Data isolation is the practice of separating backup copies from production systems and networks so that a threat actor who compromises the primary environment cannot reach, modify, or destroy backup data. It is the last line of defense in a ransomware attack -- when every other control has failed, an isolated, immutable copy is what prevents catastrophic data loss.
Physical Air-Gap vs. Logical Air-Gap
Physical air gap means zero network connections between the backup environment and production systems. Data is stored miles away behind security boundaries. Recovery is slow and requires manual intervention such as physically transporting tapes or storage media.
Logical air gap keeps systems within the same network but uses encryption, role-based access control (RBAC), and multi-person authorization (quorum approval) to isolate data logically. The data remains accessible over the network, but layered security controls prevent unauthorized access.
```mermaid
flowchart LR
subgraph Physical["Physical Air Gap"]
direction TB
P1["Production Systems"]
P2["No Network Connection"]
P3["Isolated Backup Media\n(Tape / Portable Storage)"]
P1 -.->|"Manual Transport\n(Sneakernet)"| P2
P2 -.-> P3
end
subgraph Logical["Logical Air Gap"]
direction TB
L1["Production Systems"]
L2["Encryption + RBAC +\nQuorum Approval"]
L3["Backup Storage\n(Network-Accessible)"]
L1 -->|"Secured Network\nConnection"| L2
L2 --> L3
end
style Physical fill:#f9e2e2,stroke:#c0392b,color:#000
style Logical fill:#e2f0f9,stroke:#2980b9,color:#000
```
| Aspect | Physical Air Gap | Virtual Air Gap |
| --- | --- | --- |
| Cost | Higher (dedicated infrastructure, media handling) | Lower (shared infrastructure, automated) |
| Recovery Speed | Slow (manual retrieval required) | Fast (automated, network-based) |
| Management | Manual intervention required | Automated with temporary connectivity |
| Vulnerabilities | Human error, insider threats during transport | Network compromise risk (mitigated by encryption) |
| Best For | Maximum-security environments, regulatory mandates | Balancing security with recovery speed |
Network-Isolated Copies and Virtual Air Gaps
A virtual air gap simulates the protection of a physical air gap while maintaining the ability to recover data quickly over a network. It uses several technical layers:
- Network Segmentation: VLANs and SDN keep backup traffic on its own segments; data diodes (one-way communication gateways) ensure data flows in only one direction.
- Access Control: Firewalls enforce default-deny rules. MFA protects access points. RBAC and ABAC limit permissions to the minimum required.
- Data Protection: Data remains encrypted and immutable. Continuous AI/ML-powered monitoring detects anomalies in real time.
- Operational Isolation: Separate key management systems ensure compromise of one key hierarchy does not expose all data.
```mermaid
flowchart TB
Attacker["Threat Actor"] -->|"Blocked"| Layer1
subgraph VirtualAirGap["Virtual Air Gap - Layered Defenses"]
direction TB
Layer1["Network Segmentation\nVLANs / SDN / Data Diodes"]
Layer2["Access Controls\nFirewalls / MFA / RBAC / ABAC"]
Layer3["Data Protection\nEncryption / Immutability /\nAI-ML Anomaly Detection"]
Layer4["Operational Isolation\nSeparate Key Management Systems"]
Layer1 --> Layer2
Layer2 --> Layer3
Layer3 --> Layer4
end
Layer4 --> ProtectedData["Protected Backup Data"]
style Attacker fill:#e74c3c,stroke:#c0392b,color:#fff
style ProtectedData fill:#27ae60,stroke:#1e8449,color:#fff
style VirtualAirGap fill:#eaf2f8,stroke:#2c3e50,color:#000
```
Animation: FortKnox temporary connection cycle -- secure tunnel opens, data vaults, tunnel disconnects, air gap restores
Cohesity FortKnox as Managed Isolation
Cohesity FortKnox is a SaaS-based data isolation and recovery service that represents a modern approach to cyber vaulting. It maintains an immutable copy of data in a Cohesity-managed cloud vault behind a virtual air gap: a secure network connection is established only for vaulting and is cut off once the data has been transferred, so the vault is unreachable from the network for the vast majority of its operational life.
| Protection Layer | Mechanisms |
| --- | --- |
| Tamper Resistance | Immutability, WORM, data-at-rest and data-in-flight encryption, AWS Object Lock |
| Access Controls | RBAC, MFA, quorum requiring at least two authorized personnel |
| Anomaly Detection | Cohesity Helios ML intelligence detects possible ransomware attacks |
| Operational Isolation | Separate workflows for vaulting and recovering data |
| Network Isolation | Temporary secure connections that disconnect after data transfer |
```mermaid
sequenceDiagram
participant Source as Cohesity Cluster (Source)
participant Net as Secure Network Connection
participant Vault as FortKnox Cyber Vault
Note over Source,Vault: Normal State: Connection CLOSED (Air Gap Active)
Source->>Net: 1. Initiate vault session
Net->>Vault: 2. Establish secure TLS tunnel
Note over Net: Connection OPEN
Source->>Vault: 3. Transfer encrypted immutable snapshot
Vault->>Vault: 4. Apply WORM + AWS Object Lock
Vault->>Net: 5. Confirm receipt
Net--xSource: 6. Disconnect tunnel
Note over Source,Vault: Connection CLOSED (Air Gap Restored)
```
Isolation Tiers: Local, Remote, Cloud-Vaulted
A mature data protection strategy uses multiple isolation tiers to balance recovery speed against attack resistance:
| Tier | Location | Isolation Level | Recovery Speed | Use Case |
| --- | --- | --- | --- | --- |
| Tier 1: Local | On-cluster snapshots | Logical (RBAC, immutability) | Minutes | Operational recovery, accidental deletion |
| Tier 2: Remote | Replicated secondary cluster | Network segmentation, separate admin domain | Minutes to hours | Site-level disaster, localized ransomware |
| Tier 3: Cloud-Vaulted | CloudArchive to AWS/Azure/GCP | Encryption, separate credentials | Hours | Long-term retention, compliance archival |
| Tier 4: Cyber Vault | FortKnox managed vault | Virtual air gap, temporary connections, quorum | Hours to days | Ransomware recovery, catastrophic breach |
```mermaid
flowchart LR
Prod["Production\nSystems"] --> T1
T1 --> T2
T2 --> T3
T3 --> T4
T1["Tier 1: Local\nOn-Cluster Snapshots\nRTO: Minutes"]
T2["Tier 2: Remote\nReplicated Cluster\nRTO: Min-Hours"]
T3["Tier 3: Cloud-Vaulted\nCloudArchive\nRTO: Hours"]
T4["Tier 4: Cyber Vault\nFortKnox\nRTO: Hours-Days"]
style Prod fill:#e74c3c,stroke:#c0392b,color:#fff
style T1 fill:#f39c12,stroke:#e67e22,color:#000
style T2 fill:#f1c40f,stroke:#d4ac0f,color:#000
style T3 fill:#2ecc71,stroke:#27ae60,color:#000
style T4 fill:#27ae60,stroke:#1e8449,color:#fff
```
Key Points: Data Isolation Methods
- Physical air gaps offer maximum isolation but slow recovery; logical/virtual air gaps balance security with speed
- Virtual air gaps use network segmentation, encryption, MFA, RBAC, and data diodes
- FortKnox uses temporary connections -- the vault is unreachable from the network most of the time
- Four isolation tiers (local, remote, cloud-vaulted, cyber vault) provide increasing distance from production
Secure Replication Between Cohesity Clusters
Replication copies backup snapshots from a source Cohesity cluster to a target cluster, typically at a remote site. Key security considerations include:
- Encryption in transit: All replication traffic uses TLS encryption
- Separate administrative domains: Source and target clusters should be managed by different administrator accounts
- Network segmentation: Replication traffic should traverse dedicated network segments or encrypted VPN tunnels
- Independent RBAC: The target cluster enforces its own RBAC policies independently of the source
CloudArchive to AWS, Azure, and GCP
CloudArchive simplifies long-term data retention by enabling organizations to archive older local snapshots to cloud storage. Data is first backed up onto a Cohesity cluster, then copied to an External Target -- an abstraction of the cloud storage service registered within the cluster. Archival workflows operate through data protection policies that specify retention periods, RPO schedules, and target destinations.
```mermaid
flowchart LR
Sources["Data Sources\n(VMs, DBs, Files)"]
Cluster["Cohesity Cluster\n(Local Snapshots)"]
Policy["Data Protection\nPolicy\n(RPO / Retention)"]
ET["External Target\n(Abstraction Layer)"]
Sources --> Cluster
Cluster --> Policy
Policy --> ET
ET --> AWS["AWS S3 /\nS3-IA / Glacier"]
ET --> Azure["Azure Standard\nStorage"]
ET --> GCP["GCP Nearline\nStorage"]
ET --> S3C["S3-Compatible\nObject Store"]
subgraph Cloud["Cloud Storage Targets"]
AWS
Azure
GCP
S3C
end
style Cluster fill:#3498db,stroke:#2980b9,color:#fff
style Policy fill:#9b59b6,stroke:#8e44ad,color:#fff
style ET fill:#e67e22,stroke:#d35400,color:#fff
style Cloud fill:#eaf2f8,stroke:#2c3e50,color:#000
```
| Cloud Provider | Supported Storage Tiers |
| --- | --- |
| Amazon Web Services | S3, S3 Infrequent Access (S3-IA), Glacier |
| Google Cloud Platform | Nearline Storage |
| Microsoft Azure | Standard Storage |
| Private/S3-Compatible | Cleversafe, OpenStack Swift, Caringo Swarm, any S3-compliant store |
Replication Encryption and Access Controls
- AES 256-bit encryption for data-at-rest and data-in-flight, compliant with FIPS 140-2 Level-1
- HTTPS transport for all data-in-motion to cloud targets
- Different encryption keys across different cloud vaults, with key rotation that does not require full re-encryption
- Index metadata stored alongside archived datasets, enabling full cluster recovery even when the source cluster is lost
Animation: Data flowing from Cohesity cluster through encryption layer into multi-cloud archive targets
RPO and RTO Considerations
RPO (Recovery Point Objective) defines maximum acceptable data loss in time. RTO (Recovery Time Objective) defines maximum acceptable time to restore operations. These metrics directly influence isolation tier selection:
| Isolation Tier | Typical RPO | Typical RTO | Trade-off |
| --- | --- | --- | --- |
| Local snapshots | Minutes to hours | Minutes | Fast but vulnerable to site-level events |
| Replicated cluster | Hours | Minutes to hours | Good balance of protection and speed |
| CloudArchive (S3/Azure) | Daily to weekly | Hours | Cost-effective for compliance data |
| CloudArchive (Glacier) | Weekly to monthly | Hours to days | Lowest cost, longest retrieval |
| FortKnox cyber vault | Daily to weekly | Hours | Maximum isolation, moderate recovery time |
Worked Example: Healthcare Organization
A hospital protecting EHR systems under HIPAA might use: hourly immutable local snapshots (RPO: 1h, RTO: 15min), 4-hour replication to a DR site (RPO: 4h, RTO: 1h), daily CloudArchive to AWS S3 with 7-year retention (RPO: 24h, RTO: 4-8h), and weekly FortKnox vaulting with quorum access (RPO: 7d, RTO: 8-24h) solely for catastrophic ransomware recovery.
Key Points: Replication & CloudArchive
- Replication requires TLS encryption, separate admin domains, network segmentation, and independent RBAC
- CloudArchive uses External Targets as an abstraction layer supporting AWS, Azure, GCP, and S3-compatible stores
- All archive data uses AES-256 encryption with FIPS 140-2 compliance and per-vault encryption keys
- RPO/RTO requirements determine the right mix of isolation tiers
The 3-2-1-1 Backup Rule
The classic 3-2-1 rule mandates three copies of data, on two different media types, with one copy offsite. The 3-2-1-1 rule extends this by adding a critical fourth element for ransomware defense:
- 3 -- At least three copies of data
- 2 -- Stored on two different media types
- 1 -- One copy kept offsite or in the cloud
- 1 -- One copy that is air-gapped or immutable
Some organizations adopt 3-2-1-1-0, where the 0 represents zero errors via continuous monitoring and regular testing.
```mermaid
flowchart TB
Rule["3-2-1-1 Backup Rule"]
Rule --> Three["3 Copies of Data"]
Rule --> Two["2 Different Media Types"]
Rule --> OneOff["1 Copy Offsite"]
Rule --> OneAir["1 Copy Air-Gapped\nor Immutable"]
Three --> C1["Copy 1:\nProduction Data"]
Three --> C2["Copy 2:\nLocal Backup\n(Cohesity Cluster)"]
Three --> C3["Copy 3:\nOffsite Copy\n(Replicated / Archived)"]
Two --> M1["Media A:\nDisk-Based Storage"]
Two --> M2["Media B:\nCloud Object Storage"]
OneOff --> Off["CloudArchive to\nAWS / Azure / GCP"]
OneAir --> Air["FortKnox Cyber Vault\n(Immutable + Quorum)"]
style Rule fill:#2c3e50,stroke:#1a252f,color:#fff
style OneAir fill:#27ae60,stroke:#1e8449,color:#fff
style Air fill:#27ae60,stroke:#1e8449,color:#fff
```
Cohesity's implementation rests on three pillars:
- Immutability: Backup data cannot be modified or deleted. Cohesity provides immutable snapshots as a "gold copy."
- Platform Hardening: The backup platform itself is hardened so settings cannot be altered by unauthorized actors.
- Multi-Person Approval (Quorum): Critical changes require approval from multiple authorized personnel.
Tiered Protection Policies Based on Data Criticality
| Data Tier | Examples | Protection Policy | Isolation Level |
| --- | --- | --- | --- |
| Mission-Critical | Financial DBs, EHR, Active Directory | Hourly local + 4h replication + daily CloudArchive + weekly FortKnox | All four tiers |
| Business-Important | Email servers, file shares, CRM | Daily local + daily replication + weekly CloudArchive | Tiers 1-3 |
| Standard | Dev environments, test data | Daily local + weekly CloudArchive | Tiers 1, 3 |
| Archive | Historical records, completed projects | Weekly local + monthly CloudArchive to Glacier | Tiers 1, 3 (cold) |
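As an added example (not Cohesity code), the following Python models the hospital policy from the worked example and checks it against the 3-2-1-1 rule and three recovery objectives, showing that 3-2-1-1 compliance alone does not guarantee a usable source for a ransomware recovery objective. The Copy/Objective fields, the objective names, the "needs_air_gap" requirement, and the immutability flags for the replica and CloudArchive copies are assumptions.

```python
# Added example (not Cohesity code): checks a tiered protection policy against
# the 3-2-1-1 rule and a set of recovery objectives. Copy/Objective fields and
# the sample hospital policy are constructed; durations follow the example above.
from dataclasses import dataclass
from datetime import timedelta as td


@dataclass(frozen=True)
class Copy:
    name: str
    media: str          # constructed labels: "disk" or "cloud-object"
    offsite: bool
    immutable: bool     # WORM / Object Lock style write-once protection
    air_gapped: bool    # physical or virtual air gap
    rpo: td             # age of the newest restorable point, worst case
    rto: td             # time to restore from this copy, worst case


@dataclass(frozen=True)
class Objective:
    name: str
    rpo: td
    rto: td
    needs_offsite: bool = False   # site-level disaster scenarios
    needs_air_gap: bool = False   # ransomware / catastrophic breach scenarios


def check_3_2_1_1(copies: list[Copy]) -> dict[str, bool]:
    """One flag per element of the rule. Production data is copy 1 (as in the
    diagram above) and is counted implicitly; `copies` holds backup copies only."""
    return {
        "3_copies": len(copies) + 1 >= 3,
        "2_media": len({c.media for c in copies}) >= 2,
        "1_offsite": any(c.offsite for c in copies),
        "1_air_gapped_or_immutable": any(c.air_gapped or c.immutable for c in copies),
    }


def recovery_sources(copies: list[Copy], obj: Objective) -> list[str]:
    """Copies that satisfy an objective: RPO and RTO within bounds plus any
    isolation requirement. A copy that is fast enough but reachable from a
    compromised production network is not a valid ransomware recovery source."""
    return [c.name for c in copies
            if c.rpo <= obj.rpo and c.rto <= obj.rto
            and (c.offsite or not obj.needs_offsite)
            and (c.air_gapped or not obj.needs_air_gap)]


def uncovered(copies: list[Copy], objectives: list[Objective]) -> list[str]:
    """Objectives for which the policy offers no valid recovery source."""
    return [o.name for o in objectives if not recovery_sources(copies, o)]


# Constructed from the hospital example (worst case where a range is given).
# Immutability of the replica and S3 archive is not stated above; assumed False.
HOSPITAL_POLICY = [
    Copy("local-snapshots", "disk", False, True, False, td(hours=1), td(minutes=15)),
    Copy("dr-replica", "disk", True, False, False, td(hours=4), td(hours=1)),
    Copy("cloudarchive-s3", "cloud-object", True, False, False, td(hours=24), td(hours=8)),
    Copy("fortknox-vault", "cloud-object", True, True, True, td(days=7), td(hours=24)),
]
OBJECTIVES = [
    Objective("operational", td(hours=1), td(minutes=15)),
    Objective("site-disaster", td(hours=4), td(hours=1), needs_offsite=True),
    Objective("ransomware", td(days=7), td(hours=24), needs_air_gap=True),
]
```

Dropping the FortKnox copy leaves the 3-2-1-1 flags all true (the local snapshots are immutable) while the ransomware objective becomes uncovered, which is why the tiered policies above keep a separate air-gapped tier for that case.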
Testing Isolated Recovery Capabilities
A backup that cannot be restored is not a backup. Organizations must regularly test:
- Scheduled recovery drills: Quarterly or semi-annual restore tests from each tier, verifying data integrity and RTO targets
- FortKnox recovery validation: Test the full workflow including quorum approval under time pressure
- CloudArchive retrieval testing: Verify cold-tier retrieval (e.g., Glacier) meets acceptable timeframes
- Runbook documentation: Maintain step-by-step recovery procedures for each isolation tier
- Zero-error validation: Continuous monitoring to detect backup failures, incomplete snapshots, or replication lag
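As an added example that is not part of the original page, the following Python runs the zero-error checks listed above over constructed backup job records: failed jobs, incomplete snapshots, replication lag beyond the tier RPO, a missed schedule, and a vault session that was opened but never closed. The record format, field names, and per-tier RPO mapping are assumptions.

```python
# Added example (not Cohesity code): zero-error validation over backup job
# records. The "<timestamp> key=value ..." format, field names and sample lines
# are constructed; per-tier RPOs follow the hospital example above.
from datetime import datetime, timedelta, timezone

TIER_RPO = {  # worst-case RPO per isolation tier (constructed mapping)
    "local": timedelta(hours=1),
    "remote": timedelta(hours=4),
    "cloud": timedelta(hours=24),
    "vault": timedelta(days=7),
}

# Constructed sample records, one per job run; DEMO_NOW is the evaluation time.
SAMPLE_LOG = """\
2024-05-01T00:00:00Z tier=vault job=ehr-vault status=success session=open
2024-05-01T00:30:00Z tier=cloud job=ehr-archive status=failed error=AccessDenied
2024-05-01T01:00:05Z tier=local job=ehr-hourly status=success snapshot=complete
2024-05-01T02:00:07Z tier=local job=ehr-hourly status=success snapshot=partial
2024-05-01T04:10:00Z tier=remote job=ehr-replicate status=success lag_min=270
"""
DEMO_NOW = datetime(2024, 5, 1, 5, 0, tzinfo=timezone.utc)


def parse(line: str) -> dict:
    """Split one record into a dict; 'ts' becomes a timezone-aware datetime."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def validate(log: str, now: datetime) -> list[str]:
    """Return one finding per violated zero-error condition."""
    findings = []
    latest = {}            # (tier, job) -> timestamp of the newest usable run
    open_sessions = set()  # vault jobs whose tunnel opened but never closed
    for r in (parse(l) for l in log.splitlines() if l.strip()):
        key, job = (r["tier"], r["job"]), r["job"]
        if r["status"] != "success":
            findings.append(f"{job}: job failed ({r.get('error', 'no error code')})")
            continue
        if r.get("snapshot") == "partial":
            findings.append(f"{job}: incomplete snapshot at {r['ts'].isoformat()}")
            continue  # a partial snapshot is not a usable recovery point
        if "lag_min" in r and timedelta(minutes=int(r["lag_min"])) > TIER_RPO[r["tier"]]:
            findings.append(f"{job}: replication lag {r['lag_min']} min exceeds RPO")
        if r.get("session") == "open":
            open_sessions.add(key)
        elif r.get("session") == "closed":
            open_sessions.discard(key)
        latest[key] = max(latest.get(key, r["ts"]), r["ts"])
    # Missed schedules: the newest usable run must not be older than the tier RPO.
    for (tier, job), ts in latest.items():
        if now - ts > TIER_RPO[tier]:
            findings.append(f"{job}: last good run {ts.isoformat()} is older than RPO")
    for _, job in open_sessions:
        findings.append(f"{job}: vault session still open, air gap not restored")
    return findings
```

Against the sample records at DEMO_NOW this yields five findings; the local tier is flagged as stale because its only complete snapshot is from 01:00 and the 02:00 partial one is not counted as a recovery point.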
Key Points: Data Protection Strategy
- The 3-2-1-1 rule adds an air-gapped or immutable copy to the classic 3-2-1 model
- Cohesity's three pillars: immutability, platform hardening, and quorum approval
- Tiered policies match data criticality to appropriate isolation levels
- Regular testing (recovery drills, runbooks, zero-error monitoring) validates that backups actually work
Cross-Domain Security Scenarios
The COH350 exam tests your ability to connect concepts across domains. Questions present scenarios requiring integrated knowledge. Example integration patterns:
- Ransomware Response: Combines monitoring/threat detection (DataHawk anomaly detection), incident response (clean room recovery), data isolation (FortKnox vault recovery), and access control (quorum approval for vault access)
- Compliance Audit: Spans system hardening (WORM, encryption), compliance (HIPAA/GDPR mapping), authentication (MFA/SSO evidence), and audit logging (compliance-grade trails)
- Secure Architecture Design: Involves network security (VLAN segmentation, TLS, firewalls), data isolation (tiered isolation, CloudArchive), and access control (multi-tenancy, RBAC)
Lab Recommendations
| Lab Exercise | Domains Covered | Key Skills |
| --- | --- | --- |
| Configure protection policy with local, replication, and archival targets | Data Isolation, Replication | Policy creation, External Target setup, RPO/RTO alignment |
| Set up FortKnox vaulting and test recovery | Data Isolation, Incident Response | Vault config, quorum approval, recovery validation |
| Enable and test MFA for cluster access | Authentication | MFA configuration, emergency access procedures |
| Create custom RBAC roles with least-privilege | Access Control | Role creation, permission scoping, tenant isolation |
| Run Security Advisor and remediate findings | System Hardening, Compliance | Security posture scoring, CIS benchmark alignment |
Per-Domain Study Priorities
| Domain | Critical Topics | Priority |
| --- | --- | --- |
| Network Security (Ch. 2) | TLS encryption, VLAN segmentation, firewall ports, IP allowlisting | Medium-High |
| System Hardening (Ch. 3-4) | WORM/DataLock, AES-256, KMS/KMIP, SSH restriction, Security Advisor | High |
| Security Assessment (Ch. 5) | GDPR/HIPAA mapping, legal holds, Zero Trust, SIEM/SOAR | Medium |
| Authentication (Ch. 6) | MFA (TOTP, push), SAML 2.0/OIDC SSO, AD/LDAP integration | Medium-High |
| Access Control (Ch. 7) | RBAC roles, multi-tenancy (Organizations), quorum groups | High |
| Monitoring (Ch. 8) | Audit logging, syslog, DataHawk, anomaly detection, IOC scanning | Medium-High |
| IR & Data Mgmt (Ch. 9-10) | Clean room recovery, FortKnox, 3-2-1-1, CloudArchive, isolation tiers | High |
Certification Maintenance
- Stay current with Cohesity platform updates (e.g., FortKnox expanding to Google Cloud)
- Monitor evolving ransomware techniques and their impact on data protection strategies
- Participate in Cohesity community forums and partner training
- Review updated security white papers and best practice guides
- Consider complementary certifications (AWS Security Specialty, Azure Security Engineer)
Key Points: Exam Preparation
- COH350 tests scenario-based reasoning across all seven domains, not isolated facts
- Focus on high-weight domains: System Hardening, Access Control, IR & Data Management
- Practice hands-on labs and develop cross-domain thinking for each concept
- Know Cohesity defaults -- what is enabled vs. requires explicit configuration
1. What is the defining characteristic of a physical air gap?
   - Data is encrypted with AES-256 at rest
   - Backup copies require quorum approval to access
   - There is zero network connectivity between production and backup systems
   - VLANs segment traffic between production and backup
2. Which Cohesity service provides SaaS-based data isolation with a temporary connection model?
   - CloudArchive
   - DataHawk
   - FortKnox
   - Helios
3. In the 3-2-1-1 backup rule, what does the final "1" represent?
   - One copy stored in the cloud
   - One copy that is air-gapped or immutable
   - One copy tested quarterly
   - One copy encrypted with a customer-managed key
4. What encryption standard does Cohesity use for CloudArchive data at rest and in flight?
   - AES-128 with FIPS 140-1
   - RSA-2048 with TLS 1.2
   - AES-256 with FIPS 140-2 Level-1
   - ChaCha20 with FIPS 140-3
5. Which isolation tier provides the fastest RTO but the least attack resistance?
   - FortKnox cyber vault
   - CloudArchive to Glacier
   - Replicated secondary cluster
   - Local on-cluster immutable snapshots
6. What mechanism does FortKnox use to prevent a single administrator from accessing vault data?
   - Data diodes that enforce one-way communication
   - Quorum approval requiring at least two authorized personnel
   - Physical key cards stored in separate locations
   - Time-delayed access with 72-hour waiting period
7. In Cohesity's CloudArchive architecture, what is an "External Target"?
   - A physical tape library connected to the cluster
   - An abstraction of a cloud storage service registered within the Cohesity cluster
   - A secondary Cohesity cluster used for replication
   - A firewall rule allowing outbound archive traffic
8. Why should source and target Cohesity clusters use different administrator accounts for replication?
   - To reduce licensing costs for multi-cluster deployments
   - To improve replication throughput by reducing authentication overhead
   - So that compromise of one cluster's credentials does not automatically grant access to the other
   - To comply with Cohesity's multi-tenancy requirements
9. Which three pillars form Cohesity's implementation of the 3-2-1-1 strategy?
   - Encryption, compression, and deduplication
   - Immutability, platform hardening, and multi-person approval (quorum)
   - Replication, archival, and instant recovery
   - RBAC, MFA, and SAML SSO
10. A hospital needs to protect EHR data with an RPO of 1 hour for operational recovery and a 7-day RPO for catastrophic ransomware recovery. Which tier combination is most appropriate?
    - Daily CloudArchive only
    - Hourly local snapshots (Tier 1) combined with weekly FortKnox vaulting (Tier 4)
    - Physical air gap with tape rotation
    - Replicated cluster with 24-hour RPO
11. What is the primary advantage of CloudArchive's External Target abstraction layer?
    - It eliminates the need for encryption during archival
    - It enables flexible multi-cloud deployments with different RPO and retention per vault
    - It converts cloud storage into block-level storage for faster recovery
    - It replaces the need for data protection policies
12. During a COH350 exam scenario about ransomware response, which combination of domains would you need to integrate?
    - Network Security and Compliance only
    - Authentication and System Hardening only
    - Monitoring/threat detection, incident response, data isolation, and access control
    - CloudArchive and replication configuration only
13. What does the "0" represent in the extended 3-2-1-1-0 backup rule?
    - Zero copies stored on-premises
    - Zero network connections to the backup vault
    - Zero errors achieved through continuous monitoring and regular testing
    - Zero retention period for temporary snapshots
14. How does FortKnox maintain its virtual air gap during normal operations?
    - By encrypting all data with customer-managed keys
    - By using data diodes that block all inbound traffic
    - By establishing temporary secure connections that disconnect after data transfer completes
    - By requiring physical access to a dedicated hardware appliance
15. Which COH350 exam domains are rated "High" priority for study time allocation?
    - Network Security, Authentication, and Compliance
    - System Hardening, Access Control, and Incident Response/Data Management
    - Monitoring, Authentication, and Network Security
    - Compliance, Monitoring, and CloudArchive