Subscribe to the Non-Human & AI Identity Journal

What do teams get wrong about backup separation in cloud data protection?

Teams often assume that a logically separate backup is enough, even when it remains inside the same cloud security sphere as production. True resilience depends on whether the backup can survive account compromise, destructive deletion, and the same administrative failure domain as the source system.

Why This Matters for Security Teams

Backup separation is often treated as a storage problem, but cloud recovery is really an identity and control-plane problem. If a backup sits under the same account, same admin roles, or same policy plane as production, an attacker who gains one set of privileges can often reach both. NIST Cybersecurity Framework 2.0 and NIST Cybersecurity Framework 2.0 both reinforce that resilience depends on recoverability, not just retention.

The gap shows up clearly in real incidents. NHIMG’s analysis of the Codefinger AWS S3 ransomware attack and the Snowflake breach illustrates how access paths, not only data locations, determine whether backup copies survive a destructive event. The operational mistake is assuming that logical separation inside one cloud tenant is enough protection against account takeover, key misuse, or an over-privileged administrator.

In practice, many security teams discover backup fragility only after production deletion, credential abuse, or a cloud management compromise has already made recovery conditional on the attacker’s cooperation.

How It Works in Practice

Effective backup separation means designing backups to survive the same compromise domain that can destroy production. That usually requires separate identities, separate administrative boundaries, and separate recovery permissions. A backup copy that is immutable but still modifiable by the same principal that manages production is not truly independent. The most resilient patterns use a dedicated backup account or tenant, tightly scoped cross-account access, and explicit deny controls for deletion and encryption key changes.

Teams also need to separate the security of the backup data from the security of the restore path. A backup that cannot be restored without the same compromised role is not useful under attack. Best practice is evolving toward short-lived, narrowly scoped restore access, tested break-glass procedures, and periodic restore drills that verify the backup can be recovered without production dependencies. NIST SP 800-53 Rev 5 and the NIST SP 800-53 Rev 5 Security and Privacy Controls are useful here because they distinguish backup protection, access control, and contingency planning as separate control objectives.

  • Put backups in a separate account, subscription, or project with different administrative ownership.
  • Use immutable storage and deletion locks, but do not rely on immutability alone.
  • Protect backup encryption keys with independent governance, not the same key admin path as production.
  • Test restores from a clean administrative path, not from production credentials.
  • Log and alert on backup policy changes, retention changes, and cross-account access grants.

NHIMG’s 2024 Non-Human Identity Security Report shows why this matters: many organisations still struggle with consistent access across hybrid and multi-cloud environments, which makes backup separation harder to implement consistently. These controls tend to break down when backup administration and production administration are delegated to the same cloud platform team because one privilege set can still erase both the live system and its recovery copy.

Common Variations and Edge Cases

Tighter backup separation often increases operational overhead, requiring organisations to balance stronger recovery guarantees against slower administration and more complex restore workflows. That tradeoff is real, especially in multi-account cloud environments where security teams want isolation without creating so much friction that restore testing stops happening.

There is no universal standard for this yet, but current guidance suggests treating the following as high-risk exceptions: managed backup services that inherit production permissions, snapshots protected only by tagging or soft-delete, and cross-region copies that still sit behind the same identity boundary. The 230M AWS environment compromise is a reminder that cloud scale can magnify a single identity failure across many assets, including recovery infrastructure.

For regulated data, separation may also need to cover retention, legal hold, and encryption key custody. In those cases, the relevant question is not whether a backup exists, but whether an attacker, a careless administrator, or a ransomware event can alter or destroy it before recovery begins. The strongest programs validate that answer with restore drills, access reviews, and independent key control rather than assuming vendor defaults are enough.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 PR.IP-4 Backup recovery processes must survive compromise, not just exist.
NIST SP 800-63 Strong identity proofing and session controls support safer privileged backup access.
NIST Zero Trust (SP 800-207) Zero trust principles support separate trust zones for production and recovery assets.
OWASP Non-Human Identity Top 10 NHI-03 Backup controllers often fail when long-lived non-human credentials are reused.

Validate backups through tested recovery plans that assume production and backup may both be under attack.