Cohesity’s next-gen data management platform supports intelligent IT operations to unlock data value for operational efficiency and innovation. The Cohesity threat defense architecture provides extensive safeguards to detect and thwart cyberattacks.
Cohesity maintains rigorous product security standards and verifies that they are applied in every phase of its product lifecycle. By following industry best practices and building security features and functionality into its products, Cohesity delivers secure, highly functional products and services to its customers.
Cohesity follows fundamental security principles including but not limited to: secure by default, secure failure, and secure implementations of cryptographic algorithms. To ensure the targeted security posture, compliance, and certification of its products as new features are developed, Cohesity aligns the product design with current security best practices.
Development teams at Cohesity engage with a dedicated Product Security team during the design and planning stages of the development lifecycle. Cohesity's Product Security team recommends secure design patterns, performs threat modeling, defines applicable security standards, and sets security requirements.
Cohesity’s platform and infrastructure are regularly subjected to security testing and hardening. The OS and components are configured to meet security hardening requirements, including Center for Internet Security (CIS) benchmarks and US Department of Defense Security Technical Implementation Guide (STIG) configuration standards.
Cohesity aligns to industry-standard frameworks for vulnerability management, secure product development lifecycle management, and incident response.
Cohesity provides its developers, architects, development managers, release managers, QA engineers, and product managers with security training and resources to incorporate security practices throughout the product development lifecycle. Cohesity conducts quarterly secure coding training covering security best practices in product development that is mandatory for all engineers.
Cohesity follows industry best practices to discover, investigate, and address vulnerabilities throughout the product lifecycle using a risk-based approach. Cohesity's dedicated Product Security team promptly investigates and responds to all reports of potential security vulnerabilities, and Cohesity's product incident response plan supports analysis, mitigation, and remediation of vulnerabilities in its products. The plan also covers responsible disclosure processes when issues are reported by third-party researchers, customers, or partners.
Customers, partners, and third-party researchers may report vulnerabilities in Cohesity products and services by contacting Cohesity Security.
Cohesity maintains rigorous security, privacy, and resiliency standards for its Cohesity-managed cloud services and software as a service (SaaS) offerings. Learn about the key practices that Cohesity follows to keep the Helios platform, services, and customer data secure and available at all times.
Customers may administer the cloud-based Helios platform that provides centralized management and analytics for customers’ self-managed products and services (Helios management service).
Depending on the Cohesity product or service deployed, use of the Helios management service is either mandatory or optional for the customer.
The Helios management service and the Helios data management services are logically segregated from one another.
The Cohesity-managed Helios services are natively multitenant, where each tenant is implemented as a unique organization. Organizations are logically segregated and the organization’s resources, such as data, policies, administrators, etc. are restricted to the organization to which they belong.
Dedicated tenant data repositories ensure customer data is isolated from other customers.
Cohesity ensures logical security by deploying access control based on Zero Trust principles to prevent unauthorized access or compromise of its cloud infrastructure, including the Helios management service and Cohesity-managed data management services.
The Helios management service provides customers a broad set of controls to manage user accounts and their assigned access in accordance with strong security standards and their own security policy. In every tenant organization, an admin user manages the other users in that organization. Organization admins add and manage users through role-based access control (RBAC); fine-grained control over standard and custom-defined roles lets them apply the principles of least privilege and separation of duties. Tenant admins can also integrate the Helios management service with existing identity providers, so each organization can apply its own authentication controls for password policy, multifactor authentication (MFA), and more.
Cohesity maintains a highly restrictive approach to internal access to Helios management services. Access is granted on a strict need-to-know basis tied to the job responsibility for managing and maintaining the system. Cohesity adheres to the principles of least privilege and separation of duties, and applies internal access and authorization controls. Before a user is granted a particular role, they must meet established qualification criteria and obtain documented management approval, in every case. A unique user ID and multifactor authentication are required for all Cohesity users.
For the Helios management service, each tenant's data and metadata are logically segregated and isolated from that belonging to other tenants. For the Cohesity-managed data management services, unique storage repositories are allocated to each tenant, ensuring that content from one tenant is never shareable with or accessible by other tenants.
The Helios management service maintains an availability rate of 99.9% (three 9s), not inclusive of scheduled or emergency maintenance windows. Helios data management services rely on the Amazon Web Services (AWS) S3 service in customer-defined regions spanning a minimum of three availability zones, each separated by many miles within the same AWS region. AWS S3 is designed for 99.999999999% (eleven 9s) data durability. In a disaster scenario, the Helios management service can recreate the data held in the data management service using only the data stored in S3.
All customer data, both metadata in the Helios management service and data in the data management services themselves, is encrypted at rest and in flight using strong, industry-standard encryption algorithms and protocols.
Cohesity has several measures in place to address distributed denial of service (DDoS), intrusion, and malware attacks. These safeguards are built into the monitoring infrastructure Cohesity has implemented to manage the Helios environment. Cohesity uses firewalls to monitor connections constantly and detect anomalies. When an anomaly is detected, Cohesity blocks the connection into the Helios control plane environment and evaluates it. The servers, containers, and infrastructure within the Helios control plane environment are monitored for vulnerabilities, with remediation occurring on a regular basis.
Cohesity’s Helios management service and data management services are hosted in Amazon Web Services (AWS). For more information about AWS data center security controls, please visit https://aws.amazon.com/compliance/data-center/controls/.
Cohesity maintains a business continuity plan covering business operations and disaster recovery response. We regularly assess risks to the business and apply appropriate treatment plans to bring risks within acceptable levels. The plan identifies critical business processes, documents threats that could cause business disruption, and addresses recovering connectivity and supporting systems to ensure Cohesity’s obligations to its customers can be met.
Cohesity has a threat and vulnerability management program to continuously monitor for vulnerabilities that are acknowledged by vendors, reported by researchers, or discovered internally through vulnerability scans, penetration testing, or identification by Cohesity personnel. Vulnerabilities are ranked by severity and assigned for remediation as needed.
Helios implements continuous monitoring for both the security and availability of the service.
Monitoring is a function of every service, with key performance indicators and metrics built in from the start. Dashboards and metrics are tracked by the monitoring and response teams. Alerts are designed in the development process. Alerts are reviewed by the cloud operations team and the development teams to ensure that thresholds are set and monitored while deploying to production.
Cohesity's corporate security practices demonstrate our commitment to ensuring the security, safety, and compliance of Cohesity and customer assets. Cohesity takes the security of our customers’ information very seriously, and the execution of the controls outlined here demonstrates how we establish trust with our customers, partners, and others.
Led by Cohesity's CISO and overseen by the Cohesity Security Council, Cohesity Information Security is a dedicated team of professionals with the mission of ensuring the security, safety, and compliance of Cohesity systems, processes, data, and personnel as well as the assets entrusted to us by our customers.
Cohesity's Information Security policy suite covers the organization, its personnel, and information assets. The policies are aligned with industry standards and include domains such as security organization, acceptable use of assets, access controls, and information classification and handling. Policies are reviewed regularly by Cohesity Information Security and updated as appropriate.
Cohesity Information Security is responsible for establishing information security training requirements and ensuring that all personnel complete training and understand their responsibilities. Information security training is built into our new-hire onboarding experience and annual retraining is required. Training is augmented with regular presentations, communications, and learning sessions on particular topics. Where appropriate, business units will receive specialized training for their roles and job responsibilities, such as members of the engineering team receiving regular training covering security principles and secure development practices.
Cohesity leverages a Cyber Risk Management Program to identify, prioritize, and manage risks to its IT assets, including system infrastructure, networks, endpoints, data, and intellectual property. Through its Cyber Risk Management Program, Cohesity identifies internal and external cyber risks, the likelihood of them occurring, and their potential impact. Cohesity collaborates with risk owners to mitigate and remediate risks, in accordance with Cohesity’s risk appetite.
Cohesity’s Vendor Risk Management Program reviews and validates the security posture of its third-party vendors prior to onboarding and conducts follow-up assessments in accordance with the established vendor tier. Cohesity manages and monitors vendor security risks through its risk management program in alignment with Cohesity’s security posture, customer commitments, and applicable regulatory requirements.
Cohesity Information Security maintains a Vulnerability Management Program which identifies and partners with control owners to remediate vulnerabilities to help reduce threats to Cohesity’s products and infrastructure. In addition, penetration testing is conducted against applicable Cohesity assets, and remediation is prioritized to optimize Cohesity’s security posture.
Cohesity Information Security maintains an Incident Management Policy with procedures that provide the structure and guidance for our response operations. The incident response procedures of this policy provide the steps to be followed by Cohesity personnel to ensure the quick detection of security events and vulnerabilities as well as to promote rapid response to security incidents, including identifying, assessing, containing, mitigating, and recovering from incidents.
Background checks are conducted upon hire. Personnel also receive and acknowledge the company Code of Conduct, policies, and non-disclosure agreements.
Cohesity office locations are physically secured with guards or lobby personnel. Badged access controls are centrally managed and maintained. Access to secured areas requires escalated privileges. Camera systems are in place. Cohesity data centers are certified for ISO 27001, SOC 2, and PCI DSS in addition to other standards. All locations have 24x7x365 gated and guarded entry, employ camera and lighting systems, and require badged access for named individuals.
Cohesity follows personal data confidentiality guidelines and processes personal data in accordance with applicable data protection laws and regulations. All personal data remains the property of the customer. Information on Cohesity’s security compliance and certifications is provided in the Compliance and Certifications section below. Moreover, our Data Processing Addendum (available at www.cohesity.com/agreements) specifies numerous legal, technical, and organizational protections which apply to our customers where applicable.
Cohesity may process personal data outside of the European Economic Area (EEA). An example of this processing may be the provision of 24/7 support services if the customer chooses to share personal data with Cohesity. The legal mechanisms used to allow for such data transfers are the standard contractual clauses (SCC), as further detailed in Cohesity’s Data Processing Addendum available at www.cohesity.com/agreements.
Cohesity currently has support centers in the USA, Ireland, India, Canada, and Japan.
Cross-border data transfers are addressed in detail in our Data Processing Addendum available at www.cohesity.com/agreements.
Cohesity processes personal data in accordance with all applicable data protection laws and regulations, including laws and regulations of the European Union (GDPR), the European Economic Area and their member states, Switzerland and the United Kingdom, the California Consumer Privacy Act (CCPA), and the Personal Information Protection and Electronic Documents Act (Canada), in each case as and to the extent applicable to Cohesity as a matter of law with respect to the processing of personal data. More information may be found in our Data Processing Addendum available at www.cohesity.com/agreements.
Cohesity’s Data Processing Addendum is available at www.cohesity.com/agreements. It applies automatically to all customers using Helios SaaS and is incorporated into Cohesity’s Helios SaaS Terms of Service (also available at www.cohesity.com/agreements). If a customer believes that the Data Processing Addendum should apply to other activities, please contact Cohesity Legal.
Cohesity maintains a comprehensive security certification program designed to protect our customers’ data confidentiality, integrity, and availability in accordance with industry, US government, and international standards. Cohesity's products and services have also been certified by independent third-party auditors to meet various security standards.
The Cohesity Helios SaaS platform undergoes annual System and Organization Controls (SOC) 2 Type II audits, which evaluate its information security controls against the security, availability, and confidentiality Trust Services Criteria.
Cohesity's products and services adhere to the security benchmarks and requirements that are aligned with Health Insurance Portability and Accountability Act (HIPAA) guidelines.
Cohesity complies with the Trade Agreements Act (TAA) and hardware ships from San Jose, California. Cohesity white label systems are manufactured and assembled in designated countries that are TAA-compliant.
Cohesity complies with Section 889 of the National Defense Authorization Act of 2019.
The Cohesity platform has been certified by the Defense Information Systems Agency (DISA), an agency within the US Department of Defense (DoD), for inclusion on the DoD Information Network (DoDIN) Approved Products List (APL). The DoDIN APL is a single, consolidated list of products that have met stringent cybersecurity and interoperability certification requirements for deployment on DoD networks.
Cohesity maintains Authorizations to Operate (ATOs) for its products within highly classified US Department of Defense (DoD) agency networks, US Department of Energy (DoE) networks, and US intelligence community networks. Security Technical Implementation Guides (STIGs) are available for Cohesity products for deployment on DoD Top Secret networks.
The Cohesity platform is Common Criteria certified at EAL2 augmented with ALC_FLR.1 (EAL2+, with the flaw remediation assurance component). The Common Criteria for Information Technology Security Evaluation (Common Criteria) is an international standard (ISO/IEC 15408) for computer security certification.
The cryptographic module employed within Cohesity's products has been validated under the United States National Institute of Standards and Technology (NIST) Cryptographic Module Validation Program at Federal Information Processing Standard (FIPS) 140-2 Security Level 1. FIPS 140-2 is a US government standard that specifies security requirements for cryptographic modules, including the use of approved algorithms and correct implementation of them. Level 1 is the lowest of the standard's four levels: it validates the module's algorithms and design but does not require the physical tamper-evidence or tamper-resistance mechanisms of the higher levels.
The Cohesity platform has been certified by the University of New Hampshire-InterOperability Lab (UNH-IOL) as USGv6 compliant as part of the USGv6 test program.
More details can be found at https://www.iol.unh.edu/registry/usgv6-2008?name=cohesity.
The Cohesity platform has built-in support for write-once, read-many (WORM) functionality. Its WORM implementation has been assessed by Cohasset Associates as compliant with SEC Rule 17a-4(f), FINRA Rule 4511(c), and CFTC Regulation 1.31(c)-(d).
The following resources provide Cohesity customers and partners with more details about Cohesity's security and privacy practices across its products and services.
Cohesity offers a Data Processing Addendum (DPA) for customer GDPR or CCPA compliance needs.
Cohesity may use third-parties as (sub)processors of personal data in order to provide our services.
The Cohesity documentation portal may be accessed from MyCohesity.
The Helios SaaS Security Brief may be found on the Cohesity documentation portal.
The DataPlatform Security white paper may be found on the Cohesity documentation portal.
The DataPlatform Security Hardening Guide may be found on the Cohesity documentation portal.
The Cohesity Ransomware Protection – Prepare and Recover white paper may be found on the Cohesity documentation portal.