Subscribe to the Non-Human & AI Identity Journal

Disaster Recovery Iceberg

The Disaster Recovery Iceberg is the hidden configuration layer beneath backups and snapshots that determines whether restored data can actually be used. It includes identity, network, SaaS, and security settings that are often overlooked until an incident forces teams to rebuild them under pressure.

Expanded Definition

The Disaster Recovery Iceberg describes the often invisible recovery dependencies that sit below the backup layer: directory services, privileged accounts, DNS, SaaS tenant settings, certificate trust, network segmentation, and security tooling. In practice, a backup may be intact while the restored environment remains unusable because these supporting controls were never documented, tested, or rebuildable in sequence. That is why NHI Management Group treats the term as a recovery-readiness concept, not simply a backup concern.

Definitions vary across vendors and practitioners, but the consistent idea is that recovery success depends on more than data restoration. A useful comparison is the NIST Cybersecurity Framework 2.0, which emphasises resilience and recovery outcomes rather than isolated technical artefacts. The iceberg model helps teams see that identity and access rebuilding can be as critical as file restoration, especially where NHI credentials, automation tokens, and service accounts must be recreated before applications can start. The most common misapplication is treating backup completion as proof of recoverability, which occurs when organisations validate snapshots but never test the hidden dependencies needed to make the restored system operational.

Examples and Use Cases

Implementing disaster recovery rigorously often introduces more documentation and testing overhead, requiring organisations to weigh faster backup operations against the cost of rebuilding the surrounding control plane.

  • A cloud application restores from snapshots, but the team must first rebuild identity providers, reapply role bindings, and reissue NIST Cybersecurity Framework 2.0-aligned access controls before users can sign in.
  • A SaaS platform backup is available, yet tenant-specific policies, security groups, and audit settings were never exported, so the service cannot pass internal approval to go live after recovery.
  • An automation platform depends on NHI secrets and certificates stored outside the backup scope, so the restored workloads fail until those credentials are rotated and redeployed.
  • A ransomware exercise shows that DNS zones, firewall rules, and privileged access workflows are missing from the runbook, turning a simple restore into a manual rebuild.
  • A regulated business tests recovery for a core system and finds that logging, key management, and retention settings must be reconstructed to satisfy NIST Cybersecurity Framework 2.0 recovery expectations.

These scenarios show why the iceberg metaphor is useful: the visible artefact is the backup, but the operational outcome depends on the surrounding estate being recoverable as a whole.

Why It Matters for Security Teams

Security teams use the Disaster Recovery Iceberg to expose gaps that traditional backup reporting hides. If identity infrastructure, privileged access paths, certificate authorities, SaaS configurations, and NHI secrets are not recoverable in the right order, incident response can stall even when storage systems are healthy. This is especially relevant in environments with heavy automation, where a single service account or API token may be required to restart dozens of dependent workflows.

The term also matters for governance because recovery assumptions often fail during audits, tabletop exercises, and real outages. Teams that align recovery planning to resilience guidance in NIST Cybersecurity Framework 2.0 are more likely to identify these dependencies before crisis conditions. For NHI-heavy estates, the iceberg is larger still: agents, scripts, and integrations can leave behind credential and trust dependencies that are not obvious in backup inventories. Organisations typically encounter the full cost of the iceberg only after a major incident exposes that the environment can be restored on paper but not brought back into service.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the technical controls, while DORA define the regulatory obligations.

Framework Control / Reference Relevance
NIST CSF 2.0 RC.RP-1 Recovery planning and execution directly capture the hidden rebuild steps in this term.
NIST SP 800-53 Rev 5 CP-9 Contingency planning requires backups plus recoverable system state and dependencies.
DORA Operational resilience expectations fit hidden recovery dependencies and restoration testing.

Include identities, keys, configs, and platform dependencies in contingency procedures.