Key Points
- Hyperconverged nodes bundle compute, storage, and networking -- clusters start at 3 nodes and scale linearly by adding more.
- No master node -- all nodes participate equally, eliminating single points of failure and enabling dynamic rebalancing.
- SpanFS is the distributed file system foundation: it provides SnapTree metadata for unlimited snapshots, global deduplication, strict consistency, and simultaneous NFS/SMB/S3 access.
- DataProtect = unified backup/recovery; SmartFiles = multiprotocol file/object services; CloudArchive = long-term archival to AWS/Azure/GCS.
- Cloud Services extend the platform: CloudTier (cold data tiering), CloudReplicate (DR replication), SiteContinuity (failover orchestration), FortKnox (SaaS cyber vault).
Cluster Architecture
Cohesity runs on clusters of interconnected commodity x86 nodes. Each node is hyperconverged -- bundling compute, storage, and networking -- so there is no separate storage array. A minimum deployment starts at three nodes. The architecture is masterless: every node participates equally, which eliminates single points of failure and allows dynamic data rebalancing as nodes are added or removed.
```mermaid
flowchart LR
    subgraph Cluster["Cohesity Cluster (No Master Node)"]
        direction LR
        N1["Node 1\nCompute + Storage + Network"]
        N2["Node 2\nCompute + Storage + Network"]
        N3["Node 3\nCompute + Storage + Network"]
        N4["Node N\n(Scale Linearly)"]
    end
    N1 <--> N2
    N2 <--> N3
    N3 <--> N4
    N1 <--> N3
    N2 <--> N4
    subgraph SpanFS["SpanFS Distributed File System"]
        direction LR
        D1["Global Deduplication"]
        D2["Unlimited Snapshots"]
        D3["Multi-Protocol Access\nNFS / SMB / S3"]
    end
    Cluster --> SpanFS
```
SpanFS Features
| Feature | Description |
| --- | --- |
| SnapTree (B+ Tree Metadata) | Distributed metadata structure enabling unlimited snapshots with no performance impact |
| Distributed NoSQL Store | Consistent, distributed store for metadata management at scale |
| Multi-Protocol Support | Simultaneous NFS, SMB, and S3 access on the same data |
| Global Deduplication | Variable-length deduplication across all workloads and protocols |
| Strict Consistency | Data resiliency through strict consistency across all nodes |
| No Master Node | Fully distributed; scales linearly with dynamic rebalancing |
Data Cloud Components
| Component | Primary Function | Protocols/Targets | Use Case |
| --- | --- | --- | --- |
| DataProtect | Backup & recovery | VM, physical, DB, cloud, K8s | Daily backups, instant recovery |
| SmartFiles | File & object services | NFS, SMB, S3 | Unstructured data management |
| CloudArchive | Long-term archival | AWS S3/Glacier, Azure Cool, GCS Nearline | Compliance retention |
Animation: Data Flow Through Cohesity Platform Components
```mermaid
flowchart TD
    subgraph Services["Cohesity Data Cloud Services"]
        DP["DataProtect\nBackup & Recovery"]
        SF["SmartFiles\nFile & Object Services"]
        CA["CloudArchive\nLong-Term Archival"]
    end
    subgraph Cloud["Cloud Services"]
        CT["CloudTier"]
        CR["CloudReplicate"]
        FK["FortKnox\nCyber Vault"]
        SC["SiteContinuity"]
    end
    subgraph Foundation["SpanFS Foundation"]
        FS["SpanFS Distributed File System\nSnapTree | NoSQL Store | Global Dedup"]
    end
    DP --> FS
    SF --> FS
    CA --> FS
    CT --> FS
    CR --> FS
    FK --> FS
    SC --> FS
```
Key Points
- CloudTier automatically tiers cold data to cloud storage (AWS S3, Azure Blob, GCS) while retaining metadata on-premises for fast lookups.
- CloudReplicate replicates data to cloud vendors for disaster recovery and migration.
- SiteContinuity provides automated failover/failback orchestration for business continuity.
- FortKnox is a SaaS cyber-vaulting solution creating a virtual air-gap with immutable copies in Cohesity-managed vaults.
- Deployment flexibility: entirely on-premises, entirely in cloud, or hybrid -- all managed via a single control plane (Helios).
Cloud-Native Services
Beyond DataProtect, SmartFiles, and CloudArchive, Cohesity extends into hybrid and multi-cloud environments with several cloud-native services:
- CloudTier -- Automatically tiers cold data to cloud object storage (GCS, Azure, Amazon S3) while keeping metadata on-premises for fast lookups.
- CloudReplicate -- Replicates data to cloud vendors for DR and migration scenarios.
- SiteContinuity -- Automated failover and failback orchestration for mission-critical workloads.
- FortKnox -- SaaS-based cyber-vaulting storing immutable copies in Cohesity-managed cloud vaults, providing a virtual air-gap between production data and backups.
Hybrid Deployment Model
Organizations can run Cohesity entirely on-premises, entirely in the cloud, or in a hybrid configuration. All deployment models are managed through a single control plane (Helios), providing centralized visibility and policy management across geographies, sites, and cloud regions.
Key Points
- Defense-in-depth: Seven layers from Human to Data -- failure of any single layer does not compromise the system.
- Four Pillars: (1) Data Resiliency (immutability, encryption, fault tolerance), (2) Access Control (MFA, RBAC, Quorum), (3) AI-Driven Detection (classification, behavioral analytics, YARA), (4) Extensibility (SIEM/SOAR, Cisco SecureX, Tenable).
- DataLock provides time-bound WORM -- even admins cannot modify/delete protected data before expiry.
- Quorum Authorization requires two-person approval for critical operations, preventing single-credential compromise.
- Architecture aligns with NIST Cybersecurity Framework and counters all three ransomware evolution stages: encryption, backup deletion, and exfiltration.
Seven Defensive Layers
| Layer | What It Protects | Example Controls |
| --- | --- | --- |
| 1. Human | People and processes | Security awareness training, RBAC, SSO, MFA |
| 2. Physical | Facilities and hardware | Guards, biometrics, fire suppression |
| 3. Perimeter | Network boundary | Next-gen firewalls, vulnerability testing, DDoS prevention |
| 4. Internal Network | East-west traffic | Data encryption in transit, filtering, micro-segmentation |
| 5. Host | Operating systems | Automated patching, endpoint AV, OS hardening |
| 6. Applications | Software layer | AI/ML anomaly detection, least privilege, encryption |
| 7. Data | The data itself | AI detection, access controls, encryption at rest, immutability |
```mermaid
flowchart TD
    L1["Layer 1: Human\nTraining, RBAC, SSO, MFA"]
    L2["Layer 2: Physical\nGuards, Biometrics, Fire Suppression"]
    L3["Layer 3: Perimeter\nFirewalls, Vulnerability Testing, DDoS Prevention"]
    L4["Layer 4: Internal Network\nEncryption in Transit, Micro-Segmentation"]
    L5["Layer 5: Host\nOS Hardening, Patching, Endpoint AV"]
    L6["Layer 6: Applications\nAI/ML Anomaly Detection, Least Privilege"]
    L7["Layer 7: Data\nEncryption at Rest, Access Controls, Immutability"]
    L1 --> L2 --> L3 --> L4 --> L5 --> L6 --> L7
```
Four Pillars of Threat Defense
Pillar 1: Data Resiliency -- Immutability (DataLock WORM), FIPS-validated AES-256 encryption at rest and in transit, fault tolerance through distributed architecture with strict consistency.
Pillar 2: Access Control -- MFA, granular RBAC, Quorum Authorization (two-person approval for destructive operations), continuous monitoring with SIEM/SOAR integration.
Pillar 3: AI-Driven Detection -- Data classification to find sensitive data, adaptive behavioral analytics for anomaly detection, near real-time threat detection with native AV and Google-powered threat intelligence, custom YARA rules.
Pillar 4: Extensibility -- Integrations with Cisco SecureX, Tenable, and broader cloud/endpoint/identity/SIEM/SOAR ecosystem.
Key Points
- Data resilience = "Can we get our data back?" (survives failures); Data security = "Is our data safe from unauthorized access?" (prevents compromise). Both are needed.
- Security Advisor workflow: Scan → Score → Remediate. Provides a quantitative security posture score.
- Security Advisor evaluates access control settings, audit logs, encryption framework, and more across all clusters via the Helios Dashboard.
- Available at no additional cost to all Cohesity customers globally.
Data Resilience vs. Data Security
Data resilience ensures data survives hardware failure, corruption, disaster, or ransomware encryption. It answers: "Can we get our data back?"
Data security ensures unauthorized parties cannot read, modify, or exfiltrate data. It answers: "Is our data safe from unauthorized access?"
A backup system with strong resilience but weak security is like a bank vault with an indestructible door but no lock. Cohesity addresses both: Pillar 1 ensures recoverability, while Pillars 2-4 ensure security.
Security Advisor
Security Advisor scans the Cohesity environment and produces a quantitative security posture score. It evaluates access control settings, audit logs, encryption, and more. Administrators can drill into details and receive specific remediation recommendations.
```mermaid
flowchart LR
    A["Run Security\nAdvisor Scan"] --> B["Receive Security\nPosture Score"]
    B --> C{"Score\nAcceptable?"}
    C -->|Yes| D["Monitor &\nMaintain"]
    C -->|No| E["Review Detailed\nRecommendations"]
    E --> F["Remediate\nConfiguration Gaps"]
    F --> A
    D -.->|"Periodic Rescan"| A
```
Worked Example: A new branch cluster scores 62/100. Security Advisor flags: MFA not enabled, audit logs not forwarded to SIEM, backup policies missing DataLock. After remediation, the score rises to 91/100.
1. In a ransomware attack, the attacker encrypts all production data and threatens to publish it online. Which two elements of the CIA triad are under attack?
   - Confidentiality and Integrity
   - Availability and Confidentiality
   - Integrity and Availability
   - Only Availability
2. Under Zero Trust, a backup operator with valid credentials and MFA wants to delete a protected backup policy. What additional control does Cohesity enforce?
   - The operator must connect from the corporate VPN
   - A second administrator must approve via Quorum Authorization
   - The deletion is automatically scheduled for 30 days later
   - No additional control; valid credentials and MFA are sufficient
3. Which regulatory framework provides the Identify, Protect, Detect, Respond, Recover structure that Cohesity explicitly aligns to?
   - GDPR
   - HIPAA
   - NIST Cybersecurity Framework
   - PCI DSS
4. Which CIA triad principle is most directly addressed by Cohesity's DataLock (WORM) feature?
   - Confidentiality
   - Integrity
   - Availability
   - Non-repudiation
5. A financial services firm must maintain immutable audit trails for financial records. Which regulation drives this requirement?
   - HIPAA
   - GDPR
   - SOX (Sarbanes-Oxley)
   - PCI DSS
Key Points
- CIA Triad: Confidentiality (encryption + RBAC + MFA), Integrity (DataLock WORM + checksums), Availability (fault tolerance + RTO/RPO targets).
- Ransomware attacks all three CIA elements simultaneously: encryption destroys availability, leak threats violate confidentiality, record alteration compromises integrity.
- Zero Trust = "never trust, always verify" -- every request authenticated/authorized regardless of origin; least privilege; Quorum for destructive operations.
- NIST CSF (Identify, Protect, Detect, Respond, Recover) is the primary framework Cohesity maps to -- critical for COH350.
- Key regulations: NIST CSF, GDPR, HIPAA, SOX, PCI DSS -- all addressed by Cohesity's encryption, RBAC, DataLock, audit logging, and policy-driven retention.
CIA Triad in Backup & Recovery
| Principle | General Definition | Application to Backup & Recovery |
| --- | --- | --- |
| Confidentiality | Only authorized parties can access data | Encryption at rest/in transit; RBAC and MFA |
| Integrity | Data has not been tampered with | DataLock WORM; checksums verify no alteration |
| Availability | Data is accessible when needed | Fault tolerance; recovery meets RTO/RPO targets |
```mermaid
flowchart TD
    subgraph Attack["Ransomware Attack Vectors"]
        A1["Encrypt Data\n(Destroy Availability)"]
        A2["Threaten to Leak\n(Violate Confidentiality)"]
        A3["Alter Records\n(Compromise Integrity)"]
    end
    subgraph Defense["Cohesity Threat Defense Response"]
        D1["Immutable Backups\n+ Fault Tolerance"]
        D2["AES-256 Encryption\n+ RBAC + MFA"]
        D3["DataLock WORM\n+ Checksums"]
    end
    A1 -->|"Countered by"| D1
    A2 -->|"Countered by"| D2
    A3 -->|"Countered by"| D3
```
Zero Trust Principles
- No implicit trust -- every API call and user action is authenticated and authorized, even for internal cluster operations.
- Least privilege -- RBAC ensures users can only perform role-appropriate actions.
- Quorum authorization -- critical operations require multi-administrator approval.
- Microsegmentation -- network traffic within the cluster is segmented.
- Continuous verification -- Security Advisor and AI-driven analytics monitor posture in real time.
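The principles above, together with the DataLock rule that nobody can delete protected data before expiry, combine into a single decision for each destructive request. The following is an added conceptual model in Python, not Cohesity code or its API; the role names, reason strings and sample data are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Hypothetical role names for this model; not product identifiers.
ROLES_ALLOWED_TO_REQUEST_DELETE = {"admin", "backup_operator"}

@dataclass
class DeleteRequest:
    requester: str
    role: str
    mfa_verified: bool
    approvers: set = field(default_factory=set)  # administrators who approved

@dataclass
class Backup:
    name: str
    lock_expiry: Optional[datetime]  # end of WORM retention; None = not locked

def authorize_delete(req, backup, now):
    """Return (allowed, reason); every check must pass on every request."""
    if not req.mfa_verified:
        return False, "mfa_required"
    if req.role not in ROLES_ALLOWED_TO_REQUEST_DELETE:
        return False, "role_not_permitted"
    # WORM is checked before quorum: no number of approvals shortens retention.
    if backup.lock_expiry is not None and now < backup.lock_expiry:
        return False, "worm_lock_active"
    # Quorum: the requester's own approval does not count.
    if not (req.approvers - {req.requester}):
        return False, "quorum_pending"
    return True, "approved"

# Constructed sample data.
NOW = datetime(2024, 1, 10, tzinfo=timezone.utc)
LOCKED = Backup("daily-locked", datetime(2024, 2, 1, tzinfo=timezone.utc))
EXPIRED = Backup("daily-expired", datetime(2024, 1, 1, tzinfo=timezone.utc))

def run_scenarios():
    alone = DeleteRequest("alice", "backup_operator", True)
    self_ok = DeleteRequest("alice", "backup_operator", True, {"alice"})
    quorum = DeleteRequest("alice", "backup_operator", True, {"bob"})
    return [authorize_delete(alone, EXPIRED, NOW)[1],
            authorize_delete(self_ok, EXPIRED, NOW)[1],
            authorize_delete(quorum, EXPIRED, NOW)[1],
            authorize_delete(quorum, LOCKED, NOW)[1]]

if __name__ == "__main__":
    print(run_scenarios())
```

A stolen operator credential with valid MFA stops at `quorum_pending`, and even a full quorum stops at `worm_lock_active` while retention is in force.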
Regulatory Landscape
| Regulation | Scope | Relevance to Data Protection |
| --- | --- | --- |
| NIST CSF | US federal & critical infrastructure | Identify, Protect, Detect, Respond, Recover -- Cohesity's primary alignment framework |
| GDPR | EU personal data | Encryption, access controls, right to deletion |
| HIPAA | US healthcare | Encryption, audit logging, access controls for PHI |
| SOX | US public companies | Immutable audit trails, data retention for financial records |
| PCI DSS | Payment card data | Encryption, access control, network segmentation |