Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Ransomware recovery gaps: are your backups clean enough to trust?


(@lalit)
Member Admin
Joined: 1 year ago
Posts: 235
Topic starter  

TL;DR: Ransomware incidents rose 49% in the first half of 2025 versus the same period in 2024, and Commvault argues that immutable storage, real-time threat scanning, validated recovery, and automated restore workflows are now necessary to preserve recovery confidence. Backup existence alone no longer answers the governance problem when recovery paths themselves can be compromised.

NHIMG editorial — based on content published by Commvault: ransomware resilience through immutable storage, threat scanning, validated recovery, and automated operations

By the numbers:

Questions worth separating out

Q: How should organisations make sure ransomware backups are actually safe to restore?

A: They should validate backup integrity before production restore, not after the fact.

Q: Why do immutable backups matter if attackers already have privileged access?

A: Immutable backups matter because they narrow the attacker’s ability to erase recovery evidence or destroy clean restore points, even when some privileged access has been compromised.

Q: What breaks when backup recovery is automated without clean-point validation?

A: Automation can accelerate the restoration of compromised data if the platform selects the wrong recovery point or trusts tainted files.

Practitioner guidance

  • Separate recovery authority from routine administration Restrict who can change retention, deletion, and restore-policy settings in backup platforms.
  • Require pre-restore validation in isolated environments Test recovery points in a cleanroom or similarly isolated environment before returning them to production.
  • Treat immutability as a governance control, not a storage checkbox Map retention lock, object lock, and WORM protections to named owners, approval paths, and exception handling.

What's in the full article

Commvault's full article covers the operational detail this post intentionally leaves for the source:

  • Immutable storage implementation details across software retention, object lock, and appliance-based protection.
  • Threat scanning mechanics for inline, pre-backup, post-backup, and pre-restore inspection.
  • Cleanroom recovery, bad file indexing, and pave-and-repave workflow specifics for validated restoration.
  • Operational intelligence features such as auto-recovery orchestration and recovery validation reports.

👉 Read Commvault's ransomware defence analysis for immutable backup and clean recovery details →

Ransomware recovery gaps: are your backups clean enough to trust?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 9713
 

Backup immutability is a privileged access control, not a storage feature. Once ransomware actors can influence deletion, retention, or recovery policy, the backup platform stops being passive infrastructure and becomes part of the identity attack surface. That means the real control question is who can change recovery state, not just who can read the data. Practitioners should govern immutable storage through the same lens they apply to PAM and recovery authority.

A few things that frame the scale:

  • 91% of former employee tokens remain active after offboarding, leaving organisations vulnerable to potential security breaches, according to the 2025 State of NHIs and Secrets in Cybersecurity.
  • A separate finding shows that 44% of NHI tokens are exposed in the wild, being sent or stored over platforms like Teams, Jira tickets, Confluence pages, and code commits, according to the same report.

A question worth separating out:

Q: Who is accountable when ransomware reaches the recovery platform itself?

A: Accountability should sit with the owners of backup administration, privileged access, and incident recovery, because the recovery platform is part of the control plane. If a single administrator can change retention or restore policy, the organisation has a separation-of-duties problem as much as a ransomware problem.

👉 Read our full editorial: Ransomware resilience depends on immutable backups and clean recovery



   
ReplyQuote
Share: