Reviewing the API Scanning score calculation

The API Scanning score evaluates the implementation of the following best practices for API Scanning for up to three applications added by the customer in Forcepoint ONE SSE.

The following applications support API scanning:
  • Microsoft 365
  • Google Workspace
  • Dropbox
  • Box
  • AWS
  • Salesforce
  • ServiceNow
  • Atlassian
  • GitHub
  • Egnyte
  • Cisco WebEx Teams

To enable API scanning and configure API policies for each application, refer to Protecting data at rest and Configuring API policies respectively.

If no applications supporting API scanning are added or if you are not using API Scanning, the API Scanning score will be 0. In this case, consider disabling the API Scanning score from your overall security index calculation.

If one or more applications are added, each of the following configurations is evaluated for each application. Each score below is calculated as (number of API applications with this configuration) / (total API applications configured).

Data Protection

Data Protection measures whether Data Protection policies are applied to your out-of-band managed application monitoring.

This score evaluates whether the following configurations are present for each application. The API DLP Policy contributes 50% of the overall API Scanning score, with each component below representing 25%:

  • Enable out-of-band scanning to identify sensitive data in managed applications. For example, the following image shows API scanning enabled (green checkmark next to API Setup Instructions) for Microsoft 365 with a data pattern to identify sensitive data.

  • Set up an API Policy that takes an automated action to remediate sensitive data exposure. The following image shows an API Policy to Remove All Sharing when sensitive data has a Public/External sharing tag.

Threat Protection

Threat Protection measures whether a Malware policy is applied to your out-of-band managed application monitoring.

This score evaluates whether the following configurations are present for each application. The API Threat Policy contributes the remaining 50% of the overall API Scanning score, with each component below representing 25%:

  • Enable out-of-band scanning to identify malware in managed applications. For example, the following image shows API scanning enabled (green checkmark next to API Setup Instructions) for Microsoft 365 with Malware Data Pattern selected.

  • Set up an API Policy to Quarantine any Malware identified in managed applications as per the example below.


If a customer has more than one application configured, the above score components are evaluated for each application and then averaged across applications.

For example:
  • If a customer has a total of two API applications configured, Salesforce and Microsoft 365, with all configurations implemented for Microsoft 365 and none implemented for Salesforce, they will get an API score of 50%.
  • If the same customer then proceeds to set up API scanning for Salesforce with a Sensitive Data Pattern and sets up an Alerting policy for sensitive data, their API score would increase to 75%, since they now have 50% of the recommended practices implemented on the second application as well.
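
The two calculations described above (per-configuration fraction of applications, and per-application score averaged across applications) give the same result. The following is an added example, not Forcepoint code, that reproduces the two worked cases and lists which configurations each application still lacks. The component keys (`dlp_scan`, `dlp_policy`, `malware_scan`, `malware_policy`) are hypothetical labels for the four configurations on this page, and the inventories are constructed.

```python
from fractions import Fraction

# Hypothetical labels for the four configurations on this page, each worth 25%.
COMPONENTS = ("dlp_scan", "dlp_policy", "malware_scan", "malware_policy")
WEIGHT = Fraction(25)  # percent contributed by each component


def component_scores(apps):
    """Per-configuration view: (apps with the configuration / total apps) * 25%."""
    if not apps:
        return {c: Fraction(0) for c in COMPONENTS}
    total = len(apps)
    return {
        c: WEIGHT * sum(1 for cfg in apps.values() if c in cfg) / total
        for c in COMPONENTS
    }


def api_scanning_score(apps):
    """Per-application view: score each app out of 100, then average."""
    if not apps:
        return Fraction(0)  # no API applications added: the score is 0
    per_app = [WEIGHT * len(set(cfg) & set(COMPONENTS)) for cfg in apps.values()]
    return sum(per_app, Fraction(0)) / len(per_app)


def gaps(apps):
    """Configurations still missing per application, in page order."""
    return {
        name: [c for c in COMPONENTS if c not in cfg]
        for name, cfg in apps.items()
    }


# Constructed inventories mirroring the page's two examples.
before = {"Microsoft 365": set(COMPONENTS), "Salesforce": set()}
# Salesforce gains a sensitive data pattern and a policy for sensitive data.
after = {"Microsoft 365": set(COMPONENTS), "Salesforce": {"dlp_scan", "dlp_policy"}}

if __name__ == "__main__":
    for label, apps in (("before", before), ("after", after)):
        print(label, f"{float(api_scanning_score(apps)):.0f}%", gaps(apps))
```

The `gaps` output shows that the remaining 25 points in the second case come from the two Threat Protection configurations on Salesforce.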