Backtrack for Amazon DynamoDB.
DynamoDB is the workhorse of modern, high-scale web applications. It powers shopping carts, gaming leaderboards, and real-time inventory systems. It changes milliseconds by millisecond. Traditionally, restoring DynamoDB is a blunt instrument. You restore the whole table to a point in time. But what if you only need to roll back a specific set of records? What if a bad code push corrupted the user profiles for users in Europe, but the users in Asia are fine?
Backtrack for Amazon S3 and DynamoDB introduces granular precision. It allows for “object-level time travel”. You can find specific objects or prefixes and restore them precisely without rolling back the entire database. This leverages S3 Versioning for near-instant rollbacks, even at massive scale.
For a DevOps team, this is magic. It means a bad deployment doesn’t require a massive outage to fix. You can surgically repair the damage while the application stays online.
My Expert Take:
Anyone who has ever had to tell a CTO “we have to take the whole platform offline to fix a database error” knows the pit in your stomach. It’s career-limiting.
The granularity here is the key value proposition. This isn’t about disaster recovery; it’s about operational resilience. It’s about giving developers a “Undo Button” for their daily work. By enabling granular rollback of DynamoDB tables, Commvault is moving into the “Day 2 Operations” space. They aren’t just saving you from hackers; they are saving you from your own bad code pushes. And let’s be honest—bad code pushes happen way more often than nation-state attacks.
The Strategic Shift to #ResOps
The overarching theme of all these announcements—from the Iceberg protection to Cloud Rewind—is unification. Commvault is positioning the Commvault Cloud Unity platform as the single pane of glass for the hybrid enterprise.
We see this in the TCO narrative as well. Commvault is claiming customers save, on average, over 30% over AWS backup costs by switching to their cost-optimized storage. In the current economic climate, that is a conversation starter for every CIO. You aren’t just selling “insurance” against a hack; you are selling immediate budget relief.
This connects back to the concept of #ResOps. It’s the idea that resilience isn’t a passive insurance policy you buy and forget. It is an active operational discipline. It involves continuous discovery of workloads, continuous testing of recovery plans, and continuous optimization of costs.
My Expert Take:
I mentioned in my last post that Commvault is drawing a line in the sand. At re:Invent, they are reinforcing that line with concrete tech.
The acquisition of Clumio wasn’t just about buying technology; it was about buying “cloud-native” DNA. They aren’t trying to shoehorn a legacy media agent into an EC2 instance. They are using serverless architectures. They are using infrastructure-as-code.
This is a Commvault that looks and acts like a cloud-native security company. By unifying data security, identity resilience, and now this deep AWS integration on one platform, they are solving the “tool sprawl” problem that plagues every CISO I talk to. If they can execute on this vision of a single dashboard for on-prem, SaaS, and cloud, they will have solved one of the biggest headaches in IT.
The Future is Continuous
We are entering a new phase of the cloud. The “move fast and break things” era is over. The regulators are watching, the shareholders are watching, and the ransomware cartels are definitely watching. We are now in the era of #ContinuousBusiness. The goal is not just to run in the cloud, but to persist in the cloud despite the inevitable failures and attacks.
Commvault’s showing at AWS re:Invent 2025 is a statement of intent. By unifying data security, Clumio’s scale-out storage, and Cloud Rewind’s infrastructure automation, they are building the ultimate safety net for the AI era. They are proving that resilience isn’t just a checkbox. It’s an operation. It’s a discipline. And it’s the only way to survive the climb.
Action Plan for Attendees
If you are currently navigating the chaos of the Venetian, here is my shortlist of what you actually need to see to validate this for yourself:
-
Go to Booth #621: Ask to see the Cloud Rewind dependency mapping. Seeing your infrastructure visualized as code is an eye-opener.
-
Attend the Session: Wednesday, Dec 3 at 11:30 AM (Mandalay Bay, Oceanside B). The session “Suggested Best Practices to help simplify resilience at scale for GenAI data & apps” (Session ID: STG317-S) will cover the practicals of data corruption in AI models.
-
Play the Game: If you have time Thursday, the “Z-Virus 2.0” GameDay experience (1:00 PM at Smith & Wollensky) is a unique way to stress-test your recovery skills in a gamified environment.
About the Author: Roger Lund is a 20-year industry architect, founder of vbrainstorm.com, and a Tech Field Day Delegate. He specializes in data resilience, cloud architecture, and the intersection of infrastructure and AI.
