Cohesity’s next-gen data management platform supports intelligent IT operations to unlock data value for operational efficiency and innovation. The Cohesity threat defense architecture provides extensive safeguards to detect and thwart cyberattacks.
Cohesity maintains rigorous product security standards and verifies their adoption across every phase of its product lifecycle. Cohesity follows industry best practices, and through these security practices, together with the security features and functionality built into its products, Cohesity delivers secure, highly functional products and services to its customers.
Cohesity follows fundamental security principles including but not limited to: secure by default, secure failure, and secure implementations of cryptographic algorithms. To ensure the targeted security posture, compliance, and certification of its products as new features are developed, Cohesity aligns the product design with current security best practices.
Development teams at Cohesity engage with a dedicated Product Security team during the design and planning stages of the development lifecycle. Cohesity's Product Security team makes recommendations for the adoption of secure design patterns, performs threat modeling, defines applicable security standards, and sets security requirements.
Cohesity has adopted the STRIDE framework in its design practices to meet security objectives in design and reduce risk, including the identification of threats, attacks, vulnerabilities, and countermeasures that could affect an application or system. Cohesity regularly updates the product threat model based on new features and changes in threats.
Cohesity’s Product Security, Information Security, and product management teams define applicable security standards and mandate security requirements across Cohesity’s entire product and service portfolio.
Cohesity’s platform and infrastructure are regularly subjected to security testing and hardening. The OS and components are specifically configured to meet security hardening requirements, including Center for Internet Security (CIS) benchmarks and US Department of Defense Security Technical Implementation Guide (STIG) configuration standards.
Cohesity conducts static and binary source code analysis to ensure security hygiene in the application.
Dynamic application security testing scanners are integrated into the Cohesity development pipeline to scan all significant development branches. Any vulnerabilities found are mitigated per the vulnerability management policy.
Cohesity performs regular scanning of Cohesity-developed and third-party code and binaries in its repositories to identify usage of open source software (OSS). Both identified security vulnerabilities as well as incorrect usage of OSS are remediated as per Cohesity’s policies.
Cohesity conducts internal penetration testing continuously using various automated techniques integrated into the release cycle. Cohesity also conducts regular external third-party penetration testing. Vulnerabilities found in penetration testing are mitigated per Cohesity’s vulnerability management policy.
Cohesity performs regular vulnerability assessments across its products and internal operations environments. Vulnerability discovery is conducted regularly, and results are fed back into the development and deployment processes to remediate risks. Cohesity remediates vulnerabilities per its vulnerability management policy.
All third-party components integrated into the Cohesity code base, including (but not limited to) open source and commercially licensed packages, source code, binaries, libraries, and OEM firmware, are tested regularly for vulnerabilities and other security risks. Risk mitigation practices and third-party vulnerability patching follow Cohesity’s vulnerability management policy.
Engineering infrastructure tools are kept up-to-date with security protections configured. Security checks and options for the compilers and linkers are enforced.
Cohesity employs multiple controls and practices to ensure the integrity of customer data and the security of apps within the Cohesity Marketplace. These controls include:
Cohesity aligns to industry-standard frameworks for vulnerability management, secure product development lifecycle management, and incident response.
Cohesity rates and prioritizes confirmed vulnerabilities using Common Vulnerability Scoring System (CVSS) version 3. Cohesity will assign a Common Vulnerabilities and Exposures (CVE) identifier to confirmed security vulnerabilities.
Cohesity follows a secure product development lifecycle to deliver and maintain security throughout each product’s lifecycle. Cohesity applies the following six practices:
Cohesity implements a security incident response program designed to quickly and effectively detect, respond to, and recover from security incidents and events. Security events are reported to the Information Security office where issues are tracked and monitored until resolved. On-call response teams manage security and availability events through regularly tested response playbooks and procedures.
Cohesity employs a product incident response plan that supports analysis, mitigation, and remediation of vulnerabilities in its products. The plan also covers responsible disclosure from third-party researchers and customers.
Cohesity provides its developers, architects, development managers, release managers, QA engineers, and product managers with security training and resources to incorporate security practices throughout the product development lifecycle. Cohesity conducts quarterly secure coding training covering security best practices in product development that is mandatory for all engineers.
Cohesity follows industry best practices to discover, investigate, and address vulnerabilities through the product lifecycle using a risk-based approach. Cohesity's dedicated Product Security team promptly investigates and responds to all reports of potential security vulnerabilities, and Cohesity's product incident response plan supports analysis, mitigation, and remediation of vulnerabilities in its products. The plan also covers responsible disclosure processes when issues are reported by third-party researchers, customers, or partners.
Cohesity rates and prioritizes confirmed vulnerabilities using Common Vulnerability Scoring System (CVSS) version 3 and maintains response SLAs for each severity class.
Identified vulnerabilities are remediated on a timeframe based on their criticality and impact (as per Cohesity’s vulnerability management policy).
Cohesity will assign a Common Vulnerabilities and Exposures (CVE) identifier to confirmed security vulnerabilities.
Vulnerabilities identified in all supported product versions will be resolved as per Cohesity’s vulnerability management policy.
At a minimum, major, minor, and long-term support (LTS) releases of Cohesity products will incorporate cumulative vulnerability fixes from previous releases.
Cohesity may periodically expedite maintenance releases or patches of supported versions of its products faster than the established SLA in Cohesity’s vulnerability management policy for critical risk, high-impact vulnerabilities.
Cohesity will proactively inform customers of vulnerabilities via Support Portal alerts, emails, and/or Field Notices. Knowledgebase articles are published to document the impact of specific vulnerabilities and outline any required actions.
Customers, partners, and third-party researchers may report vulnerabilities in Cohesity products and services by contacting Cohesity Security.
Cohesity maintains rigorous security, privacy, and resiliency standards for its Cohesity-managed cloud services and software as a service (SaaS) offerings. Learn about the key practices that Cohesity follows to keep the Helios platform, services, and customer data secure and available at all times.
Customers may administer the cloud-based Helios platform that provides centralized management and analytics for customers’ self-managed products and services (Helios management service).
Depending on the Cohesity product or service deployed, usage of the Helios management service will be either mandatory or optional for the customer.
The Helios management service, operated by Cohesity, provides customers with centralized management and analytics of their self-managed Cohesity products and Cohesity-managed data management services. It is not mandatory for customers to register self-managed products with the Helios management service.
If customers do opt to register, the customer’s products will communicate with the Helios management service to send the product telemetry necessary to deliver the service and to enable cloud-based centralized management and analytics. For more details about the Helios management service, please refer to the Helios SaaS Security Brief found on the Cohesity documentation portal.
Cohesity-managed data management services are a family of SaaS offerings that allows customers to store, manage, and secure their data in Cohesity’s cloud-based infrastructure. Customers must manage these services through the Helios management service. Cohesity’s data management services are available to customers on a subscription basis.
As part of some Cohesity data management services, Cohesity may require customers to deploy the Helios SaaS connector. This SaaS connector is an on-premises VM deployed in the customer data center and establishes a secure channel for connecting on-premises data sources with Cohesity’s data management services.
The Helios environments are logically segregated, with the management service and the data management services isolated from one another.
The Cohesity-managed Helios services are natively multitenant, where each tenant is implemented as a unique organization. Organizations are logically segregated and the organization’s resources, such as data, policies, administrators, etc. are restricted to the organization to which they belong.
Dedicated tenant data repositories ensure customer data is isolated from other customers.
Cohesity ensures logical security by deploying access control based on Zero Trust principles to prevent unauthorized access or compromise of its cloud infrastructure, including the Helios management service and Cohesity-managed data management services.
The Helios management service provides customers a broad set of controls to manage user accounts and their assigned access in accordance with strong security standards and their own security policy. In every tenant organization, an admin user manages the other users in that organization. Organization admins can add and manage users through role-based access controls (RBAC). The principles of least privilege and separation of duties can be applied through fine-grained control over standard and custom-defined roles. Tenant admins can also integrate the Helios management service with existing identity providers. This enables each organization to apply its specific authentication controls for password policy, multifactor authentication (MFA), and more.
Cohesity maintains a highly restrictive approach to internal access to Helios management services. Access is granted on a strict need-to-know basis related to the job responsibility for managing and maintaining the system. Cohesity adheres to the principles of least privilege and separation of duties, and applies internal access and authorization controls. Before a user can log in to a particular role, they must meet established qualification criteria and obtain documented management approval in every case. A unique user ID and multifactor authentication are required for all Cohesity users.
For the Helios management service, each tenant's data and metadata are logically segregated and isolated from that belonging to other tenants. For the Cohesity-managed data management services, unique storage repositories are allocated to each tenant, ensuring that content from one tenant is never shareable with or accessible by other tenants.
The Helios management service maintains an availability rate of 99.9% (three 9s), not inclusive of scheduled or emergency maintenance windows. Helios data management services rely on the Amazon Web Services (AWS) S3 service in customer-defined regions spanning a minimum of three availability zones, each separated by many miles within the same AWS region. The AWS S3 service guarantees 99.999999999% (eleven 9s) of data durability. In the event of a disaster scenario, the Helios management service can recreate the data stored in the data management service using just the data stored in S3.
All customer data—both metadata in the Helios management service and data in the data management services themselves—is encrypted at rest and in flight using strong, industry-standard encryption algorithms, and protocols.
All customer data flowing to and from the Helios management service and data management services is encrypted in flight to ensure confidentiality and to prevent unauthorized disclosure or modification. Cohesity utilizes the TLS 1.2 and mTLS protocols for transport layer security with only FIPS-approved cipher suites with Perfect Forward Secrecy (PFS) protection.
All customer data in the Helios management service and data management services is encrypted at rest using AES-256 encryption. All encryption keys are securely stored in an external key management system (KMS). Additionally, customers using a Cohesity-managed data management service have multiple options for securely managing their encryption keys—either relying on Cohesity’s managed Key Management Service (KMS) or managing their own keys via Amazon Web Services KMS.
Cohesity has several measures in place to address distributed denial of service (DDoS), intrusions, and malware attacks. These safeguards are built into the monitoring infrastructure that we have implemented to manage the Helios environment. Cohesity uses firewalls to monitor connections constantly and detect anomalies. As anomalies are detected, Cohesity blocks and evaluates the connection into the Helios control plane environment. The servers, containers, and infrastructure within the Helios control plane environment are monitored for vulnerabilities, with remediation occurring on a regular basis.
Cohesity’s Helios management service and data management services are hosted in Amazon Web Services (AWS). For more information about AWS data center security controls, please visit https://aws.amazon.com/compliance/data-center/controls/.
Cohesity maintains a business continuity plan covering business operations and disaster recovery response. We regularly assess risks to the business and apply appropriate treatment plans to bring risks within acceptable levels. The plan identifies critical business processes, documents threats that could cause business disruption, and addresses recovering connectivity and supporting systems to ensure Cohesity’s obligations to its customers can be met.
Cohesity has a threat and vulnerability management program to continuously monitor for vulnerabilities that are acknowledged by vendors, reported by researchers or discovered internally through vulnerability scans, penetration testing or identification by Cohesity personnel. Threats are ranked based on severity level and assigned for remediation as needed.
Helios implements continuous monitoring for both the security and availability of the service.
Monitoring is a function of every service, with key performance indicators and metrics built in from the start. Dashboards and metrics are tracked by the monitoring and response teams. Alerts are designed in the development process. Alerts are reviewed by the cloud operations team and the development teams to ensure that thresholds are set and monitored while deploying to production.
Cohesity's corporate security practices demonstrate our commitment to ensuring the security, safety, and compliance of Cohesity and customer assets. Cohesity takes the security of our customers’ information very seriously, and the execution of the controls outlined here demonstrates how we establish trust with our customers, partners, and others.
Led by Cohesity's CISO and overseen by the Cohesity Security Council, Cohesity Information Security is a dedicated team of professionals with the mission of ensuring the security, safety, and compliance of Cohesity systems, processes, data, and personnel as well as the assets entrusted to us by our customers.
Cohesity's Information Security policy suite covers the organization, its personnel, and information assets. The policies are aligned with industry standards and include domains such as security organization, acceptable use of assets, access controls, and information classification and handling. Policies are reviewed regularly by Cohesity Information Security and updated as appropriate.
Cohesity Information Security is responsible for establishing information security training requirements and ensuring that all personnel complete training and understand their responsibilities. Information security training is built into our new-hire onboarding experience and annual retraining is required. Training is augmented with regular presentations, communications, and learning sessions on particular topics. Where appropriate, business units will receive specialized training for their roles and job responsibilities, such as members of the engineering team receiving regular training covering security principles and secure development practices.
Cohesity leverages a Cyber Risk Management Program to identify, prioritize, and manage risks to its IT assets, including system infrastructure, networks, endpoints, data, and intellectual property. Through its Cyber Risk Management Program, Cohesity identifies internal and external cyber risks, the likelihood of them occurring, and their potential impact. Cohesity collaborates with risk owners to mitigate and remediate risks, in accordance with Cohesity’s risk appetite.
Cohesity’s Vendor Risk Management Program reviews and validates the security posture of its third-party vendors prior to onboarding and conducts follow-up assessments in accordance with the established vendor tier. Cohesity manages and monitors vendor security risks through its risk management program in alignment with Cohesity’s security posture, customer commitments, and applicable regulatory requirements.
Cohesity Information Security maintains a Vulnerability Management Program which identifies and partners with control owners to remediate vulnerabilities to help reduce threats to Cohesity’s products and infrastructure. In addition, penetration testing is conducted against applicable Cohesity assets, and remediation is prioritized to optimize Cohesity’s security posture.
Cohesity Information Security maintains an Incident Management Policy with procedures that provide the structure and guidance for our response operations. The incident response procedures of this policy provide the steps to be followed by Cohesity personnel to ensure the quick detection of security events and vulnerabilities as well as to promote rapid response to security incidents, including identifying, assessing, containing, mitigating, and recovering from incidents.
Upon employment, background checks are conducted. Personnel also receive and acknowledge the company Code of Conduct, policies, and non-disclosure agreements.
Cohesity office locations are physically secured with guards or lobby personnel. Badged access controls are centrally managed and maintained. Access to secured areas requires escalated privileges. Camera systems are in place. All locations have 24x7x365 gated and guarded entry, employ camera and lighting systems, and require badged access for named individuals. Cohesity is SOC 2 certified, and the SOC 2 report can be provided upon request.
Cohesity follows personal data confidentiality guidelines and processes personal data in accordance with applicable data protection laws and regulations. All personal data remains the property of the customer. Information on Cohesity’s security compliance and certifications can be found here. Moreover, our Data Processing Addendum (available at www.cohesity.com/agreements) specifies numerous legal, technical, and organizational protections which apply to our customers where applicable.
Our privacy policy is available at www.cohesity.com/agreements.
Cohesity may process personal data outside of the European Economic Area (EEA). An example of this processing may be the provision of 24/7 support services if the customer chooses to share personal data with Cohesity. The legal mechanisms used to allow for such data transfers are the standard contractual clauses (SCC), as further detailed in Cohesity’s Data Processing Addendum available at www.cohesity.com/agreements.
Cohesity currently has support centers in the USA, Ireland, India, Canada, and Japan.
Cross-border data transfers are addressed in detail in our Data Processing Addendum available at www.cohesity.com/agreements.
Cohesity processes personal data in accordance with all applicable data protection laws and regulations, including laws and regulations of the European Union (GDPR), the European Economic Area and their member states, Switzerland and the United Kingdom, the California Consumer Privacy Act (CCPA), and the Personal Information Protection and Electronic Documents Act (Canada) in each case as and to the extent applicable to Cohesity as a matter of law with respect to the processing of personal data. More information may be found in our Data Processing Addendum available at www.cohesity.com/agreements.
Under applicable data protection laws and regulations, such as the GDPR, when a customer uses Cohesity’s products and services and shares personal data with Cohesity, the customer is generally considered the data controller and appoints Cohesity to act as a data processor.
California Consumer Privacy Act (CCPA) compliance is addressed in detail in our Data Processing Addendum available at www.cohesity.com/agreements.
Cohesity’s Data Processing Addendum is available at www.cohesity.com/agreements. It applies automatically to all customers using Helios SaaS and is incorporated into Cohesity’s Helios SaaS Terms of Service (also available at www.cohesity.com/agreements). If a customer believes that the Data Processing Addendum should apply to other activities, please contact Cohesity Legal.
Cohesity maintains a comprehensive security certification program designed to protect our customers’ data confidentiality, integrity, and availability in accordance with industry, US government, and international standards. Cohesity's products and services have also been certified by independent third-party auditors to meet various security standards.
The Cohesity Helios SaaS platform undergoes annual Service Organization Controls 2 (SOC 2) Type II audits to evaluate its information security system controls as they relate to the security, availability, and confidentiality of the Trust Services Criteria.
Cohesity's products and services adhere to the security benchmarks and requirements that are aligned with Health Insurance Portability and Accountability Act (HIPAA) guidelines.
Cohesity complies with the Trade Agreements Act (TAA) and hardware ships from San Jose, California. Cohesity white label systems are manufactured and assembled in designated countries that are TAA-compliant.
Cohesity complies with Section 889 of the National Defense Authorization Act of 2019.
The Cohesity platform has been certified by the Defense Information Systems Agency (DISA), an agency within the US Department of Defense (DoD), for inclusion on the DoD Information Network (DoDIN) Approved Products List (APL). The DoDIN APL is a single, consolidated list of products that have met stringent cybersecurity and interoperation certification requirements for deployment on DoD networks.
FedRAMP is a government-wide program that promotes the adoption of secure cloud services across the federal government by providing a standardized approach to security and risk assessment for cloud technologies and federal agencies.
Cohesity is FedRAMP Moderate Authorized.
StateRAMP is a registered 501(c)(6) nonprofit membership organization comprised of service providers offering IaaS, PaaS, and/or SaaS solutions, third-party assessment organizations, and government officials. Founded in 2020, StateRAMP was born from the clear need for a standardized approach to the cybersecurity standards required from service providers offering solutions to state and local governments.
Cohesity is StateRAMP Authorized.
Cohesity maintains ATOs for its products to operate within highly classified US Department of Defense (DoD) agency networks, US Department of Energy (DoE) networks, and US intelligence community networks. Security Technical Implementation Guides (STIG) are available for Cohesity products for deployment on DoD Top Secret networks.
The Cohesity platform is Common Criteria certified at EAL2+ ALC_FLR.1. Common Criteria for Information Technology Security Evaluation (referred to as Common Criteria) is an international standard (ISO/IEC 15408) for computer security certification.
More details can be found here.
The cryptographic module employed within Cohesity's products has been validated by the United States National Institute of Standards and Technology (NIST) at the Federal Information Processing Standards (FIPS) 140-2 Level 1 standard. FIPS 140-2 is a US government standard for cryptographic modules providing assurances that the module design and implementation of cryptographic algorithms are secure and correct.
More details can be found here.
The Cohesity platform has been certified by the University of New Hampshire-InterOperability Lab (UNH-IOL) as USGv6 compliant as part of the USGv6 test program.
More details can be found at https://www.iol.unh.edu/registry/usgv6-2008?name=cohesity.
The Cohesity platform has built-in support for write-once, read-many (WORM) functionality. Its WORM implementation has been assessed as compliant with SEC 17a-4(f), FINRA Rule 4511(c), and CFTC Regulation 1.31(c)-(d) rules by Cohasset Associates.
More details can be found here.
The following resources provide Cohesity customers and partners with more details about Cohesity's security and privacy practices across its products and services.
Cohesity offers a Data Processing Addendum (DPA) for customer GDPR or CCPA compliance needs.
Cohesity may use third parties as (sub)processors of personal data in order to provide our services.
The Cohesity documentation portal may be accessed from MyCohesity.
The Helios SaaS Security Brief may be found on the Cohesity documentation portal.
The DataPlatform Security white paper may be found on the Cohesity documentation portal.
The DataPlatform Security Hardening Guide may be found on the Cohesity documentation portal.
The Cohesity Ransomware Protection – Prepare and Recover white paper may be found on the Cohesity documentation portal.