The Ultimate Guide to Minimum Viability

Walk through the concept of minimum viability and how our solutions play a role in each stage of your journey. 

Overview 

What’s in this guide

The worst happened. Your organization has been hit by a disaster or cyberattack. Your data, your apps are wiped out. Now what? What’s the minimum you need to recover to have a viable business that can take orders and/or serve the essential needs of the business? And how do you get there? 

Why Minimum Viability? 

Why minimum viability?

The rise of cyberattacks is forcing organizations to rethink their recovery strategies. While detecting threats remains critical, a more significant challenge has emerged: making sure protected data is clean and available to bring a company back online.   
 
With attackers strategically infiltrating systems, staying undetected for extended periods, and creating widespread repeat damage, security and IT teams have begun to focus on advanced practices to minimize the impact of downtime on their most important, business-critical assets.  
  
Minimum viability – sometimes referred to as a “minimum viable company” – means having a keen understanding of just the most critical assets and what it takes to restore them to be operational after a cyberattack or incident.

Develop a Plan 

Developing a plan for minimum viability

Developing a plan for minimum viability starts well before an attack. 
At a high level, these are the practices involved to define what minimum viability means for your organization and how you’ll achieve it in the event of an attack: 
 
Accurate and aligned view of the core processes and dependent systems. 
These are the systems required to minimize downtime so an organization can resume delivering on its mission with minimal disruption (e.g., caring for patients, serving citizens, educating students, supporting customers, etc.).

Organizations usually tier applications and services by priority to the business. For example, ServiceNow’s Business Continuity Management model categorizes applications as:

Business critical

Can’t do anything without these (e.g., Active Directory, order management system). 

Mission critical

Needed for a full recovery of operations for email and accounting.

Non-critical

All other systems. 

It’s not a one-size-fits-all approach, as every organization and its mission is different.
The National Institute of Standards and Technology (NIST) offers a business impact analysis template to help in planning. 

Understanding the cost of downtime for those core resources. This is most commonly measured in cost per minute/hour/day, customer loyalty, patient care, brand impact, regulatory fines, and more. A 2024 report from Enterprise Management Associates puts the average cost of an outage at $14,056 per minute. 

Clear and actionable plan to restore critical systems, data, and processes. 
This includes a focus on both cyber resilience and recovery, thereby maintaining continuity and trust. Focus on who does what and how the teams work together.


Note that a disaster recovery plan can’t be relied on to cover the damage caused by a cyberattack. In our “Preparedness Gap: Why Cyber-recovery Demands a Different Approach from Disaster Recovery” report, we surveyed 500 IT and security leaders to understand how organizations handle disaster vs. cyber recovery, 92% of respondents said they’ve suffered from attacks explicitly targeting backups.  

71% said those kinds of attacks accounted for half or more of all attacks. This, and other factors, make cyber recovery more complicated.

68%

Involves different process 
and workflows

68%

Involves different technologies and features

58%

Involves different personnel and skill sets

54%

More complex

How much more difficult is cyber recovery?

Cyber recoveries
Disaster recoveries
Same difficulty

Technologies are more complex

(N: 340)
64%
14%
21%

Find & retain skilled staff is hard

(N: 289)
59%
15%
26%

Processes & workflows are more difficult

(N: 342)
51%
22%
27%

SLAs are harder to meet

(N: 226)
49%
26%
26%

Practiced ability to enable minimum viability with a focus on cyber resilience. Having a plan alone is not enough. As Mike Tyson famously said, “Everyone has a plan until they get punched in the mouth.”


As part of minimum viability, organizations must include the ability to automate, test, audit, and continually improve rapid restoration, confirming they are ready to remain resilient in the face of evolving threats. This can be tabletop exercises, simulations, and actual testing of the technology involved so you know what to expect when the worst happens.


Remediation of threats and removing back doors prevents further damage. It also prevents bad actors from getting back into the environment, allowing for clean recovery operations without disruption.

Restoration of the previous state without proper threat remediation post-recovery threat scanning, and a period of observability means your systems could be exploited again. Data must be checked and applications purged of potential backdoors and vulnerabilities that could let attackers back in as soon as you think you’ve recovered.

Why cyber recovery is more challenging than traditional disaster recovery

Strongly agree
Agree
Neutral
Disagree

Significant time and effort is required to do forensic analysis to determine the full scope of what was infected.

44%
47%
7%
2%

Recovering without first establishing a cleanroom environment creates significant risk of reinfection.

39%
46%
11%
3%

Rushing to recover from a cyber incident often destroys evidence of how the attack was executed, leaving the organization vulnerable.

32%
51%
11%
6%

Next-gen cyber recovery architecture.
Enables encryption, immutability/indelibility, hardening, any-to-any portability, and dynamic scaling, thereby increasing overall flexibility.

Establishing a strong approach to minimum viability is particularly important today, when the cost of downtime is significant, both financially and reputationally.  

Restoration Workflow

Restoration workflow to minimum viability

In the Preparedness Gap report, 2.3 times more respondents said cyber recovery processes and workflows are more difficult than disaster recovery and nearly 2 times more said SLAs are harder to meet. Realizing that minimum viability is part of a wider incident response and cyber recovery process, how do you overcome those challenges? This workflow for minimum viability can help: 

Remediation of threats

Minimize damage while limiting spread and enabling the preservation of evidence. Identification of the threat will allow you to assess scope, affected systems, data, and business functions. Containment of threat will allow mitigation efforts to remove threat. Eradication will remove threats and malware, close security gaps, and expel attackers from systems.

Restore secure access

Verify that employees can securely access critical systems and data by restoring clean, trusted directory and identity services, like Active Directory, Azure Entra ID, and AWS IAM. 

AD isn’t just about users being unable to log on to their workstations or access email. When AD is down, critical infrastructure can’t come online, applications don’t start, and business grinds to a halt. When Cloud IAM is compromised, complex roles and permissions further inhibit the restoration process. 

Establish secure communications

Provide secure email, messaging, calendaring, and document collaboration with services like Microsoft 365 (M365) and Google Workspace. This should be considered a secondary form of communication outside of primary.  

Email and collaboration tools are vital for modern businesses, allowing teams to work together from anywhere. When these services are down, productivity drops significantly. Secure communications protect against eavesdropping and multiple attack vectors. If M365 is compromised, bad actors can access it in various ways, making a secondary, secure communication channel essential. 

Rebuild infrastructure

Quickly restore essential IT infrastructure and applications to operational status.  

Recovering applications means rebuilding each of the distributed components as well as the underlying infrastructure. Doing so allows you to quickly and cleanly bring back critical and core capabilities. 

Recovering data

Efficiently recover clean and trusted data to minimize the impact of disruptions.  

Data is the lifeblood of modern business. In many cases, reliable access to data is a necessity for a business to operate at its most basic level. Recovering clean data after a cyberattack or security incident is crucial to restoring operations, avoiding interruptions in service, and reducing the risk of reinfection.


 

Cyber recovery needs full vs. partial

62%
 

Percentage of events that only necessitated a portion of the recovery plan to be invoked.

38%
 

Percentage of events needing a full-blown recovery.

How we help

How we help customers with minimum viability

Commvault offers capabilities to help organizations get to minimum viability and beyond as quickly as possible. These include:

AD change analysis and forest-level recovery

Facilitates clean recovery of AD at scale required to rapidly establish minimum viability. Automated, forest-level recovery of AD removes complexity and risk of human error, and accelerates getting critical identity and access management services back online. This means mission-critical infrastructure and applications can be brought online, users and customers can access services, and your business can recover and restore operations.  


Commvault offers automated, forest-level recovery of AD that includes the auto-generation of custom run books and point-and-click simplicity to recover complex AD environments in minutes or hours, rather than weeks.

Cleanroom Recovery & Air Gap Protect

On-demand recovery to secure, isolated locations on the cloud helped by automation, for testing, to conduct forensics, and initial production recovery directly from cloud-based immutable and indelible storage. 

Cleanroom Recovery allows continuous testing and refinement of cyber recovery processes, helping provide clean restores of critical applications in isolated cloud environments. Use the cloud’s elastic scale to store data, practice recovery, and conduct isolated forensic analysis to investigate and remediate threats. 

Cloud-scale recovery

Leverages cloud techniques (even for on-premises environments) to recover large datasets rapidly. Recovering critical data after a cyberattack requires a complex and cumbersome set of operations. However, modern cloud techniques – from the parallel nature of microservices-based to serverless scale – can help streamline large recovery processes to get businesses back online rapidly and reliably. 

Commvault offers automated, cloud-scale recovery capabilities. From leveraging serverless functions for restoring billions of objects in cloud datastores to using containerized microservices to bring cloud-like speed and scale to on-prem recovery, Commvault gives customers cloud-scale recovery to enable reliable, rapid recovery at scale. 

Recovery-as-code

Automates rebuilds of cloud application and infrastructure stacks (networking, DNS, compute) to accelerate restoring minimum viability.  

Commvault Cloud Rewind continuously discovers cloud-based application workloads, automatically maps related network and security dependencies, and protects it all in a segregated, air-gapped environment. Rewind the application stack to a point in time before a breach or configuration error occurred, rebuilding environments through recovery-as-code that can easily integrate into CloudOps processes or CI/CD pipelines. 

Rapid recovery for AI workloads

Residing in object stores like Amazon S3 and S3-based data lakes. This kind of storage requires a new set of protection and recover capabilities to handle the necessary scale. Recovering billions of objects – and helping verify all objects are properly restored and correlated to a previous point in time – is a complex and compute-intensive set of operations.
 

Commvault’s Clumio Backtrack offers protection of emerging workloads in S3, making it possible to recover billions of objects accurately, reliably, and with the speed necessary to minimum viability quickly. 

Cloud security with resource discovery and mapping

To find the hundreds or even thousands of cloud resources used by your organization, including serverless and containerized compute, NoSQL databases, ML and AI services, virtual networking, and more. Unprotected cloud resources, dependencies, and configurations extend the recovery times of restoring critical cloud infrastructure after an outage or attack – a risk that can be avoided with automated cloud resource discovery, mapping, and configuration protection. 

Minimum Viability

Conclusion

Identifying and returning to minimum viability is crucial for any organization to recover quickly and maintain essential operations after a cyberattack. Having the right workflows and following best practices are critical to success.

Commvault Solutions

Explore how Commvault safeguards data from tomorrow’s threats

Commvault’s comprehensive solutions, from directory change analysis to Cleanroom Recovery and Cloud Rewind, provide the necessary tools to help achieve this. By implementing these practices, businesses can enhance their resilience, minimize downtime, and protect their critical assets effectively.

Cleanroom Recovery & Air Gap

Cloud Rewind

Active Directory