The cybersecurity industry has been echoing a mantra for years: it’s not a question of if an organization will be attacked, but when. However, in 2025, a new idea is gaining traction among IT teams: it’s not enough to just be able to recover data; you must also ensure that the recovery process itself isn’t the weak link. In many incidents, attackers don’t force their way in; they log in with credentials, often with elevated privileges, operating calmly as if they held a legitimate key.
In this context, Commvault (NASDAQ: CVLT) announced on December 11, 2025, a partnership with Delinea, a company specializing in privileged access management (PAM). The agreement involves a technological integration that connects Commvault Cloud with Delinea’s Secret Server. The clear promise is to help clients strengthen the security of credentials tied to backup and recovery environments, facilitate regulatory compliance, and reduce operational friction in an area where mistakes can be costly.
“Identity” as the new perimeter: attackers no longer need to break down the door
In 2024, according to figures cited in the announcement, nearly one-third of security incidents (33%) involved compromised privileged identities. This figure highlights an uncomfortable reality: when an attacker gains an account with high-level permissions, or manages to escalate to one, defense is no longer only about firewalls or EDR; it comes down to how access is controlled, how long it lasts, and what traces are left behind.
The problem has been worsened by a less visible but common phenomenon among technical teams: the proliferation of non-human identities. These are credentials for applications, scripts, pipelines, and automated services that run critical processes. Most are created out of necessity, many are maintained out of inertia, and quite a few end up with more permissions than needed. In backup environments, they often have broad access to read, copy, move, or restore data. When this power falls into the wrong hands, the company’s backup—or its recovery plan—becomes a top target.
Because the modern attacker isn’t just after encryption. They also seek to delete copies, sabotage restorations, or insert persistence into systems that should rescue the business when everything else fails.
What changes with the integration: Less exposed credentials and more controlled access
The integration of Commvault Cloud with Delinea Secret Server targets a critical point: preventing backup credentials from residing in the system too long, being overly dispersed, or being managed manually in ways that are hard to audit. Both companies explain that the joint technology introduces three layers of control with the same goal: reduce permanent privileges and enhance traceability.
1) Centralized management and credential rotation
A key challenge in large organizations is that the data protection environment becomes a “parallel ecosystem”: service accounts for connecting to repositories, credentials to run jobs, access for restorations, keys for automation… Over time, some duplicate, others are orphaned, and many stay active out of fear of breaking processes.
This integration aims to centralize this chaos in a secrets vault, allowing controlled storage, governance, and rotation of credentials. The business message is clear: less complexity and fewer “forgotten accounts” that could serve as perfect entry points.
2) Just-in-Time (JIT) access for each backup or restore
The second pillar is the JIT approach: generate temporary credentials for each operation and revoke access afterward. It’s a mindset shift. Instead of “an account with always-available privileges,” the focus is on ephemeral credentials that exist only as long as necessary.
In an environment where attackers seek persistence, reducing this window can be decisive. If the credential isn’t available when the attacker seeks it, the breach becomes more difficult. Additionally, if each issuance and revocation is logged, the level of control increases significantly.
3) Auditability and least privilege for compliance without improvisation
The third axis is audit and compliance: applying the principle of least privilege (only what’s necessary, only when needed) and maintaining detailed logs to demonstrate control. The announcement explicitly mentions support for compliance initiatives often on the agendas of large companies and regulated sectors, including SOX, HIPAA, PCI-DSS, and GDPR.
This isn’t just “on paper.” In practice, many organizations face audits where they must explain who accessed what, why, and for how long. When backup processes are critical and complex, traceability stops being a luxury and becomes essential for peace of mind.
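The issuance and revocation records described in the last two sections only add control if something reviews them. The following is an added example, not code from Commvault or Delinea: it checks a constructed audit trail of JIT credential leases against an assumed one-hour lifetime policy. The log format, lease IDs, and job names are hypothetical, and events are assumed to be in time order.

```python
from datetime import datetime, timedelta

# Constructed sample events (hypothetical format): timestamp, event, lease id, job
EVENTS = """\
2025-12-11T01:00:00 issue lease-1 backup-db01
2025-12-11T01:05:00 use lease-1 backup-db01
2025-12-11T01:20:00 revoke lease-1 backup-db01
2025-12-11T02:00:00 issue lease-2 restore-fs02
2025-12-11T02:10:00 revoke lease-2 restore-fs02
2025-12-11T03:30:00 use lease-2 restore-fs02
2025-12-11T04:00:00 issue lease-3 backup-vm07
2025-12-11T04:05:00 use lease-3 backup-vm07
2025-12-11T09:00:00 use lease-4 backup-db01
"""

MAX_LIFETIME = timedelta(hours=1)  # assumed policy, not a vendor default


def audit(text, now, max_lifetime=MAX_LIFETIME):
    """Return (lease, finding) pairs for leases that violate the JIT model."""
    now = datetime.fromisoformat(now)
    issued, revoked, findings = {}, {}, []
    for line in text.splitlines():
        stamp, event, lease, _job = line.split()
        ts = datetime.fromisoformat(stamp)
        if event == "issue":
            issued[lease] = ts
        elif event == "revoke":
            revoked[lease] = ts
            # A lease that was revoked, but only after outliving the policy window
            if lease in issued and ts - issued[lease] > max_lifetime:
                findings.append((lease, "lifetime exceeded policy"))
        elif event == "use":
            if lease not in issued:
                findings.append((lease, "used without issuance"))
            elif lease in revoked:
                findings.append((lease, "used after revocation"))
    # Standing access: issued, never revoked, and older than the policy window
    for lease, ts in issued.items():
        if lease not in revoked and now - ts > max_lifetime:
            findings.append((lease, "never revoked"))
    return findings


if __name__ == "__main__":
    for lease, finding in audit(EVENTS, "2025-12-11T12:00:00"):
        print(f"{lease}: {finding}")
```
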
An approach that combines business continuity and identity security
Commvault frames this as “unified resilience”: merging data security, identity resilience, and cyber-recovery into a single platform. The messaging suggests that recovery shouldn’t be isolated in a separate department but should coexist with security, identity, and daily operations.
Delinea, for its part, emphasizes a key idea: cyber-resilience depends equally on the ability to recover and on doing so reliably. In a real incident, the worst scenario is discovering that copies exist… but the attacker also holds the key to manipulating them.
This is the silent fear among many CISOs: that the attacker arrives at the recovery system before the response team does. Therefore, any improvement in credential security within the backup domain is seen as a direct reinforcement of the core continuity plan.
Available worldwide at no additional cost for joint customers
The announced integration is offered globally to clients using both solutions and, according to shared information, at no extra cost. This is noteworthy in a market where many “integrations” end up as extra modules, separate licenses, or lengthy consulting projects.
Here, the focus appears to be on accelerating adoption: integrating PAM controls into backup and restore workflows as soon as possible reduces the risk that mismanaged credentials turn recovery into a weak spot.
A clear conclusion: backup is no longer just about capacity; it’s about trust
For years, the backup conversation centered on how much data could be stored, how fast recovery was, and whether deduplication or immutability was used. All that still matters. But the current context raises an equally uncomfortable question: who can touch those copies?
The partnership between Commvault and Delinea aims to answer that. Because in the real world, resilience is measured by the ability to get back up after an attack. And here, credential management—both human and machine—stops being a hygiene issue and becomes one of the most strategic decisions in modern IT.
Frequently Asked Questions
Why are credential-based attacks especially dangerous in backup environments?
Because if an attacker gains privileged credentials, they can sabotage backups, prevent restores, or manipulate the recovery process without triggering as many alerts as a noisy attack.
What does applying Just-in-Time access mean for backup and restore jobs?
It means generating temporary credentials solely for the specific task and revoking them afterward, reducing exposure time and risk of misuse.
What are non-human identities, and why do they matter in enterprise cybersecurity?
They are credentials for services, applications, and automation. They grow rapidly, are often poorly controlled, and may accumulate excessive permissions, making them attractive attack targets.
How does a secrets management system support GDPR compliance in data recovery processes?
It facilitates least privilege, rotation, and detailed access logs, improving control over who accesses personal data during critical operations like copying and restoring.
source: Security News

