
Identity has always played a central role in IT environments. From Active Directory through to modern identity providers, access control has long been a core part of how organisations manage systems and users.
What has changed is not the existence of identity. It is the role it now plays and the level of risk attached to it.
Across all IT environments, identity sits at the centre of access. Users connect to SaaS platforms like Microsoft 365 and Salesforce, cloud and on-premises infrastructure, and business-critical applications, all through identity.
That means identity is no longer just a layer within the architecture. It is the control point for it.
If identity is compromised, attackers do not need to bypass infrastructure controls. They can simply log in. And when they do, they do not just gain access to live systems. They gain access to the tools and data organisations rely on to recover. Backup infrastructure, recovery points, response capabilities. All of it becomes a target.
That is why immutability and covert protection, core capabilities within Assurestor’s NG platform, are so important. Ensuring backup data cannot be altered or deleted, regardless of who has access, removes one of the most critical leverage points an attacker can exploit.
For a long time, protection strategies focused on infrastructure. Servers, storage, networks. That made sense because that is where the risk lived.
But environments have changed, and so has the way attacks happen. Today, most successful attacks do not break through walls. They walk through the door using stolen or compromised credentials. They target identity platforms directly. They escalate privileges quietly, moving through systems without triggering the alerts that traditional infrastructure controls were built to catch.
This changes what organisations need to think about. It is no longer just about keeping attackers out. It is about what happens when someone is already inside, using access that looks completely legitimate.
Identity resilience is the ability to back up, recover and restore identity configurations, access policies and user data quickly after a breach or outage. Yet one of the most common conversations we have with organisations is around a belief that because identity sits within a major SaaS platform, it is automatically protected. It is an understandable assumption, but it is one that leaves a lot of organisations exposed.
According to Gartner’s 2024 IAM Leadership Survey, 54% of organisations have seen an increase in identity-related breaches, with one in three experiencing business interruptions, financial loss or regulatory penalties as a result. The gap between assumption and reality is not just a security problem. It is a business risk.
Most identity platforms are built to handle authentication, availability and access management. What they are not built to do is provide independent backup of identity data, recovery of configurations, rollback of changes, or protection against actions that are accidental or deliberate.
That creates a gap. Not in access control, but in recoverability. An identity platform being available is not the same as it being recoverable. Configurations, policies, roles and access rights can be changed, corrupted or deleted. Without independent protection, restoring them to a known good state is not straightforward. In a real incident, that gap can significantly extend recovery time and the overall impact on the business.
“Assurestor’s latest Next Generation (NG) platforms include broad support to protect the key identity providers used by modern organisations, including Microsoft Entra ID, Okta Identity Cloud and AWS IAM.”
Jason Reid, Managing Director, Assurestor
Identity has traditionally sat within the security function. But in practice, it now touches far more than that.
When identity is compromised, the consequences spread quickly. Access to SaaS platforms can be disrupted, data can be altered or deleted, and privileges can be escalated across multiple systems. In serious cases, entire environments can be affected before the incident is even detected.
At that point, the challenge is not prevention. It is recovery. And recovery requires more than good security tooling. It requires the ability to restore identity to a known good state, quickly and with precision. That is why identity now sits at the intersection of security, data protection and disaster recovery, and why organisations that treat it as a resilience issue are in a much stronger position when something goes wrong.
“Identity is no longer just a security concern, it is a business resilience one. Organisations that protect and recover their identity systems with the same rigor as their critical data are the ones that stay operational when things go wrong.”
Andy Fernandez, General Manager of AI and Cyber, HYCU
Protecting identity properly means treating it as part of a broader resilience strategy, not a separate workstream. That means ensuring identity data and configurations are protected independently, that recovery is fast and granular, and that identity is included in wider backup and recovery planning alongside SaaS, cloud and infrastructure.
The organisations getting this right are not necessarily the ones with the most tools. They are the ones that have closed the gaps the obvious tools leave behind. Find out how Assurestor’s NG platforms can help close those gaps.
We will be exploring identity risk and modern data protection in more detail in our upcoming session with HYCU.
Webinar: Identity and Modern Data Protection
7th May - 3.00 pm
We will be covering how identity risk is evolving, where traditional approaches fall short, and what organisations and partners should be thinking about next.
Identity is not a new concept. But the role it plays, and the impact it can have when things go wrong, has changed significantly.
Protecting it properly is no longer optional. It is part of protecting everything else.