Meeting Compliance Requirements with Point-in-Time Recovery and Investigation
“We need to provide the auditors with a report showing who had access to our financial systems nine months ago.”
If this request sends a chill down your spine, you’re not alone. For organizations relying on identity systems like Okta with standard 90-day log retention, such requests can be nearly impossible to fulfill without the right tools.
In today’s regulatory environment, maintaining historical identity data isn’t just a good practice—it’s a compliance requirement. Yet many organizations discover too late that their identity backup solution isn’t designed to meet these requirements.
In this post, we’ll explore how point-in-time recovery and tenant investigation capabilities are essential for meeting compliance obligations, and how Acsense provides these capabilities through a unique database-driven architecture.
The Compliance Challenge with Identity Data
Regulatory frameworks across industries increasingly require organizations to maintain comprehensive historical records of who had access to what systems and when:
- SOX compliance requires demonstrating separation of duties and access controls for financial systems, with receivable and payable ledgers needing to be retained for 7 years
- GDPR mandates the ability to report on who had access to personal data, emphasizing that “data cannot be kept indefinitely”
- HIPAA requires audit controls and comprehensive access reporting for protected health information, with HIPAA-related documents requiring retention for at least 6 years from their creation
- PCI-DSS v4.1 demands tracking and monitoring of all access to cardholder data, with specific requirements for system log retention
Recent regulatory frameworks are raising the bar even higher for data retention and investigation capabilities.
The EU’s Digital Operational Resilience Act (DORA) specifically requires financial entities to have in place mechanisms to “promptly detect anomalous activities,” in accordance with Article 17, “including ICT network performance issues and ICT-related incidents,” and to “identify potential material single points of failure.”
Similarly, the NIST Cybersecurity Framework 2.0—particularly in its Respond and Recover functions—“emphasizes the importance of thorough analysis and investigation as crucial steps in effective incident response and recovery. This includes forensic analysis, determining the impact of incidents, and performing mitigation activities to prevent the spread of events.”
These requirements align perfectly with point-in-time recovery and investigation capabilities, as they enable organizations to detect, analyze, and respond to changes in their identity environment across extended time periods.
The financial impact of regulatory non-compliance has grown substantially over the past decade. Research indicates that “organizations are facing a 45% increase in non-compliance expenses since 2011,” according to findings from an independent Ponemon Institute study commissioned by Globalscape that surveyed dozens of multinational corporations.
The financial consequences are significant—organizations typically face average non-compliance costs of approximately “$14 million,” with some cases reaching nearly “$40 million,” based on the research data.
Point-in-Time Recovery: Beyond Basic Snapshots
Traditional backup approaches typically rely on daily snapshots—full copies of your environment taken at fixed intervals (usually every 24 hours). While this provides some historical reference, it falls far short of compliance requirements for several reasons:
- Limited granularity: Changes that occur between snapshots are lost
- Fixed recovery points: You can only recover to predetermined times (midnight, for example)
- Limited history: Many solutions only retain a limited number of snapshots
“While GDPR does not provide a specific timeframe for retaining personal data, it emphasizes that data cannot be kept indefinitely. To comply with GDPR requirements, companies must establish a data retention policy with flexible, configurable retention periods.”
This need for flexible, configurable retention policies is difficult to satisfy with rigid snapshot-based approaches.
Acsense’s approach is fundamentally different.
Rather than taking periodic snapshots, our platform captures every change to your identity environment in a purpose-built database. This allows for precise point-in-time recovery to any moment—not just predetermined backup windows.
This difference becomes critical in compliance scenarios.
For example, if an auditor asks about system access at 2:37 PM on a specific date six months ago, a snapshot-based solution would only be able to provide information from the nearest snapshot (which might be midnight or noon).
Acsense, however, can show the exact state of your identity environment at 2:37 PM on that day, including all user attributes, group memberships, and application assignments.
Tenant Investigation for Compliance Reporting
Beyond recovery, compliance often requires investigating changes over time.
“In compliance with the GDPR, organizations are required to conduct a data inventory to collect and manage records of processing activities, including establishing the categories of data and tracking who had access to what resources and when.”
Acsense’s tenant investigation capability allows you to:
- Compare any two points in time in your identity environment
- Identify all changes between those points
- Generate comprehensive reports of these changes
- Export findings for audit documentation
This capability transforms compliance investigations from painful, multi-day projects into straightforward tasks that can be completed in minutes.
Consider a scenario where an auditor asks:
“Show me all privilege escalations for financial system access that occurred during Q2.”
With traditional identity management, this would require manually reviewing countless logs and piecing together information from multiple sources. With Acsense’s tenant investigation, you can simply select the start and end dates, apply the relevant filters, and generate a comprehensive report.
Acsense’s tenant investigation tools provide exactly this visibility into identity changes over time, satisfying both compliance requirements and security best practices.
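As an added illustration (not Acsense's code or schema), the block below models the two operations the preceding sections describe over a hypothetical tenant: every entitlement change is appended as a versioned record, the exact state at any instant (the 2:37 PM case) is rebuilt by replaying records, and two points in time are diffed for an audit report. The users, group names and timestamps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime
@dataclass(frozen=True)
class Change:
    ts: datetime  # when the change was recorded
    user: str
    attr: str     # "groups" or "apps"
    value: str
    op: str       # "add" or "remove"

# Constructed sample change log for a hypothetical tenant (group names are made up):
CHANGE_LOG = [
    Change(datetime(2025, 4, 1, 9, 0), "alice", "groups", "Finance-Approvers", "add"),
    Change(datetime(2025, 4, 1, 9, 0), "bob", "groups", "Finance-Executors", "add"),
    Change(datetime(2025, 5, 14, 14, 37), "bob", "groups", "Finance-Approvers", "add"),
    Change(datetime(2025, 5, 14, 23, 59), "bob", "groups", "Finance-Approvers", "remove"),
    Change(datetime(2025, 6, 20, 11, 5), "carol", "apps", "NetSuite", "add"),
]

def state_at(log, ts):
    """Replay every change recorded at or before ts: {user: {attr: set(values)}}."""
    state = {}
    for c in sorted(log, key=lambda c: c.ts):
        if c.ts > ts:
            break
        values = state.setdefault(c.user, {}).setdefault(c.attr, set())
        if c.op == "add":
            values.add(c.value)
        else:
            values.discard(c.value)
    return state

def flatten(state):
    """Turn nested state into (user, attr, value) triples so two states can be set-diffed."""
    return {(u, a, v) for u, attrs in state.items() for a, vs in attrs.items() for v in vs}

def diff(log, start, end):
    """Tenant investigation: entitlements that differ between two points in time."""
    before, after = flatten(state_at(log, start)), flatten(state_at(log, end))
    return sorted([t + ("added",) for t in after - before] +
                  [t + ("removed",) for t in before - after])

def sod_violations(log, start, end, approve="Finance-Approvers", execute="Finance-Executors"):
    """Users holding both roles at ANY recorded change in the window, not just its endpoints."""
    hits = set()
    for ts in sorted({c.ts for c in log if start <= c.ts <= end}):
        for user, attrs in state_at(log, ts).items():
            if {approve, execute} <= attrs.get("groups", set()):
                hits.add((user, ts))
    return sorted(hits)
```

Note that diffing only the window's endpoints never surfaces bob's afternoon-only membership in both finance groups; only evaluating state at every recorded change (as sod_violations does) catches it, which is the granularity argument against midnight snapshots.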
Real-World Compliance Use Cases
SOX Compliance: Demonstrating Separation of Duties
A financial services firm needed to demonstrate that no single individual had both approval and execution rights for financial transactions over the past fiscal year. SOX compliance requires specific internal controls for financial reporting, with documentation that must be retained for 7 years in many cases.
Using Acsense’s tenant investigation, they were able to:
- Select multiple points throughout the year for investigation
- Generate reports showing group memberships and application access for finance team members
- Verify that proper separation of duties was maintained
- Provide documented evidence to auditors
The entire process took less than an hour, compared to the estimated week of work it would have required without these capabilities.
Data Access Investigation for GDPR
Following a data subject access request, a European organization needed to determine exactly who had access to a specific customer’s personal data over the previous 11 months. GDPR mandates that organizations must “establish a data retention policy that defines the duration for which personal information will be retained.”
With Acsense, they:
- Used point-in-time recovery to examine their identity environment at monthly intervals
- Identified all users with access to the relevant applications
- Generated comprehensive reports for their Data Protection Officer
- Demonstrated compliance with GDPR’s accountability principle
What would have been virtually impossible with standard identity management tools became a straightforward compliance process.
Healthcare Breach Investigation
A healthcare provider detected unauthorized access to patient records.
To comply with HIPAA breach reporting requirements, they needed to determine exactly when the breach began and what records might have been affected.
The latest HIPAA guidance from 2024 requires covered entities to “implement technical and procedural mechanisms to record and examine activity in information systems that contain or use ePHI.”
Using Acsense’s tenant investigation:
- They compared their current identity configuration with points in time before the suspected breach
- Identified unauthorized changes to access permissions
- Pinpointed when the changes occurred
- Generated the required documentation for regulatory reporting
The Database Difference
The capabilities described above aren’t simply features—they’re the result of a fundamentally different approach to identity backup and recovery.
By building on a database architecture rather than simple file storage, Acsense enables:
- Granular tracking of every change to every object
- Relationship mapping between identity objects
- Millisecond-level queries across large datasets
- Complex comparisons between different points in time
This architecture was specifically designed to address the compliance challenges that organizations face with their identity systems.
According to NIST Special Publication 800-53 Rev. 6, organizations must “perform reviews and analyses of information system audit records for indications of inappropriate or unusual activity.”
Acsense’s database-driven approach makes these reviews both possible and practical.
Beyond Compliance: Operational Benefits
While meeting compliance requirements is essential, these same capabilities deliver significant operational benefits:
- Quickly investigate unexpected changes to your identity environment
- Understand the impact of configuration changes over time
- Create documentation for governance processes
- Support security investigations with precise historical data
The Tenant-Level Time Machine
Okta’s native system log keeps 90 days of events. After that, evidence evaporates (Okta Docs).
By contrast, a purpose-built IAM backup engine stores every change as a new version, forever (or the retention you set).
The result is a Time Machine:
| What you can do | How it helps | Persona impact |
|---|---|---|
| Scrub through time to any second, day or year | Pinpoint when a mis-configuration entered the tenant | CISO, Incident Response |
| Compare two points in time (e.g., pre-deployment vs. now) | Instantly see added / removed policies, apps, roles | DevOps, Change Management |
| One-click rollback at object-level (single group) or bulk (entire tenant) | Undo mistakes without touching healthy objects | IT Admin |
| Clone historical state into a sandbox tenant | Safe testing, forensics, training | Compliance, GRC |
Because every version is stored in an immutable, air-gapped database, attackers cannot erase their tracks, and auditors can reconstruct events years later.
Mapping Value To Each Persona
- CISOs & Security Architects
  - Assurance: automated tests prove backups are restorable and log integrity is preserved.
  - Forensics: full-history Time Machine satisfies incident-response and e-discovery.
- IT / IAM Administrators
  - Speed: no more manual script-based restores—select a point-in-time and the platform orchestrates rebuilds, including app integrations.
  - Granularity: reverse a single bad change instead of nuking the tenant.
- Compliance & Risk Officers
  - Evidence: downloadable Recoverability Reports show last pass/fail, duration, and coverage—ready for ISO 27001, SOC 2, NIST CSF 2.0 or DORA audits.
  - Retention: immutable logs extend far beyond Okta’s 90-day window, supporting long-tail investigations.
- Business & Finance Leaders
  - Continuity: faster, predictable recovery slashes outage impact.
  - Cost justification: automated testing eliminates labor and reduces breach expenses (IBM data).
Evaluating Your Compliance Readiness
As you assess your organization’s ability to meet compliance requirements for identity data, consider these questions:
- How would you respond to an auditor’s request for identity access information from 9 months ago?
- Can you determine exactly who had access to critical systems at any specific point in time?
- How long would it take to generate a report of all permission changes over a given period?
- Do you have evidence that your identity controls have been consistently enforced?
If answering these questions reveals gaps in your compliance capabilities, it may be time to consider a more robust identity resilience solution.
Want to see how Acsense can transform your IAM compliance capabilities?
Contact us for a demonstration of our point-in-time recovery and tenant investigation features.
References:
- Jatheon. “Data Retention Policy 101.” https://jatheon.com/blog/data-retention-policy/
- Nexsan. “Understanding Data Retention Policies for Regulatory Compliance Practices.” https://www.nexsan.com/resources/understanding-data-retention-policies-for-regulatory-compliance-practices-2/
- Secureframe. “15 Essential Regulatory and Security Compliance Frameworks.” https://secureframe.com/hub/grc/compliance-frameworks
- Globalscape. “The True Cost of Compliance With Data Protection Regulations.” https://www.globalscape.com/resources/whitepapers/data-protection-regulations-study
- NIST. “The NIST Cybersecurity Framework (CSF) 2.0.” https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.pdf
- Fortra. “Data Classification: Enabling Compliance with GDPR, HIPAA, PCI DSS & SOX.” https://dataclassification.fortra.com/blog/data-classification-enabling-compliance-gdpr-hipaa-pci-dss-sox-more
- BigID. “What Is Data Retention? Implementing Effective Practices.” https://bigid.com/what-is-data-retention/
- The DPO Centre. “Data Retention and the GDPR.” https://www.dpocentre.com/data-retention-and-the-gdpr-best-practices-for-compliance/
- RSI Security. “How Long Can You Store Data Under GDPR?” https://blog.rsisecurity.com/how-long-can-you-store-data-under-gdpr
- Drata. “What Is a Data Retention Policy? Best Practices + Template.” https://drata.com/blog/data-retention-policy