The Quantum Threat Your Backup Team Isn’t Talking About Yet

I co-authored this piece with Edwin Weijdema, Field CTO EMEA at Veeam. It originally appeared on the Veeam blog. I’m reposting it here with some additional field context because this topic comes up more and more in enterprise conversations — and most organizations are still thinking about it wrong.

My take before you read: Most security teams frame post-quantum cryptography as a future problem. It isn’t. The “harvest now, decrypt later” model means your backup data is already a target. If you’re storing long-lived encrypted backups today, the clock is already running.


The core argument:

Post-quantum cryptography is not about preparing for a quantum computer accessing your data center tomorrow. It is about protecting long-lived data from adversaries who can capture it today and wait for the technology to decrypt it later.

This reframes the entire timeline. It’s not a 2030 problem. It’s a 2026 planning decision.

Why backup specifically:

Backup contains the most complete, long-lived record of your business — retained specifically because it stays valuable over time. That makes it the highest-value harvest target.

What’s actually at risk:

The quantum threat isn’t to symmetric encryption like AES, which holds up well. The real exposure is in key exchange and transport paths, where public key cryptography has been used for decades. That’s where intercepted traffic becomes a future liability.

The practical steps you can take right now:

  • Encrypt backup data at rest with strong symmetric encryption and treat your keys like crown jewels
  • Segment and isolate management planes — reduce the blast radius
  • Use immutability so ransomware can’t rewrite history
  • Run your recovery drill before an incident forces the timing
  • Take inventory of where public key cryptography lives in your environment
  • Push your vendors for crypto agility and clear PQC roadmaps
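One way to start the inventory step for key exchange and transport paths, shown as an added example that is not from the original article. The file paths and configuration lines are constructed samples, and classifying a key exchange as hybrid post-quantum by name fragment is a heuristic assumed here.

```python
import re

# Name fragments marking a hybrid post-quantum key exchange (heuristic, an
# assumption of this example); any other name is treated as classical.
PQ_MARKERS = ("mlkem", "sntrup", "kyber")

# Directives that carry key-exchange lists in sshd_config, nginx and OpenSSL config.
DIRECTIVE = re.compile(
    r"^\s*(KexAlgorithms|ssl_ecdh_curve|Groups|Curves)(?:\s*=\s*|\s+)(.+?)\s*;?\s*$",
    re.IGNORECASE)

def classify(value):
    """Return (verdict, classical_names) for one key-exchange list."""
    modifier = value[0] if value[0] in "+-^" else ""
    names = [n.strip() for n in re.split(r"[,:]", value.lstrip("+-^")) if n.strip()]
    pq = [n for n in names if any(m in n.lower() for m in PQ_MARKERS)]
    classical = [n for n in names if n not in pq]
    if modifier:
        verdict = "relative-to-defaults"  # sshd +/-/^ lists edit the built-in set
    elif not pq:
        verdict = "classical-only"        # recorded sessions stay harvestable
    elif not classical:
        verdict = "pq-only"
    elif names[0] in pq:
        verdict = "pq-preferred-with-fallback"
    else:
        verdict = "classical-preferred"
    return verdict, classical

def inventory(configs):
    """configs maps path -> file text; returns one finding per directive."""
    findings = []
    for path, text in configs.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            m = DIRECTIVE.match(line)
            if m:
                verdict, classical = classify(m.group(2))
                findings.append({"file": path, "line": lineno,
                                 "verdict": verdict, "classical": classical})
    return findings

# Constructed sample configs for hypothetical backup infrastructure hosts.
SAMPLE = {
    "backup-proxy/sshd_config": "# constructed\nPort 22\nKexAlgorithms curve25519-sha256,ecdh-sha2-nistp256\n",
    "repo-gw/sshd_config": "KexAlgorithms mlkem768x25519-sha256,sntrup761x25519-sha512,curve25519-sha256\n",
    "console/nginx.conf": "    ssl_ecdh_curve X25519:secp384r1;\n",
    "console-new/nginx.conf": "    ssl_ecdh_curve X25519MLKEM768:X25519;\n",
}

if __name__ == "__main__":
    for f in inventory(SAMPLE):
        print(f["file"], f["line"], f["verdict"], f["classical"])
```

A `relative-to-defaults` verdict means the effective list depends on the installed OpenSSH version's built-in defaults, so those hosts need checking against the running binary.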

The compliance reality nobody mentions:

In FIPS-regulated environments, you can’t just flip on a PQC algorithm and call it compliant. You need a validated cryptographic module. That certification cycle takes time — which is exactly why PQC planning needs to start now, not when the standards fully mature.


Read the full article on the Veeam blog:
Why Post-Quantum Cryptography Matters Now

Derran Guinan
Field CTO · Americas

Field CTO for the Americas at Veeam. 30+ years in IT and cybersecurity. I write about data protection, security architecture, and AI from the field — honest takes for practitioners, not press releases.
