Subscribe to the Non-Human & AI Identity Journal
Home FAQ What breaks when cloud object storage has durability…

What breaks when cloud object storage has durability but no independent recovery layer?

← Back to all FAQ
By NHI Mgmt Group Editorial Team Updated July 9, 2026

Durability alone does not protect against ransomware, destructive deletion, logical corruption, or bad lifecycle automation. When those events hit large object stores, the organisation may still lose access to critical data even though the underlying platform remained available. Independent backup copies and tested restore workflows are what turn storage durability into business recoverability.

Why This Matters for Security Teams

Cloud object storage is designed to keep data available through hardware failure, not to guarantee business recovery after a security event. That distinction matters when ransomware encrypts objects, a misconfigured lifecycle rule deletes them, or a privileged workload wipes a bucket. In those cases, the storage service may remain healthy while the organisation still loses usable data. NIST Cybersecurity Framework 2.0 frames this as resilience, not just availability, and the recovery objective depends on independent copies and restore testing.

NHIMG research on Codefinger AWS S3 ransomware attack shows how quickly object storage can become a liability when deletion and encryption are not bounded by separate recovery controls. In practice, many security teams encounter data loss only after the primary bucket is already encrypted or emptied, rather than through intentional recovery testing. That is why durability should be treated as a storage property, not a recovery strategy.

How It Works in Practice

Durability means the platform stores object copies redundantly across infrastructure failures. It does not mean a second, independent recovery layer exists outside the blast radius of the same identity, console, tenant, or automation pipeline. If an attacker gains write or delete permissions, or if a bad script applies a lifecycle rule too broadly, the platform can faithfully preserve the wrong state. Recovery requires separation of control, not just replication of data.

Current guidance suggests designing object storage recovery around three questions: can the original data be restored, can the restore source be trusted, and can the restore path operate after the production account is compromised? The first answer comes from versioning or immutable copies. The second comes from out-of-band backup validation and retention controls. The third comes from an independent account, vault, or backup system with separate credentials and policy boundaries. NIST CSF 2.0 and NIST Cybersecurity Framework 2.0 both support this operational separation under recovery planning and resilience.

  • Use immutable or write-once recovery copies, not only replicated buckets.
  • Store backup copies in a separate security boundary with different access control.
  • Test restore procedures from end to end, including identity, network, and encryption dependencies.
  • Log and alert on destructive actions such as delete markers, lifecycle expiration, and bulk object purge.

For broader cloud compromise patterns, NHIMG analysis of the 230M AWS environment compromise and the Google Firebase misconfiguration breach shows how identity and configuration failures often precede storage loss. These controls tend to break down when the same cloud account owns both production data and its only recovery copy because a single credential compromise can destroy both.

Common Variations and Edge Cases

Tighter recovery control often increases cost and operational overhead, requiring organisations to balance resilience against storage spend, restore complexity, and administrative burden. There is no universal standard for this yet, but best practice is evolving toward separation by account, key, and retention policy rather than relying on one provider’s durability promise.

Object lock, versioning, cross-region replication, and backup vaults solve different problems. Versioning helps against accidental overwrite, but it may not stop an attacker with delete privileges from exhausting versions. Cross-region replication helps availability, but if replication copies corruption or deletion in near real time, it can spread the incident. Object lock and immutable retention improve resistance to tampering, but they still need an independent restore path and tested procedures.

NHIMG’s 2024 Non-Human Identity Security Report found that 88.5% of organisations said their non-human IAM practices lag behind or merely match their human IAM efforts. That gap matters here because backup systems, storage automation, and recovery orchestration are often run by non-human identities with overbroad privileges. If those identities are not tightly scoped, the same automation that improves operations can also accelerate irreversible data loss.

These safeguards become harder to operate when restore workflows depend on the same cloud tenant, the same KMS keys, or the same automation role that was used to destroy the primary data.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0RC.RP-1Recovery planning is central when durability does not equal recoverability.
NIST Zero Trust (SP 800-207)Zero trust supports separating backup access from production storage access.
OWASP Non-Human Identity Top 10NHI-03Non-human identity rotation and scope matter for backup and storage automation.

Define, test, and document restore steps from independent backups before you need them.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 9, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org