The Hidden CPS 230 Risk No One’s Talking About: Your Backup Platform
- David Long
- Aug 2
Updated: Aug 8

CPS 230 is a seismic shift in how Australian financial institutions must manage operational risk and resilience.
Boards are reviewing business continuity plans. Third-party relationships are under the microscope. And DR testing is suddenly on every CIO’s calendar.
But amid the checklists, briefings, and compliance reviews, one critical risk continues to be overlooked:
👉 Your backup platform.
Because when something goes wrong - and it will - resilience doesn’t come from the cleanest BCP document or the best post-mortem.
It comes down to one question:
Can you recover?
Independently. Instantly. In compliance.
⚡ The Moment of Truth Isn’t the Outage - It’s the Recovery
Ransomware. Azure identity failures. Global SaaS platform disruptions. These aren’t hypotheticals - they’re regular headlines.
But when the incident happens, it’s not the root cause your executive team obsesses over.
It’s the recovery.
“Where’s the data?”
“How fast can we restore it?”
“Who controls access to our backups?”
“Are we still compliant - or exposed?”
If your backup lives inside the same blast radius that just failed, those answers may not be what you need to hear.
⚠️ The Hidden Risks Behind Most SaaS Backup Architectures
Most “enterprise-grade” SaaS backups today quietly replicate the same weaknesses they’re supposed to protect against.
These risks fall into two distinct - but often overlapping - failure categories:
1️⃣ Shared Infrastructure Risk
Backups are stored in the same cloud platform and infrastructure as production, creating a shared failure domain. If the platform fails, both go down.
🔁 Microsoft 365 → Often backed up via Microsoft 365 Backup, AvePoint, or Veeam Data Cloud - all inside Azure
🔁 Entra ID, D365, Azure DevOps → Native snapshots live in Azure regions, dependent on Microsoft identity and access layers
🔁 Salesforce → Backups via OwnBackup or Veeam, typically stored in AWS
🔁 Jira, Confluence, Zendesk → 3rd-party backups (e.g., CloudAlly) often hosted in AWS
📉 When platform = production = backup, there's no true redundancy - just a mirrored failure.

2️⃣ Jurisdictional Risk (The CLOUD Act Problem)
Even if your backup lives in a separate region or cloud, the legal ownership of the infrastructure still matters.
🇺🇸 Vendors like Microsoft, Google, Veeam, AvePoint, OwnBackup and AWS are all U.S.-based
🛰️ Even when data is stored in Australia, it may be accessible under the U.S. CLOUD Act
⚖️ This introduces legal and compliance conflict for APRA-regulated entities requiring full sovereignty
Jurisdiction follows the vendor - not the server. Data residency means nothing if foreign law enforcement can demand access.

💡 Real Resilience Means Recovery Outside the Blast Radius
Keepit was designed to break both of these risk patterns - not just as a backup vendor, but as a platform for operational independence.
✅ Off-cloud and off-platform - no Azure, AWS, or GCP dependency
✅ Immutable by design - via blockchain-based object storage
✅ Hosted in Australia - local data centres, full transparency
✅ Instant recovery - no delays, no dependency on vendor access
✅ Compliant architecture - aligns with APRA’s resilience expectations

CPS 230: Where Keepit Delivers

1. Operational Resilience
“Maintain critical operations during disruption”
Keepit allows recovery even if Microsoft or Salesforce is offline:
📁 Access emails, SharePoint, Teams, Entra ID
🔐 Restore identity and permissions
📜 Maintain audit trails and compliance logs
2. Operational Risk Management
“Identify and mitigate operational risk”
Keepit removes the operational fragility of shared cloud platforms:
🚫 No reliance on Azure, AWS, GCP
🔒 Immutable by architecture
👁️ Full audit trails and forensic recovery
3. Third-Party Provider Risk
“Manage risk from critical service providers”
Keepit offers full transparency and zero hyperscaler dependence:
🛰️ Hosted in Australia - not on U.S.-controlled infrastructure
🧾 Clear line of sight to where your data is - and isn’t
🧠 Proven separation for CPS 230 assurance reviews
🧠 Why This Matters

🔗 Let’s Redefine Resilience
CPS 230 isn’t just a compliance exercise. It’s a shift in mindset from failover planning to recovery proof.
And that starts with backup.

At FullBackup, we’ve partnered with Keepit to help Australia’s financial institutions stay one step ahead.
✅ Immutable
✅ Independent
✅ Instantly restorable
✅ Hosted in Australia
✅ Outside of Cloud Act risk
✅ Built for CPS 230
👉 Ready to prove your resilience under CPS 230?
Book a demo → https://www.fullbackup.com.au/demo-and-pilot or chat with our team - and see how Keepit keeps you in control when it counts.