Cloud Identity Is the New Perimeter: Protecting What Matters Most

By Data Protection Gumbo·April 20, 2026·10 min read

In the data center era, security was about protecting the perimeter. Firewalls, intrusion detection systems, and network segmentation kept the bad guys out. Your data was safe as long as the walls held.

In the cloud, there is no perimeter. There are only identities.

Every access decision in the cloud comes down to one question: is this identity authorized to perform this action on this resource? If an attacker compromises the right identity, they don't need to breach a firewall. They walk through the front door.

Why Identity Compromise Is Devastating

When an attacker gains access to a privileged cloud identity, they can:

  • Delete or encrypt backup repositories
  • Modify retention policies to accelerate data deletion
  • Create new admin accounts for persistent access
  • Disable logging and monitoring
  • Exfiltrate data before destroying it
  • Modify IAM policies to lock out legitimate administrators

The most dangerous part: from the cloud provider's perspective, every action looks legitimate. The correct credentials were used. The API calls were properly authenticated. The activity logs show authorized actions by an authorized identity.

The Identity Attack Surface

Your cloud identity attack surface is larger than you think:

Human identities: Every employee, contractor, and partner with cloud access is an attack vector. Phishing, credential stuffing, and social engineering target these identities relentlessly.

Service accounts: Non-human identities used by applications, CI/CD pipelines, and integrations. These often have overly broad permissions and rarely have MFA enabled.

Federated identities: Single sign-on connections between your identity provider and cloud platforms. Compromising the IdP gives access to everything.

API keys and tokens: Long-lived credentials embedded in code, configuration files, and CI/CD variables. These are routinely leaked in git repositories.

Temporary credentials: Even short-lived tokens can be intercepted and replayed within their validity window.

Protecting Cloud Identity for Data Protection

Enforce MFA everywhere — no exceptions. Every human identity accessing cloud resources must use phishing-resistant MFA. Hardware security keys are the gold standard.

Implement just-in-time access. No standing privileges for administrative actions. Require elevation requests with approval workflows and automatic expiration.

Audit service accounts ruthlessly. Inventory every non-human identity. Apply the principle of least privilege. Rotate credentials on a schedule. Eliminate any service account that hasn't been used in 90 days.
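One way to turn that audit into a repeatable check, as an added example that is not the blog's or any vendor's code: the script below walks an inventory of non-human identities and flags the three problems the paragraph names (accounts unused for more than 90 days, credentials overdue for rotation, and policies that grant wildcard actions or resources). The inventory records, the `last_used`/`key_created` field names, the account id and the 90-day thresholds are constructed for this example; only the policy documents follow the real IAM JSON layout.

```python
"""Service-account audit over a constructed identity inventory.

Added example, not the blog's code. Applies the checks the post asks for:
flag non-human identities unused for more than 90 days, flag credentials
due for rotation, and flag policies granting wildcard actions or resources.
Inventory fields, account names and thresholds are assumptions; the policy
documents follow the IAM JSON layout.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 4, 20, tzinfo=timezone.utc)   # fixed clock so results are reproducible
STALE_DAYS = 90      # post: eliminate accounts unused for 90 days
ROTATE_DAYS = 90     # assumed rotation schedule for long-lived keys

# Constructed inventory: one record per non-human identity (assumed field names).
SERVICE_ACCOUNTS = [
    {"name": "ci-deployer", "last_used": "2026-04-18T09:12:00Z",
     "key_created": "2026-02-15T00:00:00Z",
     "policy": {"Statement": [{"Effect": "Allow", "Action": ["s3:PutObject"],
                               "Resource": "arn:aws:s3:::build-artifacts/*"}]}},
    {"name": "legacy-etl", "last_used": "2025-12-01T03:00:00Z",
     "key_created": "2024-06-01T00:00:00Z",
     "policy": {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}},
    {"name": "backup-agent", "last_used": "2026-04-19T22:00:00Z",
     "key_created": "2025-01-15T00:00:00Z",
     "policy": {"Statement": [{"Effect": "Allow", "Action": ["backup:*"], "Resource": "*"}]}},
    {"name": "never-used-bot", "last_used": None,
     "key_created": "2026-04-01T00:00:00Z",
     "policy": {"Statement": [{"Effect": "Allow", "Action": ["sqs:ReceiveMessage"],
                               "Resource": "arn:aws:sqs:us-east-1:123456789012:jobs"}]}},
]


def _parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _as_list(value):
    # IAM allows Action/Resource to be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]


def wildcard_grants(policy):
    """Return the wildcard actions/resources granted by Allow statements."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"wildcard action {action}")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append("wildcard resource *")
    return findings


def audit(accounts, now=NOW):
    """Map each account name to the list of issues found (empty list means clean)."""
    report = {}
    for acct in accounts:
        issues = []
        if acct["last_used"] is None:
            issues.append("never used")
        elif now - _parse_ts(acct["last_used"]) > timedelta(days=STALE_DAYS):
            issues.append(f"unused >{STALE_DAYS}d")
        if now - _parse_ts(acct["key_created"]) > timedelta(days=ROTATE_DAYS):
            issues.append(f"credential older than {ROTATE_DAYS}d")
        issues.extend(wildcard_grants(acct["policy"]))
        report[acct["name"]] = issues
    return report


def decommission_candidates(report):
    """Accounts that were never used or are stale: remove them rather than rotate them."""
    return [name for name, issues in report.items()
            if any(i == "never used" or i.startswith("unused") for i in issues)]


if __name__ == "__main__":
    for name, issues in audit(SERVICE_ACCOUNTS).items():
        print(f"{name:16} {'OK' if not issues else '; '.join(issues)}")
```

In a real environment the inventory comes from the provider's credential reports and access-advisor data; the point of keeping `audit()` pure is that the same logic can run against an export on a schedule and its output can be diffed from one run to the next.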

Monitor identity behavior. Deploy identity threat detection that baselines normal behavior and alerts on anomalies — unusual login locations, privilege escalations, bulk data access, or off-hours administrative actions.
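The detection logic described here, as an added example rather than code from the post or from any detection product: it keeps a per-identity baseline (familiar source countries and working hours), then evaluates a batch of audit events against the four anomaly types the paragraph lists, plus destructive backup actions, which the post names earlier as a top attacker goal. The event format, identity names, baselines, thresholds and the specific action names used as admin or destructive markers are all constructed for this example.

```python
"""Identity-behavior anomaly detection over constructed cloud audit events.

Added example, not the blog's code. Baselines each identity's familiar
countries and hours, then raises the alert types the post names: unfamiliar
location, privilege escalation, bulk data access, off-hours administrative
actions, plus destructive backup actions. Event format, identities and
thresholds are constructed; real audit logs carry equivalent fields.
"""
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Baseline per identity: countries seen during normal operation, normal hours (UTC).
BASELINE = {
    "alice":      {"countries": {"US"}, "hours": set(range(8, 19))},
    "backup-svc": {"countries": {"US"}, "hours": set(range(0, 24))},
    "etl-reader": {"countries": {"US"}, "hours": set(range(0, 24))},
}

PRIVILEGE_ACTIONS = {"iam:CreateUser", "iam:CreateAccessKey",
                     "iam:AttachUserPolicy", "iam:PutUserPolicy"}
DESTRUCTIVE_BACKUP_ACTIONS = {"backup:DeleteRecoveryPoint", "backup:DeleteBackupVault",
                              "backup:UpdateRecoveryPointLifecycle"}
ADMIN_PREFIXES = ("iam:", "backup:Delete", "backup:Update", "s3:PutBucketPolicy")
BULK_THRESHOLD = 25   # s3:GetObject calls by one identity within one clock hour

# Constructed events, one per line: "timestamp|identity|source_country|action"
RAW_EVENTS = [
    "2026-04-20T14:05:00Z|alice|US|signin:ConsoleLogin",
    "2026-04-20T14:06:30Z|alice|US|s3:GetObject",
    "2026-04-20T23:40:00Z|alice|RO|iam:CreateUser",
    "2026-04-20T23:41:10Z|alice|RO|iam:AttachUserPolicy",
    "2026-04-20T02:00:00Z|backup-svc|US|backup:StartBackupJob",
    "2026-04-20T02:10:00Z|backup-svc|US|backup:DeleteRecoveryPoint",
] + [f"2026-04-20T10:{i:02d}:00Z|etl-reader|US|s3:GetObject" for i in range(30)]


def parse_event(line):
    ts, identity, country, action = line.split("|")
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "identity": identity, "country": country, "action": action}


def detect(raw_events, baseline=BASELINE):
    """Return a list of (identity, timestamp, rule) alerts for the given events."""
    alerts = []
    reads = defaultdict(int)   # (identity, hour bucket) -> s3:GetObject count
    for ev in map(parse_event, raw_events):
        who = ev["identity"]
        profile = baseline.get(who)
        if profile is None:                      # no baseline: treat as an alert on its own
            alerts.append((who, ev["ts"], "unknown_identity"))
            continue
        if ev["country"] not in profile["countries"]:
            alerts.append((who, ev["ts"], "unfamiliar_location"))
        if ev["action"] in PRIVILEGE_ACTIONS:
            alerts.append((who, ev["ts"], "privilege_escalation"))
        if ev["action"] in DESTRUCTIVE_BACKUP_ACTIONS:
            alerts.append((who, ev["ts"], "destructive_backup_action"))
        if ev["action"].startswith(ADMIN_PREFIXES) and ev["ts"].hour not in profile["hours"]:
            alerts.append((who, ev["ts"], "off_hours_admin_action"))
        if ev["action"] == "s3:GetObject":
            bucket = (who, ev["ts"].replace(minute=0, second=0))
            reads[bucket] += 1
            if reads[bucket] == BULK_THRESHOLD:  # fire once per bucket when the threshold is crossed
                alerts.append((who, ev["ts"], "bulk_data_access"))
    return alerts


def summarize(alerts):
    """Count alerts per identity and rule, e.g. {"alice": {"privilege_escalation": 2}}."""
    summary = defaultdict(Counter)
    for who, _, rule in alerts:
        summary[who][rule] += 1
    return {who: dict(counts) for who, counts in summary.items()}


if __name__ == "__main__":
    for who, counts in summarize(detect(RAW_EVENTS)).items():
        print(who, counts)
```

The constructed data shows why the rules are worth combining: a single off-hours IAM change from a new country by a normally well-behaved human identity is a much stronger signal than any one of those facts alone, while the backup service account trips only the destructive-action rule, because deletions of recovery points deserve review even when the identity, location and time are all normal.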

Protect your backup identities specifically. The credentials used to manage backup infrastructure should be the most protected identities in your environment. Separate them from general admin accounts. Use dedicated hardware MFA. Implement break-glass procedures for emergency access.

Implement identity-aware backup policies. Your backup system should be able to detect and flag changes made by compromised identities. This requires integration between your identity threat detection and your data protection platform.

The Identity-Backup Connection

Here's what most organizations miss: your backup system is only as secure as the identities that can access it. If an attacker can compromise the identity used to manage backups, they can:

  1. Delete all backup copies
  2. Modify retention policies
  3. Disable backup jobs
  4. Corrupt backup data
  5. Prevent recovery during an active attack

This is why immutable backup storage with separate identity controls is essential. Your backup infrastructure must be protected by identities that are completely independent from your production environment.

Action Items

  1. Audit all identities with access to backup infrastructure this month
  2. Implement MFA for every backup admin account this quarter
  3. Deploy identity threat detection for cloud environments
  4. Test your recovery procedures assuming the backup admin account is compromised
  5. Implement immutable storage that cannot be deleted even by backup administrators
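The requirement in the previous section and in action item 5 (backup copies that a backup administrator cannot delete) can be checked rather than assumed. The following is an added example, not the blog's code and not any provider's tooling: it inspects a bucket's object-lock configuration and bucket policy and reports every way a backup administrator could still shorten or bypass retention. The lock configuration follows the shape of the S3 `GetObjectLockConfiguration` response and the policies use IAM JSON layout, but the bucket names, role ARN, account id and retention values are constructed here.

```python
"""Immutability check for a backup bucket's lock configuration and policy.

Added example, not the blog's code. Answers the question behind action
item 5: can a backup administrator permanently delete a backup before its
retention period ends? Lock configuration shape follows the S3
GetObjectLockConfiguration response; bucket names, principals and
retention values are constructed.
"""

# Permissions that let a principal lift GOVERNANCE-mode retention (directly or via a wildcard).
BYPASS_CAPABLE = {"*", "s3:*", "s3:BypassGovernanceRetention"}

# Constructed principal: the role the backup platform runs as.
BACKUP_ADMIN = {"AWS": "arn:aws:iam::123456789012:role/BackupAdminRole"}

WEAK_BUCKET = {
    "name": "backups-weak",
    "object_lock": {"ObjectLockEnabled": "Enabled",
                    "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}}},
    "policy": {"Statement": [
        {"Sid": "AdminFullAccess", "Effect": "Allow", "Principal": BACKUP_ADMIN,
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::backups-weak", "arn:aws:s3:::backups-weak/*"]}]},
}

HARDENED_BUCKET = {
    "name": "backups-hardened",
    "object_lock": {"ObjectLockEnabled": "Enabled",
                    "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}}},
    "policy": {"Statement": [
        # The backup role can write and read, but holds no delete or bypass rights.
        {"Sid": "WriteAndRead", "Effect": "Allow", "Principal": BACKUP_ADMIN,
         "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::backups-hardened", "arn:aws:s3:::backups-hardened/*"]},
        # Explicit deny so that no other attached policy can quietly add these later.
        {"Sid": "NoBypass", "Effect": "Deny", "Principal": "*",
         "Action": ["s3:BypassGovernanceRetention", "s3:PutBucketObjectLockConfiguration"],
         "Resource": ["arn:aws:s3:::backups-hardened", "arn:aws:s3:::backups-hardened/*"]}]},
}

NO_LOCK_BUCKET = {"name": "backups-unlocked", "object_lock": None, "policy": {"Statement": []}}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def assess_immutability(bucket, required_days):
    """Return a list of findings; an empty list means the bucket meets the requirement."""
    lock = bucket.get("object_lock") or {}
    if lock.get("ObjectLockEnabled") != "Enabled":
        # Without Object Lock, versioning alone does not stop a permanent version delete.
        return ["object lock not enabled: any principal with delete rights can remove versions"]

    findings = []
    retention = lock.get("Rule", {}).get("DefaultRetention", {})
    mode = retention.get("Mode")
    days = retention.get("Days", 0) + 365 * retention.get("Years", 0)
    if mode != "COMPLIANCE":
        # GOVERNANCE retention can be shortened or removed by a principal holding
        # s3:BypassGovernanceRetention; COMPLIANCE retention cannot, not even by the account root.
        findings.append(f"retention mode {mode}: can be lifted by a principal "
                        "holding s3:BypassGovernanceRetention")
    if days < required_days:
        findings.append(f"default retention {days}d is shorter than the required {required_days}d")

    for stmt in bucket.get("policy", {}).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        risky = set(_as_list(stmt.get("Action", []))) & BYPASS_CAPABLE
        if risky:
            findings.append(f"statement {stmt.get('Sid')} grants {sorted(risky)} to {stmt.get('Principal')}")
    return findings


def meets_immutability_requirement(bucket, required_days):
    return not assess_immutability(bucket, required_days)


if __name__ == "__main__":
    for b in (WEAK_BUCKET, HARDENED_BUCKET, NO_LOCK_BUCKET):
        print(b["name"], assess_immutability(b, required_days=30) or "OK")
```

Two caveats the check encodes: a default retention rule only applies to objects written after it is set, so existing versions keep whatever retention they were written with, and even under COMPLIANCE mode a principal with delete rights can still place a delete marker, which hides the version without removing it. Recovery testing (action item 4) should therefore include restoring from a version that has a delete marker in front of it.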

Identity is the new perimeter. Protect it accordingly, or your backup strategy is built on sand.
