Overview - Total Cloud Security | Bitglass

Cloud Access Security Broker Request for Proposal

How to use this template
This template is meant to serve as a comprehensive Request for Proposal (RFP) for cloud access security broker (CASB) solutions, covering the most common functions that CASB vendors provide. Before sending this RFP to vendors, delete all blue text (including this introductory paragraph). Fill in or delete all fields highlighted in blue.

Company Name
Date of Issue

TABLE OF CONTENTS
Overview
Questions
References
Estimated Pricing

Overview

Purpose
The purpose of this RFP is to invite prospective vendors to submit a proposal to supply a cloud access security broker solution to Company Name. Company Name increasingly relies on public cloud applications such as App 1, App 2, and App 3. Since these applications are hosted on public infrastructure that is not managed by Company Name, there is a great need to:
Gain a complete understanding of both managed and unmanaged public cloud applications in use throughout the organization.
Understand what sensitive data is being processed and stored in public cloud environments.
Securely enable the public cloud applications required by our lines of business.
Secure cloud data end-to-end - from the cloud to the point of consumption (which may include both managed and unmanaged devices).
Identify and stop zero-day threats that put sensitive data at risk.

This RFP is to select a cloud access security broker to allow for an enterprise approach to security controls and policies for public cloud applications. As a recipient of this document, Company Name is requesting that your firm submit a proposal to provide these services to Company Name.

Company Background
Briefly describe your company. Include a description of the business, key locations, number of employees, relevant regulatory compliance mandates, and the cloud apps in use (both today and in the future). Also include the key stakeholder groups involved in the decision, the high-level objectives of each group, the anticipated number of users for the system, and the projected growth of the user base.

RFP Timeline
The tentative timeline for this RFP is as follows:
List all major dates or milestones below. Include the issuance of the RFP, the technical questions closing date, the RFP response closing date (including an exact time and time zone), the end of evaluation date, and the final award notification date.

RFP issued: Insert date here
Deadline for questions: Insert date/time/timezone here
RFP submission deadline: Insert date/time/timezone here
Vendor selection short list notified: Insert date here
Presentations by shortlisted vendors: Insert date here
Evaluation vendors selected: Insert date here
Evaluation of shortlisted vendors begins: Insert date here
Notification to winning vendor: Insert date here

Note that this timeline may change at any time. All changes will be communicated by email to all invited bidders.

Questions
All questions pertaining to the content of this proposal must be made in written form, via email. All content questions must be submitted via email before the “Deadline for questions” to:
RFP Contact Name
RFP Contact Email Address
Company Name reserves the right to share such questions and their answers with all other RFP participants without disclosing the originator of the questions.

Proposal Terms
Your company, by making a proposal, claims that it has read and completely understands this Request for Proposal. Company Name reserves the right to reject any proposal and to accept the proposal which appears to have the biggest benefit to Company Name. Company Name will not reimburse the bidder for any preparation costs or other work performed in connection with this RFP. Company Name is not liable for mistakes in the submitted proposal. The vendor may correct mistakes in their proposal after the due date only with Company Name’s approval, and only to correct a mistake in existing submission sections.

Questions
Please answer the following questions. Max 100 words per answer.

Overview
Please describe your overall approach/philosophy towards securing data in the public cloud.
Please provide a brief company overview and a timeline of key milestones in your company’s history.
How is your solution differentiated from competitors in the CASB space?
Please describe any limitations that the product has with the following applications:
App 1
App 2
App 3
etc.

System Architecture
The system must support multimode proxies and APIs for real-time data protection. Please indicate which of forward proxy, reverse proxy, and ActiveSync proxy are supported.
Please indicate the mechanisms for ensuring robustness of the proxy architecture across public cloud application updates.
Does the system feature machine learning capabilities for identifying and blocking zero-day threats?
Does the system feature machine learning capabilities for managed application control?
Does the system feature machine learning capabilities for unmanaged application control?
The system should integrate native identity management components, including single sign-on and multi-factor authentication. Does the solution provide native IAM or integrate with third-party IAM solutions?
How does your product address data sovereignty, data residency, and other compliance issues?
How is your product typically deployed (on-premises gateway, cloud proxy, API only, etc.)?
What is the uptime SLA provided for your offering?
Please describe any noticeable impact the system may have on application performance.
Please describe system fault tolerance and high availability mechanisms.
Please describe how the system scales during periods of high usage.

Managed App Control
Please describe how your solution delivers CASB security to managed cloud applications.
Can the solution provide different levels of access to any cloud application based on user, group, and access method?
Does your solution deliver real-time proxy-based access control for any app without requiring agents or configuration on browsers or network proxy appliances?
Please describe the DLP actions your solution can take on sensitive data in managed cloud applications.
Is your DLP capability real-time and inline for any application?
Does your DLP engine handle both file-level and field-level data?
Do you require API integration to deliver DLP functionality?

Unmanaged App Control and Shadow IT Discovery
Does the system support discovery of “Shadow IT” unmanaged apps?
Does the system provide corresponding trust ratings for all unknown “zero-day” unmanaged applications in use?
How many applications with trust ratings are included in the system’s Shadow IT database?
Does the system support control of zero-day unmanaged apps?
What mechanism does the system use to restrict access to zero-day unmanaged apps?
Can the solution provide different levels of access to unmanaged applications, including read-only access?
Does the solution enable sanctioning of zero-day unmanaged applications?

Access Control
Can the solution provide different levels of access to applications based on user/group?
Can the solution provide different levels of access to applications based on managed versus unmanaged devices? How are different device types classified?
Can the solution provide different levels of access to applications based on geographic location and/or IP range?
Can the solution provide different levels of access to applications based on access method (web, client apps, mail client, etc.)?
Please describe how the solution can block native application sync client access from unmanaged devices.

Data Loss Prevention (DLP)
Does your system support both simple and advanced patterns, keyword and regular expression matching, and proximity- and occurrence-based matching? Can multiple match types be combined via boolean expressions to create advanced detection patterns?
Does your system’s DLP solution include a pre-built library of patterns for common data types?
Does the system support exact match policies?
Please describe how your solution integrates with premises-based DLP from DLP Vendor.
Can the solution block or quarantine external sharing and remove public access to files? Are such policies mapped to DLP rules?
Can the solution mask/block sensitive data before it is downloaded to devices?
Can the solution encrypt and/or apply rights management to files upon download? Please describe how such mechanisms work.
Can the solution apply watermarks or fingerprints to files matching DLP patterns?

Threat and Malware Protection
Please describe the solution’s ability to scan cloud data-at-rest for malware.
Please describe the solution’s ability to stop the upload of malware files from unmanaged/unprotected devices.
Please describe the solution’s ability to stop the download of malware to unmanaged/unprotected devices.
Please describe the mechanisms, and any partnerships, employed by the solution to detect known and unknown/zero-day threats.

Visibility & Analytics
Does your system provide a dashboard with a consolidated view of data, device, user, application, and administrative activities?
Does your product provide comprehensive activity and transaction logging?
How does the system correlate user activity and suspicious user behavior across applications?
Please describe the system’s mechanisms for automated alerting and reporting.
Please describe the solution’s ability to track data that has been downloaded from the cloud application.

Identity Management
Does your product provide native single sign-on functionality, or must a third-party product be acquired?
Please describe the solution’s ability to provide multi-factor authentication to cloud applications as a risk mitigation mechanism.
Please describe how the product integrates with Active Directory for user authentication and security group/OU synchronization.

Mobile Data Protection
Can your solution selectively wipe cloud data that has been synchronized or downloaded to mobile devices?
How does your solution ensure that basic device-level security configuration, such as a PIN code and device encryption, has been enabled prior to providing access?
How does your product address protection of data that has been downloaded or synced to endpoint devices?
Please describe how your solution offers data protection for mobile mail via ActiveSync.
Please describe how your solution offers data protection for native mobile applications.
Please describe whether your solution is able to protect mobile data without taking management control over the device via software/agent installation.

Cloud Encryption
Please describe your solution’s capability and approach for encrypting structured data (field level) uploaded to the cloud.
Please describe your solution’s capability and approach for encrypting unstructured data (file level) uploaded to the cloud.
Please describe your solution’s capability and approach for encrypting data upon download from the cloud.
Does your product weaken encryption strength in any way in order to preserve application functionality?
Does your product impede any native SaaS or IaaS functions such as searching, sorting, or creating reports?
How are keys managed with your solution? Can keys be managed on-premises?

IaaS Data Protection
Please describe how your solution protects data-at-rest in IaaS data lakes.
How is data in IaaS data lakes encrypted and decrypted on upload/download?
Do you support both encryption and tokenization?
Does your solution handle both structured and unstructured data?
Does your solution allow for data to be tagged with a sensitivity level for selective access control and decryption?
Can the solution provide different levels of access to the IaaS application’s admin console based on user, group, and access method?
Can the solution provide different levels of access to IaaS-connected cloud applications based on user, group, and access method?

User Experience
Please describe any changes that must be made to endpoint devices in order to securely access cloud apps through your system.
Please describe how your solution supports access from unmanaged devices, where no configuration, client apps, or profiles are installed.
Please describe the user experience when a user attempts to access a public cloud application directly.
Please describe how user enrollment and initial access can be achieved with no IT involvement.
Please describe how your solution is able to provide control/visibility over corporate data while having absolutely no visibility into any employee personal data or applications.

References
Please provide contact information for at least 2 reference customers with whom we can speak.

Estimated Pricing
Please provide pricing for implementation of your solution for Company Name’s project as described in this RFP. The vendor must agree to keep these prices valid for Number of Days days, as of Starting Date.
