Security Backup Security Cohesity

Architecture Overview

Cohesity uses a scale-out hyperconverged architecture combining compute, storage, and networking in a single platform.

Core components (see references/architecture.md for detail):

• Cohesity cluster: Physical or virtual nodes running SpanFS
• SpanFS: Distributed filesystem for backup data
• DataLock: WORM policy for immutable snapshots
• FortKnox: SaaS-based cyber vault
• DataHawk: Threat intelligence, classification, and anomaly detection module
• Helios: SaaS management plane (like Rubrik Security Cloud)

SpanFS and Immutability

SpanFS is Cohesity's distributed filesystem, purpose-built for backup data.

SpanFS characteristics:

• Distributed across all cluster nodes
• Erasure coding (no single point of failure)
• Built-in inline deduplication and compression
• No external NFS/SMB access to raw backup data (operations go through Cohesity API)

DataLock WORM

DataLock provides snapshot-level immutability for protection policies.

Configuration: Data Management > Protection Policies > [Policy] > DataLock Settings

• Compliance mode: No one (including cluster admin) can delete snapshots before retention expires. Cluster firmware enforces immutability.
• Enterprise mode: Cluster admin can override (use only for testing environments)

Setting DataLock in a protection policy:

1. Create or edit a protection policy
2. Enable DataLock for the relevant retention tier (daily, weekly, monthly, yearly)
3. Set retention period
4. Apply policy to protection groups

Immutability scope:

• DataLock applies to individual snapshots within the policy
• Once DataLock period is set and snapshot is created, the retention cannot be shortened
• Even a factory reset of the cluster hardware does not bypass DataLock in compliance mode

Key consideration: Plan retention periods carefully. DataLock compliance mode means you cannot shorten retention even for legitimate reasons (e.g., GDPR deletion requests). Use DataLock only for tiers where fixed retention is acceptable.

Protection Policies and Groups

Protection Policies

A protection policy defines:

• Backup frequency (every X hours/days)
• Retention per tier (daily/weekly/monthly/yearly)
• DataLock settings per tier
• Replication target and retention
• Archival target and retention
• Quiesce options (VMware snapshot, VSS for Windows)

Protection Groups

Protection groups are collections of sources (VMs, databases, file shares) assigned to a protection policy.

Supported source types:

• VMware vSphere VMs
• Nutanix AHV VMs
• Physical Windows/Linux servers
• NAS (SMB, NFS)
• SQL Server
• Oracle
• Pure Storage, NetApp (snapshot integration)
• Microsoft 365
• Kubernetes
• AWS, Azure (cloud-native)

Intelligent assignment:

• Assign at vSphere datacenter/cluster level (new VMs auto-protected)
• Auto-discovery and auto-protection based on VM tags
• Policy inheritance from vSphere container objects

FortKnox Cyber Vault

FortKnox is Cohesity's SaaS-based cyber vault -- a geographically and logically isolated copy of backup data managed by Cohesity.

How FortKnox Works

1. Customer Cohesity cluster replicates data to FortKnox over HTTPS
2. FortKnox stores data in Cohesity-managed cloud infrastructure (AWS)
3. Vault data is isolated: production credentials cannot access FortKnox directly
4. DataLock (WORM) immutability enforced in FortKnox automatically
5. In a recovery scenario, data can be recovered from FortKnox to any target (on-premises or cloud)

FortKnox vs. Simple Cloud Archival

FortKnox Configuration

Data Management > Vaults > Create Vault > FortKnox

1. Connect Helios to FortKnox service
2. Define replication schedule (how often to replicate to FortKnox)
3. Set retention period (DataLock enforced automatically)
4. Assign protection groups or specific policies to replicate to FortKnox

Recovery from FortKnox

• Recover to original on-premises Cohesity cluster
• Recover to a different Cohesity cluster (DR site)
• Recover directly to cloud (AWS/Azure compute)
• Recover to isolated cleanroom environment (FortKnox Isolated Recovery Environment -- IRE)

FortKnox Isolated Recovery Environment (IRE):

• Cohesity provisions an isolated AWS VPC
• Restored VMs run in complete isolation from production
• Used for ransomware forensics, recovery testing, clean restoration before reconnecting to production

DataHawk

DataHawk is Cohesity's security intelligence module, combining threat detection, data classification, and ransomware scanning.

DataHawk Components

1. Anomaly Detection:

• Analyzes snapshot-over-snapshot changes
• Detects: file entropy spikes, deletion bursts, extension changes, compression ratio changes (encrypted files have low compression)
• Alerts: Email, Syslog, SIEM webhook, Helios dashboard

2. Data Classification:

• Scans backup data for sensitive information
• Built-in policies: PII, PHI, PCI, financial data, credentials
• Custom regex patterns
• Results: Which VMs/shares contain classified data, trend over time

3. CyberScan:

• Scans backup snapshots for vulnerabilities and malware
• Vulnerability scanning: Detects known CVEs in OS and application packages within backups
• Malware scanning: File-level signature-based detection
• YARA rules: Custom pattern matching

DataHawk Workflow

Ransomware scenario:

1. Anomaly detection fires on VM "fileserver01" -- high entropy delta in last snapshot
2. Navigate to Security > DataHawk > Anomalies > [Alert]
3. Review: 40% of files changed extension, entropy increased significantly
4. Use DataHawk "Find Clean Snapshot" to identify last snapshot before anomaly began
5. Launch CyberScan on the identified clean snapshot to confirm no malware
6. Initiate recovery from verified clean snapshot

Instant Mass Restore

Cohesity can restore hundreds of VMs simultaneously -- a critical capability for large-scale ransomware recovery.

How Instant Mass Restore Works

1. Select multiple VMs (hundreds supported) for simultaneous recovery
2. Cohesity uses SpanFS instant recovery (VMs boot directly from Cohesity storage -- no data movement required initially)
3. VMs run on Cohesity cluster storage while background migration transfers to production storage
4. Background migration prioritizes VMs in use; completes without downtime

Performance:

• Time to first VM boot: seconds per VM (limited by VMware registration, not data transfer)
• Concurrent VM boots: Limited by vSphere/compute capacity, not Cohesity
• Throughput to production storage: Limited by network and target storage bandwidth

Recovery Targeting

Recovery options:

• Original location: Overwrite production (use for confirmed-clean data)
• New location: Different cluster, different datastore, different network (use for testing)
• Cloud: AWS/Azure (requires cloud connector)
• Isolated environment: FortKnox IRE for cleanroom recovery

Helios SaaS Management Plane

Helios is Cohesity's cloud-based management platform (equivalent to Rubrik Security Cloud).

Capabilities:

• Multi-cluster visibility and management
• DataHawk dashboards (anomalies, classification results, scan history)
• Global protection policy management
• Compliance reporting across all clusters
• FortKnox vault management
• API access (Helios REST API + GraphQL)

Security:

• SSO via SAML 2.0 (Azure AD, Okta, etc.)
• MFA required
• Role-based access control
• Audit log with immutable history

SmartFiles

SmartFiles turns Cohesity backup storage into a file services platform (NAS on top of SpanFS).

Relevance to backup security:

• Store compliance archives, reports, and security logs on Cohesity infrastructure
• DataLock available for SmartFiles shares (WORM file services)
• Classification scans can run against SmartFiles data (not just backups)

Reference Files

• references/architecture.md -- Cohesity cluster hardware and software architecture, SpanFS internals, DataLock mechanics, FortKnox technical architecture, DataHawk components, Helios management plane, instant mass restore mechanics, and cloud integration.