
Commvault and Deloitte: A Partnership for Identity Resilience

Protecting your identity management system is a vital part of maintaining minimum viability.


Your organization just got hit with a ransomware attack. Your cyber and IT departments are scrambling to get your incident response plan started and operational. All of a sudden, everyone realizes that they cannot log in to anything. Active Directory (AD) must be offline!? Your organization’s authentication and authorization tools are impacted.

After hours of triage and assessing the size of this problem, your cyber incident response team reports that restoring foundational AD and authentication and authorization services will take over a week, if everything goes well.

You thought your resiliency plan with AD backups and a SaaS identity platform was sufficient. But even with SaaS in the mix, recovery is complex and manual, delaying the path back to minimum viable operations when time matters most.

Resilience means you can restore authentication and authorization quickly and predictably in a trusted way, whether the disruption is malicious activity, an outage, or an accidental misconfiguration.

Understanding the Threat

Attackers target AD because it’s the identity control plane. Once they get a foothold, they’ll often establish persistence by creating shadow or backdoor accounts, then harvest credentials, and escalate privileges. With elevated access, they laterally move across systems and applications, sometimes staying quiet long enough that the first clear signal is when authentication starts failing.

They gain a wealth of knowledge of the organization’s network, people, and applications. And when they’re ready to maximize impact, they can encrypt or corrupt the AD forest, disrupting logins and complicating recovery across the environment.

Why Identity (and Why AD First)?

It’s common for an organization’s identity stack, especially AD and Entra ID, to become complex over time. Forests expand, permissions sprawl, legacy policies accumulate, and “good enough” processes often turn into long-term security drift. That complexity creates blind spots, and defenders lose crisp visibility into how roles, privileges, and policies evolve.

And it’s never “just AD.” Identity is an ecosystem: identity governance and access solutions (IGA), privileged access, customer identity, identity providers, authentication databases, and single sign-on all connect back to the same truth. That’s why identity incidents (and even everyday misconfigurations) can cause outsized disruption compared to many other infrastructure failures.

The recovery challenge is where most plans get exposed. Even with backups, forest recovery is a multi-step, high-stakes process, where guidance for manual recovery can involve 50 to 100 (or more) individual steps and can take days to weeks, depending on environment complexity and preparedness.

The real question isn’t “do we have backups?”; it’s “can the teams leverage the backups to cleanly execute under pressure, and have runbooks been tested and verified so recovery doesn’t become an error‑prone scramble at the worst possible time?”

The Solution

A recovery plan is essential, and it needs to be tested and verified. Organizations need to understand that their identity management platform is the No. 1 target for cyber criminals and attacks, and it needs to be protected as such: backed up, tested, and verified as recoverable. This includes:

  • Backups of AD, Entra ID, and IGA platforms.
  • Tested and verified recovery plans.
  • Isolated recovery environments and Cleanroom Recovery.
  • AD recovery workflow and automation.

Strong identity governance and monitoring are still critical, but they’re only part of the equation. You want the ability to detect suspicious identity behavior early, contain it fast, and recover with confidence when something changes that shouldn’t (whether it’s malicious activity or an accidental modification that breaks authentication).

That also means you need to integrate identity account and user activity into SecOps and continuously watch for signals like unauthorized account creation, privilege changes, and abnormal authentication patterns, and have a recovery path that’s proven, repeatable, and clean.
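As an added illustration (not Commvault or Deloitte code), the sketch below checks a stream of normalized AD security events for the three signals named above. The event IDs are standard Windows Security log IDs; the field names, the allow-list, the thresholds, and the sample events are assumptions constructed for the example.

```python
from datetime import datetime, timedelta

# Windows Security event IDs: 4720 = user account created; 4728/4732/4756 =
# member added to a global/local/universal security group; 4625 = failed logon.
CREATED, GROUP_ADD, LOGON_FAILED = 4720, {4728, 4732, 4756}, 4625

# Assumptions for this sketch (tune to your environment):
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
APPROVED_PROVISIONERS = {"svc-iam-provision"}   # hypothetical allow-list
NEW_ACCOUNT_WINDOW = timedelta(hours=24)
BURST_WINDOW, BURST_THRESHOLD = timedelta(minutes=10), 5

# Constructed sample events (normalized fields are hypothetical, not a real export).
EVENTS = [
    {"time": "2025-01-10T02:14:00", "id": 4720, "actor": "jsmith", "target": "svc-backup2"},
    {"time": "2025-01-10T02:20:00", "id": 4728, "actor": "jsmith", "target": "svc-backup2", "group": "Domain Admins"},
    {"time": "2025-01-10T09:00:00", "id": 4720, "actor": "svc-iam-provision", "target": "new.hire"},
    {"time": "2025-01-10T09:05:00", "id": 4728, "actor": "svc-iam-provision", "target": "new.hire", "group": "Sales"},
    {"time": "2025-01-10T10:00:00", "id": 4732, "actor": "helpdesk1", "target": "olduser", "group": "Administrators"},
] + [{"time": f"2025-01-10T03:0{i}:00", "id": 4625, "actor": "-", "target": "administrator"} for i in range(5)]

def detect(events):
    """Return (signal, account) alerts in chronological order."""
    alerts, created, failures = [], {}, {}
    for e in sorted(events, key=lambda ev: ev["time"]):
        t = datetime.fromisoformat(e["time"])
        if e["id"] == CREATED:
            created[e["target"]] = t
            if e["actor"] not in APPROVED_PROVISIONERS:
                alerts.append(("unapproved_account_creation", e["target"]))
        elif e["id"] in GROUP_ADD and e.get("group") in PRIVILEGED_GROUPS:
            born = created.get(e["target"])
            fresh = born is not None and t - born <= NEW_ACCOUNT_WINDOW
            alerts.append(("new_account_privileged" if fresh else "privileged_group_change", e["target"]))
        elif e["id"] == LOGON_FAILED:
            recent = [x for x in failures.get(e["target"], []) if t - x <= BURST_WINDOW] + [t]
            failures[e["target"]] = recent
            if len(recent) == BURST_THRESHOLD:   # alert once, when the threshold is crossed
                alerts.append(("failed_logon_burst", e["target"]))
    return alerts

if __name__ == "__main__":
    for signal, account in detect(EVENTS):
        print(f"{signal}: {account}")
```

Correlating account creation with a privileged group change inside a short window separates a likely backdoor account from routine provisioning, which is the distinction a recovery team needs when deciding which restore point is still clean.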

Commvault and Deloitte: A Partnership for Identity Resilience

Identity resilience is a business challenge that requires strong governance, processes, controls, and enabling technology. That’s why Deloitte and Commvault have partnered to deliver comprehensive identity protection, recovery, and resilience programs that organizations can trust when it matters most. 

Deloitte brings deep expertise in cyber risk, enterprise resilience, and identity and access management to help Fortune 100 to 1000 organizations design, implement, and operationalize identity resilience programs.

These programs help clients assess security posture, improve detection and response capabilities, and define minimum viable company requirements, and then build tested, verified recovery plans with clear timelines and accountability across business and IT stakeholders. Deloitte turns identity resilience into an executable program with runbooks, testing, and readiness, so teams know what “prepared” looks like under pressure.

Commvault makes resilience programs operational with integrated protection and automated recovery workflows across identity systems, plus Air Gap Protect and Cleanroom Recovery to support repeatable, clean, validated recovery when it matters most. Commvault provides the technology foundation with identity resilience capabilities that include:

  • Protection for critical identity systems, including AD and Entra ID, with point-in-time comparison and rollback support for unwanted or accidental changes.
  • Auditing and detection to surface suspicious modifications early (who changed what, and when), helping reduce the window for attackers to spread or persist.
  • Automated recovery workflows, including forest-level recovery automation, to help reduce the manual burden and error risk during identity restoration.
  • Cleanroom Recovery to help validate identity recovery in isolation before reintroducing trust back into production.
  • Air Gap Protect to help maintain immutable, air-gapped backup copies, creating a protected foundation that supports clean recovery and cleanroom testing when identity (or the environment around it) can’t be trusted.

Take Action

If you want to pressure-test your cyber recovery readiness, start with a Deloitte Active Directory Workshop to map dependencies and produce a clear, actionable plan to recover AD and workloads to production. Then validate it the right way: using Commvault to rehearse recovery in a cleanroom before you ever need it in a real event.

For organizations ready to take the next step, we can extend this into a 30-day pilot that puts clean recovery and testing into motion with real artifacts and measurable outcomes. Contact your Deloitte representative at commvaultsalesteam@deloitte.com or your Commvault representative at deloittealliance@commvault.com for more information.

Dave Nowak is Cyber Defense & Resilience Principal at Deloitte, and Michael Fasulo is Senior Director, Portfolio Marketing, at Commvault.

 
