
Cloud Access Security Broker — Request for Proposal Questions

Table of Contents

SECTION A: VENDOR PROFILE
  Company
  Product and Customers
SECTION B: VISIBILITY
  Cloud Registry
  Cloud Discovery
  Risk and Vendor Assessment
  Cloud Governance
SECTION C: COMPLIANCE
  Data Loss Prevention (DLP)
  DLP Remediation and Reporting
  Collaboration Policies (Sanctioned Cloud Services)
SECTION D: THREAT PROTECTION
  Activity Monitoring
  Anomalies and Threats
  Incident Workflow
  Malware Controls
SECTION E: DATA SECURITY
  Contextual Access Controls
  Encryption
  Unsanctioned Cloud Services Control
SECTION F: OFFICE 365 SECURITY
SECTION G: IAAS AND CUSTOM APPS SECURITY
  Infrastructure-as-a-Service (IaaS) Security
  Custom Apps Security
SECTION H: PLATFORM & INTEGRATION
  Reporting
  Deployment
  Integration
  User Experience
SECTION I: ADMINISTRATION
SECTION J: VENDOR OPERATIONS AND SECURITY INFRASTRUCTURE
SECTION K: CUSTOMER SUCCESS & SUPPORT
SECTION L: PRICING
SECTION M: CUSTOMER REFERENCES
SECTION N: TERMS AND CONDITIONS

SECTION A: VENDOR PROFILE

Company

Ref No. Requirement | Vendor Response

A-1-1 Please provide the name and version of your CASB. Please include all products whose functionality is included in the responses below.

A-1-2 Describe the vision and direction for your CASB.

A-1-3 Provide CASB information:
• Number of engineers dedicated to CASB?
• Number of paying CASB customers?

A-1-4 Provide company ownership and funding information.

A-1-5 Do you maintain alliances with other information technology vendors? If so, which ones?

A-1-6 Do you sell your solution through partners? If yes, please list your top 5 reseller partners.

Product and Customers

Ref No. Requirement | Vendor Response

A-2-1 Please describe your product differentiators versus other CASB products.

A-2-2 Please list the products you provide to cover the following:
• Shadow SaaS/PaaS/IaaS cloud visibility and control
• Sanctioned SaaS (e.g. Office 365, Salesforce) visibility and control
• Sanctioned IaaS/PaaS (e.g. AWS, Azure) visibility and control
• Custom apps (deployed on IaaS platforms) visibility and control

A-2-3 Does your solution offer all capabilities within a single product, or does it require purchase of multiple products?

A-2-4 Does your solution secure multiple instances of a cloud service within SaaS, PaaS, and IaaS?

A-2-5 Please provide a list of customers in our vertical.

A-2-6 What is your largest deployment for the following:
• Office 365 security solution
• Box security solution
• Salesforce security solution
• IaaS
• Shadow IT solution

A-2-7 Has your product been a part of a product evaluation by a leading analyst firm (e.g. Gartner, Forrester)? Please provide details and a link to the report.

SECTION B: VISIBILITY

Cloud Registry

Ref No. [Priority] Requirement | Vendor Response

B-1-1 [H] Does your cloud solution have a registry of cloud services along with their risk assessment? How many cloud services are tracked in the 'registry/knowledge base'?

B-1-2 [H] How many attributes are tracked for each service? Provide the number of attributes and sub-attributes. For example, ‘Compliance certifications’ is counted as 1 attribute, and each certification counts as a sub-attribute.

B-1-3 [H] Can it summarize cloud usage by categories such as CRM, file-sharing, marketing, collaboration? How many categories are available?

B-1-4 [H] How is the cloud registry kept up to date for new cloud services?

B-1-5 [H] Does the solution provide a ‘Last Verified’ date for each cloud service in the registry, so users know how current the information is when assessing new cloud services?

B-1-6 [H] What compliance certifications are being tracked for cloud services within the registry? Can it assess a cloud service against GDPR, PCI, ISO, CSA, HIPAA, and other industry regulations?

B-1-7 [M] Can your registry audit exposure of cloud services to vulnerabilities such as Cloudbleed, Heartbleed, Poodle, Freak, Ghostwriter, etc.?

B-1-8 [M] Does the solution provide the ability to customize the risk scoring criteria based on an individual company’s priorities?

B-1-9 [M] Does the solution allow customers to add new cloud services to the registry, making them available to all customers?

B-1-10 [M] Does the solution allow customers to search the registry by cloud service category (CRM, ERP, Legal), risk type/level, and individual risk attributes and sub-attributes?

Cloud Discovery

Ref No. [Priority] Requirement | Vendor Response

B-2-1 [H] Does your solution provide a summarized view of cloud usage including number of services in use, traffic patterns, access count, etc.?

B-2-2 [H] Can your solution provide visibility into all users and departments using a particular cloud service by leveraging the Active Directory integration?

B-2-3 [H] Can your solution provide visibility into enterprise usage of SaaS and IaaS? Provide examples of each.

B-2-4 [M] What sources (proxies, firewalls, SIEMs) are supported to identify the use and risk of cloud services?

B-2-5 [M] Does your solution allow drill-down to provide visibility into a single user’s actions (upload/download) to support forensic investigation? Does this require a third-party dashboard, such as Splunk?

B-2-6 [H] Are usage logs sent off-premises for analysis? If so, how do you protect sensitive data (usernames, IP addresses, etc.) within the logs?

B-2-7 [M] Are usage logs automatically ingested from their source (proxies, firewalls, SIEMs)?

B-2-8 [H] Can your solution detect data exfiltration attempts? If yes, please describe how.

B-2-9 [H] For what historical duration do you hold log data to provide visibility and analysis?

B-2-10 [H] Do you quantify organizational risk from cloud usage?

Risk and Vendor Assessment

Ref No. [Priority] Requirement | Vendor Response

B-3-1 [H] Can your solution assess the risk of a cloud service by providing a consolidated risk score representing its enterprise-readiness?

B-3-2 [H] Can the customer see the scores for individual attributes (encryption, certification, breaches, etc.) that go into calculating the risk score for a cloud service?

B-3-3 [M] If the risk score of a cloud service used by a company changes, can the solution issue an alert?

B-3-4 [M] Does your company have a program to inspect and publicly certify the enterprise-readiness of cloud services? If so, please provide details.

B-3-5 [M] Can the solution create a watch list to monitor selected users who are showing suspicious behaviors?

B-3-6 [M] Can the solution allow side-by-side comparisons of cloud services across any/all security risk attributes?

Cloud Governance

Ref No. [Priority] Requirement | Vendor Response

B-4-1 [H] Can the solution automatically group services based on individual risk attributes (e.g. data encryption at rest, ISO 27001 certification, etc.)?

B-4-2 [H] Can your solution enforce policies in-line (e.g. block services by leveraging your own proxy)?

B-4-3 [H] Can your solution integrate with existing proxies or firewalls to enforce governance policies for individual services and service groups?

B-4-4 [M] Can your solution limit service functionality based on policy (e.g. allow downloads, block uploads)?

B-4-5 [M] Can your solution identify inconsistencies in your existing policy enforcement setup? For example, risky cloud services are blocked for certain offices or groups, but not for others.

B-4-6 [H] Please provide 5 customer references who have integrated your CASB with other firewalls/proxies in production.

B-4-7 [H] In the event of a security breach at a cloud service provider, does your solution provide a report with breach details and information on employees’ usage of the cloud service?

SECTION C: COMPLIANCE

Data Loss Prevention (DLP)

Ref No. [Priority] Requirement | Vendor Response

C-1-1 [H] Does your solution require an agent to perform DLP inspection? If an agent is offered/optional, which features are not available without an agent installed?

C-1-2 [H] Does your solution require licenses for multiple DLP engines or modules to perform its cloud DLP functionality?

C-1-3 [H] Can your cloud solution enforce policies on cloud data based on:
• Data identifiers (predefined data patterns/signatures)
• Keywords
• Regular expressions
• Data fingerprints
• Dictionaries
• File metadata (file name, size, type)

C-1-4 [M] Does your solution allow administrators to add custom keywords to augment data identifiers?

C-1-5 [H] Does your DLP solution support fingerprinting of structured data (aka exact data matching)?

C-1-6 [H] Does your DLP solution support fingerprinting of unstructured data? For example, confidential language such as contracts or source code detected while leaving the organization in whole or in part.

C-1-7 [H] Does your solution provide DLP support for unstructured data stored in non-file formats (e.g. Slack or Microsoft Teams messages)?

C-1-8 [H] Does your solution offer pre-built policy templates to detect selected personally identifiable information (driver’s license, credit cards, SSN) and personal health information? How many templates do you provide out-of-the-box?

C-1-9 [H] Does your solution provide pre-built templates for IT teams to enforce policies required for compliance with GDPR, PCI DSS, HIPAA, HITECH, GLBA, SOX, CIPA, FISMA, and FERPA?

C-1-10 [H] Does your solution provide DLP for data stored in IaaS object storage services such as AWS S3 buckets or Azure blob storage? Can scanning be refined to specific buckets or blobs? Please list the supported storage platforms.

C-1-11 [M] Does your solution provide the option to optimize scanning of object storage by omitting IaaS logs, such as AWS CloudTrail, from scanning?

C-1-12 [H] Does your solution enforce DLP on data in fields within structured applications such as Salesforce?

C-1-13 [H] Do your solution’s data identifiers/fingerprints/smart data identifiers go beyond what can be defined using a simple regular expression? E.g. distinguishing SSNs in the pre-2010 and post-2010 standard; performing a Luhn check to detect credit card numbers.

C-1-14 [M] Does your solution include the ability to do a proximity check for multiple data identifiers or keywords? E.g., Patient ID and RX ID within 10 words?

C-1-15 [H] Can your solution enforce DLP policies in the following modes:
• Data uploaded to the cloud
• Data shared from cloud services
• Data downloaded from the cloud
• Data created in the cloud (e.g. Excel Online, Google Docs)

C-1-16 [M] Can your solution target specific cloud folders for DLP scanning, and/or exclude folders from scanning?

C-1-17 [H] If a policy is violated, can your solution support the following remediation actions?
• Alert administrator
• Block
• Quarantine
• Encrypt
• Wrap with EDRM
• Tombstone
• Delete
• Apply classification
• Other?

C-1-18 [H] Can your solution enforce DLP policies based on keywords or tags present in the following:
• Document content
• Document metadata
• Email subject
• Email content/body
• Email header
• Email attachment

C-1-19 [M] Can your solution integrate with data classification and tagging solutions such as Titus and Boldon James, and with natively available tagging features in cloud services such as Box and Office 365?

C-1-20 [H] Can the administrator define roles that allow only selected users to perform the following actions:
• Define and activate data loss prevention or compliance policies
• Access and remediate policy violations
• Manage (access/restore/delete) the quarantined files

C-1-21 [H] Can your product integrate with existing on-premises DLP solution(s) to extend policies and remediation workflows to the cloud? Provide a list of on-premises DLP providers you integrate with and the extent of their ability to integrate the following:
• Data classifications
• DLP policies
• Incident management

C-1-22 [H] Before pushing the file to the on-premises DLP for evaluation and reporting, does your solution provide the option to perform a first-pass DLP assessment in the cloud for better performance and efficacy?

C-1-23 [M] Does your solution enforce DLP policies in-line via proxy? Please specify the capabilities for each of the following:
• Forward proxy
• Reverse proxy

C-1-24 [H] Does your solution enforce DLP policies in near real-time via cloud service APIs? If yes, provide a list of supported cloud services.

C-1-25 [H] What is the time-to-enforcement SLA for near real-time DLP policy enforcement via API? Specify the SLA you are willing to agree to contractually.

C-1-26 [H] Can the solution scan content already available in the cloud service (data at rest) based on selected DLP policies to detect violations? Can both structured and unstructured data be scanned?

C-1-27 [H] Can you invoke a DLP response action for a misconfigured IaaS/PaaS service? For example, an AWS S3 bucket discovered with open read access will be scanned with DLP.

C-1-28 [H] Can you enforce DLP policies in real time as data is uploaded or shared without impacting end-user experience?

C-1-29 [H] Please describe how you control endpoint data at rest and/or in transit. Please list examples that cover Windows, iOS and Android.

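As an added illustration of what C-1-13 and C-1-14 ask for (example code written for this page, not the RFP's or any vendor's), the following Python shows a regex candidate match refined by a Luhn check, so an order number is no longer reported as a card number, and a word-distance proximity check between two identifiers; the sample text and identifiers are constructed.

```python
import re
from typing import List, Tuple

# Constructed sample text for the demo; not taken from any real record.
SAMPLE_TEXT = (
    "Invoice paid with card 4111 1111 1111 1111 on file; "
    "reference number 1234 5678 9012 3456 is an order id, not a card. "
    "Patient ID P-48213 was dispensed under RX ID 77-0091 yesterday."
)

# A regex alone only finds 13-19 digit runs (spaces/dashes allowed): it cannot
# tell a card number from an order id, which is what the Luhn check adds.
CARD_CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
WORD_RE = re.compile(r"\S+")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> Tuple[List[str], List[str]]:
    """Return (luhn_validated, regex_only_rejects); the second list holds the
    false positives a plain regular expression would have reported."""
    validated: List[str] = []
    rejected: List[str] = []
    for m in CARD_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19:
            (validated if luhn_valid(digits) else rejected).append(digits)
    return validated, rejected


def within_proximity(text: str, term_a: str, term_b: str, max_words: int) -> bool:
    """Proximity check: True if an occurrence of term_a and one of term_b are at
    most max_words tokens apart. Terms may be multi-word; matching is case-insensitive."""
    tokens = [t.lower() for t in WORD_RE.findall(text)]

    def starts(term: str) -> List[int]:
        parts = term.lower().split()
        n = len(parts)
        return [i for i in range(len(tokens) - n + 1) if tokens[i:i + n] == parts]

    return any(abs(a - b) <= max_words for a in starts(term_a) for b in starts(term_b))


if __name__ == "__main__":
    ok, noise = find_card_numbers(SAMPLE_TEXT)
    print("validated card numbers:", ok)
    print("regex-only false positives rejected by Luhn:", noise)
    print("Patient ID within 10 words of RX ID:",
          within_proximity(SAMPLE_TEXT, "Patient ID", "RX ID", 10))
```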
DLP Remediation and Reporting

Ref No. [Priority] Requirement | Vendor Response

C-2-1 [H] Does the solution show an excerpt with the content that triggered the DLP violation, so the administrator does not have to search the entire file for sensitive content?

C-2-2 [H] If the solution shows an excerpt of the content that matched a DLP violation, where are the excerpts stored?

C-2-3 [H] Does your solution support bulk update and remediation of policy incidents to save time for IT teams?

C-2-4 [H] Can you set policies based on Active Directory attributes? For example, enforce policies on a specific team or department within the company.

C-2-5 [H] Can an administrator roll back a quarantine action to restore a file and its permissions?

C-2-6 [H] Does the solution allow a tiered response to a violation based on its severity (e.g. number of matches found in a file), such as alerting on low severity but blocking on high severity?

C-2-7 [H] When inspecting data using DLP policies, is information such as the user name or the file name where the violation occurred stored in your solution?

C-2-8 [H] Does your CASB allow end users to remediate violations on their own, reducing the need for security personnel to intervene?

Collaboration Policies (Sanctioned Cloud Services)

Ref No. [Priority] Requirement | Vendor Response

C-3-1 [H] Can your solution enforce policies on which users or groups can be collaborated with?

C-3-2 [H] Can your solution enforce collaboration policies that are content aware? E.g. sensitive data cannot be shared externally.

C-3-3 [H] Can your solution remediate violations of sharing policies by:
• Removing sharing permissions
• Modifying sharing permissions
• Quarantining the file(s)

C-3-4 [H] Can the solution provide a collaboration summary which includes sharing with business partners, personal emails, and internal users?

C-3-5 [H] Does your solution provide real-time collaboration control that can enforce a sharing policy before the file/folder recipients are able to view the data?

SECTION D: THREAT PROTECTION

Activity Monitoring

Ref No. [Priority] Requirement | Vendor Response

D-1-1 [H] Does the solution provide an audit trail of all user and administrator activities within the cloud service?

D-1-2 [M] Does the solution expose activity metadata such as IP Trust, geolocation details (city, region, country) and user agent, which companies can use to perform advanced investigative workflows?

D-1-3 [H] Can the solution filter user activity by:
• Cloud service
• Device type
• Date range
• Activity name
• Activity category
• User name
• IP Trust
• Activities via TOR or anonymizing proxies

D-1-4 [H] Can the solution feed activity logs to a SIEM via an automated syslog feed?

D-1-5 [M] Does the product allow investigating teams to deep-dive into anomalies/threats through an activity dashboard?

D-1-6 [H] Does the product automatically categorize new activity types received from the cloud service providers and include them in threat protection analytics?

D-1-7 [H] Does your solution provide a list of all activities monitored for each cloud service provider? Please attach.

Anomalies and Threats

Ref No. [Priority] Requirement | Vendor Response

D-2-1 [H] Do you have a team dedicated to cloud security threat research? If so, how many people are on the team?

D-2-2 [H] Describe up to 3 recent threats discovered by your research team in the past 18 months. Provide links to the full research (blogs, press releases, etc.).

D-2-3 [H] Has your research team detected threats impacting multiple CASB customers? If yes, please provide publicly available examples of such discoveries.

D-2-4 [H] How does your solution identify and control cloud-native man-in-the-middle (MITM) attacks?

D-2-5 [H] Can the solution detect anomalies within cloud services and raise alerts based on:
• User behavior (insider threats)
• Location-based information
• Privileged user activity
• Data exfiltration
• Compromised accounts
• Malware
• IP Trust
What other anomalies can be detected?

D-2-6 [H] Does the solution require any setup (i.e. creating policies or rules) before it can start detecting anomalies?

D-2-7 [H] Can your solution detect threats arising from malicious or negligent users based on a behavioral model?

D-2-8 [H] Can your solution detect compromised credentials based on information such as multiple login attempts, impossible cross-region access, and untrusted location access?

D-2-9 [H] Can your solution detect privileged user threats arising from excessive user permissions, zombie administrator accounts, inappropriate access to data, and unwarranted escalation of privileges and user provisioning?

D-2-10 [H] Is the product capable of baselining thresholds based on behavioral models for each user, based on time of day, week, month, quarter, user role, department, and behavior of other users in the department?

D-2-11 [M] Is the product capable of building context around geography-based anomalies by indicating a user’s trusted locations such as home, office, etc.?

D-2-12 [H] Does your solution correlate anomalies across multiple cloud services to detect threats?

D-2-13 [H] Does the solution use a threat model to narrow potentially anomalous activity to a smaller subset of likely threats? If so, what is the ratio of anomalous events to likely threats detected by the solution?

D-2-14 [H] Does the product allow you to tune thresholds based on your organization’s threat detection requirements?

D-2-15 [M] What advanced data science/machine learning techniques, if any, are utilized in analyzing user activity to detect anomalies and threats?

D-2-16 [H] Can the solution impose additional authentication when it detects high-risk behaviors such as unmanaged devices, sensitive data downloads, etc.?

D-2-17 [H] Please provide 5 customer references where your threat protection solution has been deployed at scale in production.

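The three compromised-credential signals named in D-2-8 (a burst of failed logins followed by a success, impossible cross-region travel, and access from an untrusted location), as an added worked example over constructed login events; this is illustrative code for this page, not any vendor's detection engine, and the trusted-country set, speed threshold and burst window are assumed tuning values.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class LoginEvent:
    user: str
    ts: datetime
    lat: float
    lon: float
    country: str
    success: bool


# Constructed sample events; coordinates are approximate city centres.
EVENTS: List[LoginEvent] = [
    LoginEvent("alice", datetime(2024, 3, 1, 9, 0), 51.50, -0.12, "GB", True),    # London
    LoginEvent("alice", datetime(2024, 3, 1, 9, 40), 40.70, -74.00, "US", True),  # New York, 40 min later
    LoginEvent("bob", datetime(2024, 3, 1, 10, 0), 48.85, 2.35, "FR", True),      # Paris
    LoginEvent("bob", datetime(2024, 3, 1, 15, 0), 52.52, 13.40, "DE", True),     # Berlin, 5 h later
    LoginEvent("dave", datetime(2024, 3, 1, 12, 0), -33.90, 151.20, "AU", True),  # Sydney
] + [
    # carol: five failures inside one minute, then a success from the same place
    LoginEvent("carol", datetime(2024, 3, 1, 11, 0, s), 51.50, -0.12, "GB", False)
    for s in range(0, 50, 10)
] + [LoginEvent("carol", datetime(2024, 3, 1, 11, 1), 51.50, -0.12, "GB", True)]

TRUSTED_COUNTRIES = {"GB", "US", "FR", "DE"}  # assumed corporate footprint
MAX_SPEED_KMH = 1000.0                        # above any commercial flight: impossible travel
FAILED_BURST = 5                              # failures inside BURST_WINDOW before a success
BURST_WINDOW = timedelta(minutes=5)


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points on Earth (mean radius 6371 km)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def detect(events: List[LoginEvent]) -> Dict[str, List[str]]:
    """Per-user alerts: impossible_travel, failed_burst_then_success, untrusted_location."""
    by_user: Dict[str, List[LoginEvent]] = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        by_user.setdefault(e.user, []).append(e)

    alerts: Dict[str, List[str]] = {}
    for user, evs in by_user.items():
        out: List[str] = []
        prev_ok: Optional[LoginEvent] = None   # last successful login, for the travel check
        fails: List[datetime] = []             # failures since the last success
        for e in evs:
            if not e.success:
                fails.append(e.ts)
                continue
            if e.country not in TRUSTED_COUNTRIES:
                out.append("untrusted_location")
            if sum(1 for t in fails if e.ts - t <= BURST_WINDOW) >= FAILED_BURST:
                out.append("failed_burst_then_success")
            fails = []
            if prev_ok is not None:
                hours = (e.ts - prev_ok.ts).total_seconds() / 3600
                km = haversine_km(prev_ok.lat, prev_ok.lon, e.lat, e.lon)
                if hours > 0 and km / hours > MAX_SPEED_KMH:
                    out.append("impossible_travel")
            prev_ok = e
        if out:
            alerts[user] = out
    return alerts


if __name__ == "__main__":
    for user, found in detect(EVENTS).items():
        print(user, found)
```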
Incident Workflow

Ref No. [Priority] Requirement | Vendor Response

D-3-1 [H] Does your solution provide a dashboard to provide threat information and manage incident workflow?

D-3-2 [M] Can your solution natively record an incident workflow action (Resolve, False Positive)?

D-3-3 [H] Can your solution take input on false positives or negatives and use this information to tune the threat protection engine?

D-3-4 [H] Does your solution integrate with SIEMs for incident workflow? Please describe the integration.

Malware Controls

Ref No. [Priority] Requirement | Vendor Response

D-4-1 [H] Can your solution detect malware hosted in cloud services?

D-4-3 [M] Can your solution scan existing data stores (data at rest) for new signatures/variants of malware?

D-4-4 [M] Can your solution detect zero-day threats?

D-4-5 [M] Does your malware solution integrate with third-party intelligence feeds?

SECTION E: DATA SECURITY

Contextual Access Controls

Ref No. [Priority] Requirement | Vendor Response

E-1-1 [H] What context is used to control access to cloud services (e.g. based on user, device, location)?

E-1-2 [H] Can your solution enforce policies based on the following parameters:
• Service or service group (Salesforce, all file-sharing services)
• User groups
• Specific user
• User attributes (role, department)
• Activity types (download, upload)
• SAML expression (e.g. variable passed from IDaaS provider)
• IP address range
• Geography
• File type and/or data identifiers
• Device type (managed, unmanaged)
• Device OS (e.g. Android)
• User domain (e.g. corporate vs personal)
• Agent (e.g. presence of agent)

E-1-3 [H] Can the solution enforce controls on both mobile and desktop access? Is an agent required?

E-1-4 [H] What methods does your solution support to detect managed vs unmanaged devices?

E-1-5 [H] Can your solution enforce policies that restrict access to managed devices only?

E-1-6 [H] Can your solution enforce granular device-based controls, such as restricting unmanaged or personal devices to read-only access?

Encryption

Ref No. [Priority] Requirement | Vendor Response

E-2-1 [H] Does your solution support encryption of cloud data using customer-owned keys?

E-2-2 [H] Does your solution allow encryption of selected cloud data meeting specific criteria?

E-2-3 [H] Can your solution integrate with an existing key management solution to support management of encryption keys?

E-2-4 [H] Can your solution encrypt existing data in the cloud as well as data uploaded on an ongoing basis?

E-2-5 [H] Can the solution encrypt selected fields within cloud providers such as Salesforce and ServiceNow?

E-2-6 [H] What functions are supported (e.g. search, sort, filter) for encrypted structured data fields?

E-2-7 [H] How much latency does your solution add for encryption?

E-2-8 [M] Does your solution support search for encrypted files? If so, is the search index encrypted as well? Does the search index require on-premises infrastructure?

E-2-9 [M] Which ciphers does your company use for order-preserving and function-preserving encryption?

E-2-10 [H] Has your structured encryption been deployed in production at scale? Please provide 5 customer references.

Unsanctioned Cloud Services Control

Ref No. [Priority] Requirement | Vendor Response

E-3-1 [M] Can your solution enforce DLP policies within unsanctioned cloud services such as GitHub or Evernote? For example, block all PII uploaded to Evernote.

E-3-2 [H] Can your solution enforce DLP policies on native apps of unsanctioned services on managed devices?

SECTION F: OFFICE 365 SECURITY

Ref No. [Priority] Requirement | Vendor Response

F-1-1 [H] Can the solution support the scanning and inspection (on-demand, ongoing) of files in the following Office 365 services:
• SharePoint
• OneDrive
• Mail
• Yammer
• Teams
• Other?

F-1-3 [H] How long does the solution take to enforce DLP policies via inline proxy and/or APIs?

F-1-4 [H] Can the solution support inline DLP for Exchange Online? Does this require agents to be installed at endpoints?

F-1-5 [H] Can the solution discover all sites within SharePoint based on author and other metadata parameters?

F-1-6 [H] Can the solution monitor activity across the following Office 365 applications for audit trail and forensic investigations?
• SharePoint
• OneDrive
• Exchange
• Azure AD
• Yammer
• Teams
How many types of activities can the solution parse/recognize from these cloud service providers?

F-1-7 [H] Which Microsoft APIs does your solution rely on for CASB functionality?

F-1-8 [H] Can the solution provide real-time support for collaboration policies (e.g. prevent sharing of confidential data with external parties)? Please explain how.

SECTION G: IAAS AND CUSTOM APPS SECURITY

Infrastructure-as-a-Service (IaaS) Security

Ref No. [Priority] Requirement | Vendor Response

G-1-1 [H] Can your solution discover usage across IaaS platforms such as AWS, Azure, Google Cloud? List all the IaaS platforms supported.

G-1-2 [H] Can your solution discover and manage unsanctioned IaaS accounts?

G-1-3 [H] Does your solution audit service configurations for IaaS platforms against best practices and common misconfiguration issues?

G-1-4 [M] Does the solution automatically identify security configuration incidents and flag them as ‘Resolved’ when IT or Operations teams have fixed them?

G-1-5 [H] Can the solution update the settings of the IaaS provider to auto-remediate misconfigurations found in an audit?

G-1-6 [H] Does your solution identify inactive IaaS admin accounts?

G-1-7 [H] Can your solution analyze IaaS activities to identify threats associated with insiders, compromised accounts, and privileged users?

G-1-8 [H] Does your solution capture an audit trail of all user and administrator activities on IaaS services? Is the activity monitoring process real-time/near real-time? For what duration is the data retained?

G-1-9 [M] Can your solution capture the audit trails of multiple accounts from one IaaS provider (e.g. multiple AWS CloudTrail buckets)? Can these audit trails be assessed separately or together?

G-1-10 [H] Does your solution automatically categorize IaaS activities across commonly understood categories?

G-1-11 [M] For AWS, how many sub-accounts does your solution support for activity monitoring?

G-1-12 [H] Does your solution provide an incident response workflow to triage and remediate violations?

G-1-13 [M] Can all of your solution’s capabilities be applied to more than one AWS (or IaaS) account? How many accounts can be covered?

G-1-14 [H] How does your solution detect/prevent publicly readable/writeable IaaS data stores such as AWS S3 buckets?

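One concrete form of the public-bucket check G-1-14 asks about, as an added example for this page rather than any vendor's implementation: it evaluates an S3 bucket policy document and bucket ACL for anonymous access, and contrasts a weak configuration with its corrected form. The policy, ACL and account id are constructed sample values; only the AWS group URIs for AllUsers and AuthenticatedUsers are real.

```python
import json
from typing import Any, Dict, List

# Real AWS predefined groups; an ACL grant to either makes the bucket public.
PUBLIC_ACL_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# Constructed weak configuration: anonymous read in the policy, public WRITE in the ACL.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
         "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})
WEAK_ACL: Dict[str, Any] = {"Grants": [
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "WRITE"},
]}

# Corrected form: the wildcard principal is gone, the ACL grants only to the bucket owner.
FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})
FIXED_ACL: Dict[str, Any] = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
]}


def _as_list(value: Any) -> List[Any]:
    return [value] if isinstance(value, str) else list(value or [])


def _is_wildcard_principal(principal: Any) -> bool:
    """Policy syntax allows Principal "*" or {"AWS": "*"} / {"AWS": ["*", ...]}."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def public_policy_findings(policy_json: str) -> List[str]:
    """Allow statements open to everyone. A Condition block narrows the grant
    (e.g. to a source IP range), so those are flagged separately for review."""
    findings: List[str] = []
    for i, st in enumerate(json.loads(policy_json).get("Statement", [])):
        if st.get("Effect") != "Allow" or not _is_wildcard_principal(st.get("Principal")):
            continue
        kind = "public_conditional" if st.get("Condition") else "public"
        findings.append(f"statement[{i}]:{kind}:{','.join(_as_list(st.get('Action')))}")
    return findings


def public_acl_findings(acl: Dict[str, Any]) -> List[str]:
    return [f"acl:{g.get('Permission')}:{g['Grantee'].get('URI')}"
            for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("URI") in PUBLIC_ACL_GRANTEES]


def is_public(policy_json: str, acl: Dict[str, Any]) -> bool:
    return bool(public_policy_findings(policy_json) or public_acl_findings(acl))


if __name__ == "__main__":
    print("weak:", public_policy_findings(WEAK_POLICY), public_acl_findings(WEAK_ACL))
    print("fixed is public:", is_public(FIXED_POLICY, FIXED_ACL))
```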
Custom Apps Security

Ref No. [Priority] Requirement | Vendor Response

G-2-1 [H] Can your solution provide a reverse proxy deployment to secure custom applications? Describe the method your solution uses to get in-line.

G-2-2 [H] Can your solution enforce DLP policies on data in custom apps built on IaaS platforms such as AWS or Azure? Can these policies be applied to files as well as form fills, XML, and data entered within individual fields?

G-2-3 [H] Does your solution allow customers to apply existing DLP policies created for SaaS applications (e.g. Office 365) to custom applications?

G-2-4 [H] Can your solution capture an audit trail of activities performed within custom apps deployed on public IaaS platforms? Please describe.

G-2-5 [H] How does your solution detect threats in custom apps associated with insiders, compromised accounts, and privileged users?

G-2-6 [M] Can your solution enforce access controls on custom apps based on contextual parameters such as device, location, user, and activity?

SECTION H: PLATFORM & INTEGRATION

Reporting

Ref No. [Priority] Requirement | Vendor Response

H-1-1 [M] Does the solution allow users to customize views and create new reports based on the information they want to see?

H-1-2 [M] Does the solution allow users to schedule reports to be periodically sent by email in selected formats (PDF, CSV, XLS)?

H-1-3 [H] Does your solution provide out-of-the-box reports? Please provide a list.

H-1-4 [M] Does your solution provide cloud-service-specific dashboards?

Deployment

Ref No. Requirement Priority Vendor Response

H-2-1 [Priority H] Is your solution a multi-mode CASB as defined by Gartner? Does it offer multiple deployment options:
• API
• Reverse Proxy
• Forward Proxy
• Log collection

H-2-2 [Priority M] What modes do you support to steer traffic to your proxy?

H-2-3 [Priority M] Can you deploy an agent-based model if required?

H-2-4 [Priority H] How many cloud services do you secure via API deployment mode?

H-2-5 [Priority H] Does your solution support real-time API controls?
45
H-2-6 [Priority H] Does your product enable cloud service providers, partners, or customers to build API integration between a cloud service and your CASB in a self-serve model?

H-2-7 [Priority H] How do you handle conflicts with existing agents in our security infrastructure?

H-2-8 [Priority H] Does your CASB endpoint agent split traffic and bypass the coverage of existing proxies and firewalls?

H-2-9 [Priority H] Please provide 5 customer references where your agent has been successfully deployed in production in a company with more than 10,000 users.

H-2-10 [Priority H] Does your solution require any of the following on unmanaged devices (PCs, iPads, mobile phones) or for 3rd party contractors, customers, and alliance partners:
• Agents
• VPN Backhaul
• PAC Files
46
Integration

Ref No. Requirement Priority Vendor Response

H-3-1 [Priority H] Does your product integrate with Identity Management solutions to authenticate access through the reverse proxy to sanctioned cloud services? Please list the solutions that are supported today.

H-3-2 [Priority H] Does the product provide log analysis capabilities for the following firewalls:
• Palo Alto Networks
• Juniper
• Cisco
• Barracuda Networks
• Check Point
• Fortinet

Include other supported products.

H-3-3 [Priority H] Does the product provide log analysis capabilities for the following proxies:
• Blue Coat
• Websense
• Zscaler
• McAfee

Include other supported products.
47
H-3-4 [Priority H] Does the product allow automatic push of cloud service information to third party firewalls/proxies, so that the necessary controls (block, warn, justify, etc.) can be enforced?
• Blue Coat
• Websense
• McAfee
• Palo Alto Panorama

Include other supported products.

H-3-5 [Priority H] Does the product provide log analysis capabilities for the following SIEMs:
• ArcSight
• Splunk
• McAfee
• LogRhythm
• QRadar
• Dell SecureWorks

Include other supported products.

H-3-6 [Priority M] Can your solution integrate with Enterprise Mobility Management (EMM) or Mobile Device Management (MDM) solutions to enforce access controls for managed vs. unmanaged devices?
• VMware AirWatch
• MobileIron
48
H-3-7 [Priority M] Can your solution integrate with Electronic Digital Rights Management (EDRM) solutions? Please specify the EDRM solutions that are supported.

H-3-8 [Priority M] Does the product support on-network and off-network (remote employees) access? Please describe how.

H-3-9 [Priority M] How do you manage customer encryption keys?

H-3-10 [Priority H] Do you identify noncompliant perimeter policies related to cloud?
49
User Experience

Ref No. Requirement Priority Vendor Response

H-4-1 [Priority H] Does the product provide different levels of access (Role Based Access Control) to the data and product capabilities based on the role assigned to the user by the admin:
• Administrator
• Executive
• Governance/risk manager
• Policy manager
• Incident responder

H-4-2 [Priority M] Does the solution provide a streamlined and persona-based navigation for multiple roles? Can read-only access be set for specific users or roles?

H-4-3 [Priority M] Can the solution limit admin access to a defined list of IP addresses?

H-4-4 [Priority H] Can the solution integrate with the identity management solution for single sign-on access to the user interface?

H-4-5 [Priority M] Does the CASB offer a mobile-optimized user interface, so users can be productive across all device types and screen sizes?
50
SECTION I: ADMINISTRATION
Ref No. Requirement Priority Vendor Response

I-1-1 [Priority H] If your solution is hosted, is it multi-tenant?

I-1-2 [Priority M] Are there any onsite hardware or software requirements for any aspect of your solution? If so, please describe.

I-1-3 [Priority M] How are customers notified of scheduled maintenance?

I-1-4 [Priority M] Identify all other supporting software from other vendors that would be required for the product to work (example: the need for a database for tokenization). If any, identify the other software required.

I-1-5 [Priority H] Does your solution allow us to specify which geographical locations our data traverses in and out of, so we can address legal and jurisdictional considerations based on where data is stored vs. accessed?

I-1-6 [Priority M] Are there any additional location(s) where target (regulated) data is stored? If so, provide locations (address, city, state, country).
51
SECTION J: VENDOR OPERATIONS AND SECURITY INFRASTRUCTURE
Ref No. Requirement Priority Vendor Response

J-1-1 [Priority H] Which third-party and industry standard certifications have been performed on both your product and the underlying infrastructure? Comment specifically on ISO 27001, ISO 27018, FIPS 140-2, CSA STAR, and FedRAMP.

J-1-2 [Priority H] Describe how your APIs are secured.

J-1-3 [Priority H] Describe your corporate security policy. Attach a copy.

J-1-4 [Priority H] What areas are covered in your security policy? (E.g. physical access, encryption, etc.)

J-1-5 [Priority M] Is the identity and background of all your staff known based on security background checks? If yes, describe the screening activities performed on job applicants (e.g., credit, drug screening, references, and criminal background checks).
52
J-1-6 [Priority H] Are your systems subjected to penetration testing? Is testing performed by internal personnel or outsourced? When was the last penetration test?

J-1-7 [Priority M] What is your SLA for the various deployment modes you support?
• Proxy
• API
• Log Collection

J-1-8 [Priority M] Describe your High Availability Architecture.

J-1-9 [Priority H] Are documented backup and recovery policies in place? If so, please describe.

J-1-10 [Priority M] Where are backups stored?

J-1-11 [Priority M] How long are backups kept?
53
J-1-12 [Priority H] Describe your disaster recovery strategy and frequency of testing.

J-1-13 [Priority M] What is your data ownership and retention policy?

J-1-14 [Priority M] Is the service located in multiple, fully-redundant global data centers (for cloud based solutions)?

J-1-15 [Priority H] What are your data retention policies for customer data?
54
SECTION K: CUSTOMER SUCCESS & SUPPORT
Ref No. Requirement Vendor Response

K-1-1 Do you provide pre-project planning support as part of enterprise engagements?

K-1-2 What is your implementation methodology in an organization with 5,000+ employees?

K-1-3 Is Customer Support included in the pricing?

K-1-4 Provide Customer Support days and hours of operation.
55
K-1-5 Do I have access to my local account team as an escalation path?

K-1-6 Is there a proven methodology defined for deployment, ongoing risk reduction, and measurement of customer success?

K-1-7 Is there 24x7 customer support available via email, web, and phone?
56
SECTION L: PRICING
Ref No. Requirement Vendor Response

L-1-1 Provide licensing and pricing details for your solution.

L-1-2 What is the cost for maintenance and support? Please detail available support packages.

L-1-3 Are professional services available? Please list available services and cost.
57
SECTION M: CUSTOMER REFERENCES
Please provide four customer references that [COMPANY NAME] may contact that have used the solution you are
proposing for at least 6 months:

Reference 1

Company Name

Contact Name

Contact Phone

Contact Email

Company Address

Description of Solution Provided

Benefits of Solution Provided

58
Reference 2

Company Name

Contact Name

Contact Phone

Contact Email

Company Address

Description of Solution Provided

Benefits of Solution Provided

59
Reference 3

Company Name

Contact Name

Contact Phone

Contact Email

Company Address

Description of Solution Provided

Benefits of Solution Provided

60
Reference 4

Company Name

Contact Name

Contact Phone

Contact Email

Company Address

Description of Solution Provided

Benefits of Solution Provided

61
SECTION N: TERMS AND CONDITIONS
Please describe the appropriate terms and conditions the vendor must agree to for this project including confidentiality,
insurance, compliance with applicable laws and indemnity clauses.

62