By NHI Mgmt Group Editorial TeamDomain: Best PracticesSource: AcsensePublished September 5, 2025

TL;DR: Ransomware operators increasingly target backup infrastructure to remove recovery options, and Acsense argues that immutable storage, air-gapped copies, continuous testing, and identity-provider aware recovery are now essential for restoring service and meeting regulatory expectations. The core shift is that backup design has become an IAM resilience issue, not just a storage concern.


At a glance

What this is: This is a guide to ransomware-resistant backup design for identity platforms, with the key finding that attackers now target the recovery stack itself.

Why it matters: It matters because IAM, IGA, and PAM teams need recovery plans that preserve identity services, object state, and auditability when production and backup layers are both under attack.

By the numbers:

👉 Read Acsense's guide to ransomware-proof backup systems for identity recovery


Context

Ransomware-resistant backup systems are a resilience control for identity infrastructure, not just a storage pattern. When an identity provider, its policies, or its configuration backups are corrupted, authentication and access control can fail even if the primary production stack is still partially reachable.

The problem is that many recovery plans assume backups are outside the attacker’s reach. This article argues that attackers now go after the backup layer, so IAM teams need immutable copies, isolated credentials, and tested restoration procedures that can survive deliberate tampering.

For identity programmes, the question is no longer whether backups exist, but whether they can still restore the directory, policies, and application bindings after an attack. That is a typical gap in mature-looking environments that have not tested recovery under adversarial conditions.


Key questions

Q: What breaks when ransomware reaches identity backup systems?

A: Recovery fails when the backup layer shares credentials, network reach, or administrative trust with production. In that setup, attackers can delete, corrupt, or overwrite the last-known-good copy and leave identity teams with no clean restoration path. The result is prolonged authentication outage, stalled application access, and stronger pressure to pay.

Q: Why do identity providers need immutable backups specifically?

A: Identity providers store the policies, mappings, and sign-in logic that make access possible. If those objects are altered or deleted, restoring only the data is not enough. Immutable backups preserve a trustworthy configuration point in time, which is what allows teams to rebuild access without reintroducing attacker changes.

Q: How do security teams know if backup recovery is actually working?

A: They know by testing restorations under realistic conditions and checking whether identity services come back in the right order. A real test should prove that policies, groups, admin roles, and application links are restored cleanly, with RTO and RPO measured and evidence retained for audit and incident review.

Q: Who is accountable when backup recovery for identity systems fails?

A: Accountability should sit with the team that owns identity continuity, not just the storage function. IAM, infrastructure, and GRC all have roles, but the control owner must be able to prove isolation, restore success, and recovery readiness. Regulators increasingly expect documented continuity evidence, not informal assurances.


Technical breakdown

Why backup infrastructure becomes part of the attack surface

Backup systems are often connected to production through management APIs, replication jobs, and service accounts with broad write rights. That makes them attractive after initial access, because deleting or corrupting backups increases leverage without needing to defeat every production control. In identity environments, the most valuable backup targets are configuration objects, policies, groups, mappings, and admin roles, because those determine whether users can sign in and whether services can be reconstituted. If replication is bidirectional or credentials are reused, attackers can push corruption into the recovery copy as easily as they destroy the live tenant.

Practical implication: Treat backup connectors, replication paths, and recovery tenants as privileged identity assets with separate access boundaries.

Immutable and air-gapped recovery copies

Immutability means the backup cannot be altered or deleted for a defined retention period, usually through write-once semantics. Air-gapping means the recovery copy is isolated from the production blast radius, either physically or through a logically separate tenant, account, or network boundary. The combination matters because ransomware often looks for reachable backup targets first. In identity programs, this should cover not just data files but directory state, SSO settings, policy objects, and workflow dependencies, otherwise the backup may restore data without restoring access.

Practical implication: Use separate identity boundaries and retention controls so production credentials cannot modify recovery copies.

Why restore testing matters more than backup creation

A backup that has never been restored is only an assumption. Recovery testing proves that the object set is complete, the order of operations is correct, and the target RTO and RPO are realistic under pressure. For identity platforms, testing must include partial restores of policies or groups, not only full-tenant rebuilds, because many incidents damage configuration selectively. Regular drills also reveal whether token reuse, stale mappings, or hidden dependencies will block a clean rebuild. That is why recovery evidence is a governance control, not an operational afterthought.

Practical implication: Schedule restore drills that validate identity objects, not just storage integrity, and keep pass/fail evidence for audit use.



NHI Mgmt Group analysis

Identity recovery has become a governance domain, not a storage domain. When attackers can erase the recovery path, the control problem is no longer backup capacity but identity continuity. Immutable copies, independent credentials, and tested restores determine whether access can be re-established under attack. Practitioners should treat recovery design as part of IAM resilience, not a separate infrastructure conversation.

Backup compromise succeeds when recovery credentials inherit production trust. The weakest pattern is a backup job that can write back into the same tenant, account, or network it is meant to protect. That collapses the separation between production and recovery and turns the safety net into another privileged pathway. The implication is that recovery identities need their own lifecycle, ownership, and blast-radius limits.

Ransomware resilience for identity hinges on the 3-2-1-1-0 model. Three copies, two media, one off-site, one immutable or air-gapped, and zero errors verified through testing gives identity teams a workable baseline. This is especially important for directory objects, SSO policies, and admin mappings that are often missed in generic backup plans. Practitioners should measure recovery completeness, not just backup success.

Regulatory expectations are now converging on recoverability evidence. NIS2, DORA, and related continuity frameworks expect organisations to prove they can restore operations, not merely say they have backups. That means documented RTO and RPO, test logs, segregation evidence, and accountable ownership for identity recovery. Practitioners should expect auditors to ask whether identity services can come back cleanly after destructive attacks.

Identity backups expose a naming problem that most programmes avoid: recovery privilege. Backup systems need administrative rights, but those rights are often treated as temporary plumbing rather than governed identity. That assumption fails when backup operators, service accounts, and replication jobs can all touch the same recovery plane. The implication is that recovery privilege needs the same scrutiny as production privilege.

From our research:

  • 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to the Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, which shows how slowly recovery and revocation often move in practice.
  • For the broader control picture, review 52 NHI Breaches Analysis for how exposed credentials and privilege persistence turn into repeatable incident patterns.

What this signals

Recovery resilience now has to be designed as part of identity governance. When identity platforms are the access layer for the business, a backup failure becomes an access failure. That means programme owners should stop treating backup evidence as infrastructure noise and start treating it as part of IAM control assurance, with restore proof tied to continuity objectives.

Recovery privilege is the overlooked control category. Backup operators, replication jobs, and service accounts can all become high-value identities if they can alter the only clean recovery copy. Teams should inventory those identities, apply separate ownership, and ensure their lifecycle is not inherited from production administrative access.

The practical signal is whether your organisation can restore directory state, policy objects, and application bindings without reusing the same trust path that production depends on. If the answer is unclear, the recovery plane is still inside the blast radius, even if the backups are technically immutable.


For practitioners

  • Separate recovery credentials from production identities Create distinct accounts, keys, and admin boundaries for backup operations so production compromise cannot directly alter recovery copies. Keep those credentials outside shared sign-in paths and review them on a separate lifecycle schedule.
  • Make one backup copy immutable and unreachable from production Use write-once retention or logically isolated object storage for the last-known-good copy, and block production systems from having delete or overwrite rights on that copy.
  • Test identity restores, not just file restores Run recovery drills for policies, groups, mappings, admin roles, and application integrations, then record whether the restored identity plane actually allows users and services to authenticate.
  • Map backup controls to continuity and audit evidence Document RTO and RPO, capture restore logs, and keep diagrams showing isolation, immutability, and ownership so continuity reviews can verify the control design rather than trust intent.
  • Reduce blast radius in replication paths Prevent backup replication jobs from using credentials that can also reach live identity infrastructure, and segment the backup network or tenant so compromise does not propagate into the recovery tier.

Key takeaways

  • Ransomware-resistant backups are now part of identity resilience because attackers increasingly target the recovery layer itself.
  • Immutable, air-gapped copies only create value when identity restores are tested and evidence is retained.
  • Identity teams should govern recovery privilege, not just backup storage, because shared trust paths turn safety nets into attack paths.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5, NIST Zero Trust (SP 800-207) and CIS Controls v8 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-03Backup integrity and recovery identity separation are central NHI governance concerns.
NIST CSF 2.0PR.DS-11Backups, protection, maintenance, and testing map directly to recovery assurance.
NIST SP 800-53 Rev 5CP-9CP-9 covers system backup and aligns with identity recovery evidence.
NIST Zero Trust (SP 800-207)Segregated recovery paths support zero trust assumptions around blast radius.
CIS Controls v8CIS-11 , Data RecoveryData recovery control maps closely to tested identity restoration.

Validate that identity backups are protected, maintained, and routinely tested against recovery objectives.


Key terms

  • Immutable Backup: An immutable backup is a recovery copy that cannot be changed or deleted for a defined retention period. In identity programmes, that means the backup preserves a trustworthy point in time for policies, groups, and access mappings, even if production systems are compromised.
  • Air-Gapped Backup: An air-gapped backup is isolated from the live production environment so attackers cannot reach it through ordinary administrative paths. For identity systems, the point is to keep at least one recovery copy outside the same trust boundary as the tenant, account, or network being protected.
  • Recovery Privilege: Recovery privilege is the administrative authority required to create, manage, and restore backup copies. It becomes a governance issue when the same identities that run production also control the recovery plane, because compromise can then destroy both the live system and the last known good copy.

What's in the full article

Acsense's full guide covers the operational detail this post intentionally leaves for the source:

  • Object-level recovery steps for IDP configuration, policies, groups, and mappings
  • 30-60-90 day operational playbook with restore drills, runbooks, and audit evidence
  • Regulatory mapping for NIS2, DORA, HIPAA, and APRA continuity expectations
  • Hot standby tenant design and independent credential requirements for recovery paths

👉 Acsense's full article covers immutable storage, isolation design, and restore testing in more operational detail.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM or identity resilience programme, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org