Datasheet

Forcepoint ONE
Forcepoint ONE is an all-in-one cloud service that makes security simple for
distributed businesses and government agencies that need to adapt quickly
to changing remote and hybrid workforces. It gives employees, contractors,
and other users safe, controlled access to business information on the web, in
the cloud (Saas and IaaS), and in private applications, while keeping attackers
out and sensitive data in. As a result, Forcepoint ONE makes users more
productive, whether remote or in the office, and businesses more efficient.

Key Benefits Forcepoint ONE combines Zero Trust and SASE security technologies, including
three secure access gateways and a variety of shared threat protection and data
› 99.99% verified uptime since 2015
security services, all built on a cloud-native platform. This approach enables
› Latency minimized and throughput
organizations to manage one set of policies, in one console, communicating with
maximized with auto-scaling
one endpoint agent.
› Flexible integration with any SAML-
compatible IdP → Secure Web Gateway (SWG). Monitors and controls any interaction with
› Unified administration console any website, including blocking access to websites based on category and
reduces repetitive and redundant risk score, blocking download of malware, blocking upload of sensitive data
configuration management to personal file sharing accounts, and detecting and controlling shadow IT.
› Unified managed device agent Currently available as agent software for Windows and MacOS.
for CASB, SWG, and ZTNA
→ Cloud Access Security Broker (CASB). Agent-based or agentless solution
simplifies deployment
that enforces granular access to company SaaS based on identity, location,
› Active Directory sync agent device, and group. Blocks download of sensitive data and blocks upload of
accelerates user on-boarding malware in real time. Scans data at rest in popular SaaS and IaaS for malware
› Reverse proxy with AJAX-VM allows and sensitive data and remediates as needed. Agentless option facilitates
protection of any managed web BYOD and contractor access.
application without an on-device agent
→ Zero Trust Network Access (ZTNA). Agent-based or agentless solution
› Data-in-motion scanning blocks
that allows granular access to private applications without the use of a VPN.
malware and data exfiltration between
Agent based solution required for non-HTTP/S applications.
users and any web application
› Data-at-rest scanning quarantines
malware and controls risky data
sharing for many popular SaaS and
IaaS storage offerings
› Encryption of structured and
unstructured data in SaaS and IaaS
ensures data privacy
› Field Programmable SASE Logic
can block specific HTTP/S request
methods, resulting in granular control
of user interactions with any SaaS, web
page, or private web application forcepoint.com
Common features for all three gateways include: Forcepoint ONE also includes these
add-on capabilities:
→ Contextual access control. Access to web, cloud,
or private applications is controlled based on user → Cloud Security Posture Management (CSPM).
location, device type, device posture, user behavior, Scans AWS, Azure, and GCP tenant settings for risky
and user group. configurations and provides manual and
automated remediation.
→ Data loss prevention (DLP). Files and text are scanned
upon upload and download for sensitive data and → SaaS Security Posture Management (SSPM). Scans
blocked, tracked, encrypted, or redacted as appropriate. Salesforce, ServiceNow, and Office 365 tenant settings
for risky configurations and provides manual and
→ Malware scanning. Files are scanned upon upload and
automated remediation.
download for malware and blocked when detected.
→ Remote Browser Isolation (RBI). A user is protected
→ Unified management console for configuration,
from web-borne malware on their local device by
monitoring, and reporting.
running a browser in a cloud-hosted VM.
→ Unified on-device agent for Windows and macOS.
→ Content Disarm and Reconstruction (CDR). A
→ 99.99% service uptime. document is stripped of embedded malware and
reconstructed before being opened by a user.
→ Advanced Malware Detection (AMD). Suspected
malware is detonated in a sophisticated sandbox
environment that evades usual malware checks for
sandbox execution.

2
Forcepoint ONE Features and Benefits

SCOPE FEATURE BENEFIT

→ 99.99% uptime.
→ Minimal latency: often even faster than direct
Auto-scaling, distributed architecture on AWS with over 300
application access.
POPs worldwide.
→ Faster scanning of data at rest: hours vs days to
scan an entire application tenant’s content.

→ Flexible deployment.
Integration with any SAML compatible IdP. SAML relay or ACS
proxy mode. Optional built-in IdP using Microsoft ADFS. → Denial of service protection when using SAML
relay mode.
→ Leverage your existing Microsoft AD instance to
Active Directory Sync Agent. Synchronizes your current AD
quickly onboard users and manage the groups
users and groups with Forcepoint ONE users and groups.
they are in.

Platform-wide Contextual access control. Grants user access to Forcepoint → Detecting and blocking suspicious login
ONE based on user group, device type, location, or time of day. attempts reduces risks associated with
Optional escalation to Multi-factor Authentication based on stolen passwords.
“impossible travel,” unauthorized location, or unknown device.
Additional layer of access control for individual websites or → Granular access control allows segmentation of
applications based on user group, device type, or location. users based on risk and need to access.

→ Simplified agent deployment including

deployment through selected MDM systems.
Single unified agent for on-device SWG, CASB forward proxy,
→ Low CPU and memory.
and ZTNA for non-web applications.
→ Auto rotated, self-generated certificates ensure
security and reduce IT overhead.
→ Single unified console reduces complexity
Single administrator console for managing all system
and time to value while increasing visibility
capabilities across all applications, users, and devices.
and control.
DLP and malware scanning for data in motion. Scans file
attachments downloaded from or uploaded to any web-based
→ Reduces risk of data leakage and spread of
app or website for malware or sensitive data. Logs and takes
malware in transit between users and any web
the appropriate remediation action such as block (sole
CASB, SWG, and application or website.
option for SWG), quarantine, encrypt, apply DRM, or apply
ZTNA for web-
watermarking and file tracking.
based apps
Field Programmable SASE Logic. Monitors, logs, and optionally → More fine-grained control of app usage.
blocks any HTTP/S request method based on any portion of → Ability to block upload of sensitive data as
the request method. message posts.
→ Works with any web-based application
Agentless reverse proxy with AJAX-VM. The reverse proxy
including longtail and custom applications that
is software running in our core and edge POPs, while the
other reverse proxy solutions cannot support.
AJAX-VM is a Java Script abstraction layer running inside
CASB and ZTNA for
the end user browser. Both work together to ensure that → No agent installation necessary for BYOD
web-based apps
Forcepoint ONE can manage traffic between any device and or contractors.
any managed web application, without the need for agent
→ Works with any device supporting a
software running on the device.
modern browser.
→ Enforces acceptable use policy.
→ Monitors shadow IT usage on managed
devices.
Monitors, logs, and controls access to any website from → Controls access down to the URL directory
corporate Windows and Mac endpoints located anywhere path level.
SWG
with DLP and malware scanning using the Forcepoint ONE
→ Blocks upload of sensitive data to any website.
unified agent.
Blocks download of malware from any website.
→ No-hairpinning architecture reduces traffic
through the Forcepoint ONE backplane and
results in near wire-speed throughput.

3
SCOPE FEATURE BENEFIT

→ Scans historical data not just recently

added files.
DLP and malware scanning for data at rest in the cloud. Scans
→ Applies OCR to image files to detect sensitive
structured and unstructured data in SaaS and IaaS storage for
text data. Turns off public sharing of files
malware or sensitive data, and log and takes the appropriate
containing sensitive data. Quarantines
protective action such as quarantine, encrypt, or remove
malware stored in the cloud.
public sharing.
→ Extensive library of pre-defined data patterns
reduces set-up time.
CASB
Data Encryption. Encrypts sensitive structured and → Ensures sensitive data is only visible to
unstructured data in managed SaaS and IaaS. authorized users.

→ Use logs from corporate firewalls and proxy

servers to discover shadow IT use.

Shadow IT discovery and control → Block users from using any shadow IT
application while providing a coaching
message recommending a company
sanctioned alternative.

Cloud Security Posture Management. Scans configuration

→ Flags risky setting for remediation. Apply one-
of security settings for AWS, GCP, and Azure admin console
CSPM click remediation or automated remediation
SaaS in accordance with various industry and regional
where applicable.
baselines as well as custom baselines.

SaaS Security Posture Management. Scans configuration of

→ Flags risky setting for remediation. Apply one-
security settings for popular SaaS tenants in accordance with
SSPM click remediation or automated remediation
various industry and regional baselines as well as
where applicable.
custom baselines.

→ Web browsing experience is the same as it

has always been.
→ Capable of rendering a broad set of web
destinations—from modern cloud apps,
like the Google Workspace, to sites built on
Remote Browser Isolation. Provides a layer of abstraction by legacy technologies.
RBI running a browser in a cloud-hosted VM, separating the end
user device from the risk of web-borne malware. → Keeps sensitive web app data out of BYOD
browser caches, limits website data sharing
functions, and integrates with market
leading DLP.
→ Supports both cloud and on-premises
deployments.

Content Disarm and Reconstruction. Extracts the valid

business information from files, verifies the extracted
CDR → Reconstructed documents are malware-free.
information is well-structured, and then builds a brand-new
file to carry the information to its destination.

→ Provides visibility into the behavior of malicious

code by emulating a complete operating
Advanced Malware Detection. Uncovers zero-day threats by
system and hardware environment. Emulation
AMD executing them in a sandbox environment that most closely
eliminates the clues that malware often uses to
mimics a physical end-user device.
evade detection in more traditional, virtualized
sandboxes.

forcepoint.com/contact
© 2022 Forcepoint. Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint.
All other trademarks used in this document are the property of their respective owners.
[FP-Forcepoint ONE-Datasheet-US-EN] 17Feb2022
4