1. What is the name of Cohesity's purpose-built Linux-based operating system?
CohesityLinux
DataOS
SpanOS
ClusterOS
2. Starting from Cohesity version 6.8, what SSH security feature is enabled by default?
SSH is completely disabled on all nodes
The Secure Shell feature restricts SSH to a limited command environment
SSH requires a hardware security token for all connections
SSH is only allowed from the Helios management console
3. What mechanism does Cohesity use to achieve zero-downtime cluster upgrades?
Blue-green deployment with a standby cluster
Rolling upgrades with VIP migration
Hot-swapping node hardware during operation
Pausing all backup jobs until the upgrade completes
4. What three-step workflow does Security Advisor use to improve cluster security posture?
Detect, Analyze, Report
Audit, Alert, Enforce
Scan, Score, Remediate
Monitor, Assess, Harden
5. Which two industry hardening frameworks does Cohesity SpanOS align with?
NIST CSF and ISO 27001
CIS Benchmarks and STIG
PCI DSS and SOC 2
OWASP and MITRE ATT&CK
The foundation of any hardened system begins at the operating system layer. Cohesity runs a purpose-built Linux-based OS called SpanOS, and its security controls start there.
Linux-Based OS Hardening
Cohesity Data Cloud follows a secure-by-default design philosophy. Out of the box, the platform includes:
- Zero trust architecture
- AES-256 encryption for data at rest
- TLS v1.3 with strong ciphers for data in transit
- Immutable backup snapshots
- Multifactor authentication support
At the network level, all ports are disabled by default except for known required ports. Preconfigured IP tables allowlist only the services that need to communicate internally. The cluster is FIPS 140-2 certified, always operates in FIPS mode, and does not support TLS v1.1 or below.
Think of FIPS 140-2 certification as a government stamp of approval on a bank vault's lock mechanism. It does not just mean the lock works — it means the lock has been independently tested, validated, and certified to meet a rigorous federal standard.
SSH and Console Access Restriction
SSH restriction is one of the most critical hardening measures. Since version 6.8, the Secure Shell feature restricts SSH access to a limited command environment rather than full OS-level shell access. Administrators can execute CLI commands and run diagnostics but cannot browse the filesystem or modify OS-level files directly.
| Control | Default Behavior | Recommendation |
|---|
| SSH access to host OS shell | Restricted (enabled by default from v6.8) | Keep enabled |
| Direct filesystem access | Disabled by default | Do not enable unless required |
| Root user access | Limited via Secure Shell | Maintain restriction |
For console access, Cohesity introduced the Split Key feature in version 7.0. This mandates a challenge-response system when a user attempts to access the console via IPMI. The response codes can only be generated by opening a support case with Cohesity SREs.
sequenceDiagram
participant Admin as Administrator
participant Cluster as Cohesity Cluster
participant Support as Cohesity SRE (24x7)
Admin->>Cluster: Request console access via IPMI
Cluster->>Admin: Generate challenge code
Admin->>Support: Open support case with challenge code
Support->>Support: Verify identity and authorize
Support->>Admin: Provide response code
Admin->>Cluster: Enter response code
Cluster->>Admin: Grant console access
Split Key works like a safe deposit box at a bank — you need your key and the bank manager's key to open it. No single person can gain access alone.
Service Account Management
Cohesity's security architecture is built on least privilege and segregation of duties:
- The "support" user account has read-only privileges by default
- Only the cluster administrator can escalate the support user's privileges
- Sudo access is disabled by default for the support user
- MFA should be enabled for both admin and support user accounts
Role-Based Access Control (RBAC) supports three methods: default roles, individual user-based roles, and user groups-based roles. Best practice is to deploy SSO with user groups-based RBAC.
Quorum approval (dual control) requires that critical system changes be authorized by more than one person, preventing a rogue or compromised administrator from acting unilaterally.
Patch Management
Cohesity provides one-click, non-disruptive cluster upgrades that handle software, security, firmware, and OS upgrades through a single workflow. Each node upgrades sequentially while other nodes absorb its workload via VIP migration (Virtual IP migration), ensuring zero downtime.
Rolling Upgrade with VIP Migration
Watch each node upgrade sequentially (red = upgrading, green = complete)
Node 1
Node 2
Node 3
Node 4
Long-Term Support (LTS) releases are supported for a minimum of twelve months, with six months of overlapping coverage between two LTS releases to give organizations a comfortable migration window.
Attack surface refers to the sum of all points where an unauthorized user could attempt to enter or extract data from a system. Reducing it is an ongoing discipline, not a one-time event.
Identifying Exposed Services
Cohesity's platform consolidation approach inherently reduces the attack surface by unifying backup, DR, file services, object storage, dev/test, and analytics on a single platform. However, administrators must still actively audit what is exposed:
| Exposure Point | Risk | Mitigation |
|---|
| Open network ports | Unauthorized service access | Verify only required ports are open; use firewall rules |
| IPMI management interface | Console hijacking | Restrict to management network; enable Split Key |
| SSH access | OS-level compromise | Keep Secure Shell enabled (default from v6.8) |
| API endpoints | Automated attack vectors | Enforce API authentication; use RBAC for API users |
| Syslog transport | Log interception | Enable encryption between cluster and syslog server |
| Agent communication | Man-in-the-middle attacks | Keep agents at same version as cluster; use TLS |
Attack Surface Reduction — Building the Castle Wall
Closing ports and disabling services builds a stronger perimeter
Disabling Unused Connectors
Every enabled but unused connector is an unnecessary door. Administrators should periodically audit for:
- Unused data protection policies retaining stale connections
- Integration endpoints (cloud tiering targets, external NAS mounts) no longer active
- Service accounts created for testing and never removed
- Marketplace applications installed but not actively used
Minimal Privilege Access
Data exposure reduction extends to who can see what data and when:
- Immutable snapshots: The original "gold copy" is never mounted or exposed. Access requires creating a zero-cost clone.
- DataLock WORM: Creates time-bound locks on backup snapshots that cannot be deleted even by administrators.
- RBAC and custom roles: Ensures backup operators, security officers, and auditors each have narrowly scoped permissions.
graph LR
Backup[Backup Job] --> Gold[Gold Copy Snapshot]
Gold -->|Immutable - Never Exposed| Storage[(Protected Storage)]
Gold -->|Zero-Cost Clone| Clone[Read-Write Clone]
Clone --> App[Application / User Access]
Admin[Administrator] -.->|Cannot Delete| Gold
Attacker[Attacker] -.->|Cannot Modify| Gold
DataLock[DataLock WORM Policy] -->|Time-Bound Lock| Gold
Security Advisor is a built-in, no-cost tool available via Cohesity Helios that assesses, scores, and helps improve cluster security posture. It launched in December 2021.
Dashboard and Scoring
Security Advisor operates through a three-step workflow: Scan, Score, Remediate.
- Scan: Evaluates security configurations across clusters — access control, audit logs, encryption framework
- Score: Generates a numerical score indicating performance against best practice recommendations
- Remediate: Provides actionable recommendations on addressing potential risks with detailed guidance
Security Recommendations
Security Advisor evaluates four primary dimensions:
| Category | What It Evaluates | Example Findings |
|---|
| Access Control Settings | Permissions, authentication, privilege management | MFA not enabled; default password unchanged |
| Audit Logs | Logging configuration, retention, monitoring | Retention below threshold; syslog not configured |
| Encryption Frameworks | Data-at-rest and data-in-transit encryption | Node-to-node encryption disabled |
| Cluster Security Configurations | Multi-site deployment consistency | Inconsistent settings across geographies |
When prioritizing remediation, focus on: (1) authentication gaps, (2) encryption gaps, (3) access control gaps, (4) logging and monitoring gaps.
Automated Checks
Security Advisor provides centralized visibility across all clusters spanning geographies, sites, and regions through the Helios Dashboard. Key capabilities include executive-ready security scorecards, detailed configuration issue analysis, and native Helios integration requiring no additional licensing.
Security Advisor complements CyberScan, a Marketplace application that scans backup snapshots for indicators of compromise (IOCs) and known vulnerabilities. Security Advisor hardens the platform; CyberScan ensures the data being protected is not already compromised.
graph TB
subgraph "Security Advisor"
SA[Platform Configuration Scanning]
SA --> AC[Access Control]
SA --> AL[Audit Logs]
SA --> EF[Encryption Framework]
SA --> CC[Cluster Configuration]
end
subgraph "CyberScan"
CS[Backup Data Scanning]
CS --> IOC[Indicators of Compromise]
CS --> Vuln[Known Vulnerabilities]
CS --> Malware[Malware Detection]
end
SA -->|Score and Remediate| Posture[Improved Security Posture]
CS -->|Alert and Quarantine| Posture
Tracking Improvements
Security posture requires ongoing measurement. Best practices:
- Baseline: Run an initial scan after deployment or major configuration changes
- Remediate in priority order: Critical findings first (authentication, encryption), then moderate
- Re-scan regularly: Monthly or quarterly to detect configuration drift
- Document and report: Use executive scorecards for leadership communication
- Integrate with change management: Tie scans to change control processes
CIS Benchmark Alignment
The Center for Internet Security (CIS) Benchmarks are consensus-based configuration guidelines developed by security practitioners worldwide. Cohesity's SpanOS ships with many CIS-aligned configurations already applied at the factory level, covering:
- Filesystem permissions and mount options
- User account and authentication policies
- Network configuration and firewall rules
- Logging and auditing settings
- Service and process restrictions
CIS alignment is not something you build from scratch — it is something you verify and maintain after deployment, particularly after upgrades or configuration changes.
STIG Compliance
The Security Technical Implementation Guide (STIG) is published by the US DoD's DISA. Cohesity SpanOS implements many STIG controls across these categories:
| STIG Category | Scope | Description |
|---|
| APSC-DV | Application Security | Authentication, authorization, session management |
| RHEL | Operating System | Red Hat baseline controls adapted for SpanOS |
| SRG-APP | Application Security Requirements Guide | Logging, access control, data protection |
STIG compliance is particularly important for government, defense, financial services, and healthcare organizations.
Hardening Checklist for New Deployments
| # | Hardening Action | Category | Priority |
|---|
| 1 | Change all default passwords before going live | Access Control | Critical |
| 2 | Enable cluster-wide encryption at initial installation | Encryption | Critical |
| 3 | Verify Secure Shell is enabled (default from v6.8) | SSH Restriction | Critical |
| 4 | Enable MFA for admin and support user accounts | Access Control | Critical |
| 5 | Enable Split Key for IPMI console access (v7.0+) | Access Control | High |
| 6 | Configure Quorum approval for privileged operations | Access Control | High |
| 7 | Enable node-to-node encryption | Encryption | High |
| 8 | Deploy SSO with user groups-based RBAC | Access Control | High |
| 9 | Set audit log retention to 180+ days | Logging | Medium |
| 10 | Restrict IPMI traffic to management network only | Network | Medium |
| 11 | Apply DataLock WORM policies to critical backups | Data Protection | Medium |
| 12 | Run initial Security Advisor scan and establish baseline | Posture Scoring | Medium |
1. What is the name of Cohesity's purpose-built Linux-based operating system?
CohesityLinux
DataOS
SpanOS
ClusterOS
2. Starting from Cohesity version 6.8, what SSH security feature is enabled by default?
SSH is completely disabled on all nodes
The Secure Shell feature restricts SSH to a limited command environment
SSH requires a hardware security token for all connections
SSH is only allowed from the Helios management console
3. What mechanism does Cohesity use to achieve zero-downtime cluster upgrades?
Blue-green deployment with a standby cluster
Rolling upgrades with VIP migration
Hot-swapping node hardware during operation
Pausing all backup jobs until the upgrade completes
4. What three-step workflow does Security Advisor use to improve cluster security posture?
Detect, Analyze, Report
Audit, Alert, Enforce
Scan, Score, Remediate
Monitor, Assess, Harden
5. Which two industry hardening frameworks does Cohesity SpanOS align with?
NIST CSF and ISO 27001
CIS Benchmarks and STIG
PCI DSS and SOC 2
OWASP and MITRE ATT&CK
6. What does the Split Key feature require in order to grant IPMI console access?
A one-time password generated by an authenticator app
A response code obtained by opening a support case with Cohesity SREs
Approval from at least three cluster administrators
A signed certificate from the organization's PKI infrastructure
7. What is the default privilege level of the Cohesity "support" user account?
Full administrator with sudo access
Read-only privileges
Write access to backup policies only
No access until explicitly granted by Cohesity SRE
8. What happens to the original "gold copy" backup snapshot on Cohesity?
It is mounted read-write for direct application access
It is replicated to a secondary site and then deleted locally
It remains immutable and is never directly exposed; access requires a zero-cost clone
It is compressed and archived to cold storage after 30 days
9. What distinguishes CyberScan from Security Advisor?
CyberScan is a paid add-on while Security Advisor is free
CyberScan scans backup data for IOCs and vulnerabilities, while Security Advisor scans platform configuration
CyberScan replaces Security Advisor in version 7.0 and later
CyberScan only works with cloud-deployed clusters
10. What is the recommended RBAC deployment method for enterprise Cohesity environments?
Default predefined roles applied at login
Individual user-based role assignment
SSO with user groups-based RBAC
Local accounts with custom roles per cluster
11. Which STIG category covers Red Hat Enterprise Linux baseline controls as adapted for SpanOS?
APSC-DV
SRG-APP
RHEL
NIST-800
12. What is the minimum support duration for a Cohesity Long-Term Support (LTS) release?
Six months
Twelve months
Eighteen months
Twenty-four months