TL;DR: Stricter cyber insurance expectations for air-gapped backups and malware scanning at rest are pushing organizations to treat recovery environments as part of the trust boundary, not a passive copy of production data, according to Commvault. SMMPA adopted Commvault Cleanroom Recovery to support rapid restoration of critical systems, with annual testing to validate recovery readiness.
NHIMG editorial — based on content published by Commvault: SMMPA’s Cleanroom Recovery story
By the numbers:
- SMMPA serves 17 municipal utilities.
- SMMPA supports critical power infrastructure with approximately 50 employees.
Questions worth separating out
Q: What breaks when recovery systems are treated as passive backups instead of trusted environments?
A: The main failure is that contaminated identity, malware, or configuration state can be restored along with the data.
Q: Why do air-gapped backups still require privileged access controls?
A: Because the backup plane still has administrators, orchestration accounts, and restore permissions that can be abused.
Q: How can organisations tell whether recovery testing is actually working?
A: Look for evidence that restore tests prove clean execution, not just successful startup.
Practitioner guidance
- Map recovery-plane identities Identify every account, token, role, and service principal that can operate backup, replication, or restore workflows.
- Validate restore cleanliness before cutover Require malware scanning, credential integrity checks, and dependency validation before any restored domain controller, database, or application server is allowed back into production.
- Test recovery with identity failure scenarios Run exercises that assume compromised credentials, not just damaged infrastructure.
What's in the full article
Commvault's full case study covers the operational detail this post intentionally leaves for the source:
- How SMMPA configured Cleanroom Recovery for its VMware environment in Azure.
- The specific systems SMMPA prioritised for restoration, including domain controllers, SQL servers, and application servers.
- How the team aligned the recovery design with cyber insurance requirements for air-gapped backups and malware scanning at rest.
- What the annual testing process looks like in practice and how the team plans to increase test frequency.
👉 Read Commvault's case study on Cleanroom Recovery at SMMPA →
Cleanroom recovery and air-gapped backups: what should teams test?
Explore further
Clean recovery is now an identity governance problem as much as a backup problem. SMMPA’s requirements show that recovery cannot be evaluated only by uptime or data durability. If restored systems bring back compromised access paths, the organisation has only recreated the incident in a new environment. Practitioners should treat restore workflows as part of the identity control plane, not a separate infrastructure concern.
A few things that frame the scale:
- 91% of former employee tokens remain active after offboarding, leaving organisations vulnerable to potential security breaches, according to The 2025 State of NHIs and Secrets in Cybersecurity.
- 62% of all secrets are duplicated and stored in multiple locations, causing unnecessary redundancy and increasing the risk of accidental exposure, according to The 2025 State of NHIs and Secrets in Cybersecurity.
A question worth separating out:
Q: Who should approve a restore when critical systems are involved?
A: Approval should sit with a defined recovery authority, not with whoever happens to hold production admin rights. For critical systems, organisations need clear separation between operational restoration, security validation, and business cutover so no single identity controls the entire recovery path.
👉 Read our full editorial: Cleanroom recovery for critical infrastructure: what SMMPA changed