Are your backups isolated from production credentials (separate cloud account, immutable, air-gapped)?
Description
What this control does
Backup isolation ensures that backup data, and the credentials able to read, modify, or delete it, are logically and physically separated from production systems. This separation is typically achieved through a separate cloud account or tenant with its own identity provider, immutable (write-once-read-many) storage whose retention cannot be shortened even by administrators of the account that holds it, or air-gapped systems with no standing network connectivity to production. Production may need a narrow, append-only path to push new backups, but nothing reachable with production credentials should be able to shorten retention, change lifecycle rules, or purge recovery points. Isolation prevents attackers who compromise production from destroying backups, a common ransomware tactic that forces payment by eliminating recovery options.
Control objective
What auditing this proves
Demonstrate that backup repositories and their access credentials are architecturally segregated from production systems such that a production credential compromise cannot result in backup deletion or encryption.
Associated risks
Risks this control addresses
- Ransomware operators who gain domain admin or cloud account privileges destroy backups before encrypting production systems, eliminating recovery options
- Insider threats with production access delete or corrupt backups to cover fraud, sabotage, or data exfiltration
- Lateral movement attackers escalate from production workload compromise to backup infrastructure, modifying retention policies or purging recovery points
- Credential stuffing or password spray attacks that succeed against production accounts also compromise backup systems that accept the same credentials or trust the same identity provider
- Cloud account compromise lets attackers delete backup vaults that are not locked, shorten retention on recovery points, or modify lifecycle policies through IAM roles assumable from the compromised account
- Misconfigured cross-account trust relationships enable production service principals to invoke backup deletion APIs
- Backup administrator accounts stored in the same identity directory as production accounts become pivot points after directory compromise
Testing procedure
How an auditor verifies this control
- Obtain network topology diagrams and account/subscription architecture documentation showing the logical separation between production and backup environments
- Review identity and access management configurations to confirm backup access credentials are managed in a separate identity provider, tenant, or directory from production
- Inspect cloud account or subscription configurations to verify backups reside in a separate account with its own root credentials, and that the only cross-account access granted to production is an append-only write path for new backups, with no permission to delete, overwrite, or change retention
- Examine backup storage configuration settings to confirm immutability features are enabled (object lock, compliance mode, WORM storage), that the lock mode cannot be shortened or bypassed by the storing account's own administrators, and that retention periods meet or exceed the documented recovery requirement
- Test cross-account IAM policies and trust relationships by attempting to access backup resources using production service principals and verifying denial
- Review access logs for backup infrastructure over the past 90 days to confirm that the only production principals authenticating to backup systems are the documented backup writers, and that no production credential or service account has performed a delete, retention change, or lifecycle change
- For air-gapped backups, verify physical network isolation by tracing network paths and confirming scheduled connectivity windows with documented change approvals
- Validate that backup restoration procedures document the use of separate administrative credentials and do not require production credentials for recovery operations
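Worked example, added here and not part of the control text or of any vendor's tooling: an offline checker that applies the separate-account, immutability and cross-account permission checks described above to an S3 backup bucket's Object Lock configuration and bucket policy, in the shape the GetObjectLockConfiguration and GetBucketPolicy APIs return them. It also places the weak configuration (governance-mode lock, production role granted s3:*) beside the hardened one (compliance-mode lock at the required retention, production limited to append, destructive actions denied to every principal outside the backup account). The account IDs, bucket name, role name, 90-day requirement and both policies are constructed for illustration.

```python
"""Offline audit of a backup bucket's isolation settings (added example, constructed data).
Input is the Object Lock configuration and bucket policy in the shape the S3 APIs
GetObjectLockConfiguration and GetBucketPolicy return; output is a list of findings."""
import fnmatch

PRODUCTION_ACCOUNT = "111111111111"  # constructed: production account
BACKUP_ACCOUNT = "222222222222"      # constructed: isolated backup account
REQUIRED_RETENTION_DAYS = 90         # constructed: documented recovery requirement

# Actions that purge backups, unlock or shorten retention, or rewrite the protecting rules.
DESTRUCTIVE_ACTIONS = [
    "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:DeleteBucket",
    "s3:PutObjectRetention", "s3:PutObjectLegalHold", "s3:BypassGovernanceRetention",
    "s3:PutBucketObjectLockConfiguration", "s3:PutLifecycleConfiguration",
    "s3:PutBucketPolicy", "s3:DeleteBucketPolicy",
]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, action):
    """Case-insensitive IAM action match; the policy side may carry wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def _principal_accounts(principal):
    """Account IDs a Principal element names; '*' stands for every account."""
    if principal == "*":
        return {"*"}
    accounts = set()
    names = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
    for p in names:
        if p == "*":
            accounts.add("*")
        elif p.isdigit():
            accounts.add(p)
        elif p.startswith("arn:aws:iam::"):
            accounts.add(p.split(":")[4])
    return accounts

def check_object_lock(lock_config):
    """Immutability findings: lock on, COMPLIANCE mode, retention long enough."""
    cfg = lock_config.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        return ["object lock not enabled: anyone with delete rights can purge recovery points"]
    findings = []
    rule = cfg.get("Rule", {}).get("DefaultRetention", {})
    if rule.get("Mode") != "COMPLIANCE":
        findings.append("retention mode is %s, not COMPLIANCE: root or a principal holding "
                        "s3:BypassGovernanceRetention can shorten it" % rule.get("Mode"))
    days = rule.get("Days", 0) + 365 * rule.get("Years", 0)
    if days < REQUIRED_RETENTION_DAYS:
        findings.append("default retention %d days is below the %d-day requirement"
                        % (days, REQUIRED_RETENTION_DAYS))
    return findings

def check_bucket_policy(policy):
    """Cross-account findings: production allowed a destructive action, or no
    explicit Deny shielding the bucket from principals outside the backup account."""
    findings, covered = [], set()
    for stmt in _as_list(policy.get("Statement", [])):
        accounts = _principal_accounts(stmt.get("Principal", {}))
        patterns = _as_list(stmt.get("Action", []))
        hits = {d for d in DESTRUCTIVE_ACTIONS if any(_matches(p, d) for p in patterns)}
        if stmt.get("Effect") == "Allow" and accounts & {PRODUCTION_ACCOUNT, "*"} and hits:
            findings.append("statement %r allows production %s" % (stmt.get("Sid"), ", ".join(patterns)))
        elif stmt.get("Effect") == "Deny" and "*" in accounts:
            covered |= hits  # the auditor still reads the Condition: it must exempt only the backup account
    missing = sorted(set(DESTRUCTIVE_ACTIONS) - covered)
    if missing:
        findings.append("no explicit Deny for principals outside the backup account on " + ", ".join(missing))
    return findings

def audit(lock_config, policy):
    return check_object_lock(lock_config) + check_bucket_policy(policy)

RESOURCES = ["arn:aws:s3:::prod-backups", "arn:aws:s3:::prod-backups/*"]  # constructed bucket
PROD_WRITER = {"AWS": "arn:aws:iam::" + PRODUCTION_ACCOUNT + ":role/backup-agent"}  # constructed

# Weak: GOVERNANCE mode, 30 days, and the production backup role is granted s3:*.
WEAK_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
             "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 30}}}}
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ProdBackupWriter", "Effect": "Allow", "Principal": PROD_WRITER,
     "Action": "s3:*", "Resource": RESOURCES}]}

# Hardened: COMPLIANCE mode at the required retention; production may only append,
# and destructive actions are denied to everyone outside the backup account.
HARDENED_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                 "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 90}}}}
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ProdAppendOnly", "Effect": "Allow", "Principal": PROD_WRITER,
     "Action": ["s3:PutObject"], "Resource": RESOURCES[1]},
    {"Sid": "DenyDestructiveOutsideBackupAccount", "Effect": "Deny", "Principal": "*",
     "Action": DESTRUCTIVE_ACTIONS, "Resource": RESOURCES,
     "Condition": {"StringNotEquals": {"aws:PrincipalAccount": BACKUP_ACCOUNT}}}]}

if __name__ == "__main__":
    print("weak:", audit(WEAK_LOCK, WEAK_POLICY))
    print("hardened:", audit(HARDENED_LOCK, HARDENED_POLICY))
```

Feed real API responses to audit(); an empty list means the bucket passes these checks. The checker only reads the bucket policy, so identity policies inside the backup account, vault or account-level lock settings, and the live denial test (actually attempting the actions with a production principal) still need to be performed separately.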