Backup Is “Boring”? Veeam’s Michael Cade on Ransomware, Edge & the Hypervisor Hunger Games

Bruce Kornfeld

Welcome to PodMagic, real conversations about solving real IT challenges. I’m your host, Bruce Kornfeld, the Chief Product Officer at StorMagic. And we’re always exploring how to deliver simple, reliable technology that benefits you and the customers that you serve, whether that’s retail, stores, branch offices, manufacturing sites, or just supporting customers on the front lines.

My goal is to bring interesting guests, deliver some value, and have some fun along the way. Let’s dig in. I’m really excited about today. I’ve got Michael Cade, who’s the Global Field CTO from Veeam. So welcome, Michael, and maybe just a quick intro would be good.

Michael Cade

Hey Bruce. So I’m at Veeam. I’ve been at Veeam for just over 10 and a half years now. Seems wild to say how long. In the backup space. But even before then I was focused around virtualization storage and all of that good stuff as we get into where we are today and where we’re going.

Bruce Kornfeld

Backup, data protection, ransomware. All this stuff is a huge topic in the industry. It’s a lot to talk about, but let’s just start with a fun one. I’ve heard you use the phrase, backup is boring. And you’ve been at Veeam for over 10 years. It must not be that boring. So what do you mean by this?

Michael Cade

I think backup is always at the bottom of everyone’s list, right? We like the insurance policy when bad things happen to your house, to your car, to your data. That’s where backups come in. But it’s a necessity. Everyone needs it and that’s why I’ve been saying backup is boring for the last decade is that it’s relatively boring. Recovery’s fun. Well, probably not for the people recovering. How do we get that data back and how do we get it back as fast as possible? We’re kind of the insurance company for your data. But hopefully throughout this conversation we can get into some of the reasons why I’m sticking around at Veeam and talking about this stuff.

Bruce Kornfeld

I would say it’s a good thing that I have all of the multitudes of insurance that I do personally on auto pay. It just frustrates the hell out of me about all the different amounts of money that I spend monthly on insurance that I seem to never need. But that one day it’s going to be needed.

I’m sure you might be a little tired of talking about it, but it’s still topical, which is that Broadcom bought VMware. In our world, at StorMagic, we focus on the edge. We’re all about hypervisors and storing data and it’s a huge impact for our business. What have you seen at Veeam, what are the ripple effects of the Broadcom VMware acquisition the way you see it?

Michael Cade

Yeah, so I’ve been calling this the hypervisor hunger games and maybe it has disrupted, but it’s definitely made people talk about where they’re running their workloads, be it mission critical workloads or even the tier ones, tier twos, the edge devices, et cetera. There’s a lot of talk track around that disruption in the market about people needing an option, an answer, a way to get away or to move their workloads here, there or everywhere so that they can continue to run their business. That’s a constant in every conversation that we’re having.

Bruce Kornfeld

It seems like what we hear is, a very high majority of enterprises out there, data center and edge use cases, just got fat dumb and happy with VMware. I’m not going to slam Microsoft, Hyper-V is awesome, and a lot of people still use it, but they were dominant market share for hypervisor. And all of a sudden now there’s a lot of desire to change. It’s not easy to change, but I can understand the Hunger Games comment. It’s a free for all out there. What are end users going to go do? It’s pretty complicated, which kind of leads to the next topic, around edge and small sites. What do you see customers struggling with protecting data at the edge? We see a lot of growth in edge computing and customers figuring out how to run things outside of a data center. What are you saying is the customer impact of that?

Michael Cade

I think especially edge as a platform, or edge as a location, has massively grown over the last few years as well as, I think the more and more workload data intensive workloads that work out there on the edge and having to get that data either back to a central location or at least backed up to a location is something that we’re, we’re having to traverse quite, quite a lot. Ultimately an edge device to us today, like an edge device five years ago was probably an IoT type device. Now we’re looking at a minimum number of nodes that run our virtual machines that make up that edge or that what we used to be cool like ROBO type remote office branch office type scenarios. I think that the challenges are still relatively the same in that the speed of light and being able to move that data in the right place is a challenge for a lot of people.

Bruce Kornfeld

What are you seeing for architectures in terms of data protection at the edge? I’m sure it runs the gamut, but are companies storing data locally? Are they using local disk-based backup? Are they doing tape? Are they doing everything to the cloud? What architectures are you seeing out there when customers are trying to protect their data at these smaller sites?

Michael Cade

It’s a bit of everything, but I think to go back to that ROBO edge type scenario, depending on the nature of that data. I’ll use an example of a supermarket, 1500 stores that they’ve almost got a mini data center in each store. They run in virtual machines, 10 plus virtual machines. They’re running their databases. They’re running everything that then syncs back to a central location, but equally, they need to have the ability to run if that connectivity goes down, they need to be able to work. In that particular architecture, they’re running a backup server locally. They’re storing the data there as well for that 7, 14, 30 day type retention. Then they’re tearing that off into the public cloud, into Veeam Vault, which is our SaaS based offering to store data. But equally, they could be using Azure Blob, they could be using AWS 3 for that 30 day plus type retention if it’s important enough data. But then we’ve got on the flip to that, the backups need to come home to a data center. Being able to lift and shift that data back. And I think the architecture depends on what is the edge and how do you define the edge within that company and how important that data is and the disaster or the bad things that happen to that edge is really about the SLAs and if you’re sending data back to a data center and that link speed isn’t particularly great, the recovery time objective is going to be hindered by having that data not on site right next to that workload. It’s a bit of everything I think, though we’re still seeing that traditional model of 7, 14, 30 day type retention as close to the production data on the edge as possible, like a mini data center. But equally, link speed will play a huge part of that depending on where you are in the world being able to send that data off and use the cheap and deep storage solutions that we’ve all come to see over the last 5-10 years.

Bruce Kornfeld

The nice thing for companies like Veeam and StorMagic both is, there’s millions of end users out there. Everyone does things slightly differently. But when they get bought into what you’re talking about, if they need the SLAs, they need to recover quickly. They’re going to do some kind of storage something for backup data. That’s good for Veeam and that’s good for storage companies like us. We love to store more data.

Under the topic of backup, we run into some large enterprises that have thousands of edge sites, small sites. Let’s just say retail. Some of them, though, have chosen to not use a commercial backup package like Veeam. They have an architecture that says, the data at the edge is important, but we don’t need to back everything up all the time. They have technologies to do synchronization at night, to upload transactions. If there’s a catalog or an inventory that, if there’s an outage, they can recreate it pretty quickly. They get the sensitive data on their own just to a data center or a cloud, but they don’t use backup software. How do you react to that?

Michael Cade

I think if it has been architected correctly, the difference between something like a high availability cluster within SQL or something is one thing. But if you replicate a bad change in a SQL database that gets replicated wherever it goes. That’s the whole point between a disaster recovery and a backup solution. I think the awareness is the most important thing. And that’s one thing I’ve learned over the last 10 years of being at Veeam and even working with backup tools over the last 20 years is, they don’t know what bad looks like until they’ve experienced bad, so high availability is great. I encourage everyone should be, if licensing enables it, they should make as much as possible highly available, but that’s not a backup because that generally means you’re going to be replicating. If something bad happens, then it also gets replicated.

Bruce Kornfeld

Yeah, and you’ve got to find a way to recover quickly. And that could be hard if everything’s in the cloud, et cetera. I’ve got a side question for you. I used to do some work with Spectralogic in the tape world. Do people still use tape? Do you run into it a lot? What’s that world like right now? I haven’t followed it.

Michael Cade

My boss Dave Russell is a big proponent of tape and I wanted tape to go away because tape’s hard to deal with, to manage, to send that physical bit of carbon to go off to a mountain somewhere. But ultimately, especially in Europe, where there’s regulations around storing data offsite and in an immutable form where we know that disk storage enables us to have offsite immutable copies of that data. Some regulations just don’t have that knowledge of technology today in 2025 and going wherever we’re going next. Tape is still absolutely needed, especially a lot of financial institutions and healthcare over here in Europe.

Tape is still very much alive. I couldn’t tell you what the latest LTO capacity is. From a Veeam point of view, we still massively support the ability to send backups to tape. Actually when I first started, it was, how are we going to send that 14, 30 day plus data to a tape? Now we’re probably getting to more, how do we send them monthly? How do we send them, maybe even yearly off the table? Let’s keep as much on disk as we can because of the fast recovery experience and then offload for audit for regulation reasons, we’re going to put it to tape. Might hopefully never need to recover from them, but they’ve got them to tick the regulation box.

Bruce Kornfeld

Think about what it would be like if you really needed to recover in a timely manner from tape and that tape is not on-prem, you’re talking days or weeks of shipping.

Let’s go, let’s go back into the hypervisor world question. This is kind of relevant for StorMagic as our SVHCI product is a hypervisor, a full stack HCI. Let’s talk about agent-based backup versus agentless. In a perfect world, a lot of customers have just gotten used to agentless with VMware, but that doesn’t exist in other hypervisors all the time. What advice do you have for end users to think about potentially saying, I know you’re used to agent-based with VMware, but to change hypervisors, you might need to go agent-based. What are the pros and cons here to talk to the audience about how agent-based backup could work for them?

Michael Cade

The first, which is a non-technical is the Veeam Universal Licensing is that, let’s say, you’ve been looking after a hundred, a thousand VMs on say a VMware stack. That same 1000 license that you have at Veeam will follow you anywhere. Whether it’s cloud-based workloads or agent-based workloads. That’s the first, you don’t have to go and buy another product when it comes to Veeam. That’s the first and foremost, which opens the door to that flexibility story about being able to really protect any workload anywhere. In StorMagic’s eyes, we’ve got the ability to protect those mission critical workloads that live on your hypervisor. As we get into the technical, the majority of these important systems are going to be running some sort of important database like a SQL database and no SQL database and MongoDB. For example, they’re going to need some sort of consistency. That runtime means that we’ve got to make sure that we’re talking to the database. You don’t want to just be pulling out the power cable. So that agent approach or agentless is the ability to take a consistent copy of that data and make sure that we can recover that when bad things happen, but equally be granular about what that needs to look like as well.

One of the big ethos of Veeam is the portability story. How can we take any image-based backups and be able to restore that into any location. So from an agent perspective, if we’re taking an agent backup of a Windows server running Microsoft SQL, not only do we have the granularity of being able to say, we’re going to take the backup now and let’s pause the IO and take that consistent copy. That gets stored into something called a VBK format. And that VBK format gives us the ability to restore that either back to an agent or elsewhere. That’s where the flexibility comes in, not only the license, but also the ability to protect that. We also have the explorers that allow us to dive into those applications. MongoDB, Postgres, Microsoft SQL server. We’ve got the ability to take those backups in a consistent fashion, but now we can dive into that database and pull-out individual items. We’ve got that same capability across, whether it’s a virtual machine through native integrations with the hypervisor or through agent based. I don’t see a difference when it comes to agent versus agentless. It just means that we’ve got an agent on that machine, which means we could probably do more with that data.

Bruce Kornfeld

What about from a backup data protection admin perspective? If they are used to using Veeam, the user interface they have, do they have to learn anything new or is it the setup part that’s different, but the administration is the same? Can you talk about that a little bit?

Michael Cade

Another big ethos is the flexibility of being able to use that license wherever it needs to be. During these hypervisor hunger games, making sure that you choose the right district, but also from an agent point of view, the same UI, the same easy look and feel wizard driven approach to be able to protect those agents is exactly the same as from a hypervisor perspective.

Bruce Kornfeld

You get used to what you’re used to. IT departments have gotten used to the simple integration with VMware. They don’t have to think about agents. And now you say, well, if you want to change hypervisors, you might have to do something different. Maybe it’s just comfort or education or something like that, the IT admins have to think outside the box a little bit, but they get the same, they get the same benefits, it sounds like.

Michael Cade

The one thing I’d add as well within the Veeam console from a Veeam data platform perspective is we’ll look after all the deployment and the management and the updates of those agents as they get deployed. We could use Active Directory to deploy out to the machines that you want to be protected. So that could be a mixture of a bit of physical as well as hypervisor-backed virtual machines with our agents. And we use policies to be able to deploy the agent out into those machines, those systems. Equally though, you could do it on a one-to-one basis. That gets a bit hectic if you’re doing more than 10 machines. We want to give you the ability to automate that through Active Directory or through CSV of those machines. Ultimately, we’re going to look after one of the biggest things, and Veeam came out of this. This is how Veeam started. Protected vSphere workloads in an agentless fashion whilst our competition were putting agents on the VMs. Veeam comes along and starts hooking into the vSphere APIs and be able to say, we’re just going to take the backup from there, help working on changeable tracking, et cetera. Then everyone followed suit. The overhead of agents back then was, you had an agent for Exchange, had an agent for SQL, you had an agent for Windows, you had an agent for Linux. You just have multiple agents for a lot of different things. Our agents are Windows, Linux, and within those agents, they enable us to protect the application that’s inside of that machine. Back then there was 40 plus agents to deal with and maintain.

Bruce Kornfeld

I do remember those days. I was at Dell back then. I remember all that. So you’ve made it super easy for agents to be deployed and managed, is basically what you’re saying.

Speaking of which, I had another question on this topic. Installing an agent on every VM can sound like an arduous task, but what have you done to make it easy and what about patching and keeping them updated? Is that hard to do using VMs tools?

Michael Cade

Again, in the same fashion, because we’ve deployed that agent from a centralized location. We’ll also look after the updates to all of those agents that we’re deploying.

Bruce Kornfeld

That’s what I figured. Let’s move on to another one here. Let’s talk about something that’s core to StorMagic. And I assume that Veeam has similar focus, which is simplicity for end users and flexibility. How does that work for Veeam and in the backup world and data protection world, simplicity and flexibility?

Michael Cade

Simple is one of our tag lines. I believe it to be the case, the tagline of it, it just works. You deploy Veeam data platform on-prem and you point it to your infrastructure, be it physical, be it hypervisor, be it cloud. And you start protecting, you start the insurance policy of protecting those workloads, those data endpoints, be it unstructured data, be it agents, be it hypervisors, be it enter ID, et cetera. It’s still just that same wizard driven approach to be able to get protecting those workloads from a simple point of view. From a flexible point of view, touched on Veeam Universal Licensing. That’s the flexibility about not having to go and buy XYZ product today, because that’s what your environment looks like. So then having to go and buy ABC, the following day or 90 days time because of the Hunger Games, that license follows that customer wherever it needs to be. It can be VM to agent, but equally it could be agent to unstructured data. It could be enterprise applications for MongoDB. It’s flexible in terms of, it doesn’t matter what the workload is, it can protect and follow that workload wherever it needs to be.

Bruce Kornfeld

We have a lot of joint customers between Veeam and StorMagic. One of the reasons is what we’re talking about here is, simple approach, flexible approach, and customers like that these days. They have plenty of other things to worry about. They don’t want to spend nights and weekends worrying about setting up and managing their backups, right?

I want to move to ransomware. I am not an IT director but if I was, I would be very stressed about this. What does Veeam do to help end users have a little bit of sanity around being prepared if and when this ever happens to them, what do you guys do to help them?

Michael Cade

There’s a couple of areas. There’s, we’re touching data from a source, from a production perspective, all the way through to protecting that and storing it in a location. As it’s coming through, we’re going to do some inline malware scanning against that data to inform us if something doesn’t look right or is suspicious, we can flag that. You can see that in the UI. You can then go and investigate that. To me as an IT director, that’s great. I’m going to get thumbs up or thumbs down potentially to say something’s bad. And at that point, I wanted to know about that way before then. I wanted to know that from my EDR or EDX type tool. We have something called an incident response API, which enables EDR tools to send the smoke signals when they see something bad happening, which can trigger a backup or a restore job so that you’re ahead of the game. That smoke signal’s gone up, we know that there’s a fire. It might just be an alarm test, but at least we’ve instigated something potentially seconds, hours before the fire erupts and we can start to bring that data up wherever it needs to be, or even just take a backup right now because that smoke signal just came through.

We have the before the backup, the during the backup, and then after the backup, it’s about how do we help our customers store that data in the most secure way possible? We spoke about tape. That’s one way, it’s immutable, it’s offsite, it’s not accessible, it can’t be encrypted, unless you’ve encrypted it. We want to encourage our customers to store that data in an immutable location, object storage, using object lock APIs, et cetera. And that’s all great.

That flow works except for what happens if something wasn’t picked up and stored in a backup. Then when we come to recover that, you don’t want to recover bad data or malicious data. On the way back through, we also have a feature called secure restore, which is going to put everything into an isolated environment. It’s going to run a scan again, using malware tools to make sure that we’re not basically restoring bad data. Maybe that’s come through signature updates or maybe we’re six months down the line and we’re restoring something back that the malware was in the backups at the time. Nothing picked it up, no smoke signals, et cetera, and now it’s in the backup. This gives us the ability to flag that before it comes back.

Bruce Kornfeld

It seems like a lot of things in IT are very hard. I would not want to be an IT manager or IT director. There are so many different ways to solve problems, but in the world of ransomware, do you think customers can have a really sound ransomware protection strategy without the help of their backup provider like Veeam? What if they didn’t use any of your tools? They defend really well without it. Or do you see the backup software as a key component to ransomware protection?

Michael Cade

It’s an interesting take and I mostly see this in the Kubernetes world and the cloud world actually, where I’m just going to use native backup tools. I’m going to create a script that does this, this and this. It’s like Veeam, but I’m using our clone and older technologies and that’s great. It will work to a degree, but you’re not going to be able to integrate everything. You’re not going to see the smoke signals. During the backup, you’re not going to get the DJ, the compression. You’re not going to get the landing in a location that is secure. You’re not going to get the secure restore. I go back to my initial point, backup is boring, don’t spend time doing that. That’s good. Someone is going to build scripts, that is going to take a lot of time. You’re then going to be relying on them from a business perspective, where if you just plumbed in a piece of software, be it Veeam, be it anyone, and orchestrate that solution. Now that person who clearly can do some coding and they can write some scripts, elevate them up the stack and they can do something for the business, and there could be better business outcomes from that. That’s what I’d say. Yes, you can do anything from a script, but someone’s got to maintain that script, offload that maintenance to an enterprise software company. I’m sure you’re the same from a storage stack perspective. You can run storage on a commodity, but it’s not going to be the enterprise solution that you have that stores and looks after the data.

Bruce Kornfeld

You heard it here first, folks. If you’re not using some kind of commercial backup software to help you with ransomware, bad things are going to happen.

Let’s wrap up with an easy one for you, which is just give you the platform and the opportunity to talk about what do you see in the future. Let’s just say beyond one year. Is it three years, five years? Where do you see backup and the data protection world heading in the future?

Michael Cade

We’ve been talking about leveraging data for a long time. I’ve mentioned about backup and insurance policy and a lot of data gets stored in those secure locations and they just get left there until they age out. For a while now Veeam has had the ability to unleash that data, do something with that data. We’ve done well, Bruce, not to mention AI, but we could leverage that data to actually do something from an AI perspective. You’ll store all your mission critical data in that backup. Put that data to work, versus having to put your production workload to work and hinder production workload or production performance for your users. That’s an option.

Another option in the data space is, how do we enable our customers to better understand their data so that they can protect it better. Have a good grasp on what’s gold, what’s silver, what’s bronze, what’s sensitive. Equally, that will then lead also into that AI pipeline creation, or let’s just understand what hasn’t been touched for so long. How many customers out there or how many people out there are storing data? We’re all humans. My garage is an absolute mess of stuff, I’ve moved it here and I haven’t even touched the box. We do that with our data as well. If we could move it off that really expensive enterprise storage and tear that off to cheaper, deeper storage, because we found out we understood our data better. That’s going to enable so many more things from a data security point of view, from a data intelligence point of view, and a protection point of view. How do we be more resilient if we understand our data better? That’s where I think we’re headed.

Bruce Kornfeld

Sounds like in the next few years you’re going to be busy. Michael, this has been awesome. Thank you so much for joining, it’s been great having you. Hopefully, we can have you on again next year sometime. We’re going to keep doing our thing and find more opportunities to solve customers’ problems. Thanks for joining.

Michael Cade

Awesome. Thanks for having me, Bruce.

Bruce Kornfeld

Again, this is Bruce Kornfeld, the host of PodMagic, having real conversations about real IT challenges. Thanks for joining, we’ll see you next time.