Backup and recovery integrations depend on secure workload credentials. A single compromised credential can open access far beyond one system, and threat actors know it.
The best static credential is the one you don’t have. Where feasible, move from secret-based authentication to managed identities or other “secretless” approaches, so credentials are issued, protected, and rotated by the platform rather than stored and handled manually. However, we realize this is not always possible for some legacy systems and configurations.
The good news: Even when using long-lived secrets, hygiene can reduce your risk and blast radius.
This post outlines a practical routine that can help ensure your business remains cyber resilient: Rotate credentials, minimize scope, and enforce Conditional Access where possible.
The Baseline: Three Key Controls
Strong credential hygiene comes down to three pillars: rotation, least privilege, and Conditional Access. While you won’t always be able to implement all three for every credential type, these are the right places to start for any environment:
- Rotation and monitoring: Rotate credentials regularly and review authentication activity for anomalies.
- Least privilege: Scope permissions so credentials can perform only the required backup/restore actions. Practical steps include:
  - Separate credentials by workload.
  - Scope permission to the minimum dataset/site/mailbox/database needed.
  - Avoid broad admin roles unless absolutely required.
- Conditional Access: Where supported, set policies to limit when and where credentials can be used, such as:
  - Trusted locations and IP ranges
  - Risk signals
  - Device/session controls
When Conditional Access Isn’t Feasible, Rotation is the Compensating Control
Not every credential type meets Conditional Access requirements. In those cases, rotation limits how long a stolen credential remains useful, and monitoring helps you detect misuse quickly.
Commvault guidance emphasizes rotating passwords, secrets, and credentials regularly across all environments. For single-tenant Azure app registrations protecting M365/D365/Entra ID workloads, Commvault recommends 90-day rotation cycles. Many common security and compliance frameworks (PCI DSS, ISO 27001, SOC 2, NIST) also expect disciplined credentials management, including periodic rotation and review of access.
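As an added illustration (not Commvault's own code or tooling), the following Python audit applies the 90-day cycle above to a constructed set of app registration client secrets, with field names modelled on the Microsoft Graph passwordCredential object; the 14-day warning window and the two-active-secrets limit are assumed policy values, not Commvault guidance.

```python
from datetime import datetime, timezone
ROTATION_DAYS = 90       # Commvault's recommended cycle for single-tenant Azure app registrations
WARN_DAYS = 14           # assumed: flag secrets this close to the rotation deadline
MAX_ACTIVE_SECRETS = 2   # assumed: one live secret plus one overlap secret mid-rotation
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed "now" so the sample is reproducible

# Constructed sample, not real tenant data. Field names mirror the Microsoft Graph
# passwordCredential object (keyId, displayName, startDateTime, endDateTime).
def cred(key_id, name, start, end):
    return {"keyId": key_id, "displayName": name, "startDateTime": start, "endDateTime": end}
APP_REGISTRATIONS = [
    {"appId": "app-m365-backup", "passwordCredentials": [
        cred("k1", "old", "2025-01-10T00:00:00Z", "2025-04-10T00:00:00Z"),
        cred("k2", "current", "2025-04-01T00:00:00Z", "2025-06-30T00:00:00Z")]},
    {"appId": "app-d365-backup", "passwordCredentials": [
        cred("k3", "long-lived", "2024-09-01T00:00:00Z", "2026-09-01T00:00:00Z")]},
    {"appId": "app-exchange-online", "passwordCredentials": [
        cred("k4", "two-year", "2025-05-20T00:00:00Z", "2027-05-20T00:00:00Z"),
        cred("k5", "aging", "2025-03-10T00:00:00Z", "2025-06-08T00:00:00Z"),
        cred("k6", "fresh", "2025-05-25T00:00:00Z", "2025-08-23T00:00:00Z")]},
]

def parse(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))
def classify_secret(c, now=NOW):
    start, end = parse(c["startDateTime"]), parse(c["endDateTime"])
    age, lifetime = (now - start).days, (end - start).days
    if now >= end:
        return "EXPIRED"                  # delete it; dead secrets still clutter access reviews
    if age >= ROTATION_DAYS:
        return "OVERDUE"                  # past the 90-day cycle, rotate now
    if lifetime > ROTATION_DAYS:
        return "LIFETIME_EXCEEDS_POLICY"  # issued with e.g. a 24-month expiry; reissue at 90 days
    if age >= ROTATION_DAYS - WARN_DAYS:
        return "ROTATE_SOON"
    return "OK"

def audit(apps, now=NOW):
    findings = []                         # (appId, keyId, finding) for everything needing attention
    for app in apps:
        active = 0
        for c in app["passwordCredentials"]:
            status = classify_secret(c, now)
            if status != "EXPIRED":
                active += 1
            if status != "OK":
                findings.append((app["appId"], c["keyId"], status))
        if active > MAX_ACTIVE_SECRETS:   # stale overlap secrets widen the blast radius
            findings.append((app["appId"], "*", "TOO_MANY_ACTIVE_SECRETS"))
    return findings
```

In a real tenant the same checks can be fed from the passwordCredentials of each application returned by Microsoft Graph; rotation itself is then a separate, reviewed change.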
Consult Your Security Team
Credential hygiene is most effective when it’s consistent. Align with your security team on:
- Rotation intervals (by credential type and risk tier).
- Conditional Access policy design (what’s enforceable without breaking automation).
- Privileged access rules, logging requirements, and review cycles.
Resource Guide
The resources below offer additional context and environment-based guidance on credential protection and access controls.
Commvault
- Rotating Passwords
- Steps by Account Type for Rotating Password
- Best Practice Guide: Enhancing Security with Conditional Access and Sign-In Monitoring
- Create a Client Secret for the Azure App for Exchange Online
Microsoft
- What is Conditional Access?
- Conditional Access for Workload Identities
- Secretless Authentication for Azure Resources
AWS
Google Cloud (GCP)
Will Galway is Deputy Chief Security Officer at Commvault.