Granular access control, DLP and malware protection for private web apps are primary use cases for zero trust network access (ZTNA). Supporting these use cases in a way that preserves user experience, while extending all of the capabilities of the Forcepoint ONE CASB reverse proxy for public SaaS to private web apps, is a key benefit of the Forcepoint ONE ZTNA gateway.
Key features demonstrated:
- User experience: Once logged in to Forcepoint ONE, the user clicks on the tile corresponding to their private web app and automatically logs in to that app.
- User experience: The user navigates to a file in the private app and attempts to download it. Since the user has a managed connection to this app, downloads pass through the Forcepoint ONE reverse proxy and can be scanned for sensitive data. In this case, sensitive data is detected, and a message is displayed that the download is denied. The file that normally would contain the sensitive data is created on the user’s device, but it is blank.
- User experience: An attempt to upload a file containing malware is blocked and a block message is displayed showing which malware scanning engine detected the malware.
- Administrator experience: ZTNA for private web apps uses the same type of policy policies used by the CASB for managing access to SaaS apps. A private web app connection can be unmanaged (no data in motion is scanned for sensitive data or malware), denied, or managed. Managed access lets the administrator specify multiple upload and download policies within the same proxy policy using match patterns from a dropdown list of predefined and custom patterns. When a pattern is matched, the upload or download can be blocked, reported, or both. These match patterns can include the reserved patterns for invoking malware scanning from CrowdStrike or Bitdefender.
- Forcepoint ONE ZTNA provides one click access to any web app hosted behind a firewall without the need for the user to establish a VPN connection and without the need for any on-device agent. This requires the Forcepoint ONE ZTNA connector software to be installed in the same data center as the private app being accessed.
- User experience is simplified by allowing tiles for private web apps to coexist with tiles for managed SaaS apps in the same user portal: either the Forcepoint ONE user portal or the user portal of any SAML-compliant IdP integrated with your Forcepoint ONE tenant.
- The same type of proxy polices used for managing access to managed SaaS with the CASB can be used to manage access to private web apps with ZTNA, simplifying the administrator experience. This includes access to the same library of match patterns for detecting sensitive data and malware on upload or download and blocking it with the same type of user notification messages.
If you find this video useful, it’s part of a longer Forcepoint ONE demo. Register to watch the full platform demo.