Identity Is the First Critical Infrastructure

When identity fails, healthy systems become unusable and attackers inherit authority. Recover identity before the applications that depend on it.

The answer

Institutions call networks, cloud platforms and payment systems critical infrastructure. Identity sits underneath all of them. If the directory, domain, privileged accounts or recovery channels fail, healthy applications become unavailable to legitimate users and available to the wrong ones.

Institutions call networks, cloud platforms and payment systems critical infrastructure. Identity sits underneath all of them.

If the directory, domain, privileged accounts or recovery channels fail, healthy applications become unavailable to legitimate users and available to the wrong ones. Every recovery plan that begins with servers has started one layer too late.

Identity determines who may recover

During an incident, the institution must establish who is authorised to isolate, restore and reconnect. If that proof depends on the compromised identity system, recovery becomes circular.

Value object — The Identity Continuity Map

- Authoritative identity sources.

- Privileged and recovery identities.

- Independent emergency authentication.

- Critical systems dependent on each source.

- Manual issuance and revocation route.

- Last recovery exercise and evidence.

Recover the control plane first

Prioritise domain, directory, administrator and secure communications. Issue short-lived emergency access through an independently verified process. Restore applications only after trustworthy identities and logging exist.

Identity is not a support service. It is the infrastructure through which the institution proves who may act.

Where this breaks

Application recovery fails when the team cannot prove who is entitled to perform it. The incident then drives administrators toward shared accounts and support exceptions.

The operating move

Create an identity recovery core that survives the primary directory: independently verified leaders, protected recovery material, secure communications and short-lived emergency roles.

Rank sovereign identity systems.

Separate recovery factors.

Pre-authorise emergency issuers.

Restore logging before broad access.

The test

Disable the primary identity source in an exercise. The institution passes only if it can establish legitimate authority without borrowing the failed system.

Sources

  1. NIST Digital Identity GuidelinesNIST Digital Identity Guidelines

    Primary authority

  2. NIST SP 800-34 Rev. 1: Contingency Planning GuideNIST SP 800-34 Rev. 1: Contingency Planning Guide

    Primary authority

  3. FINMA: Revised circular on operational risks and resilienceFINMA: Revised circular on operational risks and resilience

    Primary authority

Adam J. De CollibusFounding Partner, Svperior / Systems Engineering

Jonathan P. De Collibus

Jonathan co-founded Svperior in 2014 and leads its cyber practice. His work sits where adversarial pressure, technical architecture, and consequential decisions meet, with experience across clinical, financial, public-sector, and private-client systems where confidentiality, continuity, and technical correctness carry material consequences.

Cyber strategy / Adversarial assessment / Security architecture / Private systems

Need to apply this to a specific situation?

Send us the initial context. If the matter fits, we will respond directly.

Send private inquiry
Identity Is the First Critical Infrastructure \