Veeam Believes You Need Cyber Insurance Insurance

Cyber insurance is supposed to be your salvation when disaster strikes. Veeam and others at its VeeamON conference in Miami this week are increasingly convinced that what the world really needs is salvation from cyber insurance.

Anyone who’s helped a client complete a book-length application questionnaire lately knows why. Despite halting signs of progress, coverage continues to grow harder to get, harder to afford, and harder to use.

Data from Veeam’s latest Ransomware Trends Report, published this week, illustrates the matter. Just under three-fourths of businesses polled for that study saw their cyber insurance premiums climb in the last year, 43% saw their deductibles rise, and 10% saw their benefits drop. A mere 8% suffered none of those problems.

Indeed, some of the people Channelholic spoke with this week can imagine a realistic future in which some businesses simply can’t find coverage worth having at any price. “This whole model looks like it’s becoming increasingly untenable,” says Dave Russell, Veeam’s vice president of enterprise strategy.

It’s a frustrating situation for MSPs and their customers alike. Veeam believes data protection is the best revenge. The company likes to say, with tongue only slightly in cheek, that the ultimate goal of its various anti-ransomware efforts is to render cyber insurance obsolete. Everyone should have it, Veeam concedes, but if you’ve got the right tools and best practices in place, you shouldn’t need it, just as people who drive safely rarely file auto insurance claims.

“If you don’t have the accident, you won’t need the insurance,” explains Danny Allan, Veeam’s CTO. “The same thing is true in the data protection space.”

The key, Allan emphasizes, is offering comprehensive data protection versus mere backup. In February, Veeam unveiled the first edition of its new Veeam Data Platform. Like that product, the company believes, partners should combine backup with proactive monitoring, orchestrated recovery, and analytics for physical, virtual, and cloud resources. Doing so not only protects businesses better from the digital equivalent of car wrecks, according to Allan, but opens up new revenue opportunities for IT providers as well.

“It allows them to expand horizontally across the infrastructure. It also allows them to expand, I’d argue, vertically into services,” he says.

Not coincidentally, “expand” was the theme of this year’s VeeamON conference. It also inspired a solution introduced this week that draws on Veeam software, online storage from Backblaze, and expertise from BDR service provider Continuity Centers to spin up recovery environments—automatically and on demand—using bare metal cloud servers from data center operator phoenixNAP.

“Essentially, the client logs into our portal, fills out a few forms, and hits the initiate recovery button,” says Continuity Centers CEO Gregory Tellone. A collection of pre-coded scripts handles the rest.

Priced at $99 a month (or $499 for a version that comes with professional services assistance) the solution is designed to be a cost-effective alternative to hot standby environments for companies with SMB-sized budgets and loose recovery time objectives, explains Elton Carneiro, Backblaze’s senior director of partnerships.

“They’re getting insurance without paying for insurance,” he says.

Veeam, for its part, sees lots of room for additional cross-selling across the Data Platform. Indeed, 23% of companies that buy Veeam’s rapidly growing Microsoft 365 backup product, which currently supports 15 million paying users, have no other Veeam products in place when they subscribe. Other customers still think the vendor is all about the virtual machine BDR that originally inspired its name.

“One of my frustrations at Veeam sometimes is that people associate us solely with instant VM recovery,” Allan says.

Two VeeamON news notes

1. The Veeam Data Platform’s next big release, due in the second half of the year, will include inline ransomware protection and integration with third-party SIEM services. The former feature will impose only “marginal” overhead on CPU and memory, Allan promises, because it scans only incremental data updated since the last backup. The latter feature will be compatible with SIEM solutions from a range of familiar names.

2. Veeam is actively working with Amazon Web Services, Microsoft, and others to ensure that resellers can profit from sales of Veeam products through hyperscaler marketplaces. And good thing too, because cloud marketplace revenue will soar at an 84% CAGR through 2025 to $45 billion, according to Canalys analyst Jay McBain.

Sales leaders like Larissa Crandall, who became Veeam’s vice president of global channels and alliances last December, are well aware of such forecasts. Crandall participated in a roundtable with 50 channel chiefs last week. “We were all talking about marketplaces,” she says.

Enabling channel partners to get in on marketplace revenue (without relying on the customized “private offer” features both Amazon and Microsoft provide) is trickier than it sounds, however. Figuring it out is a critical matter for channel-only vendors like Veeam.

“Veeam is a very partner-centric organization,” Crandall says. “We’re not looking at doing a direct model all of a sudden.” Marketplace operators are sympathetic to that aim too, she adds.

“They understand that they need the channel to scale as well,” Crandall notes. “We’ll see how it evolves.”

In the meantime, partners not doing some hard marketplace-related thinking of their own should get started, warns Shiva Pillay, who was named Veeam’s general manager and senior vice president for the Americas last week.

“Those that don’t make the leap to that flexible approach I think will struggle with some of these opportunities, because you’ve got customers that prefer to buy off a marketplace,” he says.

More grim stats from Veeam

Those discouraging cyber insurance statistics I referenced earlier weren’t the only ugly numbers in Veeam’s Ransomware Trends Report. Want some more?

1. Nine percent of organizations struck by ransomware in the last year either didn’t or couldn’t verify that their backups were infection-free before restoring them. Another 12%, as a matter of official policy, restored the backup and then simply watched to see if all hell broke loose again. A further 35% scanned the backup for problems, but only after recovering it into production. Just 44% did what Veeam says everyone should: restore the backup to a safely isolated “sandbox” environment before rolling it out more broadly.

2. Fully 93% of companies struck by ransomware in the prior year say the attacker tried to delete or modify their backups, and 75% say those efforts successfully impacted at least some of their files.

3. Some 98% of surveyed businesses say they use immutability or air-gapping techniques to protect at least some of their backups from tampering. That’s actually good news rather than bad, but Allan suspects most of those companies are more vulnerable than they think.

“There are shades of immutability, and when you ask a customer, ‘do you have immutability’ they don’t always understand the nuances of what that means,” he says.

True immutability, Allan continues, involves among other things either storing physical media offsite somewhere or stashing digital copies in a public cloud. “Send it to [Amazon] S3 or Azure Blob and turn on their immutability,” he counsels. As long as the data’s not connected to your network, it should be safe.

Here’s some encouraging news about immutability before we move on

Vendors are trying to make meaningful immutability easier. One such company, named Object First, was founded last summer by two people familiar to most VeeamON attendees: Veeam co-founders Ratmir Timashev and Andrei Baronov. Its debut product is a pre-configured, appliance-based solution named Ootbi designed to make storing immutable backups plug-and-play simple. The product’s name, in fact, is an acronym for “out-of-the-box immutability”.

“By default, the data’s immutable,” says Tony Liau, Object First’s VP of product marketing. “Short of someone taking a hammer and smashing the box, that data cannot be deleted.”

$50,000, he adds, buys you 128 TB of scale-out capacity for a three-year term. Multi-tenancy is still on the roadmap, but the system sells exclusively through the channel.

Please spread the word about Veeam’s free training program for women

We can all agree at a time of extremely low tech unemployment that the world needs more women in IT, right? Veeam’s pitching in by offering $2,500 worth of free Veeam Certified Engineer training to 150 women. Details here.

GDAP D-Day has arrived

Don’t say they didn’t warn you. Microsoft has been telling Microsoft 365 resellers for months that it will begin executing forced migrations from delegated administration privileges (DAP) to the new granular delegated administration privileges (GDAP) on May 22nd. Yet according to cloud management vendor SkyKick, over half of partners aren’t ready for the transition yet, and some still don’t even know it’s coming.

“Partners are up to their eyeballs with busy and they’ve been putting this off,” says Darren Peterson, the company’s head of cloud manager products. That’s rapidly becoming less and less true now though, he continues.

“Maybe they haven’t heard the second hand in their ear, but as of May 22nd, that second hand is making a lot more noise,” Peterson notes.

Few partners dispute the reasoning behind the change. DAP basically thumbs its nose at zero-trust best practices by granting every tech access rights to every Microsoft 365 feature.

“It’s basically giving you all the keys to the entire kingdom,” observes Harpreet Duggal, SkyKick’s global head of product and enterprise marketing. GDAP lets organizations apply least-privilege access principles instead.

“If you’re managing only the SharePoint part of my domain, you get that access. If you’re doing the Azure part, you get that access,” Duggal says. “It lessens the surface area for bad things to happen.”

So far, so good. The problem is that moving all their tenants from DAP to GDAP manually takes a typical partner several hours, Duggal says. And that’s if Microsoft hasn’t shut down your DAP settings yet, which it can do with a promised 30 days’ notice any time it wants now that we’re four days past the deadline. If you still haven’t transitioned at that point, you’ll have to get approval to migrate from your clients.

“The partner initiates a request to move to GDAP, that request comes back to the customer, and the customer has to wade through MFA and all the authentication steps,” Duggal says.

Per an announcement we flagged in Channelholic’s very first post, Microsoft will suspend DAP deprecations during June to minimize disruption during the last month of its fiscal year. Duggal, though, expects the company to get right back in the swing of things early in July and then push to have everyone’s DAP shut down by the end of that month.

That means even though a lot of you reading this have probably missed the deadline, you still have anywhere from five to nine weeks to make the switch to GDAP without the pain of requesting end user approval. SkyKick, in a bid to help, has introduced a free automated migration tool. Based on its Security Manager solution, which the company shipped last October, the system lets users define two-year GDAP relationships for their DAP customers via a proprietary Microsoft Partner Center Integration, and then put them in place essentially by enabling a single permissions setting.

You’ll need a SkyKick account and a free Security Manager trial subscription, but don’t need to buy Security Manager. SkyKick expects the tool to remain available at least through the end of July.

Also worth noting

Speaking of Microsoft 365 permissions, Hornetsecurity has an app for that too.

So many events, so little time. If I’d made it to Dell Technologies World this week, I would have been all over the additions to Dell’s as-a-service APEX platform unveiled there.

N-able has been invited to participate in CISA’s Joint Cyber Defense Collaborative, a public-private body charged with reducing supply chain risk for small and medium critical infrastructure entities.

Threat management vendor Seceon has named William Toll its new VP of marketing. Acronis partners will probably remember him from his recent stint there as head of product marketing.

KnowBe4 has introduced a security awareness training tool for QR code phishing.

Keeper Security has shipped the password rotation feature that I told you was on the way in recent reporting for ChannelPro.

CompTIA has added six new domain-specific names to its CompTIA A+ certification series.