Many of the largest enterprises in the world trust Cohesity for next-gen data management. With Cohesity, you can rest assured that your data is protected and secure.
Cohesity’s next-gen data management platform supports intelligent IT operations to unlock data value for operational efficiency and innovation. The Cohesity threat defense architecture provides extensive safeguards to detect and thwart cyberattacks.
Cohesity maintains rigorous product security standards and verifies their adoption across every phase of its product lifecycle. Cohesity follows industry best practices, and through these security practices, together with the inclusion of security features and functionality, Cohesity delivers secure, highly functional products and services to its customers.
Secure By Design
Cohesity follows fundamental security principles including but not limited to: secure by default, secure failure, and secure implementations of cryptographic algorithms. To ensure the targeted security posture, compliance, and certification of its products as new features are developed, Cohesity aligns the product design with current security best practices.
Development teams at Cohesity engage with a dedicated Product Security team during the design and planning stages of the development lifecycle. Cohesity's Product Security team makes recommendations for the adoption of secure design patterns, performs threat modeling, defines applicable security standards, and sets security requirements.
Cohesity has adopted the STRIDE framework in its design practices to meet security objectives in design and reduce risk, including the identification of threats, attacks, vulnerabilities, and countermeasures that could affect an application or system. Cohesity regularly updates the product threat model based on new features and changes in threats.
Identifying and Setting Security Requirements
Cohesity’s Product Security, Information Security, and product management teams define applicable security standards and mandate security requirements across Cohesity’s entire product and service portfolio.
Cohesity’s platform and infrastructure are regularly subjected to security testing and hardening. The OS and components are specifically configured to meet security hardening requirements, including Center for Internet Security (CIS) benchmarks and US Department of Defense Security Technical Implementation Guide (STIG) configuration standards.
Cohesity conducts static and binary source code analysis to ensure security hygiene in the application.
Dynamic Application Security Testing
Dynamic application security testing scanners are integrated into the Cohesity development pipeline to scan all significant development branches. Any vulnerabilities found are mitigated per the vulnerability management policy.
Open Source Software Security Scanning
Cohesity performs regular scanning of Cohesity-developed and third-party code and binaries in its repositories to identify usage of open source software (OSS). Identified security vulnerabilities and incorrect usage of OSS are both remediated per Cohesity’s policies.
Cohesity conducts internal penetration testing continuously using various automated techniques integrated into the release cycle. Cohesity also conducts regular external third-party penetration testing. Vulnerabilities found in penetration testing are mitigated per Cohesity’s vulnerability management policy.
Cohesity performs regular vulnerability assessments across its products and internal operations environments. Vulnerability discovery is conducted regularly, and results are fed back into the development and deployment processes to remediate risks. Cohesity remediates vulnerabilities per its vulnerability management policy.
Software Supply Chain Validation
All third-party components integrated into the Cohesity code base, including (but not limited to) open source and commercially licensed packages, source code, binaries, libraries, and OEM firmware, are tested regularly for vulnerabilities and other security risks. Risk mitigation practices and third-party vulnerability patching follow Cohesity’s vulnerability management policy.
Engineering infrastructure tools are kept up to date with security protections configured. Security checks and hardening options for the compilers and linkers are enforced.
App Ecosystem and Marketplace Security
Cohesity employs multiple controls and practices to ensure the integrity of customer data and the security of apps within the Cohesity Marketplace. These controls include:
All developers and ISVs seeking to develop apps for the Cohesity Marketplace must pass vetting by Cohesity before onboarding.
Cohesity qualifies all apps before they’re published to the Cohesity Marketplace, including design review and vulnerability scanning.
All Marketplace apps intended for use on the Cohesity platform are digitally signed by Cohesity. The Cohesity platform will not execute unsigned or improperly signed apps. Cohesity does not distribute digitally signed Marketplace apps through channels other than its Marketplace.
Use of apps on the Cohesity platform is disabled by default. Explicit opt-in is required.
Apps always execute with multiple degrees of isolation at the network, storage, and microservices levels on the Cohesity platform.
Different apps running on the Cohesity platform cannot communicate or interact with each other by default.
Apps execute within the role-based access control framework on the Cohesity platform.
Security Standards and Programs
Cohesity aligns to industry-standard frameworks for vulnerability management, secure product development lifecycle management, and incident response.
Common Vulnerability Scoring System and Common Vulnerabilities and Exposures
Cohesity rates and prioritizes confirmed vulnerabilities using Common Vulnerability Scoring System (CVSS) version 3. Cohesity will assign a Common Vulnerabilities and Exposures (CVE) identifier to confirmed security vulnerabilities.
Multi-practice Secure Product Development Lifecycle
Cohesity follows a secure product development lifecycle to deliver and maintain security throughout each product’s lifecycle. The lifecycle comprises the following six practices:
Security in Design
Secure Software Release
Product Security Response
Security Incident Response Services Framework
Cohesity implements a security incident response program designed to quickly and effectively detect, respond to, and recover from security incidents and events. Security events are reported to the Information Security office where issues are tracked and monitored until resolved. On-call response teams manage security and availability events through regularly tested response playbooks and procedures.
Product Incident Response
Cohesity employs a product incident response plan that supports analysis, mitigation, and remediation of vulnerabilities in its products. The plan also covers responsible disclosure from third-party researchers and customers.
Cohesity provides its developers, architects, development managers, release managers, QA engineers, and product managers with security training and resources to incorporate security practices throughout the product development lifecycle. Cohesity conducts quarterly secure coding training covering security best practices in product development that is mandatory for all engineers.
Responsible Disclosure Standards
Cohesity follows industry best practices to discover, investigate, and address vulnerabilities through the product lifecycle using a risk-based approach. Cohesity's dedicated Product Security team promptly investigates and responds to all reports of potential security vulnerabilities, and Cohesity's product incident response plan supports analysis, mitigation, and remediation of vulnerabilities in its products. The plan also covers responsible disclosure processes when issues are reported by third-party researchers, customers, or partners.
Cohesity rates and prioritizes confirmed vulnerabilities using Common Vulnerability Scoring System (CVSS) version 3 and maintains response SLAs for each severity class.
Resolving Security Vulnerabilities
Identified vulnerabilities are resolved on a timeframe based on their criticality and impact, per Cohesity’s vulnerability management policy.
Identifying Confirmed Vulnerabilities
Cohesity will assign a Common Vulnerabilities and Exposures (CVE) identifier to confirmed security vulnerabilities.
Resolving Vulnerabilities in Supported Product Versions
Vulnerabilities identified in all supported product versions will be resolved as per Cohesity’s vulnerability management policy.
Cumulative Vulnerability Fixes
At a minimum, major, minor, and long-term support (LTS) releases of Cohesity products will incorporate cumulative vulnerability fixes from previous releases.
Expedited Maintenance Releases for Critical, High-Impact Vulnerabilities
Cohesity may periodically expedite maintenance releases or patches of supported versions of its products faster than the established SLA in Cohesity’s vulnerability management policy for critical risk, high-impact vulnerabilities.
Notifying Customers of Vulnerabilities
Cohesity will proactively inform customers of vulnerabilities via Support Portal alerts, emails, and/or Field Notices. Knowledgebase articles are published to document the impact of specific vulnerabilities and outline any required actions.
Customers, partners, and third-party researchers may report vulnerabilities in Cohesity products and services by contacting Cohesity Security.
Cohesity maintains rigorous security, privacy, and resiliency standards for its Cohesity-managed cloud services and software as a service (SaaS) offerings. Learn about the key practices that Cohesity follows to keep the Helios platform, services, and customer data secure and available at all times.
Customers may administer the cloud-based Helios platform that provides centralized management and analytics for customers’ self-managed products and services (Helios management service).
Depending on the Cohesity product or service deployed, usage of the Helios management service will be either mandatory or optional for the customer.
The Helios management service, operated by Cohesity, provides customers with centralized management and analytics of their self-managed Cohesity products and Cohesity-managed data management services. It is not mandatory for customers to register self-managed products with the Helios management service.
If customers do opt to register, the customer’s products will communicate with the Helios management service to provide the product telemetry necessary for the service, as well as cloud-based centralized management and analytics. For more details about the Helios management service, please refer to the Helios SaaS Security Brief found on the Cohesity documentation portal.
Data Management Services
Cohesity-managed data management services are a family of SaaS offerings that allow customers to store, manage, and secure their data in Cohesity’s cloud-based infrastructure. Customers must manage these services through the Helios management service. Cohesity’s data management services are available to customers on a subscription basis.
As part of some Cohesity data management services, Cohesity may require customers to deploy the Helios SaaS connector. This SaaS connector is an on-premises VM deployed in the customer data center and establishes a secure channel for connecting on-premises data sources with Cohesity’s data management services.
Security Architecture and Tenant Isolation
The Helios management service and data management service environments are logically segregated from one another.
The Cohesity-managed Helios services are natively multitenant, where each tenant is implemented as a unique organization. Organizations are logically segregated and the organization’s resources, such as data, policies, administrators, etc. are restricted to the organization to which they belong.
Dedicated tenant data repositories ensure customer data is isolated from other customers.
Cohesity ensures logical security by deploying access control based on Zero Trust principles to prevent unauthorized access or compromise of its cloud infrastructure, including the Helios management service and Cohesity-managed data management services.
Customer Authentication and Access Control
The Helios management service provides customers a broad set of controls to manage user accounts and their assigned access in accordance with strong security standards and their own security policy. In every tenant organization, an admin user manages the other users in that organization. Organization admins can add and manage users through role-based access control (RBAC). Least privilege and separation of duties can be applied through fine-grained control over standard and custom-defined roles. Tenant admins can also integrate the Helios management service with existing identity providers. This enables each organization to apply its specific authentication controls for password policy, multifactor authentication (MFA), and more.
Employee Authentication and Access Control
Cohesity maintains a highly restrictive approach to internal access to Helios management services. Access is granted on a strict need-to-know basis related to the job responsibility for managing and maintaining the system. Cohesity adheres to the principles of least privilege and separation of duties, and applies internal access and authorization controls. Before a user can log in to a particular role, they must in every case meet established qualification criteria and obtain documented management approval. A unique user ID and multifactor authentication are required for all Cohesity users.
For the Helios management service, each tenant's data and metadata are logically segregated and isolated from that belonging to other tenants. For the Cohesity-managed data management services, unique storage repositories are allocated to each tenant, ensuring that content from one tenant is never shareable with or accessible by other tenants.
Data Resiliency and Availability
The Helios management service maintains an availability rate of 99.9% (three 9s), not inclusive of scheduled or emergency maintenance windows. Helios data management services rely on Amazon Web Services (AWS) S3 service in customer-defined regions spanning across a minimum of three availability zones, each separated by many miles within the same AWS region. The AWS S3 service guarantees 99.999999999% (eleven 9s) of data durability. In the event of a disaster scenario, the Helios management service can recreate data stored in the data management service using just the data stored in S3.
All customer data—both metadata in the Helios management service and data in the data management services themselves—is encrypted at rest and in flight using strong, industry-standard encryption algorithms, and protocols.
All customer data flowing to and from the Helios management service and data management services is encrypted in flight to ensure confidentiality and to prevent unauthorized disclosure or modification. Cohesity utilizes the TLS 1.2 and mTLS protocols for transport layer security, with only FIPS-approved cipher suites with Perfect Forward Secrecy (PFS) protection.
All customer data in the Helios management service and data management services is encrypted at rest using AES-256 encryption. All encryption keys are securely stored in an external key management system (KMS). Additionally, customers using a Cohesity-managed data management service have multiple options for securely managing their encryption keys—either relying on Cohesity’s managed Key Management Service (KMS) or managing their own keys via Amazon Web Services KMS.
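The transport policy stated above (TLS 1.2 minimum, mutual TLS, only forward-secret cipher suites built from FIPS-approved algorithms) is the kind of thing a customer or auditor would want to verify rather than take on trust. The following is an added example, not Cohesity code: it checks OpenSSL-style cipher-suite names against such a policy and builds a Python `ssl.SSLContext` that enforces it on the server side. The policy predicates are an approximation based on suite naming (ephemeral ECDHE/DHE key exchange, authenticated, AES bulk cipher, no RC4/3DES/ChaCha20/NULL/export algorithms), not a FIPS 140 module's approved-mode list; the sample suite names are constructed. One caveat it surfaces: Python's `ssl` module exposes `set_ciphers` for TLS 1.2 suites only, so TLS 1.3 suites such as ChaCha20-Poly1305 remain enabled and show up in the audit, which is why "FIPS-approved only" in practice also depends on the underlying OpenSSL build or module running in approved mode.

```python
"""Check TLS cipher-suite names against a "forward secrecy + FIPS-approved"
transport policy, and build an ssl.SSLContext that enforces it.

Added illustration, not vendor code. The predicates below approximate the
policy from OpenSSL cipher-suite naming; a validated module's approved-mode
list is authoritative.
"""
import ssl

# Constructed sample names in OpenSSL notation (not from any real deployment).
SAMPLE_SUITES = [
    "TLS_AES_256_GCM_SHA384",        # TLS 1.3: ephemeral key exchange implied
    "TLS_CHACHA20_POLY1305_SHA256",  # TLS 1.3, but ChaCha20 is not FIPS-approved
    "ECDHE-RSA-AES256-GCM-SHA384",   # TLS 1.2, PFS, AES-GCM
    "ECDHE-ECDSA-AES128-SHA256",     # TLS 1.2, PFS, AES-CBC with SHA-256 HMAC
    "DHE-RSA-AES256-GCM-SHA384",     # TLS 1.2, PFS via finite-field DH
    "AES256-GCM-SHA384",             # RSA key transport: no forward secrecy
    "ECDHE-RSA-DES-CBC3-SHA",        # PFS, but 3DES is legacy
    "AECDH-AES256-SHA",              # anonymous ECDH: no server authentication
    "ECDHE-RSA-RC4-SHA",             # RC4
    "NULL-SHA256",                   # no encryption at all
]

# Substrings that mark an algorithm outside the FIPS-approved set (or no
# encryption). "DES" also catches 3DES suites ("DES-CBC3").
LEGACY_MARKERS = ("RC4", "DES", "CHACHA20", "NULL", "EXPORT", "MD5",
                  "CAMELLIA", "ARIA", "SEED", "IDEA")


def evaluate_suite(name):
    """Return (accepted, reason) for one OpenSSL-style cipher-suite name.

    Accepted means: authenticated, ephemeral (EC)DHE key exchange, and an
    AES-based bulk cipher with no legacy algorithm anywhere in the suite.
    """
    if name.startswith("TLS_"):
        # TLS 1.3 suites always negotiate an ephemeral key exchange, and peer
        # authentication is carried outside the suite name.
        pfs, authenticated = True, True
    else:
        pfs = name.startswith(("ECDHE-", "DHE-"))
        authenticated = not name.startswith(("AECDH-", "ADH-"))
    if not authenticated:
        return False, "anonymous key exchange"
    if not pfs:
        return False, "no forward secrecy (static key transport)"
    for marker in LEGACY_MARKERS:
        if marker in name:
            return False, f"non-approved algorithm: {marker}"
    if "AES" not in name:
        return False, "bulk cipher is not AES"
    return True, "ok"


def audit_suites(names):
    """Return {name: reason} for every suite that fails the policy."""
    rejected = {}
    for name in names:
        ok, reason = evaluate_suite(name)
        if not ok:
            rejected[name] = reason
    return rejected


def build_server_context():
    """Server-side context: TLS 1.2 minimum, PFS/AES-only TLS 1.2 suites,
    and client certificates required (mutual TLS)."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL cipher string: ephemeral key exchange with AES only, dropping
    # anonymous and legacy algorithms. This governs TLS 1.2 suites only;
    # TLS 1.3 suites are chosen by OpenSSL and not exposed through this API.
    ctx.set_ciphers("ECDHE+AESGCM:DHE+AESGCM:ECDHE+AES:DHE+AES:"
                    "!aNULL:!MD5:!RC4:!3DES")
    ctx.verify_mode = ssl.CERT_REQUIRED  # mTLS: the client must present a cert
    # A real deployment would also load the CA bundle used to verify client
    # certificates and the server's own certificate and key (paths are
    # deployment-specific and deliberately omitted here).
    return ctx


def audit_context(ctx):
    """Apply the policy to the suites a context actually enables."""
    return audit_suites(c["name"] for c in ctx.get_ciphers())


if __name__ == "__main__":
    for name, reason in audit_suites(SAMPLE_SUITES).items():
        print(f"REJECT {name}: {reason}")
    print("enabled suites failing policy:", audit_context(build_server_context()))
```

Run stand-alone, the script rejects six of the ten constructed suites and then reports which suites the hardened context still enables that fail the policy; on a stock OpenSSL build that remainder is TLS 1.3 suites only, which is the gap an approved-mode module or a build-level restriction has to close.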
Infrastructure Attack Defenses
Cohesity has several measures in place to address distributed denial of service (DDoS), intrusions, and malware attacks. These safeguards are built into the monitoring infrastructure that we have implemented to manage the Helios environment. Cohesity uses firewalls to monitor connections constantly and detect anomalies. As anomalies are detected, Cohesity blocks and evaluates the connection into the Helios control plane environment. The servers, containers, and infrastructure within the Helios control plane environment are monitored for vulnerabilities, with remediation occurring on a regular basis.
Cohesity maintains a business continuity plan covering business operations and disaster recovery response. We regularly assess risks to the business and apply appropriate treatment plans to bring risks within acceptable levels. The plan identifies critical business processes, documents threats that could cause business disruption, and addresses recovering connectivity and supporting systems to ensure Cohesity’s obligations to its customers can be met.
Cohesity has a threat and vulnerability management program to continuously monitor for vulnerabilities that are acknowledged by vendors, reported by researchers or discovered internally through vulnerability scans, penetration testing or identification by Cohesity personnel. Threats are ranked based on severity level and assigned for remediation as needed.
Monitoring and Alerting
Helios implements continuous monitoring for both the security and availability of the service.
Monitoring is a function of every service, with key performance indicators and metrics built in from the start. Dashboards and metrics are tracked by the monitoring and response teams. Alerts are designed in the development process. Alerts are reviewed by the cloud operations team and the development teams to ensure that thresholds are set and monitored while deploying to production.
Cohesity's corporate security practices demonstrate our commitment to ensuring the security, safety, and compliance of Cohesity and customer assets. Cohesity takes the security of our customers’ information very seriously, and the execution of the controls outlined here demonstrates how we establish trust with our customers, partners, and others.
Information Security Organization
Led by Cohesity's CISO and overseen by the Cohesity Security Council, Cohesity Information Security is a dedicated team of professionals with the mission of ensuring the security, safety, and compliance of Cohesity systems, processes, data, and personnel as well as the assets entrusted to us by our customers.
Information Security Policies
Cohesity's Information Security policy suite covers the organization, its personnel, and information assets. The policies are aligned with industry standards and include domains such as security organization, acceptable use of assets, access controls, and information classification and handling. Policies are reviewed regularly by Cohesity Information Security and updated as appropriate.
Security Awareness Training
Cohesity Information Security is responsible for establishing information security training requirements and ensuring that all personnel complete training and understand their responsibilities. Information security training is built into our new-hire onboarding experience and annual retraining is required. Training is augmented with regular presentations, communications, and learning sessions on particular topics. Where appropriate, business units will receive specialized training for their roles and job responsibilities, such as members of the engineering team receiving regular training covering security principles and secure development practices.
Cyber Risk Management
Cohesity leverages a Cyber Risk Management Program to identify, prioritize, and manage risks to its IT assets, including system infrastructure, networks, endpoints, data, and intellectual property. Through its Cyber Risk Management Program, Cohesity identifies internal and external cyber risks, the likelihood of them occurring, and their potential impact. Cohesity collaborates with risk owners to mitigate and remediate risks, in accordance with Cohesity’s risk appetite.
Vendor Risk Management
Cohesity’s Vendor Risk Management Program reviews and validates the security posture of its third-party vendors prior to onboarding and conducts follow-up assessments in accordance with the established vendor tier. Cohesity manages and monitors vendor security risks through its risk management program in alignment with Cohesity’s security posture, customer commitments, and applicable regulatory requirements.
Threat Intelligence and Vulnerability Management
Cohesity Information Security maintains a Vulnerability Management Program which identifies and partners with control owners to remediate vulnerabilities to help reduce threats to Cohesity’s products and infrastructure. In addition, penetration testing is conducted against applicable Cohesity assets, and remediation is prioritized to optimize Cohesity’s security posture.
Cohesity Information Security maintains an Incident Management Policy with procedures that provide the structure and guidance for our response operations. The incident response procedures of this policy provide the steps to be followed by Cohesity personnel to ensure the quick detection of security events and vulnerabilities as well as to promote rapid response to security incidents, including identifying, assessing, containing, mitigating, and recovering from incidents.
Background checks are conducted upon employment. Personnel also receive and acknowledge the company Code of Conduct, policies, and non-disclosure agreements.
Cohesity office locations are physically secured with guards or lobby personnel. Badged access controls are centrally managed and maintained. Access to secured areas requires escalated privileges. All locations have 24x7x365 gated and guarded entry, employ camera and lighting systems, and require badged access for named individuals. Cohesity is SOC 2 certified, and the report can be provided upon request.
Cohesity follows personal data confidentiality guidelines and processes personal data in accordance with applicable data protection laws and regulations. All personal data remains the property of the customer. Information on Cohesity’s security compliance and certifications can be found here. Moreover, our Data Processing Addendum (available at www.cohesity.com/agreements) specifies numerous legal, technical, and organizational protections which apply to our customers where applicable.
Cohesity may process personal data outside of the European Economic Area (EEA). An example of this processing may be the provision of 24/7 support services if the customer chooses to share personal data with Cohesity. The legal mechanisms used to allow for such data transfers are the standard contractual clauses (SCC), as further detailed in Cohesity’s Data Processing Addendum available at www.cohesity.com/agreements.
Cohesity currently has support centers in the USA, Ireland, India, Canada, and Japan.
Cohesity processes personal data in accordance with all applicable data protection laws and regulations, including laws and regulations of the European Union (GDPR), the European Economic Area and their member states, Switzerland and the United Kingdom, the California Consumer Privacy Act (CCPA), and the Personal Information Protection and Electronic Documents Act (Canada) in each case as and to the extent applicable to Cohesity as a matter of law with respect to the processing of personal data. More information may be found in our Data Processing Addendum available at www.cohesity.com/agreements.
Under applicable data protection laws and regulations, such as the GDPR, when a customer uses Cohesity’s products and services and shares personal data with Cohesity, the customer is generally considered the data controller and appoints Cohesity to act as a data processor.
California Consumer Privacy Act (CCPA) compliance is addressed in detail in our Data Processing Addendum available at www.cohesity.com/agreements.
Data Processing Agreement
Cohesity’s Data Processing Addendum is available at www.cohesity.com/agreements. It applies automatically to all customers using Helios SaaS and is incorporated into Cohesity’s Helios SaaS Terms of Service (also available at www.cohesity.com/agreements). If a customer believes that the Data Processing Addendum should apply to other activities, please contact Cohesity Legal.
Cohesity maintains a comprehensive security certification program designed to protect our customers’ data confidentiality, integrity, and availability in accordance with industry, US government, and international standards. Cohesity's products and services have also been certified by independent third-party auditors to meet various security standards.
SOC 2 Type II Report
The Cohesity Helios SaaS platform undergoes annual Service Organization Controls 2 (SOC 2) Type II audits to evaluate its information security system controls against the security, availability, and confidentiality Trust Services Criteria.
Cohesity's products and services adhere to the security benchmarks and requirements that are aligned with Health Insurance Portability and Accountability Act (HIPAA) guidelines.
Trade Agreements Act Compliance
Cohesity complies with the Trade Agreements Act (TAA) and hardware ships from San Jose, California. Cohesity white label systems are manufactured and assembled in designated countries that are TAA-compliant.
National Defense Authorization Act of 2019
Cohesity complies with Section 889 of the National Defense Authorization Act of 2019.
US Department of Defense Information Network Approved Products List
The Cohesity platform has been certified by the Defense Information Systems Agency (DISA), an agency within the US Department of Defense (DoD), for inclusion on the DoD Information Network (DoDIN) Approved Products List (APL). The DoDIN APL is a single, consolidated list of products that have met stringent cybersecurity and interoperation certification requirements for deployment on DoD networks.
FedRAMP is a U.S. government program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services used by the U.S. government. This security compliance framework aims to protect U.S. citizens’ data in the cloud.
Cohesity maintains Authorizations to Operate (ATOs) for its products to operate within highly classified US Department of Defense (DoD) agency networks, US Department of Energy (DoE) networks, and US intelligence community networks. Security Technical Implementation Guides (STIGs) are available for Cohesity products for deployment on DoD Top Secret networks.
Common Criteria EAL2+
The Cohesity platform is Common Criteria certified at EAL2+ ALC_FLR.1. Common Criteria for Information Technology Security Evaluation (referred to as Common Criteria) is an international standard (ISO/IEC 15408) for computer security certification.
The cryptographic module employed within Cohesity's products has been validated by the United States National Institute of Standards and Technology (NIST) at the Federal Information Processing Standards (FIPS) 140-2 Level 1 standard. FIPS 140-2 is a US government standard for cryptographic modules providing assurances that the module design and implementation of cryptographic algorithms are secure and correct.
SEC 17a‐4(f), FINRA Rule 4511(c), and CFTC Regulation 1.31(c)-(d)
The Cohesity platform has built-in support for write-once, read-many (WORM) functionality. Its WORM implementation has been assessed as compliant with SEC 17a‐4(f), FINRA Rule 4511(c), and CFTC Regulation 1.31(c)-(d) by Cohasset Associates.