Identity-first resilience: Securing credentials to strengthen BCDR strategies

Published January 2026
What you will learn
Backup environments are only as trustworthy as the identities that access them. Credential vaulting addresses risks introduced by non-human identities.

Cyber resilience is no longer measured by whether backups exist. It’s measured by whether recovery can be executed safely, reliably, and under pressure.

Security leaders need closer alignment between identity security and backup, business continuity, and disaster recovery (BCDR) platforms, so that when an incident occurs they can restore operations without disruption and without creating new exposure or compounding risk.

This is why Delinea and Commvault are partnering to extend enterprise-grade privileged access management (PAM) directly into BCDR workflows.

As ransomware, insider threats, and identity-based attacks continue to rise, recovery environments have become a target for cybercriminals. The credentials used to access backup systems, initiate restores and manage recovery workflows are now just as critical as the data those systems protect.

BCDR has evolved—and so have the risks

Historically, BCDR programs focused on data availability. The priority was getting systems back online after hardware failures, outages, or natural disasters. Identity was largely implicit: administrators logged in, ran recovery, and restored systems to operational status.

That model no longer holds.

In the age of AI, modern BCDR environments depend on automation, APIs, service accounts, cloud infrastructure, and increasingly, machine-driven processes that operate with minimal human intervention. AI-assisted tools, orchestration platforms, and automated remediation workflows are becoming part of how organizations respond to disruptions. When recovery actions are triggered at machine speed, access decisions must be made in real time.

At the same time, cyber incidents have become one of the leading causes of operational disruption. Ransomware campaigns routinely target backup infrastructure early in an attack, often by abusing privileged credentials to disable protections or corrupt recovery points. When attackers gain control of identity paths into recovery systems, the impact is immediate and severe. BCDR now relies on secure, verifiable access at the moment it’s needed.

Identity security and credential risk in recovery environments

Identity compromise is a common factor in major breaches, and recovery operations are no exception. Backup jobs, restore processes, and administrative actions all depend on authorization. If the credentials behind those actions are stolen, over-privileged, or poorly governed, recovery can be delayed, manipulated, or blocked entirely.

Breaches caused by stolen or compromised credentials required roughly 11 months to detect and recover from—the longest response lifecycle of any infection vector
- IBM X-Force 2024

The identities involved in BCDR environments are diverse and often overlooked. They include:

  • Administrative accounts used to manage backup platforms
  • API keys and access tokens used by automation tools
  • Service accounts tied to scheduled backup and restore jobs
  • Cloud access keys that enable infrastructure-level recovery actions

Many of these are non-human identities (NHIs) used by systems rather than people. As organizations adopt more automation and AI-assisted operations, the number of NHIs involved in recovery workflows continues to grow. These identities often have broad privileges, unclear ownership, and long lifespans, making them difficult to track and easy to misuse.

When credentials are unmanaged or inconsistently protected, they become easier to steal and harder to govern. Manual rotation, embedded secrets, and siloed management increase operational risk, especially in backup environments where a single compromised credential can quietly undermine recovery readiness.

The role of credential vaulting in modern BCDR

Credential vaulting addresses these risks by storing secrets in a centralized, encrypted repository with defined access controls. Credentials are removed from scripts and systems and are retrieved securely only when required.

For BCDR environments, credential vaulting delivers several practical benefits:

  1. Centralized control: Eliminates credential sprawl and reduces the risk of unmanaged or orphaned accounts across BCDR systems
  2. Compliance and auditability: Detailed access logs and defined access paths support governance and regulatory requirements, including SOX, HIPAA, PCI-DSS, and GDPR
  3. Operational efficiency: Automated rotation and secure retrieval remove manual handling and reduce administrative overhead
  4. Security-first protection: Encryption and least-privilege access policies reduce the risk of unauthorized disclosure or misuse

As recovery processes become faster and more automated, vaulting provides the guardrails that ensure access remains controlled, auditable, and defensible.

Delinea and Commvault: extending identity security into recovery workflows

The Delinea Platform secures both human and machine identities by enforcing least privilege, just-in-time (JIT) access, automated credential rotation, and centralized auditing. Applied to BCDR, these controls help ensure that backup and restore actions are executed by trusted identities under controlled conditions.

As an additional layer of defense, Resilient Secrets has a feature that replicates the entire Secret Server instance every 15 minutes to a secondary location, ensuring privileged credentials remain accessible during "break glass" emergencies when the primary instance is unavailable.

Through the Delinea and Commvault integration, Delinea Secret Server connects directly with the Commvault Cloud platform to strengthen credential security across backup and recovery workflows. This joint integration enables:

  • Centralized credential management: Backup credentials can be securely stored, rotated, and governed in a centralized secrets vault rather than embedded within backup systems
  • Dynamic, secure retrieval: Credentials are retrieved only when required for backup or restore operations, reducing persistent exposure
  • Reduced attack surface: Credentials are no longer stored locally within systems that are commonly targeted during attacks
  • Improved audit and compliance controls: Least-privilege policies and detailed activity logs strengthen governance across BCDR environments

Together, we’re simplifying credential lifecycle management across BCDR workflows while reducing reliance on manually configured or embedded secrets. Recovery teams can maintain momentum even when environments are degraded or under attack, and the blast radius of credential compromise within backup infrastructure is significantly reduced.

Credential vaulting is a foundational requirement for modern BCDR strategies. As identity-driven attacks, automation, and AI-assisted operations continue to evolve, securing the credentials that power workflows is crucial for maintaining cyber resilience.

Through our partnership, Delinea and Commvault are helping organizations practice identity-first resilience, ensuring access to critical systems remains controlled, auditable, and trustworthy, no matter how or where disruption occurs.
