Datasheet

Forcepoint ONE

Cloud Access Security Broker

Multimode CASB with agentless reverse proxy,
forward proxy, and API modes.

The Forcepoint ONE Cloud Access Security Broker (CASB) is one of the three
foundational gateways of the Forcepoint ONE all-in-one cloud platform. It
controls access to managed SaaS applications and shadow IT applications
while providing Data Loss Prevention (DLP) and malware protection.

Key Benefits Agentless Reverse Proxy Mode

› 99.99% verified uptime since 2015 Agentless reverse proxy mode enforces granular access with
Forcepoint ONE integrated DLP and malware scanning from any
› Auto-scaling and over 300 points of presence on
device using a modern browser. It is ideal for monitoring and
AWS minimizes latency and maximizes throughput
controlling access from BYOD and contractor devices. It leverages
› Unified administration console reduces repetitive Forcepoint ONE’s patented integration with any SAML 2.0 compliant
and redundant configuration management
IdP to redirect users to a Forcepoint ONE reverse proxy, where a
› Unified managed device agent for CASB, SWG, and complementary session with the SaaS application is established.
ZTNA simplifies deployment
› Active Directory sync agent accelerates user on-
boarding
› Data-in-motion scanning blocks malware and data
exfiltration between users on any device and any
managed SaaS application.
› Field Programmable SASE Logic can block specific
HTML JS JS HTML
HTTP/S request methods resulting in granular
control of any element in a managed SaaS
web page
› Data-at-rest scanning of selected SaaS and IaaS Figure 1: Forcepoint ONE CASB agentless reverse proxy with AJAX/VM.
identifies malware and sensitive data independent
of data-in-motion scanning
› File level encryption of managed SaaS applications Combined with Forcepoint ONE’s unique AJAX/VM technology,
ensures data privacy and data sovereignty without executing within the user’s browser, the Forcepoint ONE agentless
completely blocking access to data reverse proxy mode ensures proper URL and cookie rewriting
resulting in compatibility with any SaaS application.
› Shadow IT reporting helps identify web
usage risk
Key features that let you control and monitor app usage in reverse
› Shadow IT control stops users from accessing
proxy mode are proxy policies, field-level encryption, shadow IT
certain unmanaged applications while
reports, and reverse proxy reports.
recommending use of corporate sanctioned
alternatives or allows read-only access

forcepoint.com
Proxy Policies Within a single proxy policy, the download DLP policies let you
Access control options and associated DLP and malware control download of both sensitive data and malware, while
scanning options for data in motion to and from managed the upload DLP policies let you control upload of sensitive data
SaaS applications are set in proxy policies. These let and malware. Simply use dropdown menus to specify a data
administrators set access to managed SaaS app as direct app pattern to match, a file action, and watermark/tracking control,
access, deny, or secure app access (all traffic passes through and click the checkbox if you want people to be notified about
the reverse proxy with the option of enforcing DLP and the match.
malware scanning). Criteria for policy enforcement include
user group, access method (browser, non-browser client app, Forcepoint ONE includes over 100 predefined data patterns
or any), device OS, device profile, and location. that help you enforce regional and industry standards
regarding PII, PHI, and personal financial data. There are
also two reserved data patterns for invoking malware
scanning powered by CrowdStrike or Bitdefender. You can
also create custom data patterns that use simple regular
expression up through complex Boolean expressions, and
special data patterns for identifying records. The special match
patterns include database matching (using exact match),
similarity to a standard form (using file fingerprinting), and any
HTTP/S request method (using Field Programmable SASE
Figure 2: List of proxy policies for a managed SaaS app
Logic – FPSL).

A single app can have a list of multiple proxy policies that are For download proxy policies, file actions are encrypt, block
evaluated sequentially until a policy is found where all of the (replace contents with block message), deny (do not transfer),
match criteria in the policy match the connection request. apply DRM, and watermark and track.
Then the appropriate enforcement action is applied.
For upload proxy policies, file actions are encrypt (for Office
When secure app access is specified, a single proxy policy 365, Google Workspace, and Salesforce), block (replace
may include a list of DLP and malware scanning polices for contents with block message), deny (do not transfer), mask
upload to the SaaS app, and another list for download from the data (Salesforce Chatter, O365 Teams, and Slack), and
SaaS app. In addition, if a managed SaaS app has field level watermark and track.
encryption enabled, the proxy policy lets you specify whether
a field is displayed unencrypted based on the field security Field-Level Encryption
level or whether the user location matches the data creation Agentless reverse proxy mode lets you encrypt structured data
location. This supports data privacy and data sovereignty. in many popular SaaS apps with support for full AES 256-bit
encryption or tokenization, a built-in keystore or your own
Key Management Interoperability Protocol (KMIP) keystore,
and vaultless encryption and tokenization. You can also
specify security levels for each field to control when the field is
decrypted for the user.

Figure 3: Proxy Policy details for a secure app access connection.

Figure 4: Field-level encryption settings.

2
Shadow IT Reports The proxy dashboard includes statistics on sensitive data
The agentless reverse proxy mode supports shadow IT movement, malware events, and top upload and download
reporting. Shadow IT usage is collected from the log data DLP match patterns.
from corporate firewalls and proxy servers, either by manual
import or through a Forcepoint ONE syslog collector. Reports
show application distribution by trust rating, as calculated by
Forcepoint ONE, and top accessed applications with drill
down to individual applications and individual source IP
addresses, helping you understand your organizations, risk
posture relative to web traffic. The Forcepoint ONE CASB can
also let you control shadow IT traffic in forward proxy mode
(see below).

Figure 7: Proxy Dashboard

The proxy logs report plots application activity and watermark,

DLP and DRM activity over time, and lists recent events
grouped by summary, audit, and data leakage categories.

Figure 5: Shadow IT Discovery report.

Reverse Proxy Reports

The reverse proxy mode has three reports that give you
extensive insight into managed SaaS traffic passing through
the reverse proxy: the overview dashboard, the proxy
dashboard, and the proxy logs report.

The overview dashboard displays user locations, top managed

apps, OS usage, and application access trends.

Figure 8: Proxy Logs Report

Figure 6: Overview Dashboard

3
Forward Proxy Mode API Policies
Forward proxy mode uses the Forcepoint ONE unified agent API policies control scanning data rest in IaaS and SaaS. Like
for Windows or MacOS. All managed SaaS traffic still passes proxy policies, several API policies can be applied to a single
through the Forcepoint ONE reverse proxy but without the SaaS app and are evaluated sequentially
need for URL rewriting to connect with the user device.
Forward proxy mode supports all of the features of the
agentless reverse proxy mode, including enforcing DLP and
malware scanning through proxy policies, but it also supports
use of non-browser clients, such as the Microsoft Outlook
client and the Slack client. In addition, forward proxy mode
supports shadow IT control.

Shadow IT Control
Figure 10: List of API policies.
Shadow IT control lets you control access to any shadow IT
app using proxy policies which are evaluated in sequence
like managed SaaS proxy policies. However, proxy policies for Within a policy, you can specify match criteria based on user
shadow IT apps do not enforce DLP and malware scanning for group, DLP data pattern, file path, file name, sharing status
upload and download. Instead, they are limited to the following (external, internal, public, or any), file size, owner, shared with
connection control options: render the app in read-only mode, username, create date, and modified date. The data match
coach (display a recommendation for a company sanctioned patterns used in an API policy can be any of the custom or
alternative app and either allow or deny access to the original predefined match patterns shared across the proxy policies
shadow IT app), or deny access without a coaching message. and SWG content policies, letting you have unified control of
sensitive data and malware.

Figure 9: Shadow IT proxy policy details showing the coach options.

If you need to support DLP and malware scanning policies to

shadow IT apps, use SWG content policies instead.

API Mode Figure 11: API policy details.

In API mode, the CASB uses API calls to your SaaS or IaaS
tenant to scan data at rest for sensitive data or malware
and perform automatic remediation actions such as restrict When a match of conditions for a scanned file occurs, possible
sharing, quarantine, copy, add classification metadata, or API policy actions include modify sharing (remove public,
notify the file owner. It supports historical file scanning and remove public and external, remove all), allow, quarantine,
can apply OCR to image files and image only PDF files before create copy, and encrypt.
scanning for sensitive data. API mode is supported out-of-box
for many popular SaaS and IaaS including Google Workspace,
Office 365, Salesforce, ServiceNow, Box, Dropbox, Atlassian
Confluence, Github, Webex Teams, Slack, AWS, GCP, and
Azure. API mode ensures that even if new files or updates to
old files bypass the reverse proxy, they can be scanned for
sensitive data.

4
CASB Third-Party Integrations Forcepoint ONE Platform Features
The Forcepoint ONE CASB additionally can be configured to The Forcepoint ONE CASB additionally supports these
integrate with various other data security systems as outlined features built into to the Forcepoint ONE platform:
below.
→ Platform-level contextual access control.
→ Security Information and Event Management (SIEM). Users cannot be granted access to any of the three
Forcepoint ONE integrates with any system that supports foundational gateways unless they are authenticated
syslog. This allows third party apps to upload logs from according Forcepoint ONE login policies that factor in
Forcepoint ONE for visualization and analysis. user location, device type, device posture, user behavior,
and user group. When user login through a new device is
→ On-premises DLP Systems. Forcepoint ONE integrates
detected, or “impossible travel” travel based on client IP
with any on-premises DLP system that supports the
address is detected, the user can be presented a muti-
Internet Content Adaptation Protocol (ICAP). This
function authentication (MFA) challenge to prevent use of
provides customers the ability to send files at rest in
stolen credentials.
managed SaaS or IaaS cloud storage, that are flagged
by Forcepoint ONE as having sensitive data, to the on- → Unified management console for configuration,
premises DLP system using TLS encryption. The files are monitoring, and reporting for SWG, CASB, and ZTNA. Lets
enriched with data such as source and destination IP and administrators reuse DLP match patterns across SWG,
the email address of the file owner. CASB, and ZTNA for private web applications, and see a
→ Security Orchestration and Response (SOAR). consolidated view of all traffic and anomalies.
Forcepoint ONE supports two-way integration between → Unified on-device agent for Windows or macOS with
Forcepoint ONE and the selected SOAR platforms. In unique auto-generated and auto-rotated certificates.
these cases, the SOAR platform is used to automate
→ Active Directory Sync Agent synchronizes your
activities within Forcepoint ONE and another tool.
current AD users and groups with Forcepoint ONE
→ Data Classification. Forcepoint ONE can use users and groups.
classification metadata from any data classifier in a DLP
→ Auto-scaling, distributed architecture on AWS with
match pattern.
over 300 points of presence resulting in 99.99% verified
→ Endpoint Management. As part of the SAML login service uptime since 2014.
process, Forcepoint ONE can validate a client certificate
stored on a Windows, Mac, Android, or IOS device to
confirm it is managed by an endpoint management
system. This knowledge lets the administrator apply
different access policies for users logging in via managed
vs. unmanaged devices.

5
Forcepoint ONE CASB Features and Benefits

FEATURE BENEFIT

→ 99.99% uptime.
→ Minimal latency: often even faster than
Auto-scaling, distributed architecture on AWS with over 300 POPs worldwide. direct application access.
→ Allows in-line proxying of Slack traffic without
timeouts.

→ Flexible deployment.
Integration with any SAML compatible IdP in SAML relay or ACS proxy mode.
Optional built-in IdP using Microsoft ADFS. → Denial of service protection when using
SAML relay mode.

→ Leverages your existing Microsoft AD instance to

Active Directory Sync Agent. Synchronizes your current AD users and groups
quickly onboard users and maintain the groups
with Forcepoint ONE users and groups.
they are assigned to.

Contextual access control based on user group, device type, location, or time
→ Detects and blocks suspicious login attempts.
of day, with escalation to Multi-Factor Authentication based on “impossible
travel,” unauthorized location, or unknown device. Additional layer of access → Reduces risks associated with stolen passwords.
control for individual websites or applications based on user group, device type,
→ Segments users based on risk and need to access.
or location..

→ Simplifies agent deployment.

Single unified agent for on-device SWG, CASB forward proxy, and ZTNA for
non-web applications. Includes support for deployment through MDM systems → Enhances security.
and uses self-generated auto-rotated certificates.
→ Reduces IT overhead.

Single administrator console for managing all system capabilities across all → Reduces complexity and time to value.
applications, users, and devices. → Increases visibility and control.

DLP and malware scanning for data in motion. Scans file attachments
→ Stops data leakage and spread of malware in transit
downloaded from or uploaded to any web-based app or website for malware or
between users and any corporate SaaS application.
sensitive data and logs and blocks the transfer as appropriate.

→ More fine-grained control of app usage.

Field Programmable SASE Logic. Monitors, logs, and optionally blocks any
HTTP/S request method based on any portion of the request method. → Ability to block upload of sensitive data as
message posts.

→ Stops data leakage and spread of malware

in selected SaaS and IaaS.
DLP and malware scanning for data at rest in selected IaaS and SaaS storage.
Supports historical scanning and OCR of images files and image-only PDF files. → Ensures that even if new files or updates to old
files bypass the reverse proxy, they can be
scanned for sensitive data.

→ Ensure data privacy and data sovereignty without

File level encryption of managed SaaS.
completely blocking access to data.

→ Detect unauthorized app usage from on-prem

Agentless shadow IT reporting using logs from corporate firewalls and proxies.
devices without an agent.

→ Stop users from accessing certain unmanaged

Shadow IT control using the unified agent in forward proxy mode. apps while recommending use of corporate
sanctioned alternatives.

→ Complete visibility of access to managed SaaS apps

Detailed reporting of managed SaaS traffic.
including those accessed from unmanaged devices.

forcepoint.com/contact
© 2022 Forcepoint. Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint.
All other trademarks used in this document are the property of their respective owners.
[FP-Forcepoint ONE CASB-Datasheet-US-EN] 18Feb2022
6