TL;DR: 42% of modern cloud application outages cannot be fixed with a simple backup restore and 78% of organisations need more than a month to restore complete environments, with average rebuild labour costs reaching $210,836 annually, according to Commvault research. Manual recovery is no longer compatible with cloud-native complexity, configuration drift, and multi-cloud fragmentation.
At a glance
What this is: This is an analysis of ESG research showing that cloud-native application recovery is often a rebuild problem, not a restore problem, and that rebuilds create major time, cost, and operational drag.
Why it matters: It matters to IAM and security practitioners because cloud recovery depends on identity, access, and configuration consistency across services, environments, and teams, especially where workload identity and privileged access control shape rebuild reliability.
By the numbers:
- 42% of modern cloud application outages can’t be resolved with a simple backup restore, according to Commvault’s ESG research.
- 66% of organizations need at least a week to restore core functionality, according to Commvault’s ESG research.
- 90% of surveyed organizations use two or more cloud providers, according to Commvault’s ESG research.
- 47% of all new application development is now cloud-native, according to Commvault’s ESG research.
👉 Read Commvault's analysis of the hidden cost of cloud complexity and rebuilds
Context
Cloud-native recovery is failing because many teams are still treating modern applications as if they can be restored like legacy systems. In practice, distributed services, configuration drift, and multi-cloud variation turn recovery into a rebuild exercise that depends on repeatable access, privilege, and configuration control.
The identity connection is real even in a cloud resilience story. Rebuild workflows often rely on service accounts, secrets, certificates, and privileged automation paths, so inconsistent identity governance can slow recovery just as much as missing infrastructure can. For IAM and PAM teams, this is a resilience problem as much as an access problem.
The article argues that the old backup-and-restore model is no longer enough for cloud-native estates. That starting position is now typical rather than exceptional in environments that have adopted microservices and multiple cloud providers.
Key questions
Q: What breaks when cloud-native recovery depends on manual rebuilds?
A: Manual rebuilds break when teams cannot reliably recreate the same configuration, access, and trust relationships that existed before failure. In cloud-native environments, that usually means outages last longer, recovery costs rise, and the final rebuilt service differs from the original. The biggest weakness is reproducibility, not just speed.
Q: Why do multi-cloud environments make recovery harder to govern?
A: Multi-cloud environments multiply the number of identity models, automation paths, and policy differences that recovery teams must coordinate. If access, secrets, and orchestration are not standardised across providers, rebuilds become inconsistent and slower to execute. The more platforms you operate, the more important uniform recovery policy becomes.
Q: How do you know if configuration drift is undermining resilience?
A: You know drift is undermining resilience when rebuilds require manual fixes, environment recreation takes longer than expected, or restored services do not match the pre-failure baseline. Drift often appears first as inconsistent permissions, missing secrets, or non-reproducible deployment states. Those are early warning signs of broken recovery governance.
Q: Who is accountable when recovery workflows fail during an outage?
A: Accountability should sit with the teams that own application configuration, cloud platform controls, and identity governance together, because rebuild failure usually crosses all three domains. If service identities, privileged automation, and recovery permissions are not defined before the outage, no single team can restore the service cleanly.
Technical breakdown
Why cloud-native rebuilds are harder than restores
Cloud-native systems are built from many loosely coupled services rather than a single recoverable application stack. A restore can bring back data, but it often cannot recreate the exact application state, dependencies, networking, and access paths required for the service to function. That is why rebuilds are often needed after outages, especially when configuration drift has accumulated across environments. In these setups, recovery is not only an infrastructure task. It is also an identity and orchestration problem because workloads, secrets, and roles must be re-established in the right order.
Practical implication: treat recovery design as a governed rebuild workflow, not a backup exercise.
How configuration drift undermines resilience
Configuration drift happens when production environments gradually diverge from the intended baseline through manual changes, patching differences, or inconsistent deployment paths. In cloud-native estates, drift is especially dangerous because it breaks reproducibility. If the failed environment cannot be recreated exactly, rebuild time increases and confidence in the restored service falls. Identity controls contribute here too, because drift often includes inconsistent permissions, stale secrets, and mismatched trust relationships between components. The result is a recovery process that is slow, brittle, and dependent on tribal knowledge.
Practical implication: version-control infrastructure, permissions, and secrets alongside application code.
Why multi-cloud consistency is an access governance problem
Multi-cloud resilience is difficult when each platform handles identity, policy, and automation differently. Even if teams standardise tooling, they still need to reconcile service principals, workload identities, rotation methods, and recovery permissions across environments. The more variation there is, the more likely recovery will fail at the access layer before it fails at the infrastructure layer. That makes cloud resilience a governance issue, not just an engineering issue. Recovery succeeds when the same identity and control assumptions hold across every platform that may need to be rebuilt.
Practical implication: establish uniform access and recovery policy across cloud providers before an outage exposes the gaps.
NHI Mgmt Group analysis
Cloud resilience now depends on identity consistency as much as infrastructure automation. This article shows that rebuilds fail when teams cannot recreate the same access, configuration, and trust relationships that existed before the outage. In cloud-native estates, service accounts, secrets, certificates, and privileged automation paths are part of the recovery surface, not just the control plane. Practitioners should treat identity governance as a resilience dependency, not a separate IAM programme.
Configuration drift is the hidden control gap behind many failed rebuilds. The research’s time and cost figures are not just an operations warning, they are evidence that environments are no longer reproducible at scale. When configuration state diverges, recovery becomes a manual reconstruction effort and every missing control multiplies delay. The practical conclusion is that drift management must include permissions, secrets, and workload identities, not only infrastructure settings.
Multi-cloud resilience creates a standardisation problem that most organisations have not solved. A build process that works in one cloud but not another is not resilient, it is conditional. The 90% multi-cloud figure in the article signals that recovery governance now has to span multiple identity models, multiple automation stacks, and multiple operational teams. That is where consistent policy and repeatable access patterns become the difference between restoration and prolonged outage.
Automatic rebuilds are becoming a governance requirement, not a convenience feature. The article makes clear that manual recovery consumes labour, delays strategic work, and introduces human error at the worst possible moment. For identity leaders, the implication is direct: if workload identities, privileged automation, and secrets cannot be recreated predictably, then the recovery model is still dependent on manual intervention. Organisations should measure whether rebuilds are actually executable under outage conditions, not just documented in a runbook.
What this signals
Cloud resilience programmes are moving toward identity-aware recovery design. When rebuilds fail, the issue is often not only application state but whether the organisation can re-establish workload identities, secrets, and privileged automation fast enough to meet the recovery objective. That makes the recovery programme an IAM and PAM concern as much as a platform engineering concern.
Configuration drift is becoming a board-level resilience risk because it turns recovery into reconstruction. Teams that cannot reproduce environments will keep paying the same hidden tax in downtime, labour, and operational fatigue. The practical response is to govern rebuildability as a measurable property, not an assumed one.
The broader signal is that cloud-native adoption is outrunning operational standardisation. Organisations that invest in repeatable access patterns, controlled secret handling, and consistent recovery permissions will have a better chance of keeping resilience promises when outages occur.
For practitioners
- Map recovery-critical identities Identify every service account, API key, certificate, and automation role needed to rebuild core applications, then classify them by recovery dependency and privilege level.
- Standardise rebuild permissions across clouds Align the permissions required for recovery workflows in each cloud so rebuild automation does not depend on environment-specific manual exceptions.
- Version-control configuration and access state Store infrastructure definitions, access policies, and secret references in a controlled release process so the rebuild target matches the intended baseline.
- Test recovery as an operational exercise Run rebuild drills that validate whether teams can restore core services without relying on undocumented access, ad hoc approvals, or one-off administrator intervention.
- Reduce drift before the outage exposes it Track and remediate configuration drift across permissions, network settings, and workload trust paths, because drift extends downtime and makes rebuilds less reliable.
Key takeaways
- Cloud-native outages increasingly require rebuilds, which makes recovery slower, more expensive, and more dependent on repeatable configuration.
- The research points to configuration drift and multi-cloud inconsistency as the main reasons traditional restore models are failing.
- Identity, secrets, and privileged automation need to be designed into recovery workflows before an outage turns them into bottlenecks.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-53 Rev 5, CIS Controls v8 and NIST Zero Trust (SP 800-207) set the technical controls, while ISO/IEC 27001:2022 define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.IP-3 | Recovery processes and configuration drift are central to this cloud resilience article. |
| NIST SP 800-53 Rev 5 | CP-10 | CP-10 directly addresses system recovery and fits the rebuild focus of the article. |
| CIS Controls v8 | CIS-11 , Data Recovery | The article is fundamentally about recovery performance and consistency under outage conditions. |
| ISO/IEC 27001:2022 | A.8.13 | Backup and recovery controls are relevant where cloud rebuilds replace simple restoration. |
| NIST Zero Trust (SP 800-207) | Identity and access consistency across environments supports zero trust recovery design. |
Use A.8.13 to govern recovery capability, then test whether restore assumptions still hold in cloud-native estates.
Key terms
- Configuration Drift: Configuration drift is the gradual divergence between an intended system baseline and what actually exists in production. In cloud-native environments, drift can affect permissions, secrets, network settings, and deployment state, making rebuilds harder to reproduce and increasing the chance that recovery will fail or behave differently than expected.
- Cloud Rebuild: A cloud rebuild is the process of recreating an application and its supporting environment rather than simply restoring a backup. It usually becomes necessary when services, dependencies, identities, or configuration state cannot be recovered reliably from snapshots alone, especially in distributed and multi-cloud setups.
- Recovery Baseline: A recovery baseline is the defined set of configurations, permissions, and dependencies that an application must have in order to be restored consistently. It matters because rebuilds only work when the target state is known, versioned, and repeatable across environments.
- Recovery-critical Identity: A recovery-critical identity is a service account, automation role, certificate, or secret that must exist for a system to be rebuilt or brought back online. These identities are often overlooked until an outage, when missing or misconfigured access becomes a recovery blocker.
What's in the full article
Commvault's full article covers the operational detail this post intentionally leaves for the source:
- The survey methodology behind the 40.6 person-day rebuild figure and the labour cost calculation.
- The practical mechanics of Cloud Rewind and the recovery workflow it is designed to support.
- The webinar discussion with the report author and Commvault speakers on cloud resilience operations.
- The business impact breakdown behind revenue loss, customer churn, and staff stress during rebuild events.
👉 Commvault's full post covers the research details, recovery cost breakdown, and webinar discussion.
Deepen your knowledge
The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, workload identity, secrets management, and identity lifecycle fundamentals. It is designed for practitioners who need to connect identity controls to operational resilience and access governance.
Published by the NHIMG editorial team on 2025-08-01.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org