By NHI Mgmt Group Editorial TeamPublished 2026-05-11Domain: Governance & RiskSource: Commvault

TL;DR: VM migration to Red Hat OpenShift Virtualization is typically phased, leaving VMware, Kubernetes, and new virtualized workloads operating in a mixed state where protection gaps can emerge, according to Commvault. The governance problem is continuity: resilience, recovery, and policy enforcement have to follow the workload across the transition, not after it.


At a glance

What this is: This is a migration-focused analysis of protecting VMware and OpenShift Virtualization workloads with a unified, Kubernetes-native data protection model.

Why it matters: It matters because identity and access teams, platform engineers, and resilience owners need consistent governance when workloads move across hybrid states and protection boundaries shift.

By the numbers:

👉 Read Commvault's analysis of VM migration protection for OpenShift Virtualization


Context

VM migration to OpenShift Virtualization is not a single cutover event. In practice, enterprises run a mixed environment during transition, with legacy VMware workloads, new OpenShift Virtualization VMs, and containerized applications all coexisting while protection and recoverability expectations stay in place.

The core governance issue is that change windows create uneven visibility and inconsistent operational controls. When workloads move but protection workflows do not, organizations inherit a gap between where the data lives and how it is governed, recovered, and monitored.


Key questions

Q: How should teams govern VM migration when VMware and OpenShift Virtualization run together?

A: Treat the transition as a hybrid governance state, not a simple infrastructure swap. Define who owns protection, recovery, and access decisions for each workload phase, then align policies so VMware, OpenShift Virtualization, and container environments are controlled consistently until the migration is complete.

Q: Why does VM migration increase resilience and recovery risk?

A: Migration changes platform boundaries, workload placement, and operational workflows at the same time. That combination creates gaps in visibility and protection if backup, recovery, and monitoring processes are still tuned to the old environment instead of the mixed state.

Q: What do security and platform teams get wrong about unified protection?

A: They often treat unification as a tooling choice rather than a governance choice. A single platform only helps if policy, restore workflows, and accountability are consistent across all workload types, otherwise the organisation simply centralises complexity instead of reducing it.

Q: Who is accountable when migration recovery fails?

A: Accountability should sit with the team that owns the migration state and the recovery policy, not just the platform administrator or the backup operator. If workload ownership, restore authority, and migration planning are split, failures become harder to triage and slower to resolve.


Technical breakdown

Why mixed-state VM migration creates protection gaps

A phased migration creates a temporary but real hybrid operating model. Virtual machines may still run on VMware while other workloads move into OpenShift Virtualization and adjacent containers share the same clusters. That mixed state matters because backup, recovery, and monitoring are often designed around a stable platform boundary. When the platform boundary shifts mid-migration, teams can end up with duplicated tooling, inconsistent policy enforcement, or workloads that are technically moved but operationally governed as if nothing changed.

Practical implication: Treat the migration window as a separate governance state and map protection ownership before workloads move.

Kubernetes-native protection for virtual machines and containers

Kubernetes-native protection means the backup and recovery model aligns with the orchestration layer rather than treating VMs and containers as unrelated assets. In this model, policy can be applied consistently across virtualized and containerized workloads, reducing the need for separate workflows. The important technical point is not the label, but the control plane consistency: if the same orchestration context governs both workload classes, recovery and access processes can remain predictable as infrastructure changes underneath them.

Practical implication: Standardize protection policy at the platform layer so VM and container governance does not diverge during migration.

Immutable backups and recovery flexibility in transition windows

Migration periods raise ransomware and operational failure risk because data is moving and configurations are changing. Immutable backups reduce the chance that recovery copies are altered during a compromise, while in-place and out-of-place recovery give operators options if a migration step fails or a timeline shifts. The key mechanism is resilience under uncertainty: restoration has to work even when the original placement, configuration, or schedule no longer matches the planned end state.

Practical implication: Validate that recovery paths work both during migration and after cutover, not only in steady state.


Threat narrative

Attacker objective: The objective is to interrupt recovery confidence by exploiting inconsistency in protection and resilience across the migration path.

  1. Entry occurs when infrastructure transitions create a wider attack surface, including inconsistent tooling and partially migrated workloads that are harder to monitor uniformly.
  2. Escalation happens when a failure in migration protection or a ransomware event reaches data and backup assets that were not governed consistently across the hybrid estate.
  3. Impact is operational disruption, recovery delay, or data loss if the organisation cannot restore workloads quickly and with full configuration context.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Hybrid migration creates an identity and governance seam, not just an infrastructure seam: when workloads move from VMware into OpenShift Virtualization, the organisation often keeps multiple operational models alive at once. That is where control drift appears, because protection policy, recovery ownership, and access boundaries no longer align cleanly with workload placement. Practitioners should treat the migration window as a governance state with its own controls, not as an implementation detail.

Tool sprawl is a governance problem before it is a cost problem: separate protection stacks for legacy VMs, Kubernetes, and migrated workloads create overlapping administration paths and uneven enforcement. That increases the chance that recovery, retention, and visibility differ by environment even when risk tolerance does not. The practical implication is that standardisation matters because consistency is what keeps governance defensible during change.

Immutable recovery logic is central to modern resilience planning: if backup copies can be modified, recovery assurance is only theoretical during a migration or ransomware event. Air-gapped and immutable backups shorten the path from incident to restoration by preserving a trustworthy recovery point. For practitioners, this means resilience design has to be evaluated as part of platform migration planning, not after the new state is already live.

OpenShift Virtualization pushes teams toward platform-level governance: once virtual machines are managed inside Kubernetes, the old separation between VM operations and cloud-native operations becomes less useful. That does not remove complexity, but it changes where policy needs to live. Practitioners should expect recovery, monitoring, and operational control to move closer to the platform layer.

Portable recovery is the real migration test: in-place and out-of-place recovery are not convenience features, they are proof that migration has not trapped the organisation inside a single operational assumption. If workloads can be restored with their configuration context intact, the business can absorb failed cutovers without turning modernization into a prolonged outage. Teams should test for that flexibility before they need it.

From our research:

  • 91% of former employee tokens remain active after offboarding, leaving organisations vulnerable to potential security breaches, according to The 2025 State of NHIs and Secrets in Cybersecurity.
  • 62% of all secrets are duplicated and stored in multiple locations, causing unnecessary redundancy and increasing the risk of accidental exposure.
  • Migration governance should also be read alongside NHI Lifecycle Management Guide when workload ownership and recovery authority change during platform transitions.

What this signals

Migration programmes need lifecycle thinking, even when the subject is infrastructure: when workloads move, the associated credentials, backup access paths, and recovery permissions often move more slowly than the workload itself. That creates a control lag that looks operational on the surface but behaves like identity sprawl underneath, so teams should review entitlement ownership as part of migration planning.

The governance lesson is that resilience is only durable when recovery access, platform access, and workload ownership are aligned. Where that alignment is missing, a migration can succeed technically while still leaving the organisation exposed to stale access paths and confused recovery authority.

Identity blast radius: the longer a migration keeps multiple platforms and protection stacks alive, the more likely one stale access path or restore dependency can affect more than one environment. Practitioners should shrink that blast radius by standardising ownership before platform cutover and by testing recovery with the same discipline used for access reviews.


For practitioners

  • Map migration-state governance separately from steady-state operations Define how protection, monitoring, retention, and recovery ownership change when workloads are pre-migration, mid-transition, and post-cutover. Keep a distinct control model for the hybrid period so teams know which platform owns each workload at each stage.
  • Consolidate protection workflows across VMs and containers Reduce parallel backup and recovery processes by aligning policy, access, and restore procedures across VMware, OpenShift Virtualization, and containerized applications. This lowers the chance of inconsistent recovery behaviour between workload classes.
  • Verify immutable recovery points before migration begins Check that backup copies cannot be altered and that restore jobs preserve full VM context and configuration. Test recovery against both a failed migration and a ransomware-style disruption so the team validates the actual recovery path.
  • Test out-of-place recovery for failed cutovers Run scenario exercises that restore a VM to an alternate location when the original migration path fails or timing shifts. The goal is to prove the organisation can recover without being tied to one platform state.

Key takeaways

  • VM migration to OpenShift Virtualization creates a mixed operating state where protection and recovery controls must stay consistent across old and new platforms.
  • Immutable backups, threat detection, and flexible recovery are not add-ons during migration. They are the controls that determine whether change becomes an outage.
  • Platform simplification only improves governance when policy, ownership, and recovery workflows are standardised across VMs and containers.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.IP-4Migration protection and recovery align with maintaining technology resilience during change.
NIST SP 800-53 Rev 5CP-9Backup capability is central to preserving recoverability during hybrid migration.

Use CP-9 to verify backups are protected, restorable, and tested across the migration path.


Key terms

  • Hybrid migration state: A transitional operating condition where legacy and modern platforms run together while workloads move between them. In identity and resilience planning, this state demands separate ownership for protection, recovery, and access because control boundaries no longer match the production architecture exactly.
  • Immutable backup: A backup copy that cannot be altered or deleted for a defined period, even by privileged operators. It is used to preserve trustworthy recovery points during ransomware events or migration failures, when compromised administrative paths could otherwise corrupt restoration data.
  • Out-of-place recovery: A restore method that brings a workload back to a different location or environment than the original one. It is valuable when a migration path fails, because it lets teams recover configuration and data without depending on the exact platform state that caused the problem.

What's in the full article

Commvault's full article covers the operational detail this post intentionally leaves for the source:

  • How Commvault Cloud maps protection workflows across VMware VMs, OpenShift Virtualization VMs, and containerized applications.
  • The specific recovery options available when a migration step fails or timelines shift, including in-place and out-of-place restore paths.
  • How immutable backup handling and threat-hunting support are positioned for migration resilience.
  • The platform versions and compatibility notes that matter if you are preparing a production rollout.

👉 Commvault's full post covers the migration workflow, resilience features, and recovery options in more operational detail.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an identity security programme, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-05-11.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org