ESG Validation

ESG Lab Validation: Forcepoint Cloud Access Security Broker (CASB)

Co-Author(s): Alex Arcilla


ESG Lab evaluated the Forcepoint Cloud Access Security Broker (CASB) to validate how it secures the use of any cloud applications across an organization’s users and endpoints. We tested how the Forcepoint CASB provides visibility into an organization’s cloud applications and its users, identifies and assesses the potential risks associated with the cloud applications, and automates threat prevention and policy enforcement.


ESG research recently uncovered that 87% of organizations are either currently using or plan to use software-as-a-service (SaaS) applications in 2018.[1] Organizations continue to adopt SaaS apps such as Office 365, Salesforce, Box, and Workday to enhance collaboration and data sharing. The availability of cloud applications has also empowered business units to choose those that best suit their needs rather than corporate-sanctioned apps. We anticipate the adoption rate to continue rising, as 76% of IT professionals surveyed stated that they will at least consider, if not definitively take, a cloud approach to new application deployment and upgrades this year.[2]

However, employees’ continued use of cloud apps exposes organizations to unforeseen security risks. Hackers can now target data and user identities/credentials residing in the cloud. Users access these apps from a variety of locations (on-premises, remote, mobile) and endpoints (mobile devices, desktops, laptops), increasing the ways that hackers can enter an organization’s network. The risk of “shadow IT” arises as business units can increasingly download and purchase applications not sanctioned by corporate IT, opening the organization to attacks while stripping IT of proper visibility and control. Cloud apps also create the potential for cross-app contamination, as ecosystems of integrated third-party apps have been developed around SaaS applications and brands that have enjoyed strong customer adoption. For example, is highly likely to be a sanctioned app, but Salesforce admins in business units may have deployed apps that have access to business-critical customer data.

Obtaining a level of visibility and control over cloud app usage requires a solution that identifies and targets risky activities with the same data security and threat protection controls employed for sanctioned, on-premises IT applications. Cloud access security brokers (CASBs) must not only support a broad array of cloud apps, but also embrace the way in which knowledge workers interact with those apps while preventing the leakage of sensitive information and the introduction of inbound threats.

The Solution: Forcepoint Cloud Access Security Broker

The Forcepoint CASB is designed to help a security analyst quickly identify risky user activity across an organization’s sanctioned and unsanctioned cloud apps and take immediate action to minimize potential threats. Forcepoint utilizes user and entity behavior analytics (UEBA) to track user activity in real time and pinpoint security vulnerabilities posing the highest risk. This allows the security analyst to reduce the time to respond to potential security threats and improve data compliance, thus decreasing the chances that attacks will occur and propagate.

The Forcepoint CASB helps an organization minimize security vulnerabilities associated with cloud app usage by addressing three areas:

  • Discovery and visibility – The Forcepoint CASB employs user and entity behavior analysis to discover all user activity across cloud apps, highlighting those users that generate activity deemed the riskiest to an organization’s security. By focusing attention on high-risk users, an analyst can quickly decide on how to make the organization less vulnerable to threats and attacks.
  • Risk assessment and management – To help an analyst assess potential security risks, the Forcepoint CASB uncovers where critical data is stored and who currently has access. An analyst can determine potential data loss and compliance issues and design policies immediately that ensure only the right people can access certain data types, thus minimizing any negative impact to the organization.
  • Protection and control – As employees can access cloud apps anytime and anywhere, IT must also protect the organization against threats that can leverage these access points. The Forcepoint CASB enables an analyst to protect the organization against unauthorized cloud app access based on real-time analysis of geography, app suite component, device type, status, and other parameters. The CASB can also track and mitigate unwanted account takeovers and malicious access attempts.

ESG Lab Validation

ESG Lab performed hands-on evaluation and testing of the Forcepoint CASB to determine how organizations can use this solution to discover and gain visibility into all user activity across multiple cloud apps, track and monitor usage data to uncover potential data loss, and construct and enforce policies to protect different data types across various locations and interfaces. We reviewed workflows facilitated by the CASB interface to see how an analyst can protect an organization against threats posed by cloud app usage.

Discovery and Visibility

Employees who leverage multiple cloud apps—sanctioned and unsanctioned—unknowingly open the organization up to security vulnerabilities. IT’s challenge is to track all user activity from all cloud apps and identify those users and activities that pose the biggest security risks in real time. Forcepoint has designed its CASB to help an analyst identify those users that generate the riskiest behavior, determine the cloud apps that are involved, and pinpoint possible solutions.

ESG Lab Testing

ESG Lab first navigated to the Risk Summary menu to examine the User Risk Dashboard. We saw how an analyst can view users flagged for suspicious activity, called “Users at Risk,” filtered for an individual app or across all apps in the organization, as shown in Figure 2. We noted that an analyst can see flagged users (based on past activity deemed risky by the CASB’s UEBA) and their behavior via a timeline, geolocation, and business unit perspective. This can allow an analyst to obtain context on suspicious activity occurring amongst the organization’s employees.

ESG Lab then observed that an analyst can examine user logs via the categories shown on the dashboard. We navigated to one location under the “Org Geographic Risk” panel in Figure 2 to view a list of identified users at risk (as shown in Figure 3). Details included their overall risk score (calculated by the Forcepoint UEBA), their business units, and locations from which they accessed a cloud app. To examine more detail of an individual’s user activity, we highlighted the line item associated with “avargas.” A pop-up panel appeared that revealed the user activity of “Annette Vargas,” including the apps she accessed, the locations from which she accessed those apps, and the devices used.

ESG Lab then navigated to the timeline of Annette Vargas’ activity (see Figure 4). The screen detailed her user behavior daily, summarizing her activities, security-related incidents, and overall risk level, and displayed an incident timeline. We noted that an analyst can track user activity over time to identify trends or spurious activity that warrant further investigation.

ESG Lab then observed how the analyst can drill down to an individual incident to determine what actions to take. We clicked on a single incident from the timeline and revealed the detail shown in Figure 5. The analyst could determine what exactly happened to trigger the incident and learn the recommendations that Forcepoint offers to remediate.

Why This Matters

As organizations continue to leverage cloud apps, the security threat becomes much greater. No longer can IT only rely on solutions in which analysts examine logs to uncover potential threats. The variety of locations, interfaces, and devices that users leverage to access cloud apps anytime and anywhere exacerbates IT’s issue of maintaining visibility into real-time usage.

Forcepoint designed its CASB to help an analyst to quickly gain complete visibility into user activity at any given time. Forcepoint leverages its UEBA to surface data about all users’ activities into a summarized view. This summarized view enables the analyst to pinpoint activity that can potentially cause the most harm to an organization more quickly than searching through event logs. Thus, the analyst can decrease the overall time to respond to threats.

ESG Lab verified that a security analyst can determine those users posing the most risk to the organization via the User Risk Dashboard. Whether viewing user activity of a single cloud app or across all cloud apps, ESG Lab noted how the user risk summaries allow an analyst to focus attention on the anomalies and drill down into those anomalies to uncover more detail. By highlighting the anomalies that can pose the biggest threats to the organization’s security, the Forcepoint CASB helps to decrease the time it takes the analyst to identify risks and potential causes, and decide on the appropriate remediation actions.

Risk Assessment and Management

Ensuring the secure use of cloud apps requires an analyst to monitor how data is shared between users and stored within the cloud. By doing so, IT can enforce policies that restrict who accesses specific data at any given time and ensure regulatory compliance. The Forcepoint CASB helps an analyst inspect files and content in real time to uncover sensitive data amongst the cloud apps in use, assess the organization’s risk in managing that data, and design policies that protect against such risk. The analyst can use the CASB to perform malware scans, reducing the risk of sharing infected files. To perform further analysis, Forcepoint enables connections to third-party file analysis services via the Internet Content Adaptation Protocol (ICAP).

ESG Lab Testing

ESG Lab first clicked on the Compliance menu to reveal the Data Classification Dashboard (see Figure 6). The CASB provided an up-to-date count of documents containing what it considers sensitive data and a summary of the data types and categories. While the summary focused on the sensitive data present in Office365, the analyst can also generate this summary across all cloud apps in use. ESG Lab noted that the dashboard provided the first look into how much data used within the cloud apps is not within compliance (e.g., HIPAA, PCI-DSS, Sarbanes-Oxley).

We then added a new data classification policy. After navigating to the list of existing policies, we clicked on the Add Policy button and found a myriad of options that an analyst can include when constructing a new policy, shown in Figure 7, such as data types to be monitored, filters to be applied, and actions to take when encountering the specified data type. We noted also that data types covered those found in commonly used cloud apps, such as AWS Keys.

ESG Lab then viewed the sensitive data captured by the classification policies in place (see Figure 8). We saw how an analyst can learn the specific data types potentially at risk (e.g., credit card numbers, access credentials) and the number of files affected. We also prompted the CASB to perform analytics on those files associated with the “Pay Slips” data type. The analytics revealed the filenames in which the “Pay Slips” data type appeared. After clicking on the first filename, we noted that the analyst can inspect additional details to decide on any further action to take. The example in Figure 8 shows that the first file could be shared with anyone, including those outside of the organization, without requiring user authentication. The analyst could remove permissions, if deemed necessary, and apply rules for automatic mitigation. ESG Lab noted that this analysis can be especially helpful when protecting information such as intellectual property.

Why This Matters

Assessing the risk profile of data associated with cloud apps is essential for an analyst to minimize data loss and ensure compliance. What is needed is a solution that enables the analyst to identify and protect sensitive data stored in cloud apps.

ESG Lab observed that the Forcepoint CASB provides a summary of the various sensitive data types that currently exist within the organization’s cloud apps. We saw how an analyst can create or modify policies to decrease the organization’s risk profile by restricting data access to specific users or preventing the exposure of specific data types within the organization’s cloud apps.

Providing a real-time view into sensitive data that exists within the organization’s cloud apps decreases the time and resources usually spent on constructing such a view. The analyst can spend more time in setting up the proper controls to prevent unnecessary data loss and improve compliance, thus improving the organization’s security posture.

Protection and Control

After gaining the proper visibility into cloud app usage and assessing an organization’s risk exposure, an analyst must now use that information to set up the proper controls to prevent unauthorized access and data loss. Forcepoint has designed its CASB to help the analyst implement these controls easily for situations such as accessing individual components of cloud apps, accessing apps via endpoints such as mobile devices, and blocking access to specific websites. The analyst can also use the CASB to restrict user activity based upon information gathered by the Forcepoint UEBA.

ESG Lab Testing

ESG Lab began by navigating to the User Activity Control screen under the Audit and Protect menu. We observed that all components associated with Office365 were listed (see Figure 9). We then chose one component of SharePoint, the “SharePoint Admin Center,” and examined the ways that the analyst can establish control over its usage. To establish usage control for this SharePoint component, we first chose the data objects to be protected. Then we clicked on the Add Rule button to specify actions that will be taken by the CASB when users attempt to access specific data objects. We observed that the analyst can define rules based on how the CASB is deployed (via proxy or API), the user activity triggering the rule, and the action taken when the rule is triggered.

ESG Lab then observed how an analyst can manage user access across a variety of endpoints, such as mobile devices, per individual cloud app. We first navigated to the Endpoint Management screen under the Risk Summary menu (see Figure 10). We looked at the “Automatic Enrollment” section that enables an analyst to specify endpoints based on IP addresses or certification authority (CA) certificates. The analyst can also set up manual enrollment for device users. We then saw the message that users receive when they want to enable access for mobile devices.

ESG Lab finally examined how an analyst can block access to cloud apps based on specified conditions. The analyst can set specific policies based on any user activity and/or context in which cloud access is attempted. We began by navigating to the Custom Policy Editor option and viewed a list of policies created specifically for Office365. We then tested the “If Not Corporate Block” policy, which prevents users with non-corporate email addresses from accessing Office365. When we attempted to access Office365 with the email address, the message shown in Figure 11 flashed onto the screen.

Why This Matters

An organization must implement proper controls to prevent unauthorized access and data loss. The solution should not only address access to all components associated with a cloud app (e.g., Word, Excel, PowerPoint, and SharePoint in Office365) but also allow the analyst to define policies that cover how and where users access these cloud apps.

ESG Lab validated that an analyst can use the Forcepoint CASB to easily establish rules that minimize unauthorized user access. The analyst can also control how users attempt to access cloud apps from different locations and devices, as well as how an organization allows users to register their personal devices to access cloud apps.

Empowering the analyst to easily implement these controls ultimately protects the organization against vulnerabilities. ESG Lab saw that the Forcepoint CASB helps an analyst to prevent potential attacks using less time and effort, lowering overall costs while improving overall organizational security.

The Bigger Truth

In the current IT environment, where organizations leverage more cloud apps than on-premises apps, IT must maintain a high level of visibility and control over sanctioned and unsanctioned cloud apps to maintain organizational security. The nature of cloud app access and usage challenges IT as users employ a variety of devices and locations. Traditional security solutions are not designed to deal with an undefined and fluid security perimeter.

An organization must protect itself against the potential vulnerabilities presented by cloud app usage. IT needs a solution that provides near real-time visibility of the cloud apps associated with user activity, assesses the status of sensitive data shared amongst users via the cloud apps, and enables easy design and deployment of rules and policies to govern cloud app access and data loss prevention.

In ESG testing, the Forcepoint CASB helps a security analyst quickly identify risky user activity of an organization’s cloud apps and take immediate action to minimize potential threats. Forcepoint leverages UEBA to track user activity in real time and pinpoint security vulnerabilities posing the highest risk. This allows IT to reduce the time to respond to potential security threats and improve data compliance, thus decreasing the chances that attacks will occur and propagate.

The Forcepoint solution can enable comprehensive discovery and visibility into cloud app usage, assess and summarize the organization’s risk profile by inventorying sensitive data types shared amongst cloud app users, and empower the analyst to enact protections and controls over access to cloud apps and data loss. If your organization has deployed or is planning to deploy any cloud app, your organization would do well to take a close look at the Forcepoint CASB to secure its usage.

1. Source: ESG Master Survey Results, 2018 IT Spending Intentions Survey, December 2017.
2. ibid.
This ESG Lab Report was commissioned by Forcepoint and is distributed under license from ESG.

ESG Validation Reports

The goal of ESG Validation reports is to educate IT professionals about information technology solutions for companies of all types and sizes. ESG Validation reports are not meant to replace the evaluation process that should be conducted before making purchasing decisions, but rather to provide insight into these emerging technologies. Our objectives are to explore some of the more valuable features and functions of IT solutions, show how they can be used to solve real customer problems, and identify any areas needing improvement. The ESG Validation Team’s expert third-party perspective is based on our own hands-on testing as well as on interviews with customers who use these products in production environments.
