Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Cleanroom recovery and air-gapped backups: what should teams test?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10141
Topic starter  

TL;DR: Stricter cyber insurance expectations for air-gapped backups and malware scanning at rest are pushing organizations to treat recovery environments as part of the trust boundary, not a passive copy of production data, according to Commvault. SMMPA adopted Commvault Cleanroom Recovery to support rapid restoration of critical systems, with annual testing to validate recovery readiness.

NHIMG editorial — based on content published by Commvault: SMMPA’s Cleanroom Recovery story

By the numbers:

Questions worth separating out

Q: What breaks when recovery systems are treated as passive backups instead of trusted environments?

A: The main failure is that contaminated identity, malware, or configuration state can be restored along with the data.

Q: Why do air-gapped backups still require privileged access controls?

A: Because the backup plane still has administrators, orchestration accounts, and restore permissions that can be abused.

Q: How can organisations tell whether recovery testing is actually working?

A: Look for evidence that restore tests prove clean execution, not just successful startup.

Practitioner guidance

  • Map recovery-plane identities Identify every account, token, role, and service principal that can operate backup, replication, or restore workflows.
  • Validate restore cleanliness before cutover Require malware scanning, credential integrity checks, and dependency validation before any restored domain controller, database, or application server is allowed back into production.
  • Test recovery with identity failure scenarios Run exercises that assume compromised credentials, not just damaged infrastructure.

What's in the full article

Commvault's full case study covers the operational detail this post intentionally leaves for the source:

  • How SMMPA configured Cleanroom Recovery for its VMware environment in Azure.
  • The specific systems SMMPA prioritised for restoration, including domain controllers, SQL servers, and application servers.
  • How the team aligned the recovery design with cyber insurance requirements for air-gapped backups and malware scanning at rest.
  • What the annual testing process looks like in practice and how the team plans to increase test frequency.

👉 Read Commvault's case study on Cleanroom Recovery at SMMPA →

Cleanroom recovery and air-gapped backups: what should teams test?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 9696
 

Clean recovery is now an identity governance problem as much as a backup problem. SMMPA’s requirements show that recovery cannot be evaluated only by uptime or data durability. If restored systems bring back compromised access paths, the organisation has only recreated the incident in a new environment. Practitioners should treat restore workflows as part of the identity control plane, not a separate infrastructure concern.

A few things that frame the scale:

A question worth separating out:

Q: Who should approve a restore when critical systems are involved?

A: Approval should sit with a defined recovery authority, not with whoever happens to hold production admin rights. For critical systems, organisations need clear separation between operational restoration, security validation, and business cutover so no single identity controls the entire recovery path.

👉 Read our full editorial: Cleanroom recovery for critical infrastructure: what SMMPA changed



   
ReplyQuote
Share: