Cloud Access Security Broker—Request for Proposal Questions
Table of Contents
SECTION A: VENDOR PROFILE
  Company
  Product and Customers
SECTION B: VISIBILITY
  Cloud Registry
  Cloud Discovery
  Risk and Vendor Assessment
  Cloud Governance
SECTION C: COMPLIANCE
  Data Loss Prevention (DLP)
  DLP Remediation and Reporting
  Collaboration Policies (Sanctioned Cloud Services)
SECTION D: THREAT PROTECTION
  Activity Monitoring
  Anomalies and Threats
  Incident Workflow
  Malware Controls
SECTION E: DATA SECURITY
  Contextual Access Controls
  Encryption
  Unsanctioned Cloud Services Control
SECTION F: OFFICE 365 SECURITY
SECTION G: IAAS AND CUSTOM APPS SECURITY
  Infrastructure-as-a-Service (IaaS) Security
  Custom Apps Security
SECTION H: PLATFORM & INTEGRATION
  Reporting
  Deployment
  Integration
  User Experience
SECTION I: ADMINISTRATION
SECTION J: VENDOR OPERATIONS AND SECURITY INFRASTRUCTURE
SECTION K: CUSTOMER SUCCESS & SUPPORT
SECTION L: PRICING
SECTION M: CUSTOMER REFERENCES
SECTION N: TERMS AND CONDITIONS
SECTION A: VENDOR PROFILE
Company
Ref No. | Requirement | Vendor Response
A-1-1 | Please provide the name and version of your CASB. Please include all products whose functionality is included in the responses below. |
A-1-2 | Describe the vision and direction for your CASB. |
A-1-3 | Provide CASB information: number of engineers dedicated to CASB; number of paying CASB customers. |
A-1-4 | Provide company ownership and funding information. |
A-1-5 | Do you maintain alliances with other information technology vendors? If so, which ones? |
A-1-6 | Do you sell your solution through partners? If yes, please list your top 5 reseller partners. |
Product and Customers
Ref No. | Requirement | Vendor Response
A-2-1 | Please describe your product differentiators versus other CASB products. |
A-2-2 | Please list the products you provide to cover the following: • Shadow SaaS/PaaS/IaaS cloud visibility and control • Sanctioned SaaS (e.g. Office 365, Salesforce) visibility and control • Sanctioned IaaS/PaaS (e.g. AWS, Azure) visibility and control • Custom apps (deployed on IaaS platforms) visibility and control |
A-2-3 | Does your solution offer all capabilities within a single product, or does it require purchase of multiple products? |
A-2-4 | Does your solution secure multiple instances of a cloud service within SaaS, PaaS, and IaaS? |
A-2-5 | Please provide a list of customers in our vertical. |
A-2-6 | What is your largest deployment for the following: • Office 365 security solution • Box security solution • Salesforce security solution • IaaS • Shadow IT solution |
A-2-7 | Has your product been part of a product evaluation by a leading analyst firm (e.g. Gartner, Forrester)? Please provide details and a link to the report. |
SECTION B: VISIBILITY
Cloud Registry
Ref No. | Requirement | Priority | Vendor Response
B-1-1 | Does your cloud solution have a registry of cloud services along with their risk assessment? How many cloud services are tracked in the 'registry/knowledge base'? | H |
B-1-2 | How many attributes are tracked for each service? Provide the number of attributes and sub-attributes. For example, 'Compliance certifications' is counted as 1 attribute, and each certification counts as a sub-attribute. | H |
B-1-3 | Can it summarize cloud usage by categories such as CRM, file-sharing, marketing, collaboration? How many categories are available? | H |
B-1-4 | How is the cloud registry kept up to date for new cloud services? | H |
B-1-5 | Does the solution provide a 'Last Verified' date for each cloud service in the registry, so users know how current the information is when assessing new cloud services? | H |
B-1-6 | What compliance certifications are being tracked for cloud services within the registry? Can it assess a cloud service against GDPR, PCI, ISO, CSA, HIPAA, and other industry regulations? | H |
B-1-7 | Can your registry audit exposure of cloud services to vulnerabilities such as Cloudbleed, Heartbleed, POODLE, FREAK, Ghostwriter, etc.? | M |
B-1-8 | Does the solution provide the ability to customize the risk scoring criteria based on an individual company's priorities? | M |
B-1-9 | Does the solution allow customers to add new cloud services to the registry, making them available to all customers? | M |
B-1-10 | Does the solution allow customers to search the registry by cloud service category (CRM, ERP, Legal), risk type/level, and individual risk attributes and sub-attributes? | M |
Cloud Discovery
Ref No. | Requirement | Priority | Vendor Response
B-2-1 | Does your solution provide a summarized view of cloud usage including number of services in use, traffic patterns, access count, etc.? | H |
B-2-2 | Can your solution provide visibility into all users and departments using a particular cloud service by leveraging the Active Directory integration? | H |
B-2-3 | Can your solution provide visibility into enterprise usage of SaaS and IaaS? Provide examples of each. | H |
B-2-4 | What sources (proxies, firewalls, SIEMs) are supported to identify the use and risk of cloud services? | M |
B-2-5 | Does your solution allow drill-down to provide visibility into a single user's action (upload/download) to support forensic investigation? Does this action require a third-party dashboard, such as Splunk? | M |
B-2-6 | Are usage logs sent off-premises for analysis? If so, how do you protect sensitive data (usernames, IP addresses, etc.) within the logs? | H |
B-2-7 | Are usage logs automatically ingested from their source (proxies, firewalls, SIEMs)? | M |
B-2-8 | Can your solution detect data exfiltration attempts? If yes, please describe how. | H |
B-2-9 | For what historical duration do you hold log data to provide visibility and analysis? | H |
B-2-10 | Do you quantify organizational risk from cloud usage? | H |
Risk and Vendor Assessment
Ref No. | Requirement | Priority | Vendor Response
B-3-1 | Can your solution assess the risk of a cloud service by providing a consolidated risk score representing its enterprise-readiness? | H |
B-3-2 | Can the customer see the scores for individual attributes (encryption, certification, breaches, etc.) that go into calculating the risk score for a cloud service? | H |
B-3-3 | If the risk score of a cloud service used by a company changes, can the solution issue an alert? | M |
B-3-4 | Does your company have a program to inspect and publicly certify the enterprise-readiness of cloud services? If so, please provide details. | M |
B-3-5 | Can the solution create a watch list to monitor selected users who are showing suspicious behaviors? | M |
B-3-6 | Does the solution allow side-by-side comparisons of cloud services across any/all security risk attributes? | M |
Cloud Governance
Ref No. | Requirement | Priority | Vendor Response
B-4-1 | Can the solution automatically group services based on individual risk attributes (e.g. data encryption at rest, ISO 27001 certification, etc.)? | H |
B-4-2 | Can your solution enforce policies in-line (e.g. block services by leveraging your own proxy)? | H |
B-4-3 | Can your solution integrate with existing proxies or firewalls to enforce governance policies for individual services and service groups? | H |
B-4-4 | Can your solution limit service functionality based on policy (e.g. allow downloads, block uploads)? | M |
B-4-5 | Can your solution identify inconsistencies in your existing policy enforcement setup? For example, risky cloud services are blocked for certain offices or groups, but not for others. | M |
B-4-6 | Please provide 5 customer references who have integrated your CASB with other firewalls/proxies in production. | H |
B-4-7 | In the event of a security breach at a cloud service provider, does your solution provide a report with breach details and information on employees' usage of the cloud service? | H |
SECTION C: COMPLIANCE
Data Loss Prevention (DLP)
Ref No. | Requirement | Priority | Vendor Response
C-1-1 | Does your solution require an agent to perform DLP inspection? If an agent is offered/optional, which features are not available without an agent installed? | H |
C-1-2 | Does your solution require licenses for multiple DLP engines or modules to perform its cloud DLP functionality? | H |
C-1-3 | Can your cloud solution enforce policies on cloud data based on: • Data identifiers (predefined data patterns/signatures) • Keywords • Regular expressions • Data fingerprints • Dictionaries • File metadata (file name, size, type) | H |
C-1-4 | Does your solution allow administrators to add custom keywords to augment data identifiers? | M |
C-1-5 | Does your DLP solution support fingerprinting of structured data (aka exact data matching)? | H |
C-1-6 | Does your DLP solution support fingerprinting of unstructured data? For example, confidential language such as contracts or source code detected while leaving the organization in whole or in part. | H |
C-1-7 | Does your solution provide DLP support for unstructured data stored in non-file formats (e.g. Slack or Microsoft Teams messages)? | H |
C-1-8 | Does your solution offer pre-built policy templates to detect selected personally identifiable information (driver's license, credit cards, SSN) and personal health information? How many templates do you provide out-of-the-box? | H |
C-1-9 | Does your solution provide pre-built templates for IT teams to enforce policies required for compliance with GDPR, PCI DSS, HIPAA, HITECH, GLBA, SOX, CIPA, FISMA, and FERPA? | H |
C-1-10 | Does your solution provide DLP for data stored in IaaS object storage services such as AWS S3 buckets or Azure blob storage? Can scanning be refined to specific buckets or blobs? Please list the supported storage platforms. | H |
C-1-11 | Does your solution provide the option to optimize scanning of object storage by omitting IaaS logs, such as AWS CloudTrail, from scanning? | M |
C-1-12 | Does your solution enforce DLP on data in fields within structured applications such as Salesforce? | H |
C-1-13 | Do your solution's data identifiers/fingerprints/smart data identifiers go beyond what can be defined using a simple regular expression? E.g. distinguishing SSNs in the pre-2010 and post-2010 standard; performing a Luhn check to detect credit card numbers. | H |
C-1-14 | Does your solution include the ability to do a proximity check for multiple data identifiers or keywords? E.g., Patient ID and RX ID within 10 words? | M |
C-1-15 | Can your solution enforce DLP policies in the following modes: • Data uploaded to the cloud • Data shared from cloud services • Data downloaded from the cloud • Data created in the cloud (e.g. Excel online, Google Docs) | H |
C-1-16 | Can your solution target specific cloud folders for DLP scanning, and/or exclude folders from scanning? | M |
C-1-17 | If a policy is violated, can your solution support the following remediation actions? • Alert administrator • Block • Quarantine • Encrypt • Wrap with EDRM • Tombstone • Delete • Apply classification • Other? | H |
C-1-18 | Can your solution enforce DLP policies based on keywords or tags present in the following: • Document content • Document metadata • Email subject • Email content/body • Email header • Email attachment | H |
C-1-19 | Can your solution integrate with data classification and tagging solutions such as Titus and Boldon James, and with natively available tagging features in cloud services such as Box and Office 365? | M |
C-1-20 | Can the administrator define roles that allow only selected users to perform the following actions: • Define and activate data loss prevention or compliance policies • Access and remediate policy violations • Manage (access/restore/delete) the quarantined files | H |
C-1-21 | Can your product integrate with existing on-premises DLP solution(s) to extend policies and remediation workflows to the cloud? Provide a list of on-premises DLP providers you integrate with and the extent of their ability to integrate the following: • Data classifications • DLP policies • Incident management | H |
C-1-22 | Before pushing the file to the on-premises DLP for evaluation and reporting, does your solution provide the option to perform a first-pass DLP assessment in the cloud for better performance and efficacy? | H |
C-1-23 | Does your solution enforce DLP policies in-line via proxy? Please specify the capabilities for each of the following: • Forward proxy • Reverse proxy | M |
C-1-24 | Does your solution enforce DLP policies in near real-time via cloud service APIs? If yes, provide a list of supported cloud services. | H |
C-1-25 | What is the time-to-enforcement SLA for near real-time DLP policy enforcement via API? Specify the SLA you are willing to agree to contractually. | H |
C-1-26 | Can the solution scan content already available in the cloud service (data at rest) based on selected DLP policies to detect violations? Can both structured and unstructured data be scanned? | H |
C-1-27 | Can you invoke a DLP response action for a misconfigured IaaS/PaaS service? For example, an AWS S3 bucket discovered with open read access will be scanned with DLP. | H |
C-1-28 | Can you enforce DLP policies in real time as data is uploaded or shared without impacting end-user experience? | H |
C-1-29 | Please describe how you control endpoint data at rest and/or in transit. Please list examples that cover Windows, iOS and Android. | H |
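The identifier logic that C-1-13 and C-1-14 ask vendors about (a Luhn check behind a card-number regex so that not every 16-digit run fires, a structural SSN check, and a proximity rule such as "Patient ID" and "RX ID" within 10 words), shown as an added Python example. It is not part of this RFP and is not any vendor's code; the regexes, function names and the sample text are constructed for illustration. The SSN check applies only the structural rules that hold under both the pre-2010 and the post-2010 issuing schemes (area not 000, 666 or 900-999; group not 00; serial not 0000) and does not attempt the era-specific distinction C-1-13 refers to.

```python
import re
from bisect import bisect_right

# Candidate card number: 13-19 digits, optionally separated by single spaces or
# dashes. The regex alone over-matches; the Luhn check below prunes the hits.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# SSN in AAA-GG-SSSS form with the structural rules common to both issuing
# schemes. Era-specific area/group ordering is deliberately not modelled.
SSN = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_valid(digits):
    """Luhn mod-10: double every second digit from the right, subtract 9 if > 9."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Normalized digit strings of every candidate that passes the Luhn check."""
    hits = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def find_ssns(text):
    """Structurally plausible SSNs only (invalid area/group/serial ranges dropped)."""
    return [m.group() for m in SSN.finditer(text)]


def within_words(text, pattern_a, pattern_b, max_words):
    """True if some match of pattern_a starts within max_words words of a match of pattern_b."""
    starts = [m.start() for m in re.finditer(r"\S+", text)]

    def word_index(offset):
        # index of the whitespace-delimited token that contains this character offset
        return bisect_right(starts, offset) - 1

    a_idx = [word_index(m.start()) for m in re.finditer(pattern_a, text, re.IGNORECASE)]
    b_idx = [word_index(m.start()) for m in re.finditer(pattern_b, text, re.IGNORECASE)]
    return any(abs(i - j) <= max_words for i in a_idx for j in b_idx)


def scan(text):
    """Run the three identifiers and report what a DLP policy would surface."""
    return {
        "card_numbers": find_card_numbers(text),
        "ssns": find_ssns(text),
        "phi_proximity": within_words(text, r"patient id", r"rx id", 10),
    }


# Constructed sample text: the card number is the well-known 4111... test value,
# the second digit run fails Luhn, and two of the SSN-shaped strings are invalid.
SAMPLE = (
    "Invoice paid with card 4111 1111 1111 1111 (expires 12/27). "
    "Order ref 4111 1111 1111 1112 is not a card number. "
    "Patient ID 44821 was dispensed under RX ID 9981 on Tuesday. "
    "SSN on file: 123-45-6789; rejected entries 000-12-3456 and 987-65-4320."
)

if __name__ == "__main__":
    print(scan(SAMPLE))
```

Running the block on the sample reports one card number, one SSN and a proximity hit; the Luhn-failing run and the two malformed SSNs are dropped, which is the false-positive reduction C-1-13 is probing for.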
DLP Remediation and Reporting
Ref No. | Requirement | Priority | Vendor Response
C-2-1 | Does the solution show an excerpt with the content that triggered the DLP violation, so the administrator does not have to search the entire file for sensitive content? | H |
C-2-2 | If the solution shows an excerpt of content that matched a DLP violation, where are excerpts stored? | H |
C-2-3 | Does your solution support bulk update and remediation of policy incidents to save time for IT teams? | H |
C-2-4 | Can you set policies based on Active Directory attributes? For example, enforce policies on a specific team or department within the company. | H |
C-2-5 | Can an administrator roll back a quarantine action to restore a file and its permissions? | H |
C-2-6 | Does the solution allow a tiered response to a violation based on its severity (e.g. number of matches found in a file), such as alerting on low severity but blocking on high severity? | H |
C-2-7 | When inspecting data using DLP policies, is information such as the user name or file name where the violation occurred stored in your solution? | H |
C-2-8 | Does your CASB allow end users to remediate violations on their own, reducing the need for security personnel to intervene? | H |
Collaboration Policies (Sanctioned Cloud Services)
Ref No. | Requirement | Priority | Vendor Response
C-3-1 | Can your solution enforce policies on which users or groups can be collaborated with? | H |
C-3-2 | Can your solution enforce collaboration policies that are content-aware? E.g. sensitive data cannot be shared externally. | H |
C-3-3 | Can your solution remediate violations in sharing policies by: • Removing sharing permissions • Modifying sharing permissions • Quarantining the file(s) | H |
C-3-4 | Can the solution provide a collaboration summary which includes sharing with business partners, personal emails, and internal users? | H |
C-3-5 | Does your solution provide real-time collaboration control that can enforce a sharing policy before the file/folder recipients are able to view the data? | H |
SECTION D: THREAT PROTECTION
Activity Monitoring
Ref No. | Requirement | Priority | Vendor Response
D-1-1 | Does the solution provide an audit trail of all user and administrator activities within the cloud service? | H |
D-1-2 | Does the solution expose activity metadata such as IP Trust, geolocation details (city, region, country) and user agent, which companies can use to perform advanced investigative workflows? | M |
D-1-3 | Can the solution filter user activity by: • Cloud service • Device type • Date range • Activity name • Activity category • User name • IP Trust • Activities via TOR or anonymizing proxies | H |
D-1-4 | Can the solution feed activity logs to a SIEM via an automated syslog feed? | H |
D-1-5 | Does the product allow investigating teams to deep-dive into anomalies/threats through an activity dashboard? | M |
D-1-6 | Does the product automatically categorize new activity types received from the cloud service providers and include them in threat protection analytics? | H |
D-1-7 | Does your solution provide a list of all activities monitored for each cloud service provider? Please attach. | H |
Anomalies and Threats
Ref No. | Requirement | Priority | Vendor Response
D-2-1 | Do you have a team dedicated to cloud security threat research? If so, how many people are on the team? | H |
D-2-2 | Describe up to 3 recent threats discovered by your research team in the past 18 months. Provide links to the full research (blogs, press releases, etc.). | H |
D-2-3 | Has your research team detected threats impacting multiple CASB customers? If yes, please provide publicly available examples of such discoveries. | H |
D-2-4 | How does your solution identify and control cloud-native man-in-the-middle (MITM) attacks? | H |
D-2-5 | Can the solution detect anomalies within cloud services and raise alerts based on: • User behavior (insider threats) • Location-based information • Privileged user activity • Data exfiltration • Compromised accounts • Malware • IP Trust. What other anomalies can be detected? | H |
D-2-6 | Does the solution require any setup (i.e. creating policies or rules) before it can start detecting anomalies? | H |
D-2-7 | Can your solution detect threats arising from malicious or negligent users based on a behavioral model? | H |
D-2-8 | Can your solution detect compromised credentials based on information such as multiple login attempts, impossible cross-region access, and untrusted location access? | H |
D-2-9 | Can your solution detect privileged user threats arising from excessive user permissions, zombie administrator accounts, inappropriate access to data, and unwarranted escalation of privileges and user provisioning? | H |
D-2-10 | Is the product capable of baselining thresholds based on behavioral models for each user based on time of day, week, month, quarter, user role, department, and behavior of other users in the department? | H |
D-2-11 | Is the product capable of building context around geography-based anomalies by indicating a user's trusted locations such as home, office, etc.? | M |
D-2-12 | Does your solution correlate anomalies across multiple cloud services to detect threats? | H |
D-2-13 | Does the solution use a threat model to narrow potentially anomalous activity to a smaller subset of likely threats? If so, what is the ratio of anomalous events to likely threats detected by the solution? | H |
D-2-14 | Does the product allow you to tune thresholds based on your organization's threat detection requirements? | H |
D-2-15 | What advanced data science/machine learning techniques, if any, are utilized in analyzing user activity to detect anomalies and threats? | M |
D-2-16 | Can the solution impose additional authentication when it detects high-risk behaviors such as unmanaged devices, sensitive data downloads, etc.? | H |
D-2-17 | Please provide 5 customer references where your threat protection solution has been deployed at scale in production. | H |
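The three compromised-credential signals D-2-8 names (impossible cross-region access, untrusted-location access and repeated login attempts), with the per-user trusted-location context D-2-11 asks about, as an added Python example. It is not part of this RFP and is not any vendor's implementation; the 900 km/h plausibility ceiling, the "5 failures within 10 minutes" threshold, the trusted-location map and the login events are assumptions constructed for illustration, and the two thresholds are parameters so they can be tuned as D-2-14 requires.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


@dataclass
class LoginEvent:
    user: str
    ts: datetime
    lat: float
    lon: float
    city: str
    success: bool


# Assumption: no legitimate session moves faster than a commercial flight.
MAX_PLAUSIBLE_KMH = 900.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Consecutive successful logins per user whose implied speed is not physically plausible."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.success:
            by_user[e.user].append(e)
    alerts = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.ts - prev.ts).total_seconds() / 3600.0
            # Two different places at the same instant are impossible as well.
            speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if speed > max_kmh:
                alerts.append((user, prev.city, cur.city, round(speed)))
    return alerts


def untrusted_locations(events, trusted):
    """Successful logins from a city outside the user's trusted set (home, office, ...)."""
    return [
        (e.user, e.city)
        for e in events
        if e.success and e.city not in trusted.get(e.user, set())
    ]


def failed_login_bursts(events, window=timedelta(minutes=10), threshold=5):
    """Users with at least `threshold` failed logins inside any span of length `window`."""
    fails = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if not e.success:
            fails[e.user].append(e.ts)
    flagged = set()
    for user, times in fails.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(user)
                break
    return sorted(flagged)


# Constructed sample: fictional users, city-centre coordinates, one London to
# New York hop in 90 minutes, and a burst of failures against bob from Lagos.
T0 = datetime(2024, 3, 4, 9, 0)
SAMPLE_EVENTS = [
    LoginEvent("alice", T0, 51.5074, -0.1278, "London", True),
    LoginEvent("alice", T0 + timedelta(minutes=90), 40.7128, -74.0060, "New York", True),
    LoginEvent("bob", T0, 51.5074, -0.1278, "London", True),
    LoginEvent("bob", T0 + timedelta(hours=3), 53.4808, -2.2426, "Manchester", True),
    LoginEvent("alice", T0 - timedelta(hours=1), 51.5074, -0.1278, "London", False),
] + [
    LoginEvent("bob", T0 - timedelta(hours=7) + timedelta(seconds=20 * i), 6.5244, 3.3792, "Lagos", False)
    for i in range(6)
]
TRUSTED = {"alice": {"London"}, "bob": {"London", "Manchester"}}

if __name__ == "__main__":
    print(impossible_travel(SAMPLE_EVENTS))
    print(untrusted_locations(SAMPLE_EVENTS, TRUSTED))
    print(failed_login_bursts(SAMPLE_EVENTS))
```

On the sample, alice's London-to-New York pair (about 5,570 km in 1.5 hours, roughly 3,700 km/h) is the only impossible-travel alert, New York is her only untrusted login, and bob is the only user with a failed-login burst; bob's London-to-Manchester pair stays under the ceiling. A real deployment would replace the trusted-set map with the per-user baselines D-2-10 describes.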
Incident Workflow
Ref No. | Requirement | Priority | Vendor Response
D-3-1 | Does your solution provide a dashboard to provide threat information and manage incident workflow? | H |
D-3-2 | Can your solution natively record an incident workflow action (Resolve, False Positive)? | M |
D-3-3 | Can your solution take input on false positives or negatives and use this information to tune the threat protection engine? | H |
D-3-4 | Does your solution integrate with SIEMs for incident workflow? Please describe the integration. | H |
Malware Controls
Ref No. | Requirement | Priority | Vendor Response
D-4-1 | Can your solution detect malware hosted in cloud services? | H |
D-4-3 | Can your solution scan existing data stores (data at rest) for new signatures/variants of malware? | M |
D-4-4 | Can your solution detect zero-day threats? | M |
D-4-5 | Does your malware solution integrate with third-party intelligence feeds? | M |
SECTION E: DATA SECURITY
Contextual Access Controls
Ref No. | Requirement | Priority | Vendor Response
E-1-1 | What context is used to control access to cloud services (e.g. based on user, device, location)? | H |
E-1-2 | Can your solution enforce policies based on the following parameters: • Service or service group (Salesforce, all file-sharing services) • User groups • Specific user • User attributes (role, department) • Activity types (download, upload) • SAML expression (e.g. variable passed from IDaaS provider) • IP address range • Geography • File type and/or data identifiers • Device type (managed, unmanaged) • Device OS (e.g. Android) • User domain (e.g. corporate vs personal) • Agent (e.g. presence of agent) | H |
E-1-3 | Can the solution enforce controls on both mobile and desktop access? Is an agent required? | H |
E-1-4 | What methods does your solution support to detect managed vs unmanaged devices? | H |
E-1-5 | Can your solution enforce policies that restrict access to managed devices only? | H |
E-1-6 | Can your solution enforce granular device-based controls, such as restricting unmanaged or personal devices to read-only access? | H |
Encryption
Ref No. | Requirement | Priority | Vendor Response
E-2-1 | Does your solution support encryption of cloud data using customer-owned keys? | H |
E-2-2 | Does your solution allow encryption of selected cloud data meeting specific criteria? | H |
E-2-3 | Can your solution integrate with an existing key management solution to support management of encryption keys? | H |
E-2-4 | Can your solution encrypt existing data in the cloud as well as data uploaded on an ongoing basis? | H |
E-2-5 | Can the solution encrypt selected fields within cloud providers such as Salesforce and ServiceNow? | H |
E-2-6 | What functions are supported (e.g. search, sort, filter) for encrypted structured data fields? | H |
E-2-7 | How much latency does your solution add for encryption? | H |
E-2-8 | Does your solution support search for encrypted files? If so, is the search index encrypted as well? Does the search index require on-premises infrastructure? | M |
E-2-9 | Which ciphers does your company use for order- and function-preserving encryption? | M |
E-2-10 | Has your structured encryption been deployed in production at scale? Please provide 5 customer references. | H |
Unsanctioned Cloud Services Control
Ref No. | Requirement | Priority | Vendor Response
E-3-1 | Can your solution enforce DLP policies within unsanctioned cloud services such as GitHub and Evernote? For example, block all PII uploaded to Evernote. | M |
E-3-2 | Can your solution enforce DLP policies on native apps of unsanctioned services on managed devices? | H |
SECTION F: OFFICE 365 SECURITY
Ref No. | Requirement | Priority | Vendor Response
F-1-1 | Can the solution support the scanning and inspection (on-demand, ongoing) of files in the following Office 365 services: • SharePoint • OneDrive • Mail • Yammer • Teams • Other? | H |
F-1-3 | How long does the solution take to enforce DLP policies via inline proxy and/or APIs? | H |
F-1-4 | Can the solution support inline DLP for Exchange Online? Does this require agents to be installed at endpoints? | H |
F-1-5 | Can the solution discover all sites within SharePoint based on author and other metadata parameters? | H |
F-1-6 | Can the solution monitor activity across the following Office 365 applications for audit trail and forensic investigations? • SharePoint • OneDrive • Exchange • Azure AD • Yammer • Teams. How many types of activities can the solution parse/recognize from these cloud service providers? | H |
F-1-7 | Which Microsoft APIs does your solution rely on for CASB functionality? | H |
F-1-8 | Can the solution provide real-time support for collaboration policies (e.g. prevent sharing of confidential data with external parties)? Please explain how. | H |
SECTION G: IAAS AND CUSTOM APPS SECURITY
Infrastructure-as-a-Service (IaaS) Security
Ref No. | Requirement | Priority | Vendor Response
G-1-1 | Can your solution discover usage across IaaS platforms such as AWS, Azure, Google Cloud? List all the IaaS platforms supported. | H |
G-1-2 | Can your solution discover and manage unsanctioned IaaS accounts? | H |
G-1-3 | Does your solution audit service configurations for IaaS platforms against best practices and common misconfiguration issues? | H |
G-1-4 | Does the solution automatically identify security configuration incidents and flag them as 'Resolved' when IT or Operations teams have fixed them? | M |
G-1-5 | Can the solution update the settings of the IaaS provider to auto-remediate misconfigurations found in an audit? | H |
G-1-6 | Does your solution identify inactive IaaS admin accounts? | H |
G-1-7 | Can your solution analyze IaaS activities to identify threats associated with insiders, compromised accounts, and privileged users? | H |
G-1-8 | Does your solution capture an audit trail of all user and administrator activities on IaaS services? Is the activity monitoring process real-time/near real-time? For what duration is the data retained? | H |
G-1-9 | Can your solution capture the audit trails of multiple accounts from one IaaS provider (e.g. multiple AWS CloudTrail buckets)? Can these audit trails be assessed separately or together? | M |
G-1-10 | Does your solution automatically categorize IaaS activities across commonly understood categories? | H |
G-1-11 | For AWS, how many sub-accounts does your solution support for activity monitoring? | M |
G-1-12 | Does your solution provide an incident response workflow to triage and remediate violations? | H |
G-1-13 | Can all of your solution's capabilities be applied to more than one AWS (or IaaS) account? How many accounts can be covered? | M |
G-1-14 | How does your solution detect/prevent publicly readable/writeable IaaS data stores such as AWS S3 buckets? | H |
Custom Apps Security
Ref No. | Requirement | Priority | Vendor Response
G-2-1 | Can your solution provide a reverse proxy deployment to secure custom applications? Describe the method your solution uses to get in-line. | H |
G-2-2 | Can your solution enforce DLP policies on data in custom apps built on IaaS platforms such as AWS, Azure? Can these policies be applied to files as well as form fills, XML, and data entered within individual fields? | H |
G-2-3 | Does your solution allow customers to apply existing DLP policies created for SaaS applications (e.g. Office 365) to custom applications? | H |
G-2-4 | Can your solution capture an audit trail of activities performed within custom apps deployed on public IaaS platforms? Please describe. | H |
G-2-5 | How does your solution detect threats in custom apps associated with insiders, compromised accounts, and privileged users? | H |
G-2-6 | Can your solution enforce access controls on custom apps based on contextual parameters such as device, location, user, activity? | M |
SECTION H: PLATFORM & INTEGRATION
Reporting
Ref No. | Requirement | Priority | Vendor Response
H-1-1 | Does the solution allow users to customize views and create new reports based on the information they want to see? | M |
H-1-2 | Does the solution allow users to schedule reports to be periodically sent by email in selected formats (PDF, CSV, XLS)? | M |
H-1-3 | Does your solution provide out-of-the-box reports? Please provide a list. | H |
H-1-4 | Does your solution provide cloud-service-specific dashboards? | M |
Deployment
Ref No. Requirement Priority Vendor Response
H-2-1 Is your solution a multi-mode CASB as H
defined by Gartner? Does it offer multiple
deployment options:
• API
• Reverse Proxy
• Forward Proxy
• Log collection
H-2-2 What modes do you support to steer traffic M
to your proxy?
H-2-3 Can you deploy an agent-based model if M
required?
H-2-4 How many cloud services do you secure via H
API deployment mode?
H-2-5 Does your solution support real-time API H
controls?
45
H-2-6 Does your product enable cloud service providers, partners, or customers to build API integration between a cloud service and your CASB in a self-serve model? (Priority: H)
H-2-7 How do you handle conflicts with existing agents in our security infrastructure? (Priority: H)
H-2-8 Does your CASB endpoint agent split traffic and bypass the coverage of existing proxies and firewalls? (Priority: H)
H-2-9 Please provide 5 customer references where your agent has been successfully deployed in production in a company with more than 10,000 users. (Priority: H)
H-2-10 Does your solution require any of the following on unmanaged devices (PCs, iPads, mobile phones) or for 3rd-party contractors, customers, and alliance partners: (Priority: H)
• Agents
• VPN Backhaul
• PAC Files
Integration
Ref No. Requirement Priority Vendor Response
H-3-1 Does your product integrate with Identity Management solutions to authenticate access through the reverse proxy to sanctioned cloud services? Please list the solutions that are supported today. (Priority: H)
H-3-2 Does the product provide log analysis capabilities for the following firewalls: (Priority: H)
• Palo Alto Networks
• Juniper
• Cisco
• Barracuda Networks
• Check Point
• Fortinet
Include other supported products.
H-3-3 Does the product provide log analysis capabilities for the following proxies: (Priority: H)
• Blue Coat
• Websense
• Zscaler
• McAfee
Include other supported products.
H-3-4 Does the product allow automatic push of cloud service information to third-party firewalls/proxies, so that the necessary controls (block, warn, justify, etc.) can be enforced? (Priority: H)
• Blue Coat
• Websense
• McAfee
• Palo Alto Panorama
Include other supported products.
H-3-5 Does the product provide log analysis capabilities for the following SIEMs: (Priority: H)
• ArcSight
• Splunk
• McAfee
• LogRhythm
• Qradar
• Dell Secureworks
Include other supported products.
H-3-6 Can your solution integrate with Enterprise Mobility Management (EMM) or Mobile Device Management (MDM) solutions to enforce access controls for managed vs. unmanaged devices? (Priority: M)
• VMware AirWatch
• MobileIron
H-3-7 Can your solution integrate with Electronic Digital Rights Management (EDRM) solutions? Please specify the EDRM solutions that are supported. (Priority: M)
H-3-8 Does the product support on-network and off-network (remote employees) access? Please describe how. (Priority: M)
H-3-9 How do you manage customer encryption keys? (Priority: M)
H-3-10 Do you identify noncompliant perimeter policies related to cloud? (Priority: H)
User Experience
Ref No. Requirement Priority Vendor Response
H-4-1 Does the product provide different levels of access (Role Based Access Control) to the data and product capabilities based on the role assigned to the user by the admin: (Priority: H)
• Administrator
• Executive
• Governance/risk manager
• Policy manager
• Incident responder
H-4-2 Does the solution provide a streamlined and persona-based navigation for multiple roles? Can read-only access be set for specific users or roles? (Priority: M)
H-4-3 Can the solution limit admin access to a defined list of IP addresses? (Priority: M)
H-4-4 Can the solution integrate with the identity management solution for single sign-on access to the user interface? (Priority: H)
H-4-5 Does the CASB offer a mobile-optimized user interface, so users can be productive across all device types and screen sizes? (Priority: M)
SECTION I: ADMINISTRATION
Ref No. Requirement Priority Vendor Response
I-1-1 If your solution is hosted, is it multi-tenant? (Priority: H)
I-1-2 Are there any onsite hardware or software requirements for any aspect of your solution? If so, please describe. (Priority: M)
I-1-3 How are customers notified of scheduled maintenance? (Priority: M)
I-1-4 Identify all other supporting software from other vendors that would be required for the product to work (for example, a database for tokenization). (Priority: M)
I-1-5 Does your solution allow us to specify which geographical locations our data traverses in and out of, so we can address legal and jurisdictional considerations based on where data is stored vs. accessed? (Priority: H)
I-1-6 Are there any additional location(s) where target (regulated) data is stored? If so, provide locations (address, city, state, country). (Priority: M)
SECTION J: VENDOR OPERATIONS AND SECURITY INFRASTRUCTURE
Ref No. Requirement Priority Vendor Response
J-1-1 Which third-party and industry standard certifications have been performed on both your product and the underlying infrastructure? Comment specifically on ISO 27001, ISO 27018, FIPS 140-2, CSA STAR, and FedRAMP. (Priority: H)
J-1-2 Describe how your APIs are secured. (Priority: H)
J-1-3 Describe your corporate security policy. Attach a copy. (Priority: H)
J-1-4 What areas are covered in your security policy (e.g. physical access, encryption, etc.)? (Priority: H)
J-1-5 Is the identity and background of all your staff known based on security background checks? If yes, describe the screening activities performed on job applicants (e.g., credit, drug screening, references, and criminal background checks). (Priority: M)
J-1-6 Are your systems subjected to penetration testing? Is testing performed by internal personnel or outsourced? When was the last penetration test? (Priority: H)
J-1-7 What is your SLA for the various deployment modes you support? (Priority: M)
• Proxy
• API
• Log Collection
J-1-8 Describe your High Availability Architecture. (Priority: M)
J-1-9 Are documented backup and recovery policies in place? If so, please describe. (Priority: H)
J-1-10 Where are backups stored? (Priority: M)
J-1-11 How long are backups kept? (Priority: M)
J-1-12 Describe your disaster recovery strategy and frequency of testing. (Priority: H)
J-1-13 What is your data ownership and retention policy? (Priority: M)
J-1-14 Is the service located in multiple, fully-redundant global data centers (for cloud based solutions)? (Priority: M)
J-1-15 What are your data retention policies for customer data? (Priority: H)
SECTION K: CUSTOMER SUCCESS & SUPPORT
Ref No. Requirement Vendor Response
K-1-1 Do you provide pre-project planning support as part of enterprise engagements?
K-1-2 What is your implementation methodology in an organization with 5,000+ employees?
K-1-3 Is Customer Support included in the pricing?
K-1-4 Provide Customer Support days and hours of operation.
K-1-5 Do I have access to my local account team as an escalation path?
K-1-6 Is there a proven methodology defined for deployment, ongoing risk reduction, and measurement of customer success?
K-1-7 Is there 24x7 customer support available via email, web, and phone?
SECTION L: PRICING
Ref No. Requirement Vendor Response
L-1-1 Provide licensing and pricing details for your solution.
L-1-2 What is the cost for maintenance and support? Please detail available support packages.
L-1-3 Are professional services available? Please list available services and cost.
SECTION M: CUSTOMER REFERENCES
Please provide four customer references, which [COMPANY NAME] may contact, that have used the solution you are proposing for at least 6 months:
Reference 1
Company Name
Contact Name
Contact Phone
Contact Email
Company Address
Description of Solution Provided
Benefits of Solution Provided
Reference 2
Company Name
Contact Name
Contact Phone
Contact Email
Company Address
Description of Solution Provided
Benefits of Solution Provided
Reference 3
Company Name
Contact Name
Contact Phone
Contact Email
Company Address
Description of Solution Provided
Benefits of Solution Provided
Reference 4
Company Name
Contact Name
Contact Phone
Contact Email
Company Address
Description of Solution Provided
Benefits of Solution Provided
SECTION N: TERMS AND CONDITIONS
Please describe the appropriate terms and conditions the vendor must agree to for this project, including confidentiality, insurance, compliance with applicable laws, and indemnity clauses.