Chapter 5: Security Assessment & Compliance

Learning Objectives

Pre-Quiz: Test Your Current Knowledge

Answer these questions before studying the material. You will see the same questions again at the end to measure what you learned.

Pre-Quiz — Section 1: Compliance and Regulatory Frameworks

1. Which Cohesity feature helps enforce GDPR's data minimization principle by ensuring data is not kept longer than necessary?

   A. YARA rules
   B. Automated retention policies
   C. FortKnox virtual air gap
   D. Cortex XSOAR playbooks

2. What does a SOC 2 Type II audit evaluate that a Type I audit does not?

   A. Whether cryptographic modules meet FIPS standards
   B. Whether controls existed at a single point in time
   C. Whether controls operated effectively over a sustained period
   D. Whether the platform is authorized for federal cloud adoption

3. When preparing evidence for a HIPAA audit on Cohesity, which step involves using ML-based data classification?

   A. Exporting RBAC configuration
   B. Running a scan to locate where PHI resides across backup environments
   C. Documenting AES-256 encryption settings
   D. Pulling user audit trail logs for the review period

Pre-Quiz — Section 2: Data Retention and Legal Holds

4. What happens to backup snapshots when a legal hold is applied in Cohesity?

   A. Snapshots are immediately moved to FortKnox
   B. Normal retention expiration is suspended and data is preserved
   C. Snapshots are encrypted with an additional key layer
   D. Snapshots are replicated to a secondary cluster

5. How does DataLock differ from a standard retention policy?

   A. DataLock applies only to archived data, not local snapshots
   B. DataLock prevents deletion or modification even by administrators
   C. DataLock automatically classifies data using ML
   D. DataLock replaces the need for Quorum authorization

Pre-Quiz — Section 3: Zero Trust Design Principles

6. Which of the four pillars of Cohesity's Threat Defense architecture addresses SIEM and SOAR integrations?

   A. Data Resiliency
   B. Access Control
   C. Detection & Analytics
   D. Extensibility

7. What is the purpose of Quorum authorization in Cohesity's Zero Trust model?

   A. It encrypts data using multiple keys simultaneously
   B. It requires multiple authorized individuals to approve critical operations
   C. It distributes backup data across multiple geographic regions
   D. It scans backup data for malware using multiple engines

8. Why is source-side anomaly detection significant compared to backup-cycle detection?

   A. It uses less storage space
   B. It provides earlier identification of threats rather than waiting for the next backup
   C. It replaces the need for YARA rules
   D. It only works with cloud-based workloads

Pre-Quiz — Section 4: Third-Party Security Integration

9. In the Cohesity-Microsoft Sentinel integration, what component serves as the data connector between Helios and Sentinel?

   A. A Cortex XSOAR playbook
   B. An Azure Function App
   C. A Cohesity SpanFS View
   D. A CrowdStrike Falcon sensor

10. What is the primary difference between SIEM and SOAR platforms in a security operations workflow?

   A. SIEM handles encryption while SOAR handles access control
   B. SIEM focuses on detection and analysis while SOAR automates the response
   C. SIEM is cloud-only while SOAR is on-premises only
   D. SIEM replaces SOAR in modern security architectures

11. Which tool does Cohesity support for creating custom threat detection rules to hunt for specific indicators of compromise in backup data?

   A. Sigma rules
   B. Snort signatures
   C. YARA rules
   D. Suricata patterns

12. Which Cohesity feature provides a "virtual air gap" by isolating backup copies in a separate Cohesity-managed environment?

   A. DataLock WORM
   B. Security Advisor
   C. FortKnox
   D. Quorum

Section 1: Compliance and Regulatory Frameworks

Organizations managing sensitive data must comply with a growing web of regulations. Think of a compliance framework as a blueprint for a building's safety systems: it specifies what protections are required, how they must be tested, and what evidence proves they are in place.

GDPR, HIPAA, SOX, and PCI-DSS Requirements

Each regulatory framework emphasizes different aspects of data protection, but they share common themes: encryption, access control, auditability, and data minimization.

| Framework | Focus Area | Key Requirements | Cohesity Capability |
|---|---|---|---|
| GDPR | EU personal data protection | Data minimization, right to erasure, breach notification | DPA, automated retention, AES-256, MFA, ML classification |
| HIPAA | Protected health information | Encryption at rest/transit, access controls, audit logs | AES-256, granular RBAC, user audit trails |
| SOX | Financial record integrity | Internal controls, audit trails, data retention | Immutable snapshots, DataLock WORM, audit logging |
| PCI-DSS | Payment card data | Encryption, access restriction, monitoring | AES-256, RBAC, SIEM integration, ML classification |

```mermaid
graph LR
  subgraph Frameworks
    GDPR["GDPR"]
    HIPAA["HIPAA"]
    SOX["SOX"]
    PCI["PCI-DSS"]
  end
  subgraph Common_Requirements
    ENC["Encryption"]
    AC["Access Control"]
    AUD["Auditability"]
    DM["Data Minimization"]
  end
  subgraph Cohesity_Capabilities
    AES["AES-256 Encryption\n(FIPS-validated)"]
    RBAC["Granular RBAC\n+ MFA"]
    TRAIL["User Audit Trails\n+ Security Advisor"]
    RET["Automated Retention\nPolicies"]
  end
  GDPR --> ENC & AC & AUD & DM
  HIPAA --> ENC & AC & AUD
  SOX --> AUD & DM
  PCI --> ENC & AC & AUD
  ENC --> AES
  AC --> RBAC
  AUD --> TRAIL
  DM --> RET
```

Mapping Cohesity Features to Compliance Requirements

Cohesity maintains an extensive set of security certifications that serve as independent validation:

| Certification | Description |
|---|---|
| SOC 2 Type II | Annual audit evaluating security, availability, and confidentiality controls over a sustained period |
| ISO 27001 | ISO/IEC 27001:2022 certification for information security management |
| FIPS 140-2 | Cryptographic module validated at Level 1 standard |
| Common Criteria | Certified at EAL2+ ALC_FLR.1 |
| FedRAMP Moderate | Authorized for federal cloud adoption |
| DoD Authorization | Authorization to Operate for DoD, DoE, and intelligence networks |

Analogy: Think of certifications like a restaurant's health inspection grades posted in the window. A SOC 2 Type II audit does not just check that controls exist on a single day -- it evaluates whether they operated effectively over a sustained period, like a health inspector returning multiple times throughout the year.

Compliance Reporting and Audit Evidence

Passing an audit requires proving controls are in place. Cohesity supports this through:

Worked Example: Preparing for a HIPAA Audit

  1. Encryption verification -- document AES-256 encryption for data at rest and in transit
  2. Access control documentation -- export RBAC configuration and MFA enforcement status
  3. Data classification report -- run ML scan to locate all PHI across the backup environment
  4. Audit trail export -- pull user access logs for the review period
  5. Retention policy documentation -- export policies showing 6-year PHI retention with automated expiration

```mermaid
flowchart TD
  START["HIPAA Audit\nPreparation"] --> S1["1. Encryption\nVerification"]
  S1 --> S2["2. Access Control\nDocumentation"]
  S2 --> S3["3. Data Classification\nReport"]
  S3 --> S4["4. Audit Trail\nExport"]
  S4 --> S5["5. Retention Policy\nDocumentation"]
  S5 --> AUDIT["Complete Evidence\nPackage for Auditor"]
  style START fill:#1a73e8,color:#fff
  style AUDIT fill:#34a853,color:#fff
```

Key Takeaway

Section 2: Data Retention and Legal Holds

Data retention is the practice of keeping data for a defined period. Getting it wrong creates risk in both directions: delete too early and you violate regulations; keep too long and you increase storage costs and attack surface.

Configuring Retention Policies and Schedules

Analogy: A retention policy is like an expiration date on food packaging. Just as a grocery store removes expired products from shelves, Cohesity automatically expires snapshots once they pass their retention period.

| Parameter | Description | Example |
|---|---|---|
| Backup frequency | How often snapshots are created | Daily at 2:00 AM |
| Local retention | How long snapshots stay on primary cluster | 30 days |
| Archival retention | How long copies are kept in archive | 7 years |
| Replication retention | How long copies are kept on remote cluster | 90 days |
| Policy assignment | Which protection groups use this policy | "HIPAA-Regulated-Workloads" |

Implementing Legal Holds for E-Discovery

A legal hold (litigation hold) is a directive to preserve all data relevant to pending or anticipated litigation. When active, normal retention expiration is suspended -- data must not be deleted regardless of policy.

E-discovery is the process by which electronically stored information is identified, collected, and produced for legal proceedings. Cohesity's legal hold ensures relevant backup data remains available and unaltered.

Worked Example: Implementing a Legal Hold

  1. Identify relevant data -- determine which protection groups, sources, or time ranges are relevant
  2. Apply legal hold -- overrides normal retention policy, preventing automatic expiration
  3. Document the hold -- record scope, date, authorizer, and related legal matter
  4. Monitor the hold -- verify held snapshots remain intact; audit trail confirms no modification
  5. Release the hold -- once legal matter concludes, snapshots resume normal retention lifecycle

DataLock (Retention Lock) and WORM Protection

DataLock is Cohesity's implementation of time-bound WORM (Write Once Read Many) protection. It prevents snapshots from being deleted or modified before their lock period expires -- even by administrators.

Combined with Quorum (multi-person approval for critical changes), DataLock creates a robust chain of custody. No single individual can circumvent retention controls, and the platform contains no service back-doors.

Analogy: DataLock is like a time-locked safe at a bank. Once something is placed inside and the timer is set, nobody -- not even the bank manager -- can open it until the timer expires.

Data Lifecycle Management

  1. Creation -- protection policies define when snapshots are taken and how many copies are created
  2. Tiering -- policies automatically move aging snapshots to cost-effective archival targets
  3. Expiration -- snapshots past retention period (with no legal hold) are automatically deleted
  4. Compliance verification -- audit trails record every retention event

Animation Slot 1: Data lifecycle flow showing a snapshot moving through creation, tiering, legal hold override, and eventual expiration with audit trail logging at each stage.

```mermaid
flowchart LR
  CREATE["1. Creation\nSnapshot taken\nper policy"] --> TIER["2. Tiering\nAge-based move to\narchival storage"]
  TIER --> CHECK{"Legal Hold\nActive?"}
  CHECK -- No --> EXPIRE["3. Expiration\nAuto-delete at\nretention end"]
  CHECK -- Yes --> HOLD["Hold: Expiration\nSuspended"]
  HOLD --> RELEASE["Hold Released\nby Legal Team"]
  RELEASE --> EXPIRE
  EXPIRE --> VERIFY["4. Compliance\nVerification\nAudit trail logged"]
  style HOLD fill:#e8710a,color:#fff
```
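The retention policy parameters, the legal-hold procedure, the DataLock rule, and the lifecycle steps above describe one decision function: "may this snapshot be deleted today, and by whom?" The following is an added example (not Cohesity code) that models those rules end to end: scheduled expiration deletes what policy allows, a legal hold suspends expiration, DataLock refuses deletion before the lock date even for an administrator, and every decision lands in an audit trail. The field names, the snapshot IDs and dates, the legal-matter reference, and the rule that an administrator may manually delete an unlocked snapshot before its retention ends are assumptions made for the example.

```python
# Added example (not Cohesity code): a minimal model of the retention rules the
# section describes. Policy expiration is automatic; a legal hold suspends it;
# DataLock blocks deletion before the lock date even for administrators; every
# decision is written to an audit trail. Field names and the rule that an admin
# may delete an unlocked snapshot before its retention ends are assumptions.
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional, List, Dict


@dataclass
class Snapshot:
    snapshot_id: str
    created: date
    retention_days: int
    datalock_until: Optional[date] = None   # WORM lock: undeletable before this date
    legal_hold: Optional[str] = None        # legal matter reference while on hold
    deleted: bool = False

    def retention_end(self) -> date:
        return self.created + timedelta(days=self.retention_days)


@dataclass
class Cluster:
    snapshots: Dict[str, Snapshot] = field(default_factory=dict)
    audit_log: List[dict] = field(default_factory=list)

    def _audit(self, actor: str, action: str, snapshot_id: str, outcome: str) -> None:
        self.audit_log.append({"actor": actor, "action": action,
                               "snapshot": snapshot_id, "outcome": outcome})

    def add(self, snap: Snapshot) -> None:
        self.snapshots[snap.snapshot_id] = snap

    def apply_legal_hold(self, actor: str, snapshot_id: str, matter: str) -> None:
        self.snapshots[snapshot_id].legal_hold = matter
        self._audit(actor, "apply_legal_hold", snapshot_id, matter)

    def release_legal_hold(self, actor: str, snapshot_id: str) -> None:
        self.snapshots[snapshot_id].legal_hold = None
        self._audit(actor, "release_legal_hold", snapshot_id, "released")

    @staticmethod
    def _blocker(snap: Snapshot, today: date, is_admin: bool) -> Optional[str]:
        """Reason deletion is refused, or None if it may proceed."""
        if snap.legal_hold:
            return f"legal hold ({snap.legal_hold})"
        if snap.datalock_until and today < snap.datalock_until:
            return "DataLock"                       # applies to admins too
        if today < snap.retention_end() and not is_admin:
            return "retention not expired"
        return None

    def delete(self, actor: str, snapshot_id: str, today: date, is_admin: bool = False) -> str:
        """Manual deletion request; the outcome is always audited."""
        snap = self.snapshots[snapshot_id]
        if snap.deleted:
            return "already deleted"
        reason = self._blocker(snap, today, is_admin)
        outcome = f"denied: {reason}" if reason else "deleted"
        if not reason:
            snap.deleted = True
        self._audit(actor, "delete", snapshot_id, outcome)
        return outcome

    def expire(self, today: date) -> List[str]:
        """Scheduled expiration job: deletes what policy allows, skipping held/locked data."""
        removed = []
        for snap in self.snapshots.values():
            if not snap.deleted and self._blocker(snap, today, is_admin=False) is None:
                snap.deleted = True
                removed.append(snap.snapshot_id)
                self._audit("retention-scheduler", "expire", snap.snapshot_id, "deleted")
        return removed


def demo() -> dict:
    """Walk three constructed snapshots through the lifecycle; returns the outcomes."""
    c = Cluster()
    c.add(Snapshot("snap-A", date(2024, 1, 1), 30))
    c.add(Snapshot("snap-B", date(2024, 1, 1), 30, datalock_until=date(2024, 3, 1)))
    c.add(Snapshot("snap-C", date(2024, 1, 1), 30))
    c.apply_legal_hold("legal.team", "snap-C", "Matter-2024-17")   # constructed reference
    out = {}
    out["admin_early_delete_A"] = c.delete("admin", "snap-A", date(2024, 1, 15), is_admin=True)
    out["admin_delete_locked_B"] = c.delete("admin", "snap-B", date(2024, 2, 15), is_admin=True)
    out["expire_feb15"] = c.expire(date(2024, 2, 15))       # B locked, C held, A already gone
    c.release_legal_hold("legal.team", "snap-C")
    out["expire_after_release"] = c.expire(date(2024, 2, 15))
    out["expire_mar1"] = c.expire(date(2024, 3, 1))         # DataLock on B has lapsed
    out["audit_events"] = len(c.audit_log)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of routing both the manual `delete` and the scheduled `expire` through the same `_blocker` check is that the legal-hold and DataLock rules cannot be bypassed by choosing a different code path; the audit log then records the denial as well as the deletion, which is the evidence an auditor asks for in the compliance-verification step.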

Key Takeaway

Section 3: Zero Trust Design Principles

Zero Trust is a security model based on "never trust, always verify." Unlike perimeter-based security that assumes everything inside the network is safe, Zero Trust treats every access request as potentially hostile.

Analogy: Traditional security is like a castle with a moat -- once you cross the drawbridge, you are trusted everywhere. Zero Trust is like a modern high-security building where every door requires a badge scan, every floor requires separate authorization, and cameras monitor continuously.

Four Pillars of Cohesity's Threat Defense Architecture

| Pillar | Zero Trust Principle | Cohesity Implementation |
|---|---|---|
| Data Resiliency | Assume breach; protect integrity | Immutable snapshots (SpanFS), AES-256, fault-tolerant auto-healing |
| Access Control | Verify explicitly; least privilege | MFA, granular RBAC, Quorum multi-person auth |
| Detection & Analytics | Continuous monitoring | AI anomaly detection, ML classification, YARA rules |
| Extensibility | Integrate across ecosystem | SIEM/SOAR with Cisco, CrowdStrike, Splunk, Sentinel, Palo Alto, ServiceNow |

```mermaid
graph TB
  ZT["Zero Trust Principle\nNever Trust, Always Verify"]
  ZT --> P1["Data Resiliency"]
  ZT --> P2["Access Control"]
  ZT --> P3["Detection &\nAnalytics"]
  ZT --> P4["Extensibility"]
  P1 --> P1A["Immutable Snapshots\n(SpanFS)"]
  P1 --> P1B["AES-256 Encryption\n(FIPS-validated)"]
  P1 --> P1C["FortKnox\nVirtual Air Gap"]
  P2 --> P2A["MFA"]
  P2 --> P2B["Granular RBAC"]
  P2 --> P2C["Quorum\nMulti-Person Auth"]
  P3 --> P3A["AI Anomaly\nDetection"]
  P3 --> P3B["ML Data\nClassification"]
  P3 --> P3C["YARA Rules\nThreat Hunting"]
  P4 --> P4A["SIEM\nSentinel / Splunk"]
  P4 --> P4B["SOAR\nXSOAR / ServiceNow"]
  P4 --> P4C["Endpoint / Network\nCrowdStrike / Cisco"]
  style ZT fill:#1a73e8,color:#fff
  style P1 fill:#34a853,color:#fff
  style P2 fill:#ea4335,color:#fff
  style P3 fill:#fbbc04,color:#000
  style P4 fill:#9334e6,color:#fff
```

FortKnox adds SaaS-based data isolation functioning as a "virtual air gap." Even if an attacker compromises the primary cluster, FortKnox-isolated copies remain safe in a separate Cohesity-managed environment.

Microsegmentation and Least-Privilege Access

Microsegmentation in Cohesity means access is compartmentalized so compromising one credential does not grant access to all data:

Example RBAC Segmentation

| Role | Permissions | Use Case |
|---|---|---|
| Backup Operator | Run/monitor backup jobs, view status | Day-to-day operations |
| Recovery Specialist | Restore data, browse snapshots | Incident response |
| Security Officer | View audit logs, manage security, run scans | Compliance monitoring |
| Cluster Admin | Full config (quorum-controlled) | Infrastructure management |
| Data Privacy Officer | View classification, manage legal holds | GDPR/HIPAA compliance |

```mermaid
graph TB
  ATTACKER["Attacker Compromises\nBackup Operator Credentials"]
  subgraph Accessible
    A1["Run/Monitor\nBackup Jobs"]
    A2["View Job\nStatus"]
  end
  subgraph Blocked_by_RBAC
    B1["Modify Security\nSettings"]
    B2["Delete Backups"]
    B3["Access Classification\nReports"]
    B4["Manage Legal\nHolds"]
    B5["Cluster Admin\nOperations"]
  end
  ATTACKER -->|granted| A1
  ATTACKER -->|granted| A2
  ATTACKER -.->|DENIED| B1
  ATTACKER -.->|DENIED| B2
  ATTACKER -.->|DENIED| B3
  ATTACKER -.->|DENIED| B4
  ATTACKER -.->|DENIED| B5
  B5 -->|requires| QUORUM["Quorum:\nMulti-Person\nApproval"]
  style ATTACKER fill:#d93025,color:#fff
  style QUORUM fill:#e8710a,color:#fff
```
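The segmentation table and the diagram above make two claims worth checking in code: a single compromised role exposes only its own permission set, and quorum-controlled operations need more than one authorized person. The following is an added example (not Cohesity's RBAC engine) that encodes the five roles as permission sets, evaluates a request against them, and enforces a two-person rule for critical actions. The permission strings, the choice of which actions are quorum-gated, the number of extra approvers, and the user names are assumptions made for the example.

```python
# Added example (not Cohesity's RBAC implementation): role-permission sets patterned
# on the segmentation table, plus a Quorum check for critical operations.
# Permission names, the quorum-gated action set and QUORUM_APPROVERS are assumptions.
from typing import Iterable, Tuple, Dict, Set

ROLES: Dict[str, Set[str]] = {
    "backup_operator":      {"backup:run", "backup:monitor", "job:view_status"},
    "recovery_specialist":  {"snapshot:browse", "data:restore"},
    "security_officer":     {"audit:view", "security:manage", "scan:run"},
    "cluster_admin":        {"cluster:configure", "backup:delete", "security:manage",
                             "backup:run", "backup:monitor", "job:view_status"},
    "data_privacy_officer": {"classification:view", "legalhold:manage"},
}

# Critical operations that Quorum gates: the requester's own role is never enough.
QUORUM_ACTIONS = {"cluster:configure", "backup:delete", "security:manage"}
QUORUM_APPROVERS = 1   # approvals required from *other* users who hold the permission


def permissions_for(roles: Iterable[str]) -> Set[str]:
    """Union of the permission sets of the given roles (unknown roles grant nothing)."""
    return set().union(*(ROLES.get(r, set()) for r in roles))


def authorize(requester: str, requester_roles: Iterable[str], action: str,
              approvals: Iterable[Tuple[str, Iterable[str]]] = ()) -> Tuple[bool, str]:
    """Return (allowed, reason). approvals is a list of (approver, approver_roles).

    Step 1: least privilege - the requester's roles must grant the action.
    Step 2: quorum - for critical actions, other authorized people must approve;
            self-approval and approvals from users lacking the permission do not count.
    """
    if action not in permissions_for(requester_roles):
        return False, "denied: role lacks permission"
    if action not in QUORUM_ACTIONS:
        return True, "granted"
    valid = {name for name, roles in approvals
             if name != requester and action in permissions_for(roles)}
    if len(valid) < QUORUM_APPROVERS:
        return False, f"denied: quorum needs {QUORUM_APPROVERS} other approver(s), have {len(valid)}"
    return True, f"granted: quorum satisfied by {sorted(valid)}"


def blast_radius(roles: Iterable[str]) -> Dict[str, list]:
    """What a stolen credential holding these roles can and cannot do."""
    everything = set().union(*ROLES.values())
    have = permissions_for(roles)
    return {"accessible": sorted(have), "blocked": sorted(everything - have)}


if __name__ == "__main__":
    # Constructed scenario from the diagram: a Backup Operator credential is compromised.
    print(blast_radius(["backup_operator"]))
    print(authorize("op-account", ["backup_operator"], "backup:delete"))
    # Cluster Admin alone cannot delete backups; a second admin must approve.
    print(authorize("alice", ["cluster_admin"], "backup:delete"))
    print(authorize("alice", ["cluster_admin"], "backup:delete",
                    approvals=[("bob", ["cluster_admin"])]))
```

Two details carry the security weight: `blast_radius` is computed from the union of all roles, so adding a permission to any role automatically shows up as exposure for whoever holds it, and the quorum set is filtered by both identity (not the requester) and capability (the approver must hold the permission), which prevents an attacker from "approving" their own request from a second, lower-privileged account.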

Continuous Verification

Key Takeaway

Section 4: Third-Party Security Integration

Modern SOCs aggregate alerts from dozens of sources. Cohesity's Extensibility pillar ensures backup intelligence flows into the broader security ecosystem.

SIEM Integration

A SIEM (Security Information and Event Management) platform collects, correlates, and analyzes security events. Integrating Cohesity means backup anomalies and ransomware alerts appear alongside firewall logs and endpoint alerts.

Microsoft Sentinel Integration

The architecture uses an Azure Function App as the data connector between Cohesity Helios and Microsoft Sentinel's Log Analytics Workspace.

Alert categories: ransomware detection, unauthorized access, policy violations, anomalous behavior, data exfiltration indicators.

Configuration steps:

  1. Deploy the Cohesity Data Connector from Azure Marketplace
  2. Configure Cohesity cluster credentials in the Function App
  3. Set Function App authentication parameters
  4. Establish Log Analytics workspace connectivity
  5. Customize alert routing rules

SOAR Integration for Automated Response

SOAR (Security Orchestration, Automation, and Response) automates incident response through playbooks triggered by security alerts.

Analogy: SIEM is a building's security camera system -- it records and alerts. SOAR is the automated response that triggers sprinklers, sounds alarms, unlocks exits, and calls the fire department -- all within seconds.

Cortex XSOAR Integration Pipeline

  1. Detection -- Cohesity Helios monitors with AI; detects encryption spikes or unusual change rates
  2. Automated Triage -- XSOAR initiates playbooks to assess scope and severity
  3. Response Orchestration -- isolate affected systems, notify teams, collect forensic evidence
  4. Recovery -- locate and restore clean data from immutable backups

```mermaid
sequenceDiagram
  participant C as Cohesity Helios
  participant X as Cortex XSOAR
  participant T as Security Team
  participant R as Recovery
  C->>C: AI monitors backup data
  C->>C: Detects anomaly
  C->>X: Sends alert with context
  X->>X: Initiates triage playbook
  X->>T: Notifies incident response team
  X->>X: Isolates affected systems
  T->>R: Confirms attack, authorizes recovery
  R->>C: Locates clean immutable backup
  C->>R: Restores from pre-attack snapshot
  R->>T: Recovery complete
```

Animation Slot 2: SOAR automated response pipeline showing the timeline from anomaly detection through automated triage, team notification, and recovery with time indicators at each stage.
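Step 1 of the pipeline says the detection looks for "encryption spikes or unusual change rates," and step 4 needs a candidate clean snapshot. The following added example (not Cohesity's detection engine) shows the shape of such a check on per-backup statistics: the change rate is compared against a rolling median baseline, high entropy of the changed blocks is used as the encryption indicator, and each alert carries the context a SOAR playbook would triage, including the last snapshot that raised no alert. The sample statistics are constructed, and the thresholds, window size, severity scheme and field names are assumptions made for the example.

```python
# Added example, not Cohesity's detection engine: baseline-vs-current checks on
# per-backup statistics for the two indicators the text names (change rate and
# encryption). Sample data, thresholds and the severity scheme are constructed.
from statistics import median
from typing import List, Dict

# Constructed daily statistics for one protection group:
#   changed_gb   = data changed since the previous snapshot
#   mean_entropy = mean Shannon entropy (bits/byte) of the changed blocks;
#                  well-compressed or encrypted data sits close to 8.0
# Day 8 looks like mass encryption; day 9 is a bulk but low-entropy change.
SAMPLE_STATS: List[Dict] = [
    {"day": 1, "changed_gb": 10.2, "mean_entropy": 4.1},
    {"day": 2, "changed_gb": 11.8, "mean_entropy": 4.3},
    {"day": 3, "changed_gb": 9.7,  "mean_entropy": 4.0},
    {"day": 4, "changed_gb": 12.4, "mean_entropy": 4.5},
    {"day": 5, "changed_gb": 10.9, "mean_entropy": 4.2},
    {"day": 6, "changed_gb": 11.1, "mean_entropy": 4.4},
    {"day": 7, "changed_gb": 13.0, "mean_entropy": 4.3},
    {"day": 8, "changed_gb": 96.5, "mean_entropy": 7.9},
    {"day": 9, "changed_gb": 40.0, "mean_entropy": 4.4},
]


def severity(indicators: List[str]) -> str:
    """Assumed triage scheme: both indicators together are the strongest signal."""
    if "change_rate_spike" in indicators and "high_entropy_writes" in indicators:
        return "critical"
    if "change_rate_spike" in indicators:
        return "high"
    return "medium"


def detect_anomalies(stats: List[Dict], window: int = 7,
                     rate_factor: float = 3.0, entropy_threshold: float = 7.5) -> List[Dict]:
    """Compare each day with the median of the previous `window` days.

    The median (rather than the mean) keeps one anomalous day from inflating the
    baseline and masking the next one. Returns alerts with triage context.
    """
    alerts = []
    last_clean_day = stats[window - 1]["day"]   # most recent day that raised no alert
    for i in range(window, len(stats)):
        baseline = median(s["changed_gb"] for s in stats[i - window:i])
        current = stats[i]
        indicators = []
        if current["changed_gb"] > rate_factor * baseline:
            indicators.append("change_rate_spike")
        if current["mean_entropy"] > entropy_threshold:
            indicators.append("high_entropy_writes")
        if not indicators:
            last_clean_day = current["day"]
            continue
        alerts.append({
            "source": "backup-anomaly-detector",    # constructed alert source name
            "day": current["day"],
            "severity": severity(indicators),
            "indicators": indicators,
            "baseline_gb": baseline,
            "change_ratio": round(current["changed_gb"] / baseline, 2),
            "mean_entropy": current["mean_entropy"],
            "last_clean_day": last_clean_day,        # recovery candidate for step 4
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_STATS):
        print(alert)
```

Note how day 9 is still flagged even though the previous window now contains the day-8 outlier: the median baseline stays near 11.8 GB, whereas a mean baseline would have risen to roughly 24 GB and nearly hidden the second spike. The `last_clean_day` field is what the recovery step in the pipeline needs, and it deliberately does not advance past an alerting day.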

Antivirus and Malware Scanning

Cohesity Marketplace Security Ecosystem

| Category | Partners | Capability |
|---|---|---|
| SIEM | Microsoft Sentinel, Splunk | Centralized event monitoring |
| SOAR | Cortex XSOAR, ServiceNow | Automated incident response |
| Endpoint | CrowdStrike | Endpoint detection correlation |
| Network | Cisco SecureX, Palo Alto | Network threat intelligence |
| Vulnerability | Tenable | Vulnerability assessment |
| Malware | Sophos | Next-gen malware detection |

Key Takeaway

Post-Quiz: Test What You Learned

Answer the same questions again now that you have studied the material. Click "Complete Session" when finished to compare your scores.

Post-Quiz — Section 1: Compliance and Regulatory Frameworks

1. Which Cohesity feature helps enforce GDPR's data minimization principle by ensuring data is not kept longer than necessary?

   A. YARA rules
   B. Automated retention policies
   C. FortKnox virtual air gap
   D. Cortex XSOAR playbooks

2. What does a SOC 2 Type II audit evaluate that a Type I audit does not?

   A. Whether cryptographic modules meet FIPS standards
   B. Whether controls existed at a single point in time
   C. Whether controls operated effectively over a sustained period
   D. Whether the platform is authorized for federal cloud adoption

3. When preparing evidence for a HIPAA audit on Cohesity, which step involves using ML-based data classification?

   A. Exporting RBAC configuration
   B. Running a scan to locate where PHI resides across backup environments
   C. Documenting AES-256 encryption settings
   D. Pulling user audit trail logs for the review period

Post-Quiz — Section 2: Data Retention and Legal Holds

4. What happens to backup snapshots when a legal hold is applied in Cohesity?

   A. Snapshots are immediately moved to FortKnox
   B. Normal retention expiration is suspended and data is preserved
   C. Snapshots are encrypted with an additional key layer
   D. Snapshots are replicated to a secondary cluster

5. How does DataLock differ from a standard retention policy?

   A. DataLock applies only to archived data, not local snapshots
   B. DataLock prevents deletion or modification even by administrators
   C. DataLock automatically classifies data using ML
   D. DataLock replaces the need for Quorum authorization

Post-Quiz — Section 3: Zero Trust Design Principles

6. Which of the four pillars of Cohesity's Threat Defense architecture addresses SIEM and SOAR integrations?

   A. Data Resiliency
   B. Access Control
   C. Detection & Analytics
   D. Extensibility

7. What is the purpose of Quorum authorization in Cohesity's Zero Trust model?

   A. It encrypts data using multiple keys simultaneously
   B. It requires multiple authorized individuals to approve critical operations
   C. It distributes backup data across multiple geographic regions
   D. It scans backup data for malware using multiple engines

8. Why is source-side anomaly detection significant compared to backup-cycle detection?

   A. It uses less storage space
   B. It provides earlier identification of threats rather than waiting for the next backup
   C. It replaces the need for YARA rules
   D. It only works with cloud-based workloads

Post-Quiz — Section 4: Third-Party Security Integration

9. In the Cohesity-Microsoft Sentinel integration, what component serves as the data connector between Helios and Sentinel?

   A. A Cortex XSOAR playbook
   B. An Azure Function App
   C. A Cohesity SpanFS View
   D. A CrowdStrike Falcon sensor

10. What is the primary difference between SIEM and SOAR platforms in a security operations workflow?

   A. SIEM handles encryption while SOAR handles access control
   B. SIEM focuses on detection and analysis while SOAR automates the response
   C. SIEM is cloud-only while SOAR is on-premises only
   D. SIEM replaces SOAR in modern security architectures

11. Which tool does Cohesity support for creating custom threat detection rules to hunt for specific indicators of compromise in backup data?

   A. Sigma rules
   B. Snort signatures
   C. YARA rules
   D. Suricata patterns

12. Which Cohesity feature provides a "virtual air gap" by isolating backup copies in a separate Cohesity-managed environment?

   A. DataLock WORM
   B. Security Advisor
   C. FortKnox
   D. Quorum
