Cloud Access Security Broker (CASB) Request For Proposal

Cloud Access Security Broker— Request for Proposal Questions

Table of Contents

SECTION A: VENDOR PROFILE (p. 4)
    Company (p. 5)
    Product and Customers (p. 4)

SECTION B: VISIBILITY (p. 7)
    Cloud Registry (p. 7)
    Cloud Discovery (p. 9)
    Risk and Vendor Assessment (p. 11)
    Cloud Governance (p. 12)

SECTION C: COMPLIANCE (p. 14)
    Data Loss Prevention (DLP) (p. 14)
    DLP Remediation and Reporting (p. 21)
    Collaboration Policies (Sanctioned Cloud Services) (p. 23)

SECTION D: THREAT PROTECTION (p. 24)
    Activity Monitoring (p. 24)
    Anomalies and Threats (p. 26)
    Incident Workflow (p. 30)
    Malware Controls (p. 31)

SECTION E: DATA SECURITY (p. 32)
    Contextual Access Controls (p. 32)
    Encryption (p. 34)
    Unsanctioned Cloud Services Control (p. 36)

SECTION F: OFFICE 365 SECURITY (p. 37)

SECTION G: IAAS AND CUSTOM APPS SECURITY (p. 39)
    Infrastructure-as-a-Service (IaaS) Security (p. 39)
    Custom Apps Security (p. 42)

SECTION H: PLATFORM & INTEGRATION (p. 44)
    Reporting (p. 44)
    Deployment (p. 45)
    Integration (p. 47)
    User Experience (p. 50)

SECTION I: ADMINISTRATION (p. 51)

SECTION J: VENDOR OPERATIONS AND SECURITY INFRASTRUCTURE (p. 52)

SECTION K: CUSTOMER SUCCESS & SUPPORT (p. 55)

SECTION L: PRICING (p. 57)

SECTION M: CUSTOMER REFERENCES (p. 58)

SECTION N: TERMS AND CONDITIONS (p. 62)


SECTION A: VENDOR PROFILE

Company

Ref No. Requirement Vendor Response

A-1-1 Please provide the name and version of your CASB. Please include all products whose functionality is included in the responses below.

A-1-2 Describe the vision and direction for your CASB.

A-1-3 Provide CASB information: number of engineers dedicated to CASB; number of paying CASB customers.

A-1-4 Provide company ownership and funding information.

A-1-5 Do you maintain alliances with other information technology vendors? If so, which ones?

A-1-6 Do you sell your solution through partners? If yes, please list your top 5 reseller partners.

Product and Customers

Ref No. Requirement Vendor Response

A-2-1 Please describe your product differentiators versus other CASB products.

A-2-2 Please list the products you provide to cover the following:

• Shadow SaaS/PaaS/IaaS cloud visibility and control

• Sanctioned SaaS (e.g. Office 365, Salesforce) visibility and control

• Sanctioned IaaS/PaaS (e.g. AWS, Azure) visibility and control

• Custom apps (deployed on IaaS platforms) visibility and control

A-2-3 Does your solution offer all capabilities within a single product, or does it require the purchase of multiple products?

A-2-4 Does your solution secure multiple instances of a cloud service within SaaS, PaaS, and IaaS?

A-2-5 Please provide a list of customers in our vertical.

A-2-6 What is your largest deployment for the following:

• Office 365 security solution

• Box security solution

• Salesforce security solution

• IaaS

• Shadow IT solution

A-2-7 Has your product been a part of a product evaluation by a leading analyst firm (e.g. Gartner, Forrester)? Please provide details and a link to the report.

SECTION B: VISIBILITY

Cloud Registry

Ref No. [Priority] Requirement Vendor Response

B-1-1 [H] Does your cloud solution have a registry of cloud services along with their risk assessment? How many cloud services are tracked in the 'registry/knowledge base'?

B-1-2 [H] How many attributes are tracked for each service? Provide the number of attributes and sub-attributes. For example, ‘Compliance certifications’ is counted as 1 attribute, and each certification counts as a sub-attribute.

B-1-3 [H] Can it summarize cloud usage by categories such as CRM, file-sharing, marketing, collaboration? How many categories are available?

B-1-4 [H] How is the cloud registry kept up to date for new cloud services?

B-1-5 [H] Does the solution provide a ‘Last Verified’ date for each cloud service in the registry, so users know how current the information is when assessing new cloud services?

B-1-6 [H] What compliance certifications are tracked for cloud services within the registry? Can it assess a cloud service against GDPR, PCI, ISO, CSA, HIPAA, and other industry regulations?

B-1-7 [M] Can your registry audit exposure of cloud services to vulnerabilities such as Cloudbleed, Heartbleed, Poodle, Freak, Ghostwriter, etc.?

B-1-8 [M] Does the solution provide the ability to customize the risk scoring criteria based on an individual company’s priorities?

B-1-9 [M] Does the solution allow customers to add new cloud services to the registry, making them available to all customers?

B-1-10 [M] Does the solution allow customers to search the registry by cloud service category (CRM, ERP, Legal), risk type/level, and individual risk attributes and sub-attributes?

Cloud Discovery

Ref No. [Priority] Requirement Vendor Response

B-2-1 [H] Does your solution provide a summarized view of cloud usage, including number of services in use, traffic patterns, access count, etc.?

B-2-2 [H] Can your solution provide visibility into all users and departments using a particular cloud service by leveraging the Active Directory integration?

B-2-3 [H] Can your solution provide visibility into enterprise usage of SaaS and IaaS? Provide examples of each.

B-2-4 [M] What sources (proxies, firewalls, SIEMs) are supported to identify the use and risk of cloud services?

B-2-5 [M] Does your solution allow drill-down to provide visibility into a single user’s action (upload/download) to support forensic investigation? Does this action require a third-party dashboard, such as Splunk?

B-2-6 [H] Are usage logs sent off-premises for analysis? If so, how do you protect sensitive data (usernames, IP addresses, etc.) within the logs?

B-2-7 [M] Are usage logs automatically ingested from their source (proxies, firewalls, SIEMs)?

B-2-8 [H] Can your solution detect data exfiltration attempts? If yes, please describe how.

B-2-9 [H] For what historical duration do you retain log data to provide visibility and analysis?

B-2-10 [H] Do you quantify organizational risk from cloud usage?

Risk and Vendor Assessment

Ref No. [Priority] Requirement Vendor Response

B-3-1 [H] Can your solution assess the risk of a cloud service by providing a consolidated risk score representing its enterprise-readiness?

B-3-2 [H] Can the customer see the scores for the individual attributes (encryption, certification, breaches, etc.) that go into calculating the risk score for a cloud service?

B-3-3 [M] If the risk score of a cloud service used by a company changes, can the solution issue an alert?

B-3-4 [M] Does your company have a program to inspect and publicly certify the enterprise-readiness of cloud services? If so, please provide details.

B-3-5 [M] Can the solution create a watch list to monitor selected users who are showing suspicious behaviors?

B-3-6 [M] Can the solution allow side-by-side comparisons of cloud services across any/all security risk attributes?

Cloud Governance

Ref No. [Priority] Requirement Vendor Response

B-4-1 [H] Can the solution automatically group services based on individual risk attributes (e.g. data encryption at rest, ISO 27001 certification, etc.)?

B-4-2 [H] Can your solution enforce policies in-line (e.g. block services by leveraging your own proxy)?

B-4-3 [H] Can your solution integrate with existing proxies or firewalls to enforce governance policies for individual services and service groups?

B-4-4 [M] Can your solution limit service functionality based on policy (e.g. allow downloads, block uploads)?

B-4-5 [M] Can your solution identify inconsistencies in your existing policy enforcement setup? For example, risky cloud services are blocked for certain offices or groups, but not for others.

B-4-6 [H] Please provide 5 customer references who have integrated your CASB with other firewalls/proxies in production.

B-4-7 [H] In the event of a security breach at a cloud service provider, does your solution provide a report with breach details and information on employees’ usage of the cloud service?

SECTION C: COMPLIANCE

Data Loss Prevention (DLP)

Ref No. [Priority] Requirement Vendor Response

C-1-1 [H] Does your solution require an agent to perform DLP inspection? If an agent is offered/optional, which features are not available without an agent installed?

C-1-2 [H] Does your solution require licenses for multiple DLP engines or modules to perform its cloud DLP functionality?

C-1-3 [H] Can your cloud solution enforce policies on cloud data based on:

• Data identifiers (predefined data patterns/signatures)

• Keywords

• Regular expressions

• Data fingerprints

• Dictionaries

• File metadata (file name, size, type)

C-1-4 [M] Does your solution allow administrators to add custom keywords to augment data identifiers?

C-1-5 [H] Does your DLP solution support fingerprinting of structured data (aka exact data matching)?

C-1-6 [H] Does your DLP solution support fingerprinting of unstructured data? For example, confidential content such as contracts or source code detected while leaving the organization, in whole or in part.

C-1-7 [H] Does your solution provide DLP support for unstructured data stored in non-file formats (e.g. Slack or Microsoft Teams messages)?

C-1-8 [H] Does your solution offer pre-built policy templates to detect selected personally identifiable information (driver’s license, credit cards, SSN) and personal health information? How many templates do you provide out-of-the-box?

C-1-9 [H] Does your solution provide pre-built templates for IT teams to enforce policies required for compliance with GDPR, PCI DSS, HIPAA, HITECH, GLBA, SOX, CIPA, FISMA, and FERPA?

C-1-10 [H] Does your solution provide DLP for data stored in IaaS object storage services such as AWS S3 buckets or Azure blob storage? Can scanning be refined to specific buckets or blobs? Please list the supported storage platforms.

C-1-11 [M] Does your solution provide the option to optimize scanning of object storage by omitting IaaS logs, such as AWS CloudTrail, from scanning?

C-1-12 [H] Does your solution enforce DLP on data in fields within structured applications such as Salesforce?

C-1-13 [H] Do your solution’s data identifiers/fingerprints/smart data identifiers go beyond what can be defined using a simple regular expression? E.g. distinguishing SSNs in the pre-2010 and post-2010 standard; performing a Luhn check to detect credit card numbers.

C-1-14 [M] Does your solution include the ability to perform a proximity check for multiple data identifiers or keywords? E.g., Patient ID and RX ID within 10 words.
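C-1-13 and C-1-14 ask for data identifiers that go beyond a plain regular expression (a Luhn check on card-number candidates, structural validation of SSNs) and for proximity rules between two identifiers. The Python below is an added illustration of what such checks look like when evaluating a CASB's DLP claims; it is not code from the RFP or from any CASB vendor. The sample text, the 772 area-number cutoff used to label an SSN as post-randomization, and the token-distance definition of "within N words" are assumptions made for this example.

```python
import re
from typing import Dict, List, Tuple

# Candidate payment-card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN in the common AAA-GG-SSSS layout.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 checksum: double every second digit counted from the right.
    Rejects regex hits (invoice numbers, typos) that cannot be real card numbers."""
    total = 0
    parity = len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[Tuple[str, bool]]:
    """Every card-shaped digit run together with the result of its Luhn check."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        found.append((digits, luhn_valid(digits)))
    return found


def classify_ssn(area: str, group: str, serial: str) -> str:
    """Structural SSN validation that a regex alone cannot express.
    'invalid': area 000, 666 or 900-999, group 00 or serial 0000 are never issued.
    'post-randomization': area above 772; assumption for this example that such
    areas appeared only after the SSA switched to randomized assignment.
    'any-era': structurally valid under both the older and the newer scheme."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900 or int(group) == 0 or int(serial) == 0:
        return "invalid"
    if a > 772:
        return "post-randomization"
    return "any-era"


def find_ssns(text: str) -> List[Tuple[str, str]]:
    return [(m.group(0), classify_ssn(*m.groups())) for m in SSN_RE.finditer(text)]


def _tokens(text: str) -> List[str]:
    return re.findall(r"[A-Za-z0-9]+", text.lower())


def within_proximity(text: str, term_a: str, term_b: str, max_words: int) -> bool:
    """Proximity rule: both terms occur with start positions at most max_words
    tokens apart. Multi-word terms such as 'Patient ID' match as token sequences."""
    toks = _tokens(text)

    def starts(term: str) -> List[int]:
        t = _tokens(term)
        return [i for i in range(len(toks) - len(t) + 1) if toks[i:i + len(t)] == t]

    return any(abs(i - j) <= max_words for i in starts(term_a) for j in starts(term_b))


# Constructed sample document; the card and SSN values are test patterns, not real data.
SAMPLE = (
    "Patient ID 88213 and RX ID 5521 were filed together. "
    "Billing card 4111 1111 1111 1111 accepted, card 4111-1111-1111-1112 rejected. "
    "SSN 219-09-9999 on file, 773-22-1234 new style, 900-12-3456 bogus."
)


def scan(text: str) -> Dict[str, object]:
    """Combine the identifiers into one DLP verdict for a piece of content."""
    cards = find_card_numbers(text)
    return {
        "cards": [d for d, ok in cards if ok],
        "rejected_cards": [d for d, ok in cards if not ok],
        "ssns": find_ssns(text),
        "patient_rx_proximity": within_proximity(text, "Patient ID", "RX ID", 10),
    }


if __name__ == "__main__":
    for key, value in scan(SAMPLE).items():
        print(f"{key}: {value}")
```

The Luhn check and the structural SSN rules cut the false-positive rate of a bare `\d{16}` or `\d{3}-\d{2}-\d{4}` pattern, which is the behaviour C-1-13 asks the vendor to demonstrate; the proximity rule is what turns two weak identifiers (a patient identifier and a prescription identifier) into one high-confidence match.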

C-1-15 [H] Can your solution enforce DLP policies in the following modes:

• Data uploaded to the cloud

• Data shared from cloud services

• Data downloaded from the cloud

• Data created in the cloud (e.g. Excel Online, Google Docs)

C-1-16 [M] Can your solution target specific cloud folders for DLP scanning, and/or exclude folders from scanning?

C-1-17 [H] If a policy is violated, can your solution support the following remediation actions?

• Alert administrator

• Block

• Quarantine

• Encrypt

• Wrap with EDRM

• Tombstone

• Delete

• Apply classification

• Other?

C-1-18 [H] Can your solution enforce DLP policies based on keywords or tags present in the following:

• Document content

• Document metadata

• Email subject

• Email content/body

• Email header

• Email attachment

C-1-19 [M] Can your solution integrate with data classification and tagging solutions such as Titus and Boldon James, and with natively available tagging features in cloud services such as Box and Office 365?

C-1-20 [H] Can the administrator define roles that allow only selected users to perform the following actions:

• Define and activate data loss prevention or compliance policies

• Access and remediate policy violations

• Manage (access/restore/delete) the quarantined files

C-1-21 [H] Can your product integrate with existing on-premises DLP solution(s) to extend policies and remediation workflows to the cloud? Provide a list of on-premises DLP providers you integrate with and the extent of their ability to integrate the following:

• Data classifications

• DLP policies

• Incident management

C-1-22 [H] Before pushing the file to the on-premises DLP for evaluation and reporting, does your solution provide the option to perform a first-pass DLP assessment in the cloud for better performance and efficacy?

C-1-23 [M] Does your solution enforce DLP policies in-line via proxy? Please specify the capabilities for each of the following:

• Forward proxy

• Reverse proxy

C-1-24 [H] Does your solution enforce DLP policies in near real-time via cloud service APIs? If yes, provide a list of supported cloud services.

C-1-25 [H] What is the time-to-enforcement SLA for near real-time DLP policy enforcement via API? Specify the SLA you are willing to agree to contractually.

C-1-26 [H] Can the solution scan content already available in the cloud service (data at rest) based on selected DLP policies to detect violations? Can both structured and unstructured data be scanned?

C-1-27 [H] Can you invoke a DLP response action for a misconfigured IaaS/PaaS service? For example, an AWS S3 bucket discovered with open read access will be scanned with DLP.

C-1-28 [H] Can you enforce DLP policies in real time as data is uploaded or shared without impacting end-user experience?

C-1-29 [H] Please describe how you control endpoint data at rest and/or in transit. Please list examples that cover Windows, iOS and Android.

DLP Remediation and Reporting

Ref No. [Priority] Requirement Vendor Response

C-2-1 [H] Does the solution show an excerpt with the content that triggered the DLP violation, so the administrator does not have to search the entire file for sensitive content?

C-2-2 [H] If the solution shows an excerpt of the content that matched a DLP violation, where are the excerpts stored?

C-2-3 [H] Does your solution support bulk update and remediation of policy incidents to save time for IT teams?

C-2-4 [H] Can you set policies based on Active Directory attributes? For example, enforce policies on a specific team or department within the company.

C-2-5 [H] Can an administrator roll back a quarantine action to restore a file and its permissions?

C-2-6 [H] Does the solution allow a tiered response to a violation based on its severity (e.g. number of matches found in a file), such as alerting on low severity but blocking on high severity?

C-2-7 [H] When inspecting data using DLP policies, is information such as the user name or the file name where the violation occurred stored in your solution?

C-2-8 [H] Does your CASB allow end users to remediate violations on their own, reducing the need for security personnel to intervene?

Collaboration Policies (Sanctioned Cloud Services)

Ref No. [Priority] Requirement Vendor Response

C-3-1 [H] Can your solution enforce policies on which users or groups can be collaborated with?

C-3-2 [H] Can your solution enforce collaboration policies that are content-aware? E.g. sensitive data cannot be shared externally.

C-3-3 [H] Can your solution remediate violations of sharing policies by:

• Removing sharing permissions

• Modifying sharing permissions

• Quarantining the file(s)

C-3-4 [H] Can the solution provide a collaboration summary which includes sharing with business partners, personal emails, and internal users?

C-3-5 [H] Does your solution provide real-time collaboration control that can enforce a sharing policy before the file/folder recipients are able to view the data?

SECTION D: THREAT PROTECTION

Activity Monitoring

Ref No. [Priority] Requirement Vendor Response

D-1-1 [H] Does the solution provide an audit trail of all user and administrator activities within the cloud service?

D-1-2 [M] Does the solution expose activity metadata such as IP Trust, geolocation details (city, region, country) and user agent, which companies can use to perform advanced investigative workflows?

D-1-3 [H] Can the solution filter user activity by:

• Cloud service

• Device type

• Date range

• Activity name

• Activity category

• User name

• IP Trust

• Activities via TOR or anonymizing proxies

D-1-4 [H] Can the solution feed activity logs to a SIEM via an automated syslog feed?

D-1-5 [M] Does the product allow investigating teams to deep-dive into anomalies/threats through an activity dashboard?

D-1-6 [H] Does the product automatically categorize new activity types received from the cloud service providers and include them in threat protection analytics?

D-1-7 [H] Does your solution provide a list of all activities monitored for each cloud service provider? Please attach.

Anomalies and Threats

Ref No. [Priority] Requirement Vendor Response

D-2-1 [H] Do you have a team dedicated to cloud security threat research? If so, how many people are on the team?

D-2-2 [H] Describe up to 3 recent threats discovered by your research team in the past 18 months. Provide links to the full research (blogs, press releases, etc.).

D-2-3 [H] Has your research team detected threats impacting multiple CASB customers? If yes, please provide publicly available examples of such discoveries.

D-2-4 [H] How does your solution identify and control cloud-native man-in-the-middle (MITM) attacks?

D-2-5 [H] Can the solution detect anomalies within cloud services and raise alerts based on:

• User behavior (insider threats)

• Location-based information

• Privileged user activity

• Data exfiltration

• Compromised accounts

• Malware

• IP Trust

What other anomalies can be detected?

D-2-6 [H] Does the solution require any setup (i.e. creating policies or rules) before it can start detecting anomalies?

D-2-7 [H] Can your solution detect threats arising from malicious or negligent users based on a behavioral model?

D-2-8 [H] Can your solution detect compromised credentials based on information such as multiple login attempts, impossible cross-region access, and untrusted location access?
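D-2-8 asks whether compromised credentials can be detected from multiple login attempts, impossible cross-region access and untrusted locations. The Python below is an added example of those three detections run over constructed authentication events, useful as a reference point when judging a vendor's answer; it is not code from the RFP or from any vendor. The log format, the thresholds (5 failures in 10 minutes, 900 km/h, a 50 km minimum distance before travel is evaluated) and the per-user trusted-country lists are assumptions for this example.

```python
import math
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Set


class Event(NamedTuple):
    ts: datetime
    user: str
    outcome: str   # SUCCESS or FAIL
    src_ip: str
    country: str
    lat: float
    lon: float


class Alert(NamedTuple):
    user: str
    kind: str
    detail: str


# Constructed sample log (documentation IP ranges, made-up users):
# timestamp user outcome src_ip country latitude longitude
SAMPLE_LOG = """\
2024-03-01T09:00:00Z alice SUCCESS 203.0.113.10 US 40.71 -74.01
2024-03-01T09:05:00Z bob FAIL 198.51.100.5 US 34.05 -118.24
2024-03-01T09:05:20Z bob FAIL 198.51.100.5 US 34.05 -118.24
2024-03-01T09:05:40Z bob FAIL 198.51.100.5 US 34.05 -118.24
2024-03-01T09:06:00Z bob FAIL 198.51.100.5 US 34.05 -118.24
2024-03-01T09:06:20Z bob FAIL 198.51.100.5 US 34.05 -118.24
2024-03-01T09:06:40Z bob SUCCESS 198.51.100.5 US 34.05 -118.24
2024-03-01T10:30:00Z alice SUCCESS 192.0.2.44 DE 52.52 13.41
2024-03-01T13:00:00Z carol SUCCESS 203.0.113.99 BR -23.55 -46.63
"""

# Assumed trusted-location context per user (the home/office notion of D-2-11).
TRUSTED_COUNTRIES: Dict[str, Set[str]] = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"}}


def parse(log: str) -> List[Event]:
    """Parse the constructed whitespace-separated format into time-ordered events."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, outcome, ip, country, lat, lon = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            user, outcome, ip, country, float(lat), float(lon)))
    return sorted(events, key=lambda e: e.ts)


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two coordinates, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def detect(events: List[Event], trusted: Dict[str, Set[str]],
           fail_threshold: int = 5, fail_window: timedelta = timedelta(minutes=10),
           max_speed_kmh: float = 900.0, min_distance_km: float = 50.0) -> List[Alert]:
    """Three compromised-credential signals: a burst of failed logins, two
    successful logins that would require travelling faster than max_speed_kmh,
    and a successful login from a country outside the user's trusted set."""
    alerts: List[Alert] = []
    by_user: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)

    for user, evs in by_user.items():
        fails = [e for e in evs if e.outcome == "FAIL"]
        for i in range(len(fails) - fail_threshold + 1):
            span = fails[i + fail_threshold - 1].ts - fails[i].ts
            if span <= fail_window:
                alerts.append(Alert(user, "failed_login_burst",
                                    f"{fail_threshold} failures within {span}"))
                break

        successes = [e for e in evs if e.outcome == "SUCCESS"]
        for prev, cur in zip(successes, successes[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.ts - prev.ts).total_seconds() / 3600
            # Ignore short hops (same metro area) so NAT and GeoIP jitter do not alert.
            if km >= min_distance_km and (hours == 0 or km / hours > max_speed_kmh):
                alerts.append(Alert(user, "impossible_travel",
                                    f"{km:.0f} km in {hours:.2f} h ({prev.country} -> {cur.country})"))

        for e in successes:
            if e.country not in trusted.get(user, set()):
                alerts.append(Alert(user, "untrusted_location", f"{e.country} via {e.src_ip}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG), TRUSTED_COUNTRIES):
        print(alert)
```

On the sample data this yields four alerts: bob's five failures inside two minutes, alice's New York to Berlin hop in ninety minutes, and the untrusted-country logins for alice (DE) and carol (BR). The thresholds are exactly what D-2-14 asks to be tunable; a CASB that cannot expose them, or that has no per-user trusted-location context, will produce either noise or silence on data like this.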

D-2-9 [H] Can your solution detect privileged user threats arising from excessive user permissions, zombie administrator accounts, inappropriate access to data, and unwarranted escalation of privileges and user provisioning?

D-2-10 [H] Is the product capable of baselining thresholds based on behavioral models for each user, based on time of day, week, month, quarter, user role, department, and the behavior of other users in the department?

D-2-11 [M] Is the product capable of building context around geography-based anomalies by indicating a user’s trusted locations, such as home, office, etc.?

D-2-12 [H] Does your solution correlate anomalies across multiple cloud services to detect threats?

D-2-13 [H] Does the solution use a threat model to narrow potentially anomalous activity to a smaller subset of likely threats? If so, what is the ratio of anomalous events to likely threats detected by the solution?

D-2-14 [H] Does the product allow you to tune thresholds based on your organization’s threat detection requirements?

D-2-15 [M] What advanced data science/machine learning techniques, if any, are utilized in analyzing user activity to detect anomalies and threats?

D-2-16 [H] Can the solution impose additional authentication when it detects high-risk behaviors such as unmanaged devices, sensitive data downloads, etc.?

D-2-17 [H] Please provide 5 customer references where your threat protection solution has been deployed at scale in production.

Incident Workflow

Ref No. [Priority] Requirement Vendor Response

D-3-1 [H] Does your solution provide a dashboard to provide threat information and manage incident workflow?

D-3-2 [M] Can your solution natively record an incident workflow action (Resolve, False Positive)?

D-3-3 [H] Can your solution take input on false positives or negatives and use this information to tune the threat protection engine?

D-3-4 [H] Does your solution integrate with SIEMs for incident workflow? Please describe the integration.

Malware Controls

Ref No. [Priority] Requirement Vendor Response

D-4-1 [H] Can your solution detect malware hosted in cloud services?

D-4-3 [M] Can your solution scan existing data stores (data at rest) for new signatures/variants of malware?

D-4-4 [M] Can your solution detect zero-day threats?

D-4-5 [M] Does your malware solution integrate with third-party intelligence feeds?

SECTION E: DATA SECURITY

Contextual Access Controls

Ref No. Requirement Priority Vendor Response

E-1-1 What context is used to control access to cloud services (e.g. based on user, device, location)?

H

E-1-2 Can your solution enforce policies based on the following parameters:

• Service or service group (Salesforce, all file-sharing services)

• User groups

• Specific user

• User attributes (role, department)

• Activity types (download, upload)

• SAML expression (e.g. variable passed from IDaaS provider)

• IP address range

• Geography

• File Type and/or Data Identifiers

• Device type (managed, unmanaged)

• Device OS (e.g Android)

• User domain (e.g corporate vs personal)

• Agent (e.g. presence of agent)

H

E-1-3 | Can the solution enforce controls on both mobile and desktop access? Is an agent required? | H |
E-1-4 | What methods does your solution support to detect managed vs. unmanaged devices (e.g. client certificate, MDM/EMM enrollment, agent presence)? | H |
E-1-5 | Can your solution enforce policies that restrict access to managed devices only? | H |
E-1-6 | Can your solution enforce granular device-based controls, such as restricting unmanaged or personal devices to read-only access? | H |
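The parameter list in E-1-2 and the device controls in E-1-3 to E-1-6 amount to a first-match policy engine evaluated over per-request context. The following is an added example of such an engine, not code from the RFP or from any vendor's product; the context fields, rule schema, rule names, IP ranges and sample requests are assumptions constructed for illustration.

```python
"""Contextual access-policy evaluation of the kind an in-line CASB applies per request.

Added example for this RFP section; not code from the RFP or any vendor. The policy
schema, rule names, IP ranges and sample contexts are constructed assumptions.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class AccessContext:
    """Signals a proxy or API connector can attach to one request (E-1-2)."""
    user: str
    groups: frozenset
    role: str
    department: str
    service: str          # e.g. "salesforce"
    service_group: str    # e.g. "crm", "file-sharing"
    activity: str         # "view", "search", "download", "upload", "share"
    source_ip: str
    country: str
    device_managed: bool  # from MDM/EMM posture or a client certificate (E-1-4)
    device_os: str
    user_domain: str      # "corporate" or "personal" account on the service
    agent_present: bool
    file_type: str = ""   # empty when the request carries no file


# Rule order matters: the first rule whose conditions all match decides.
# Keys absent from a rule's "when" block are wildcards.
POLICIES = [
    {"name": "finance-uploads-from-corp-net", "action": "allow",
     "when": {"groups_any": ["finance"], "activity": ["upload"],
              "ip_ranges": ["10.0.0.0/8", "203.0.113.0/24"]}},
    {"name": "finance-uploads-elsewhere", "action": "block",
     "when": {"groups_any": ["finance"], "activity": ["upload"]}},
    {"name": "personal-account-on-sanctioned-crm", "action": "block",
     "when": {"service": ["salesforce"], "user_domain": ["personal"]}},
    {"name": "android-without-agent-on-file-sharing", "action": "block",
     "when": {"service_group": ["file-sharing"], "device_os": ["android"], "agent_present": False}},
    {"name": "unmanaged-device-read-only", "action": "read_only",
     "when": {"device_managed": False}},
]

READ_ONLY_ACTIVITIES = {"view", "search", "list"}
ENUM_KEYS = {"user", "role", "department", "service", "service_group", "activity",
             "country", "device_os", "user_domain", "file_type"}
BOOL_KEYS = {"device_managed", "agent_present"}


def rule_matches(rule, ctx):
    """True when every condition in the rule holds for this context."""
    for key, expected in rule["when"].items():
        if key == "ip_ranges":
            ip = ipaddress.ip_address(ctx.source_ip)
            if not any(ip in ipaddress.ip_network(net) for net in expected):
                return False
        elif key == "groups_any":
            if not ctx.groups.intersection(expected):
                return False
        elif key in ENUM_KEYS:
            if getattr(ctx, key) not in expected:
                return False
        elif key in BOOL_KEYS:
            if getattr(ctx, key) is not expected:
                return False
        else:
            raise ValueError(f"unknown policy condition: {key}")
    return True


def decide(ctx, policies=POLICIES, default="allow"):
    """Return {"action", "rule"}. A "read_only" rule (E-1-6) is resolved per activity:
    viewing is allowed, anything that moves data (download/upload/share) is blocked."""
    for rule in policies:
        if rule_matches(rule, ctx):
            action = rule["action"]
            if action == "read_only":
                action = "allow" if ctx.activity in READ_ONLY_ACTIVITIES else "block"
            return {"action": action, "rule": rule["name"]}
    return {"action": default, "rule": "default"}


def sample_contexts():
    """Constructed requests that exercise the rule set above."""
    base = dict(user="alice@example.com", groups=frozenset({"finance"}), role="analyst",
                department="finance", service="box", service_group="file-sharing",
                activity="upload", source_ip="10.20.30.40", country="US", device_managed=True,
                device_os="windows", user_domain="corporate", agent_present=True, file_type="xlsx")
    sales = {**base, "user": "bob@example.com", "groups": frozenset({"sales"})}
    byod = {**sales, "device_managed": False, "agent_present": False}
    return {
        "finance_upload_corp_net": AccessContext(**base),
        "finance_upload_hotel_wifi": AccessContext(**{**base, "source_ip": "198.51.100.7"}),
        "unmanaged_view": AccessContext(**{**byod, "activity": "view"}),
        "unmanaged_download": AccessContext(**{**byod, "activity": "download"}),
        "personal_salesforce": AccessContext(**{**sales, "service": "salesforce",
                                                "service_group": "crm", "activity": "view",
                                                "user_domain": "personal"}),
    }


if __name__ == "__main__":
    for name, ctx in sample_contexts().items():
        print(f"{name:28s} -> {decide(ctx)}")
```

The two finance rules show why ordering has to be explicit: the narrower allow (upload from a corporate range) must precede the broad block, otherwise the block shadows it. A vendor answer to E-1-2 should say whether its engine is first-match, most-specific-match, or deny-overrides, because the same rule set behaves differently under each.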

Encryption

Ref No. | Requirement | Priority | Vendor Response
E-2-1 | Does your solution support encryption of cloud data using customer-owned keys? | H |
E-2-2 | Does your solution allow encryption of selected cloud data meeting specific criteria? | H |
E-2-3 | Can your solution integrate with an existing key management solution to support management of encryption keys? | H |
E-2-4 | Can your solution encrypt existing data in the cloud as well as data uploaded on an ongoing basis? | H |

E-2-5 | Can the solution encrypt selected fields within cloud providers such as Salesforce and ServiceNow? | H |
E-2-6 | What functions are supported (e.g. search, sort, filter) on encrypted structured data fields? | H |
E-2-7 | How much latency does your solution add for encryption? | H |
E-2-8 | Does your solution support search of encrypted files? If so, is the search index encrypted as well? Does the search index require on-premises infrastructure? | M |
E-2-9 | Which ciphers does your company use for order-preserving and function-preserving encryption, and what do they leak by design (e.g. ordering or equality of plaintexts)? | M |
E-2-10 | Has your structured encryption been deployed in production at scale? Please provide 5 customer references. | H |

Unsanctioned Cloud Services Control

Ref No. | Requirement | Priority | Vendor Response
E-3-1 | Can your solution enforce DLP policies within unsanctioned cloud services such as GitHub or Evernote? For example, block all PII uploaded to Evernote. | M |
E-3-2 | Can your solution enforce DLP policies on native apps of unsanctioned services on managed devices? | H |

SECTION F: OFFICE 365 SECURITY

Ref No. | Requirement | Priority | Vendor Response
F-1-1 | Can the solution support the scanning and inspection (on-demand, ongoing) of files in the following Office 365 services? | H |
  • SharePoint
  • OneDrive
  • Mail
  • Yammer
  • Teams
  • Other?
F-1-3 | How long does the solution take to enforce DLP policies via inline proxy and/or APIs? | H |
F-1-4 | Can the solution support inline DLP for Exchange Online? Does this require agents to be installed at endpoints? | H |

F-1-5 | Can the solution discover all sites within SharePoint based on author and other metadata parameters? | H |
F-1-6 | Can the solution monitor activity across the following Office 365 applications for audit trail and forensic investigations? How many types of activities can the solution parse/recognize from these cloud service providers? | H |
  • SharePoint
  • OneDrive
  • Exchange
  • Azure AD
  • Yammer
  • Teams
F-1-7 | Which Microsoft APIs does your solution rely on for CASB functionality? | H |
F-1-8 | Can the solution provide real-time support for collaboration policies (e.g. prevent sharing of confidential data with external parties)? Please explain how. | H |

SECTION G: IAAS AND CUSTOM APPS SECURITY

Infrastructure-as-a-Service (IaaS) Security

Ref No. | Requirement | Priority | Vendor Response
G-1-1 | Can your solution discover usage across IaaS platforms such as AWS, Azure, Google Cloud? List all the IaaS platforms supported. | H |
G-1-2 | Can your solution discover and manage unsanctioned IaaS accounts? | H |
G-1-3 | Does your solution audit service configurations for IaaS platforms against best practices and common misconfiguration issues? | H |
G-1-4 | Does the solution automatically identify security configuration incidents and flag them as 'Resolved' when IT or Operations teams have fixed them? | M |

G-1-5 | Can the solution update the settings of the IaaS provider to auto-remediate misconfigurations found in an audit? | H |
G-1-6 | Does your solution identify inactive IaaS admin accounts? | H |
G-1-7 | Can your solution analyze IaaS activities to identify threats associated with insiders, compromised accounts, and privileged users? | H |
G-1-8 | Does your solution capture an audit trail of all user and administrator activities on IaaS services? Is the activity monitoring process real-time/near real-time? For what duration is the data retained? | H |

G-1-9 | Can your solution capture the audit trails of multiple accounts from one IaaS provider (e.g. multiple AWS CloudTrail buckets)? Can these audit trails be assessed separately or together? | M |
G-1-10 | Does your solution automatically categorize IaaS activities into commonly understood categories? | H |
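An added example for G-1-7, G-1-9 and G-1-10 (not code from the RFP or from any vendor): parsing CloudTrail records from two accounts, categorizing each event, tallying per account and combined, and raising findings for root activity, console login without MFA, trail tampering and changes that can expose storage. The field names are CloudTrail's own, but the records, account IDs and ARNs are constructed, and the category and flag tables are this example's assumptions.

```python
"""Categorize and triage AWS CloudTrail records pulled from several accounts.

Added example for G-1-7, G-1-9 and G-1-10; not code from the RFP or any vendor.
Field names are real CloudTrail ones; the records, account IDs and ARNs are
constructed, and the category and flag tables are this example's assumptions.
"""
import json
from collections import Counter, defaultdict

TRAIL_CHANGES = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
S3_DATA_EVENTS = {"GetObject", "PutObject", "DeleteObject", "CopyObject"}
S3_EXPOSURE_CHANGES = {"PutBucketAcl", "PutBucketPolicy", "DeletePublicAccessBlock",
                       "PutBucketPublicAccessBlock"}
NETWORK_CHANGES = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
                   "CreateSecurityGroup", "ModifyVpcAttribute"}


def categorize(source, name):
    """Map (eventSource, eventName) to a coarse category an analyst can pivot on (G-1-10)."""
    if source == "signin.amazonaws.com":
        return "authentication"
    if source == "cloudtrail.amazonaws.com" and name in TRAIL_CHANGES:
        return "audit-trail-change"
    if source == "s3.amazonaws.com":
        if name in S3_DATA_EVENTS:
            return "data-access"
        return "read" if name.startswith(("Get", "List", "Head")) else "storage-config"
    if name.startswith(("Describe", "Get", "List")):
        return "read"
    if source in ("iam.amazonaws.com", "sts.amazonaws.com"):
        return "identity-change"
    if source == "ec2.amazonaws.com" and name in NETWORK_CHANGES:
        return "network-change"
    return "other-write"


def flags_for(rec):
    """Indicators that deserve an incident (G-1-7): root use, console login without
    MFA, tampering with the trail itself, and changes that can expose storage."""
    flags = []
    name = rec["eventName"]
    if rec["userIdentity"].get("type") == "Root":
        flags.append("root-activity")
    if (name == "ConsoleLogin"
            and rec.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
        flags.append("console-login-without-mfa")
    if categorize(rec["eventSource"], name) == "audit-trail-change":
        flags.append("audit-trail-tampering")
    if rec["eventSource"] == "s3.amazonaws.com" and name in S3_EXPOSURE_CHANGES:
        flags.append("storage-exposure-change")
    return flags


def parse_records(text):
    """A CloudTrail log file is one JSON object with a top-level "Records" array."""
    return json.loads(text)["Records"]


def analyze(records):
    """Category counts per account and combined, plus a flat findings list, so the
    trails of several accounts can be assessed separately or together (G-1-9)."""
    per_account, combined, findings = defaultdict(Counter), Counter(), []
    for rec in records:
        acct = rec.get("recipientAccountId") or rec["userIdentity"].get("accountId", "unknown")
        cat = categorize(rec["eventSource"], rec["eventName"])
        per_account[acct][cat] += 1
        combined[cat] += 1
        for flag in flags_for(rec):
            findings.append({"account": acct, "time": rec["eventTime"], "event": rec["eventName"],
                             "actor": rec["userIdentity"].get("arn", "?"), "flag": flag})
    return {"per_account": dict(per_account), "combined": combined, "findings": findings}


# Constructed sample: six records from two fictitious accounts.
SAMPLE_LOG = """{"Records": [
 {"eventTime": "2024-05-01T09:14:02Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
  "sourceIPAddress": "203.0.113.10", "recipientAccountId": "111111111111",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice", "accountId": "111111111111"}},
 {"eventTime": "2024-05-01T09:20:41Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
  "sourceIPAddress": "10.0.4.12", "recipientAccountId": "111111111111",
  "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111111111111:assumed-role/app/i-0abc", "accountId": "111111111111"}},
 {"eventTime": "2024-05-01T09:31:05Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
  "sourceIPAddress": "203.0.113.10", "recipientAccountId": "111111111111",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice", "accountId": "111111111111"}},
 {"eventTime": "2024-05-01T22:02:17Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
  "sourceIPAddress": "198.51.100.77", "recipientAccountId": "222222222222",
  "userIdentity": {"type": "Root", "arn": "arn:aws:iam::222222222222:root", "accountId": "222222222222"},
  "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
 {"eventTime": "2024-05-01T22:05:49Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
  "sourceIPAddress": "198.51.100.77", "recipientAccountId": "222222222222",
  "userIdentity": {"type": "Root", "arn": "arn:aws:iam::222222222222:root", "accountId": "222222222222"}},
 {"eventTime": "2024-05-01T22:07:30Z", "eventSource": "s3.amazonaws.com", "eventName": "DeletePublicAccessBlock",
  "sourceIPAddress": "198.51.100.77", "recipientAccountId": "222222222222",
  "userIdentity": {"type": "Root", "arn": "arn:aws:iam::222222222222:root", "accountId": "222222222222"}}
]}"""


if __name__ == "__main__":
    result = analyze(parse_records(SAMPLE_LOG))
    for acct, counts in result["per_account"].items():
        print(acct, dict(counts))
    print("combined", dict(result["combined"]))
    for finding in result["findings"]:
        print(finding)
```

The second account's three records tell one story (root console login without MFA, then the trail is stopped, then the public access block is removed); a tool that only counts categories per account would show three unrelated events, which is why the findings are kept as a flat list keyed by account and actor.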

G-1-11 | For AWS, how many sub-accounts does your solution support for activity monitoring? | M |
G-1-12 | Does your solution provide an incident response workflow to triage and remediate violations? | H |
G-1-13 | Can all of your solution's capabilities be applied to more than one AWS (or IaaS) account? How many accounts can be covered? | M |
G-1-14 | How does your solution detect/prevent publicly readable/writable IaaS data stores such as AWS S3 buckets? Does the check consider bucket ACLs, bucket policies, and public access block settings together? | H |
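One way to answer G-1-3 and G-1-14 concretely, as an added example that is not part of the RFP or of any vendor's product: a check that combines the three inputs which together determine whether an S3 bucket is public (the bucket ACL, the bucket policy, and the public access block settings). The bucket inventory is constructed, and the list of condition keys that keep a wildcard principal from counting as public is abridged and assumed.

```python
"""Decide whether an S3 bucket is publicly readable or writable from its ACL, bucket
policy and public-access-block settings, as a CASB/CSPM configuration audit does.

Added example for G-1-3 and G-1-14; not code from the RFP or any vendor. The bucket
definitions are constructed and NARROWING_KEYS is an abridged assumption.
"""
import fnmatch

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
READ_ACTIONS = {"s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket"}
WRITE_ACTIONS = {"s3:PutObject", "s3:DeleteObject", "s3:PutObjectAcl", "s3:PutBucketPolicy"}
# A wildcard principal scoped by one of these condition keys is not treated as public
# (abridged from the S3 public-bucket definition; an assumption of this example).
NARROWING_KEYS = {"aws:SourceVpc", "aws:SourceVpce", "aws:SourceIp", "aws:VpcSourceIp",
                  "aws:PrincipalOrgID", "aws:PrincipalAccount", "aws:PrincipalArn"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal):
    """Principal "*" or {"AWS": "*"} (or a list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def _condition_narrows(statement):
    keys = {k for block in statement.get("Condition", {}).values() for k in block}
    return bool(keys & NARROWING_KEYS)


def _action_scope(actions):
    """(read, write) granted by a statement's Action list, honouring s3:* / s3:Get* globs."""
    read = write = False
    for pattern in _as_list(actions):
        read = read or any(fnmatch.fnmatchcase(a, pattern) for a in READ_ACTIONS)
        write = write or any(fnmatch.fnmatchcase(a, pattern) for a in WRITE_ACTIONS)
    return read, write


def assess_bucket(acl_grants, policy, public_access_block):
    """Return {"public_read", "public_write", "reasons"} for one bucket.

    IgnorePublicAcls neutralises existing public ACL grants and RestrictPublicBuckets
    limits a public policy to authorized principals; BlockPublicAcls/BlockPublicPolicy
    only reject new public settings, so they do not change the verdict on what exists.
    """
    pab = public_access_block or {}
    read = write = False
    reasons = []
    if not pab.get("IgnorePublicAcls"):
        for grant in acl_grants:
            uri = grant.get("Grantee", {}).get("URI")
            if uri not in (ALL_USERS, AUTH_USERS):
                continue
            perm = grant["Permission"]
            read = read or perm in ("READ", "FULL_CONTROL")
            write = write or perm in ("WRITE", "FULL_CONTROL")
            reasons.append(f"ACL grants {perm} to {uri.rsplit('/', 1)[-1]}")
    if not pab.get("RestrictPublicBuckets"):
        for stmt in (policy or {}).get("Statement", []):
            if stmt.get("Effect") != "Allow" or not _principal_is_anyone(stmt.get("Principal")):
                continue
            if _condition_narrows(stmt):
                continue
            r, w = _action_scope(stmt.get("Action", []))
            if r or w:
                read, write = read or r, write or w
                scope = "/".join(s for s, on in (("read", r), ("write", w)) if on)
                reasons.append(f"policy statement {stmt.get('Sid', '<no Sid>')} allows {scope} to Principal *")
    return {"public_read": read, "public_write": write, "reasons": reasons}


def find_exposed(buckets):
    """Buckets with any public read or write path, keyed by name, for the audit report."""
    exposed = {}
    for name, spec in buckets.items():
        verdict = assess_bucket(spec.get("acl", []), spec.get("policy"), spec.get("public_access_block"))
        if verdict["public_read"] or verdict["public_write"]:
            exposed[name] = verdict
    return exposed


# Constructed inventory, shaped like the output of GetBucketAcl, GetBucketPolicy and
# GetPublicAccessBlock that an API connector would collect.
SAMPLE_BUCKETS = {
    "marketing-site": {"acl": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}],
                       "policy": None, "public_access_block": None},
    "data-lake": {"acl": [], "public_access_block": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                                     "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
                  "policy": {"Statement": [{"Sid": "VpceOnly", "Effect": "Allow", "Principal": "*",
                                            "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::data-lake/*",
                                            "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]}},
    "uploads": {"acl": [], "public_access_block": None,
                "policy": {"Statement": [{"Sid": "AnyoneCanPut", "Effect": "Allow", "Principal": {"AWS": "*"},
                                          "Action": "s3:Put*", "Resource": "arn:aws:s3:::uploads/*"}]}},
    "old-logs": {"acl": [{"Grantee": {"Type": "Group", "URI": AUTH_USERS}, "Permission": "FULL_CONTROL"}],
                 "policy": None, "public_access_block": {"IgnorePublicAcls": True, "RestrictPublicBuckets": True}},
}


if __name__ == "__main__":
    for name, verdict in find_exposed(SAMPLE_BUCKETS).items():
        print(name, verdict)
```

The "old-logs" and "data-lake" entries are the cases a naive ACL-only or policy-only scanner gets wrong in opposite directions: one has a public-looking ACL that the account's public access block already neutralises, the other a wildcard principal that a VPC endpoint condition confines to the customer's own network.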

Custom Apps Security

Ref No. | Requirement | Priority | Vendor Response
G-2-1 | Can your solution provide a reverse proxy deployment to secure custom applications? Describe the method your solution uses to get in-line. | H |
G-2-2 | Can your solution enforce DLP policies on data in custom apps built on IaaS platforms such as AWS, Azure? Can these policies be applied to files as well as form fills, XML, and data entered within individual fields? | H |
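The field-level inspection asked for in E-3-1 and G-2-2, as an added example (not code from the RFP or from any vendor): a scanner that walks JSON, XML, URL-encoded form and plain-text request bodies as a reverse proxy would see them, reports each data identifier together with the field it was found in, and returns the block/allow verdict. The payloads, the two identifier types (SSN and Luhn-checked payment card number) and the masking format are assumptions made for the example; binary document formats are out of scope here and would need a content extractor first.

```python
"""DLP inspection of the request bodies a reverse proxy sees for a custom app: JSON,
XML, URL-encoded form fills and plain text, scanned for SSNs and Luhn-valid card
numbers, with the matching field named in each finding.

Added example for E-3-1 and G-2-2; not code from the RFP or any vendor. Sample
payloads are constructed; only text payloads are handled here.
"""
import json
import re
from urllib.parse import parse_qsl
import xml.etree.ElementTree as ET

# SSN: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits with optional single space/dash separators; the Luhn check filters noise.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(value):
    """Keep only the last four digits for the incident record."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def identifiers_in(text):
    """[(kind, masked_value)] for every data identifier found in one string."""
    found = [("ssn", mask(m.group())) for m in SSN_RE.finditer(text)]
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(("pan", mask(digits)))
    return found


def _walk_json(node, path="$"):
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk_json(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _walk_json(value, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node


def _walk_xml(root):
    # Element text and every attribute are separate inspectable fields.
    for elem in root.iter():
        if elem.text and elem.text.strip():
            yield elem.tag, elem.text
        for attr, value in elem.attrib.items():
            yield f"{elem.tag}@{attr}", value


def fields_of(body, content_type):
    """(field_path, value) pairs for the body, chosen by Content-Type."""
    if content_type == "application/json":
        return list(_walk_json(json.loads(body)))
    if content_type in ("application/xml", "text/xml"):
        return list(_walk_xml(ET.fromstring(body)))
    if content_type == "application/x-www-form-urlencoded":
        return parse_qsl(body, keep_blank_values=True)
    return [("body", body)]


def scan(body, content_type):
    """Findings as {"field", "type", "value"}, value masked."""
    return [{"field": path, "type": kind, "value": masked}
            for path, value in fields_of(body, content_type)
            for kind, masked in identifiers_in(value)]


def verdict(findings, blocked_types=("pan", "ssn")):
    return "block" if any(f["type"] in blocked_types for f in findings) else "allow"


# Constructed payloads; the card numbers are published test numbers, and the last
# sample is a 16-digit string that fails Luhn and so must not be reported.
SAMPLES = [
    ("application/json", json.dumps({"customer": {"name": "Ann", "notes": "SSN 123-45-6789 on file"},
                                     "payment": {"card": "4111 1111 1111 1111", "ref": "1234 5678 9012 3456"}})),
    ("application/xml", '<order id="7"><card number="4242-4242-4242-4242"/><memo>call back</memo></order>'),
    ("application/x-www-form-urlencoded", "name=Bob&ssn=078-05-1120&comment=hello"),
    ("text/plain", "nothing sensitive here, ticket 1234 5678 9012 3456"),
]


if __name__ == "__main__":
    for content_type, body in SAMPLES:
        found = scan(body, content_type)
        print(content_type, verdict(found), found)
```

Naming the field ("$.payment.card", "card@number", "ssn") rather than just the body matters for G-2-3: a policy written for a SaaS file upload can be reused on a custom app only if the engine can scope it to structured fields, and the same path is what an incident responder needs to see without being shown the unmasked value.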

G-2-3 | Does your solution allow customers to apply existing DLP policies created for SaaS applications (e.g. Office 365) to custom applications? | H |
G-2-4 | Can your solution capture an audit trail of activities performed within custom apps deployed on public IaaS platforms? Please describe. | H |

G-2-5 | How does your solution detect threats in custom apps associated with insiders, compromised accounts, and privileged users? | H |
G-2-6 | Can your solution enforce access controls on custom apps based on contextual parameters such as device, location, user, activity? | M |

SECTION H: PLATFORM & INTEGRATION

Reporting

Ref No. | Requirement | Priority | Vendor Response
H-1-1 | Does the solution allow users to customize views and create new reports based on the information they want to see? | M |
H-1-2 | Does the solution allow users to schedule reports to be periodically sent by email in selected formats (PDF, CSV, XLS)? | M |
H-1-3 | Does your solution provide out-of-the-box reports? Please provide a list. | H |
H-1-4 | Does your solution provide cloud-service-specific dashboards? | M |

Deployment

Ref No. | Requirement | Priority | Vendor Response
H-2-1 | Is your solution a multi-mode CASB as defined by Gartner? Does it offer multiple deployment options? | H |
  • API
  • Reverse proxy
  • Forward proxy
  • Log collection
H-2-2 | What modes do you support to steer traffic to your proxy? | M |
H-2-3 | Can you deploy an agent-based model if required? | M |
H-2-4 | How many cloud services do you secure via API deployment mode? | H |
H-2-5 | Does your solution support real-time API controls? | H |

H-2-6 | Does your product enable cloud service providers, partners, or customers to build API integrations between a cloud service and your CASB in a self-serve model? | H |
H-2-7 | How do you handle conflicts with existing agents in our security infrastructure? | H |
H-2-8 | Does your CASB endpoint agent split traffic and bypass the coverage of existing proxies and firewalls? | H |
H-2-9 | Please provide 5 customer references where your agent has been successfully deployed in production in a company with more than 10,000 users. | H |
H-2-10 | Does your solution require any of the following on unmanaged devices (PCs, iPads, mobile phones) or for third-party contractors, customers, or alliance partners? | H |
  • Agents
  • VPN backhaul
  • PAC files

Integration

Ref No. | Requirement | Priority | Vendor Response
H-3-1 | Does your product integrate with identity management solutions to authenticate access through the reverse proxy to sanctioned cloud services? Please list the solutions that are supported today. | H |
H-3-2 | Does the product provide log analysis capabilities for the following firewalls? Include other supported products. | H |
  • Palo Alto Networks
  • Juniper
  • Cisco
  • Barracuda Networks
  • Check Point
  • Fortinet
H-3-3 | Does the product provide log analysis capabilities for the following proxies? Include other supported products. | H |
  • Blue Coat
  • Websense
  • Zscaler
  • McAfee

H-3-4 | Does the product allow automatic push of cloud service information to third-party firewalls/proxies, so that the necessary controls (block, warn, justify, etc.) can be enforced? Include other supported products. | H |
  • Blue Coat
  • Websense
  • McAfee
  • Palo Alto Panorama
H-3-5 | Does the product provide log analysis capabilities for the following SIEMs? Include other supported products. | H |
  • ArcSight
  • Splunk
  • McAfee
  • LogRhythm
  • QRadar
  • Dell SecureWorks
H-3-6 | Can your solution integrate with Enterprise Mobility Management (EMM) or Mobile Device Management (MDM) solutions to enforce access controls for managed vs. unmanaged devices? | M |
  • VMware AirWatch
  • MobileIron

H-3-7 | Can your solution integrate with Electronic Digital Rights Management (EDRM) solutions? Please specify the EDRM solutions that are supported. | M |
H-3-8 | Does the product support on-network and off-network (remote employees) access? Please describe how. | M |
H-3-9 | How do you manage customer encryption keys? | M |
H-3-10 | Do you identify noncompliant perimeter policies related to cloud? | H |

User Experience

Ref No. | Requirement | Priority | Vendor Response
H-4-1 | Does the product provide different levels of access (role-based access control) to the data and product capabilities based on the role assigned to the user by the admin? | H |
  • Administrator
  • Executive
  • Governance/risk manager
  • Policy manager
  • Incident responder
H-4-2 | Does the solution provide streamlined, persona-based navigation for multiple roles? Can read-only access be set for specific users or roles? | M |
H-4-3 | Can the solution limit admin access to a defined list of IP addresses? | M |
H-4-4 | Can the solution integrate with the identity management solution for single sign-on access to the user interface? | H |
H-4-5 | Does the CASB offer a mobile-optimized user interface, so users can be productive across all device types and screen sizes? | M |

SECTION I: ADMINISTRATION

Ref No. | Requirement | Priority | Vendor Response
I-1-1 | If your solution is hosted, is it multi-tenant? | H |
I-1-2 | Are there any onsite hardware or software requirements for any aspect of your solution? If so, please describe. | M |
I-1-3 | How are customers notified of scheduled maintenance? | M |
I-1-4 | Identify all other supporting software from other vendors that would be required for the product to work (example: a database for tokenization). | M |
I-1-5 | Does your solution allow us to specify which geographical locations our data traverses in and out of, so we can address legal and jurisdictional considerations based on where data is stored vs. accessed? | H |
I-1-6 | Are there any additional location(s) where target (regulated) data is stored? If so, provide locations (address, city, state, country). | M |

SECTION J: VENDOR OPERATIONS AND SECURITY INFRASTRUCTURE

Ref No. | Requirement | Priority | Vendor Response
J-1-1 | Which third-party and industry-standard certifications have been performed on both your product and the underlying infrastructure? Comment specifically on ISO 27001, ISO 27018, FIPS 140-2, CSA STAR, and FedRAMP. | H |
J-1-2 | Describe how your APIs are secured. | H |
J-1-3 | Describe your corporate security policy. Attach a copy. | H |
J-1-4 | What areas are covered in your security policy (e.g. physical access, encryption, etc.)? | H |
J-1-5 | Is the identity and background of all your staff known based on security background checks? If yes, describe the screening activities performed on job applicants (e.g. credit, drug screening, references, and criminal background checks). | M |

J-1-6 | Are your systems subjected to penetration testing? Is testing performed by internal personnel or outsourced? When was the last penetration test? | H |
J-1-7 | What is your SLA for the various deployment modes you support? | M |
  • Proxy
  • API
  • Log collection
J-1-8 | Describe your high availability architecture. | M |
J-1-9 | Are documented backup and recovery policies in place? If so, please describe. | H |
J-1-10 | Where are backups stored? | M |
J-1-11 | How long are backups kept? | M |

J-1-12 | Describe your disaster recovery strategy and frequency of testing. | H |
J-1-13 | What is your data ownership and retention policy? | M |
J-1-14 | Is the service located in multiple, fully redundant global data centers (for cloud-based solutions)? | M |
J-1-15 | What are your data retention policies for customer data? | H |

SECTION K: CUSTOMER SUCCESS & SUPPORT

Ref No. | Requirement | Vendor Response
K-1-1 | Do you provide pre-project planning support as part of enterprise engagements? |
K-1-2 | What is your implementation methodology in an organization with 5,000+ employees? |
K-1-3 | Is customer support included in the pricing? |
K-1-4 | Provide customer support days and hours of operation. |

K-1-5 | Do we have access to our local account team as an escalation path? |
K-1-6 | Is there a proven methodology defined for deployment, ongoing risk reduction, and measurement of customer success? |
K-1-7 | Is 24x7 customer support available via email, web, and phone? |

SECTION L: PRICING

Ref No. | Requirement | Vendor Response
L-1-1 | Provide licensing and pricing details for your solution. |
L-1-2 | What is the cost for maintenance and support? Please detail available support packages. |
L-1-3 | Are professional services available? Please list available services and cost. |

SECTION M: CUSTOMER REFERENCES

Please provide four customer references that [COMPANY NAME] may contact that have used the solution you are proposing for at least 6 months:

Reference 1

Company Name

Contact Name

Contact Phone

Contact Email

Company Address

Description of Solution Provided

Benefits of Solution Provided

Reference 2

Company Name

Contact Name

Contact Phone

Contact Email

Company Address

Description of Solution Provided

Benefits of Solution Provided

Reference 3

Company Name

Contact Name

Contact Phone

Contact Email

Company Address

Description of Solution Provided

Benefits of Solution Provided

Reference 4

Company Name

Contact Name

Contact Phone

Contact Email

Company Address

Description of Solution Provided

Benefits of Solution Provided

SECTION N: TERMS AND CONDITIONS

Please describe the appropriate terms and conditions the vendor must agree to for this project, including confidentiality, insurance, compliance with applicable laws, and indemnity clauses.