Cloud Security (CASB) on ForcePoint

The cloud security service, or Cloud Access Security Broker (CASB), secures all monitored cloud usage. It analyses the risks and enforces appropriate controls through a wealth of constantly updated controls. With Forcepoint CASB, users get the apps they want and IT staff gets the control they need.


  • Cloud Security based comprehensive application discovery
  • Governance, analytics and protection in one integrated solution
  • Deployment options for offline (API mode) and/or inline (proxy mode)
  • Granular policies for mobile and fixed endpoint devices
  • Built-in integration with enterprise directories, SIEM and MDM
  • Deep support for Office 365, AWS, Salesforce, Google Apps, Box
  • IP reputation data enables the enforcement of risk-mitigation policies
  • Cloud security based Real-time traffic scanning, blocking zero-day threats
  • Cloud security based advanced protection using government-grade Threat-intelligence
  • Cloud security enforced URL control against client policy


  • Discover Shadow IT & Risk eliminating the IT blindspot
  • Prevent leaks of sensitive data to cloud applications
  • Block cyber attacks by the rapid detection of anomalies
  • Cloud Governance, through Cloud App Discover, Data Governance
  • Reduce risk of downloading or distributing malware
  • Spot data leakage from inside staff or malware
  • Apply consistent security on all types of end-points
  • Patching and security updates from threat intelligence built-in
  • Always on security for all traffic to your cloud applications
  • Mobile Security: secure users in any location, any device


£30 to £100 per person per year

  • Education pricing available
  • Free trial available

Service documents

G-Cloud 10



Simon Moore


Service scope

Service scope
Software add-on or extension No
Cloud deployment model Public cloud
Service constraints No
System requirements
  • Cloud applications to be secured
  • End-points, mobile, fixed, need to be pointed at the service

User support

User support
Email or online ticketing support Yes, at extra cost
Support response times Within 1 working day, and response levels can be raised to cover weekends if required.
User can manage status and priority of support tickets Yes
Online ticketing support accessibility WCAG 2.0 AA or EN 301 549
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support Yes, at an extra cost
Web chat support availability 9 to 5 (UK time), 7 days a week
Web chat support accessibility standard WCAG 2.0 AA or EN 301 549 9: Web
Web chat accessibility testing Vendor Defined capability
Onsite support Yes, at extra cost
Support levels NBD, 8x5, 24x7.

On site support not ever needed as service is on cloud. Limited complexity in configuring end-points to talk to the cloud.

A client engaged technical account manager can be provided, but required when multiple services are engaged to ensure interoperability and cost benefits. Once configured the service is stable and only needs client based support knowledge on major changes - this will be addressed through documentation.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started Initial consultation on configuration of the Software included. Additionally, 1. If the customer chooses to install with their own resources, we can provide HiveLOGIC support through HiveLOGIC consultancy services 2. Provide support for: - SOC Services, including Monitoring and Reporting - Rapid Response service to events and observations 3. Training Workshops 4. Direct, side-by-side support 5. Issue and problem resolution
Service documentation Yes
Documentation formats PDF
End-of-contract data extraction Only data held in service are security logs and configuration details. Both can be exported if necessary
End-of-contract process No additional services required, service simply stops and user redirects their end points to send traffic to other destinations.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install Yes
Compatible operating systems
  • Android
  • IOS
  • Linux or Unix
  • MacOS
  • Windows
  • Windows Phone
Designed for use on mobile devices Yes
Differences between the mobile and desktop service Nil
Accessibility standards WCAG 2.0 AA or EN 301 549
Accessibility testing N/A
What users can and can't do using the API Allow the security tools to understand the information flows that need inspecting in custom applications. Equivalent to signatures and content correlation rules in firewalls and SIEM systems.
API documentation Yes
API documentation formats PDF
API sandbox or test environment No
Customisation available Yes
Description of customisation 1) Look and feel of GUI.
2) policy based security rules that enforced by the broker. Ie can users use Facebook for example


Independence of resources System is scaled on a cloud and resources are increased linearly with demand


Service usage metrics Yes
Metrics types Details are provided on traffic flows and hits on security rules
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type Reseller providing extra features and support
Organisation whose services are being resold ForcePoint

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance Up to Security Clearance (SC)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least every 6 months
Penetration testing approach ‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
Data sanitisation process Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach In-house destruction process

Data importing and exporting

Data importing and exporting
Data export approach Via the web based management console, and download of data
Data export formats CSV
Data import formats CSV

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks IPsec or TLS VPN gateway
Data protection within supplier network IPsec or TLS VPN gateway

Availability and resilience

Availability and resilience
Guaranteed availability 99.999% Up time
Approach to resilience Multiple Instances, hardware and datacentres
Outage reporting API, dashboard and email alerts

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password
Access restrictions in management interfaces and support channels Management interfaces may only be accessed from known addresses and via privilege account management based authentication.
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

Audit information for users
Access to user activity audit information You control when users can access audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information Users receive audit information on a regular basis
How long supplier audit data is stored for User-defined
How long system logs are stored for User-defined

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification Yes
CSA STAR accreditation date 22/05/2015
CSA STAR certification level Level 3: CSA STAR Certification
What the CSA STAR doesn’t cover None
PCI certification No
Other security certifications No

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes We work as a network of SMEs supported by larger businesses where scale, and costs make this sensible. Design and service ownership always resides with the Hd of Operations within HiveLOGIC (HL). We then outsource the day to day manning of our service desk to Westcon/ Comstor owing to the economies of scale they can achieve.

HL assesses service levels, SLAs, policies and procedures provided by Westcon on a regular basis :6 monthly or less and on demand.

Operational security

Operational security
Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach Other than patching and software levels, Any change is limited to configuration of the software controls. All such changes are assessed for security impact, as this a security based service

All configuration details are also recorded and changes are documented to enable auditing.
Vulnerability management type Undisclosed
Vulnerability management approach Threats to the system are constantly assessed by the vendor (ForcePoint) and changes made to the software base.

The infrastructure which hosts the cloud broker is constantly updated against threat intelligence and internal recommendations.
Protective monitoring type Supplier-defined controls
Protective monitoring approach The vendor provided cloud service, sold as a licence per end user is constantly monitored for breaches and attacks. As a security enforcement point it is assumed attack is inevitable and every measure is taken to continually tighten security and monitor for potential of breach.
Incident management type Supplier-defined controls
Incident management approach Incidents in the cloud service are actively driven out.

Incidents on client devices or against client applications are reported and acted upon as per policy. Any known attacks are instantly stopped. non-malicious, unauthorised accesses are blocked and then investigated as potential false positives.

Secure development

Secure development
Approach to secure software development best practice Supplier-defined process

Public sector networks

Public sector networks
Connection to public sector networks No


Price £30 to £100 per person per year
Discount for educational organisations Yes
Free trial available Yes
Description of free trial Key users are directed to their applications through the broker to test usabilty and reporting

Normal configuration is to only accept traffic into a protected application via the broker which can't be demonstrated appropriately

User can cancel the service within the first month if they are not satisfied.


Pricing document View uploaded document
Terms and conditions document View uploaded document
Return to top ↑