Professional Documents
Culture Documents
Data Segmentation
The Cohesity cluster architecture provides virtual data isolation through Storage Domains.
Each Storage Domain encrypts the data stored in it using its own independent keys.
During initial cluster setup, encryption can be enabled for the entire cluster so that the data
in all Storage Domains will be encrypted. If encryption is not enabled during cluster
creation, it can be enabled at the Storage Domain level. Note that once encryption is set
during cluster or Storage Domain creation, it can not be disabled later.
Each Cohesity View is assigned a Quality of Service (QoS) Policy. A QoS Policy determines
the priority of I/O (when contention occurs).
Cohesity supports all the major cloud vendors, including Amazon, Microsoft Azure, Google
and Oracle, and any S3 compatible storage.
l You register the cloud storage as an External Target on the cluster and provide the
cloud storage access keys. The access keys are encrypted and stored on the Cohesity
cluster using AES-256 encryption in CBC mode. You can update the access keys from
the Cohesity Dashboard or by using the Cohesity REST API. (DataPlatform does not
rotate the access keys.)
l Though the access keys are specific to the cloud storage provider, the DataPlatform
key storage security is the same regardless of the cloud provider. DataPlatform is
FIPS certified and has an internal software-based key management system (KMS)
that stores the key encryption key (KEK).
l DataPlatform establishes a connection to the External Target only when making REST
API calls to perform an archive or recovery operation.
l DataPlatform does not include the External Target access keys in the API request. The
request is signed using the External Target’s access key and the signature is sent
using the Authorization request header.
l DataPlatform uses TLS 1.2 to encrypt in-flight data. Currently, DataPlatform does not
use mTLS (2-way SSL) in communication with External Targets.
CloudArchive and CloudArchive Direct uses its own encryption, independent of data at rest
encryption. The cipher suite used for encryption is AES-256-CBC.
l Cloud Archive encryption is on by default but can be turned off. Cohesity recommends
keeping it on.
l Both the data encryption key (DEK) and KEK are encrypted, distributed for resiliency
across the cluster and stored in SSD.
l The cluster creates a new DEK for each External Target. DataPlatform provides two
options. You can:
l Store the data, metadata and encryption keys (DEK/KEK) in the External
Target.
l Store the data, metadata, and DEK only in the External Target. This requires the
KEK to be downloaded and stored outside of the cluster. Without the
downloaded keys, future CloudRetrieve operations will not be possible.
Key Management
The Cohesity cluster has a built-in key manager that generates keys and stores them
internally on the SSDs in encrypted form. Data on the Cluster is encrypted using a Data
Encryption Key (DEK) and the DEK is in turn encrypted using a Key Encryption Key (KEK).
The encryption/decryption process is done within the Cohesity cluster and is transparent to
all inbound/outbound protocols and applications such as backup, archiving and file services.
Also, the keys are stored in a distributed fashion to be resilient to disk and Node failure.
The default key rotation policy for KEK is 90 days, but the administrator can configure a
different value. There is no other user intervention needed while using the internal Key
Management Server (KMS).
Cohesity supports the SafeNet external Key Management Server.
Ports Employed
For a list of firewall ports used by the Cohesity cluster, see Manage Firewall Ports.
All access methods require an SSL connection that uses TLS 1.2 or above. The connection
uses strong ciphers for the established session. When the Cohesity cluster is created, a self-
signed X.509 certificate (PEM format only) is generated for this purpose. The certificate
must have the "Common Name" field set to the server’s hostname (for example, a VIP's
DNS name). Certificates are stored in the boot disk. They are replicated to other Nodes as
part of Cluster formation using RPC calls. When the key expires, the web browser marks the
session as invalid. Users can import new certificates to re-establish the session.
Users can overwrite this X.509 certificate according to their company policy.
Authentication
Authentication is required for all management methods (the Cohesity Dashboard, CLI and
API). Only a user with an account on the Cluster can authenticate to the Cluster. Cohesity
supports three types of accounts.
l Local User Account—A user account is created locally on the Cluster. This user can
access only this Cluster. When the account is created, a password is assigned to the
user and required to authenticate to the Cluster. This password is stored on the
Cluster.
l Active Directory—A user account that exists on an Active Directory server. This
user can access all the Clusters that have joined the Active Directory. The user uses
the Active Directory password to authenticate to the Cluster. The Cluster
authenticates the user with Active Directory. The password is not stored on the
Cluster.
l Single Sign-On - A Single Sign-on (SSO) user account that uses the supported
Identity Provider (IdP) to authenticate to the Cohesity cluster. Cohesity DataPlatform
supports major IdP vendors such as Okta, Duo, Ping, and Azure AD.
Cohesity supports two types of authorization data on a file: Windows-style access control
lists (ACLs) and POSIX mode bits (UNIX permissions). ACLs are used when a file is
accessed from SMB. POSIX mode bits are used when a file is accessed via NFS.
l NFS access is controlled via whitelisted IP addresses. Client IP addresses that are
whitelisted are allowed to mount an NFS share.
l The whitelist is set at the Cluster level and View level override is available.
l Cohesity DataPlatform supports RPCSEC_GSS protocol for NFS.
Beginning with version 6.0, support for mixed-permission environments is available. The
supported scenarios are:
Amazon S3
Cohesity supports:
Authorization
Authorization is implemented at two levels.
l The operation level, where operations are restricted to authorized users only.
l The object level, where objects are restricted to authorized users only.
Accounting
Accounting is implemented at two levels.
Audit Trail
Every user operation that changes the Cluster is audited and the audit log is saved. The log
contains the original value and the value after the operation. For a list of logged operations,
see Audit Logs. Cohesity stores audit logs on the Cohesity cluster. Users can read them
using the standard NFS, SMB and S3 protocols and can export the logs to a syslog server.
Compliance
The following sections explain how Cohesity addresses various guidelines and
specifications.
l It is a catalog of criteria and a framework for organizing a subset of the criteria into
security specifications
l It is a methodology for evaluating security features
l It can be applied to hardware, software, firmware, or a combination thereof
l It allows vendors to describe a product's security functionality with proof to support
their claims
Cohesity realizes the value of being a Common Criteria participant. To view the CC
certificate, see MyCC.
l In the financial services industry, SEC Rule 17a-4(f) specifies that “electronic records
must be preserved exclusively in a non-rewriteable and non-erasable format.”
l Other industries must meet similar requirements when they store mission critical
information.
GDPR imposes a broad set of legal, governance and technical requirements on companies
processing personal data. A subset of these requirements—those related to data protection
and data management—are particularly relevant for storage platforms used to store
personal data.
Cohesity has a strong vision to enable our customers to be at the top of their GDPR
compliance. The tools and product functionality that Cohesity provides as part of its vision
fall into the following categories:
Monitor l GDPR mandates companies to l Prevent portability of PII using White Lists
monitor for and report security l Receive notifications or warnings when data
breaches. is tiered, archived, or replicated to a non-
l Companies are obliged to Cohesity target
communicate breaches to relevant l Receive notification when data leaves EU
supervisory authorities, and to while still on Cohesity
affected individual in certain cases.
l Ability to export cluster and system level
l Demonstrating appropriate reporting audit logs for additional analytics and
procedures post identification of a breach detection
breach can validate compliance.
Search l GDPR mandates that any EU l Search within unstructured data for multiple
resident can request visibility of PII categories of PII
from a company. l Input PII patterns and their variations, and
l They can also request for the PII to file types (txt, doc, pdf, xls, zip, jpeg) to scan
be deleted, modified / corrected, or using templates
exported out. l Inject custom code to run data processing
jobs on stored data using in-place analytics
tool
Locate l GDPR mandates getting a 360- l Scheduled update to data maps that
degree view of what PII is stored by delineate the following:
an organization. In addition, the l Location and Movement Tracking
organization should be aware of: (source & destination) of PII
l What PII they store and why l Categories of PII stored
l Where does it come from l File containing PII
l Where the data is stored, l Retention policies of PII
and the retention policy on
l Access rights to PII
the personal data
l Leverage Cohesity reports to complete Data
l Who has access to the data
Protection Impact Assessments (DPIAs), if
l And, monitor the movement needed.
of the data
l Here, PII needs to be kept only for l Granular control over and automation of
the time period relating directly to retention policies enables customers to keep
the original intent of capturing the PII only for intended periods
data. l Effectively relocate files to on demand to
minimize spread of PII data
Copyright
Copyright © 2021 Cohesity, Inc. All rights reserved. Product specifications, release dates,
prices, and all other documentation are subject to change without notice. Cohesity, Inc.
makes no warranties, express or implied, with regards to this documentation, all of which is
provided “AS IS”. No part of this documentation or any related software may be
reproduced, stored, transmitted, or otherwise distributed in any form or by any means
(electronic or otherwise) for any purpose other than the purchaser's personal use without
the prior written consent of Cohesity, Inc. You may not use, modify, perform or display this
documentation or any related software for any purpose except as expressly set forth in a
separate written agreement executed by Cohesity, Inc., and any other use (including
without limitation for the reverse engineering of such software or creating compatible
software or derivative works) is prohibited, except to the extent such restrictions are
prohibited by applicable law.
Trademarks
Cohesity, SpanFS, SnapTree and ActiveRx are registered trademarks of Cohesity and/or its
affiliates. Other names may be trademarks of their respective owners.
Published on February 24, 2022 01:19 AM