The modern workplace has transformed. Now it’s anywhere and everywhere. Employees want the freedom to use the endpoint, application, or network of their choosing. Companies that can meet these expectations have a competitive advantage over the others, especially in the area of productivity and efficiency. But meeting those expectations is no easy task. Organizations would have to support the growing number of personal devices and applications, secure the network and those endpoints to protect their proprietary data, and provide a consistently great employee experience.
One of the main weaknesses of the traditional approach to security is that it assumes that everything inside an organization’s network can be trusted. One implication of this assumption is that it keeps us blind to threats that get inside the network, which are then left to freely roam and attack the network wherever they choose. To overcome this deficiency, organizations must adopt a new approach to protect the modern network infrastructure and fluid network perimeter that extends to the cloud, and the increasing number of mobile or dispersed users. This new approach is called Security Service Edge (SSE).
SSE is a term coined by Gartner to describe the convergence of key security capabilities into a single, cloud-based solution. SSE is the security aspect of the secure access service edge (SASE) framework with its architecture squarely focused on security services.
Choosing the Right SSE Solution
With a variety of SSE vendors out there, choosing the right one for your business and budget can be challenging. You need to consider a variety of factors, some of which include: What deployment model best suits your environment—cloud, on-premises, or hybrid? How simple is the SSE policy management? Does the SSE solution require an endpoint agent to be installed? Is vendor support available in your region, and to what extent? How geographically diverse are the vendor’s edge locations worldwide? What is the total cost of ownership?
With the right SSE solution, organizations can secure their “everywhere workplace”. In this article, we’re going to review the Forcepoint ONE SSE solution and possible alternatives. Hopefully, this will guide you in the process of choosing the right solution for your business.
Overview of Forcepoint ONE SSE Solution
Forcepoint ONE is one of the leading SSE platforms that simplifies security for both traditional and the “everywhere workplace”, allowing users to gain secure access to the organization’s network, business applications, and data on-premises and in the cloud. Forcepoint ONE SSE simplifies security operations with fewer products and helps customers reduce the management burden of traditional point product approaches.
With Forcepoint ONE, security teams can now manage a single set of policies across all applications, from one cloud-based console, through one endpoint agent, with agentless support for unmanaged devices. This allows you to gain visibility, control access, and protect data on managed and unmanaged apps and devices, from one set of security policies.
Key features and capabilities include:
- Gain visibility and control of hybrid workers’ interactions with data in web, cloud, and private apps.
- Prevent misuse of sensitive data accessed from managed or unmanaged devices.
- Provide secure remote access to business resources and private apps without the complexity of VPNs.
- Control and manage access to high-risk web content.
Forcepoint ONE product editions comprise an all-in-one edition for web/cloud and private app security; and a web-security edition that allows customers to add support for cloud and private apps later. The pricing model is based on an annual per-user subscription. All subscriptions include centralized cloud management, unified policies with data loss prevention, automated access via a unified endpoint agent, and comprehensive reporting. A customized demo is available on request.
Forcepoint ONE Key Components
Forcepoint ONE SSE platform unifies three key security services: Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), and Zero Trust Network Access (ZTNA) into a single security solution.
Secure Web Gateway (SWG)
Just as the name implies, Secure Web Gateway (SWG) is the service that monitors and controls interaction with websites. It protects from malware and enforces company security policies including blocking access to websites based on category and risk score, blocking the download of malware, blocking upload of sensitive data to personal file sharing accounts, and detecting shadow IT. It uses application controls, and content inspection filters to protect user-generated traffic and also prevents data leakage.
The Forcepoint ONE SWG features a unified agent that runs locally on Windows and macOS devices to enable smart routing of web traffic. It enforces acceptable use policies on managed devices located anywhere.
Cloud Access Security Broker (CASB)
A Cloud Access Security Broker (CASB) provides data and threat protection in the cloud through policy enforcement which allows protection for any device, any time, anywhere. CASB enforces granular access to corporate cloud applications and data from any device. CASB also prevents the unauthorized download of sensitive data and unauthorized upload of malicious files in real-time. It does this by actively scanning data at rest in popular SaaS and IaaS platforms for malware and sensitive data and remediates as needed.
Forcepoint ONE leverages its leading agentless CASB solution called Bitglass to control shadow IT applications and manage access to cloud applications from any managed device. It also provides Data Loss Prevention (DLP), custom application support, zero-day threat protection, and other malware protection services in real-time. The Forcepoint ONE CASB architecture includes API, SAML proxy, forward proxy, active-sync proxy, and reverse proxy.
Forcepoint ONE supports integration with any Security Information and Event Management (SIEM) tool that supports syslog, any on-premises DLP systems that support Internet Content Adaptation Protocol (ICAP), and some Security Orchestration Automation and Response (SOAR) platforms. For the most effective SSE configuration, Forcepoint recommends a multi-mode next-gen CASB architecture, because it provides dynamic adaptability with agentless, agent-based, and API-based modes.
Zero Trust Network Access (ZTNA)
Zero Trust Network Access (ZTNA) provides secure access to internal applications for a user based on their specific access context, embodying the principle of least privilege. ZTNA reduces insider threat by checking the identity and integrity of devices irrespective of location and providing access to applications and services based on the confidence of device identity and health in combination with user authentication.
The Forcepoint ONE ZTNA is a cloud-native component that focuses on Identity and Access Management (IAM), using modern authentication technologies such as Multi-Factor Authentication (MFA) and Single Sign-On (SSO). This allows it to control access to private applications hosted behind a firewall without the need for VPN access. ZTNA also provides DLP and malware protection for private web-based applications.
Forcepoint ONE ZTNA supports both agent and agentless deployment models. For the most effective SSE configuration, Forcepoint recommends that the ZTNA should provide both agent and agentless deployment, which allows for remote access and BYOD devices.
Key features and capabilities include:
- Unified gateways for web, cloud, and private app access, including agentless BYOD security for public and private cloud applications.
- Identity-based access control to business apps managed in one place for SWG, CASB, and ZTNA.
- Integrated advanced threat protection and data security across all gateways prevent data exfiltration and malicious actors.
- Geographically diverse edge locations worldwide including 300 points of presence (PoP) built on AWS provide fast, low-latency connectivity regardless of where you work.
Additional Capabilities
Forcepoint also provides additional SSE capabilities such as Remote Browser Isolation (RBI), Cloud Security Posture Management (CSPM), SaaS Security Posture Management (SSPM), as well as Zero Trust Content Disarm and Reconstruction (CDR) which strips a document of embedded malware and recreates the file before the user opens it.
Forcepoint ONE Alternatives
If you figure out that Forcepoint ONE is not best suited for your environment and you’re considering a suitable alternative, you’ll find lots of them out there. To help you decide between the countless options out there, we’ve put together a list of the ten best Forcepoint ONE alternatives.
- Zscaler Cloud Security Platform The Zscaler Cloud Security Platform is a purpose-built fully cloud-delivered SSE solution designed for risk reduction, performance, and scalability. As a globally distributed platform, Zscaler ensures security is delivered across all users and locations for a fast user experience. Zscaler was named a Leader in the 2022 Gartner Magic Quadrant for Security Service Edge. An online demo is available on request.
- Netskope Intelligent SSE Netskope Security Service Edge (SSE) is a data-centric, cloud-native, and fast security solution with adaptive access, advanced data, and threat protection for users anywhere, on any device. Netskope SSE protects against advanced and cloud-enabled threats and safeguards data across all vectors (any cloud, any app, any user). Netskope was named a Leader in the 2022 Gartner Magic Quadrant for Security Service Edge. An online demo is available on request.
- Skyhigh Security SSE (formerly known as McAfee Enterprise SSE) Offers comprehensive data and threat protection to facilitate secure, direct internet access across distributed workforce environments. As a cloud-native platform, it integrates seamlessly with your workforce, WAN, cloud solutions, and the internet. It is recognized as a Leader in the 2022 Gartner Magic Quadrant for Security Service Edge. An online demo is available on request.
- Palo Alto Prisma Access The Palo Alto Prisma Access is the flagship SSE product that protects an organization’s hybrid workforce. All your users—at headquarters, office branches, and remote workforce—connect to Prisma Access to safely use the internet and cloud and data center applications. The Palo Alto Prisma SASE unifies SD-WAN and SSE capabilities in one product, thereby eliminating the need for multiple vendors. Palo Alto Networks was recognized as a challenger in the 2022 Gartner Magic Quadrant for SSE. A virtual test drive of the product is available on schedule.
- Cisco Umbrella Α cloud-delivered service that combines multiple security functions such as SWG, CASB, Firewall, DNS-layer security, Interactive threat intelligence, and SD‑WAN into a single cloud security service. Cisco was recognized as a challenger in the 2022 Gartner Magic Quadrant for SSE. A live demo is available on schedule.
- Lookout SSE Provides a cloud-delivered platform that converges SSE and endpoint security to protect users and data wherever they reside. Lookout SSE solution eliminates the guesswork by providing visibility into what’s happening, on both unmanaged and managed endpoints, analyzing behaviors to detect insider threats and file-less cyberattacks.
- iboss SSE An all-in-one cloud-based network security as a service platform that provides all the security you need to enable work from anywhere. It includes services such as SWG, CASB, ZTNA, firewall, DNS, DLP, Remote Browser Isolation, and more in one unified solution. iboss also provides a unified network-as-a-service and network security-as-a-service into one SASE solution, thereby eliminating the need for multiple vendors. A virtual test drive of the product is available on request.
- Perimeter 81 SASE Perimeter 81 is on a mission to transform traditional network security technology with one unified platform. Perimeter 81’s SASE platform unifies network and security functionalities into one network security service solution. A virtual test drive of the product is available on request.
- Versa SASE Versa provides all the enterprise networking and security required to support a hybrid workforce. Versa SASE integrates SWG, CASB, ZTNA, next-gen firewall, RBI, SD‑WAN, and analytics within a single software operating system delivered via the cloud, on-premises, or as a blended combination of both. A free online demo is available on request.
- Cloudflare One The Cloudflare One platform combines the key aspects of SSE (SWG, CASB, ZTNA) with other security capabilities such as firewall-as-a-service (FWaaS) and remote browser isolation (RBI) into one single cloud-delivered solution. Cloudflare One supports SASE by combining its network-as-a-service capabilities with SSE on a purpose-built global network spread across 270 locations around the world.
Conclusion
If you have implemented an SD-WAN in your organization and are considering adopting an SSE solution to provide the needed security, the best approach is to evaluate vendors that can provide the full combined capabilities of SSE (SWG, CASB, ZTNA, FWaaS, and more). Most SSE vendors also provide SD-WAN services, which is altogether called SASE solution. This approach immediately eliminates the management and integration costs associated with the multi-vendor approach. Once this is done, you can begin the gradual retirement of existing legacy on-premise security products.
Big organizations with large networks that extend to the cloud, and a growing hybrid workforce and data that need to be protected may require the full capabilities of an SSE solution. Forcepoint ONE and other SSE solutions such as Zscaler, Netskope, and McAfee Enterprise SSE possess many of the desired features large organizations look for in modern SSE solutions.
