By NHI Mgmt Group Editorial TeamPublished 2026-07-07Domain: AnnouncementsSource: Commvault

TL;DR: Google Cloud Storage durability does not cover ransomware, destructive deletion, lifecycle policy errors, or logical corruption, so immutable, air-gapped recovery becomes necessary for petabyte-scale object storage used by AI and analytics workloads, according to Commvault. The real governance issue is that storage availability and recoverability are no longer the same control.


At a glance

What this is: This is an analysis of generally available cloud-native backup and recovery for Google Cloud Storage, with the key finding that durability alone is not enough when object storage becomes a system of record.

Why it matters: It matters because IAM, PAM, and cloud security teams must treat recovery access, backup isolation, and restore scope as governance controls for sensitive data and workload continuity.

By the numbers:

👉 Read Commvault's analysis of immutable backup and recovery for Google Cloud Storage


Context

Google Cloud Storage is often treated as a durable storage layer, but durability does not protect against malicious deletion, ransomware, logical corruption, or lifecycle policy mistakes. Once object storage supports AI pipelines, analytics, archives, and business records, recovery design becomes a governance issue, not just an infrastructure concern.

That distinction matters for identity and access teams because recovery workflows depend on privileged access, backup isolation, and controlled restore rights. If backup copies can be altered through the same control plane as production data, resilience is only partial; independent recovery paths are the safer model for cloud-scale environments.


Key questions

Q: What breaks when cloud object storage has durability but no independent recovery layer?

A: Durability alone does not protect against ransomware, destructive deletion, logical corruption, or bad lifecycle automation. When those events hit large object stores, the organisation may still lose access to critical data even though the underlying platform remained available. Independent backup copies and tested restore workflows are what turn storage durability into business recoverability.

Q: Why do backup and restore permissions need to be treated as privileged access?

A: Because restore rights can overwrite, replace, or expose large volumes of production data, making them a high-impact control path. If the same credentials manage production storage and recovery, one compromise can damage both the primary data and the backup path. Separate privilege boundaries reduce that blast radius.

Q: How do teams know whether cloud recovery controls are actually working?

A: They test them under realistic conditions. Useful signals include successful point-in-time restores, recovery of only the affected object scope, proof that immutable copies cannot be modified, and measured restore times that meet business requirements. If those tests fail, the backup programme is documenting data, not protecting it.

Q: Who is accountable when lifecycle policy mistakes or ransomware affect cloud data recovery?

A: Accountability should sit with the owners of storage governance, backup administration, and privileged access management, because each controls part of the recovery chain. Frameworks such as NIST Cybersecurity Framework 2.0 and NIST SP 800-53 Rev 5 Security and Privacy Controls both expect clear recovery and access responsibilities, not shared assumptions.


How it works in practice

Why object storage durability does not equal recoverability

Durability means the storage service is engineered to keep data available despite infrastructure failure. Recoverability is different: it is the ability to restore data to a known-good point after ransomware, accidental deletion, corruption, or bad lifecycle automation. For cloud object storage, those failure modes can affect millions of objects at once, which means point-in-time recovery, granular restoration, and isolated backup copies are architectural requirements, not convenience features. When the storage layer backs AI and analytics systems, recovery time becomes part of business continuity.

Practical implication: validate whether your cloud storage control model separates durability assumptions from restore authority and recovery scope.

Immutable and air-gapped backups as a resilience boundary

Immutable backups prevent modification after creation, while air-gapping isolates backup copies from the production environment so an attacker or destructive process cannot easily reach both copies at once. In cloud terms, that boundary is what limits blast radius when the primary object store is compromised. This is especially relevant when the same storage backs data pipelines, archives, and application dependencies. Without a separate recovery plane, ransomware or malicious deletion can move from production data into backup data through shared permissions or shared operational workflows.

Practical implication: treat backup isolation and restore privileges as separate access domains with independent governance.

Granular recovery for objects, prefixes, and buckets

Object storage failure is often not all-or-nothing. A single bad policy or application bug can corrupt a prefix, a bucket subset, or only the most recent version of critical data. Granular recovery matters because it lets teams restore only the affected scope, reducing operational disruption and avoiding unnecessary rollback of healthy data. At petabyte scale, full restores are slow, expensive, and disruptive, so the recovery model needs searchability, point-in-time selection, and controlled restoration paths that align with change management.

Practical implication: design restore procedures that can target the smallest affected data scope rather than defaulting to full-bucket recovery.


NHI Mgmt Group analysis

Cloud object storage has become a governance domain, not just a repository. Once AI, analytics, archives, and business records depend on Google Cloud Storage, the question changes from whether data is durable to whether it can be recovered under attack or operator error. That shift forces security teams to think in terms of recovery control, restore scope, and backup isolation. Practitioners should govern cloud storage as part of resilience architecture, not as passive capacity.

Immutable recovery changes the trust model for cloud resilience. If backups sit inside the same operational plane as production storage, the organisation has not really separated protection from compromise. The article’s core implication is that air-gapped, immutable copies create a distinct trust boundary for restore operations. That is the right model for ransomware resistance, but only if restore authority is tightly scoped and audited. Practitioners should treat backup access as privileged access.

Granular restore is now a data governance requirement, not an operational preference. Object storage failures often affect only subsets of data, and restoring entire buckets can create unnecessary downtime and risk. The named concept here is recovery granularity gap: the mismatch between the size of cloud data sets and the precision of recovery controls. Teams that cannot restore at object, prefix, or bucket scope will struggle to keep analytics and AI programmes resilient. Practitioners should test restore precision, not just backup completion.

Multi-cloud resilience is exposing policy drift in backup and access controls. The article notes that many cloud leaders run multiple cloud environments, which means inconsistent recovery patterns become a governance risk. The underlying issue is not cloud diversity itself, but uneven policy enforcement across storage platforms and restore workflows. That inconsistency complicates standardisation, auditability, and incident response. Practitioners should align recovery policy across clouds before the next storage incident does it for them.

Identity controls determine whether recovery is a safety net or a second attack surface. Backup platforms, restore operators, and cloud storage administrators all need tightly constrained privilege. In practice, that means the same teams that govern NHI and PAM should review who can create backup copies, approve immutable retention, and trigger restores. Without that discipline, recovery infrastructure can become another privileged path into the data estate. Practitioners should extend identity governance into the recovery plane.

From our research:

  • 50% of organisations are onboarding new vaults without proper security approval, introducing vulnerabilities and misconfigurations from the outset, according to The 2025 State of NHIs and Secrets in Cybersecurity.
  • 62% of all secrets are duplicated and stored in multiple locations, causing unnecessary redundancy and increasing the risk of accidental exposure.
  • For related context: 91% of former employee tokens remain active after offboarding, a reminder that recovery and access governance fail when lifecycle controls are not enforced, according to the same research.

What this signals

Recovery policy is becoming part of the identity control plane. As cloud storage grows into a system of record, the teams that manage IAM and PAM need to review who can create immutable copies, approve retention, and execute restores. That is where backup resilience becomes an access governance problem rather than a storage problem.

The most useful next step for practitioners is to align storage recovery with the same discipline used for privileged access reviews. If restore authority is not periodic, scoped, and tested, then incident response will depend on assumptions rather than controls.


For practitioners

  • Separate production and recovery trust domains Use distinct admin roles, distinct credentials, and distinct policy boundaries for Google Cloud Storage administration and backup restoration so an attacker cannot alter both planes through one compromise.
  • Test point-in-time restore at object and prefix scope Validate that teams can restore a single object, a prefix, or an entire bucket from a chosen recovery point, and measure how long that takes under incident conditions.
  • Review lifecycle automation as a destructive change source Treat lifecycle policy updates, retention rules, and automated deletion jobs as governed change events with approval, logging, and rollback procedures.
  • Apply least privilege to backup and restore operators Limit who can create immutable copies, approve retention exceptions, and initiate restores, and review those entitlements alongside privileged access management controls.
  • Align backup governance across cloud providers Standardise recovery objectives, retention policy, and restore testing across AWS and Google Cloud so multi-cloud operations do not produce inconsistent resilience outcomes.

Key takeaways

  • Cloud storage durability does not solve ransomware, deletion, or corruption, so recoverability must be designed separately.
  • Immutable, air-gapped recovery copies create a real resilience boundary only when restore access is independently governed.
  • For AI and analytics workloads, the deciding factor is not how much data is stored, but how precisely it can be restored.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5, CIS Controls v8 and NIST AI RMF set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0RC.RP-1Recovery planning is central to this cloud storage resilience topic.
NIST SP 800-53 Rev 5CP-9Backup protection and recovery planning directly align to this control.
CIS Controls v8CIS-11 , Data RecoveryThis topic is fundamentally about recoverability after destructive events.
MITRE ATT&CKTA0040 , Impact; TA0010 , ExfiltrationRansomware and destructive deletion map to impact-driven attack outcomes.
NIST AI RMFMANAGEAI and analytics dependencies make data recovery part of AI risk management.

Use MANAGE to ensure datasets supporting AI workloads have tested recovery paths and clear ownership.


Key terms

  • Immutable Backup: A backup copy that cannot be altered or deleted for a defined retention period. In cloud recovery, immutability is a governance control as much as a technical one, because it prevents attackers or operators from changing the recovery source after compromise or human error.
  • Air-Gapped Backup: A backup environment isolated from the production system so normal production compromise does not automatically reach the recovery copy. In cloud terms, the gap may be logical rather than physical, but the goal is the same: separate trust boundaries and reduce shared blast radius.
  • Recovery Granularity: The smallest data scope an organisation can restore after an incident, such as an object, a prefix, or a full bucket. Higher granularity reduces disruption because teams can repair only the affected data instead of rolling back healthy content along with the damaged data.
  • Lifecycle Policy Error: An accidental or misconfigured automation rule that deletes, moves, or expires data incorrectly. In cloud storage, these errors can behave like an attack because they can remove large data sets quickly and at scale, which makes policy governance part of resilience.

What's in the full announcement

Commvault's full analysis covers the operational detail this post intentionally leaves for the source:

  • Step-by-step guidance on protecting Google Cloud Storage objects, prefixes, and buckets with immutable backup workflows.
  • Operational recovery scenarios for ransomware, accidental deletion, lifecycle policy errors, and data corruption.
  • Implementation detail on managing SaaS-based backup operations without maintaining backup infrastructure.
  • Use-case framing for AI, analytics, and business-critical datasets at petabyte scale.

👉 Commvault's full post covers recovery granularity, air-gapped backup design, and operational simplicity in Google Cloud.

Deepen your knowledge

The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management. It helps practitioners connect identity controls to the operational realities of resilience, recovery, and privileged access.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-07-07.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org