Separated Duties
Operators can restore service but cannot remove protections, so no single compromised account can both run and destroy recovery.
A compact executive walkthrough that proves an attacker reaching an admin account still cannot erase recovery — clean copies survive, controls hold, and the business returns to service with evidence.
Pattern B answers the security sponsor question: if ransomware reaches a privileged account, can it also destroy our ability to recover? It proves the answer is no — backup destruction is made noisy and blocked through separated duties, soft delete, and immutable vault locks, so clean recovery points survive and the business can restore priority service with board-ready evidence.
Leaders see the impact: destructive attempts are detected before recovery is lost.
Compromised access cannot erase the recovery promise or weaken controls.
Protected recovery points remain available when the business needs a clean copy.
The team restores, validates, and briefs executives with evidence.
Start with the executive concern: the attack is serious, but the organization can still see what happened and preserve clean recovery choices.
Operators can restore service but cannot remove protections, so no single compromised account can both run and destroy recovery.
Soft delete and immutable vault locks keep clean recovery points available long enough to choose a safe restore.
Produces one incident pack: timeline, blocked actions, available recovery points, restored service, and the next governance step.
| Artifact | Use It For | Link |
|---|---|---|
| Infrastructure Guide | Deploy the workload/protection separation, soft delete, and immutable locks. | INFRASTRUCTURE_DEPLOYMENT_GUIDE.md |
| Spec | Review RBAC separation, retention, immutability, and cleanup. | SPEC.md |
| KQL | Show backup failures, RBAC access audit, and soft-delete operations. | backup-failures / rbac-audit / soft-delete |
| Source | Open the implementation package in GitHub. | GitHub source |