How to write an RFP for CASB

Requirements, questions, and evaluation criteria specific to CASB procurement

Cloud Access Security Brokers (CASBs) are critical for securing cloud applications and data, but their integration into broader security frameworks like SSE and SASE adds complexity. A well-crafted RFP is essential to navigate this evolving landscape and ensure the chosen solution aligns with your organization's specific security needs and cloud strategy.

What makes CASB RFPs different

CASB RFPs differ significantly from other security software RFPs due to the unique challenges of securing cloud environments. Unlike on-premises solutions, CASBs must integrate with various cloud providers and SaaS applications, each with its own security configurations and APIs.

The rise of Shadow IT and Shadow AI further complicates matters, requiring CASBs to discover and govern unsanctioned cloud usage, including generative AI tools.

Furthermore, the convergence of CASB with SSE and SASE necessitates a broader evaluation of the vendor's overall security roadmap and integration capabilities.

Procurement teams must assess not only the core CASB functionalities but also the vendor's ability to deliver a unified cloud security platform that encompasses SWG, ZTNA, and FWaaS. Data residency and compliance requirements also play a crucial role, especially for multinational organizations operating in regions with strict data privacy laws.

  • Integration with existing identity and endpoint management systems
  • Coverage of critical SaaS applications and cloud platforms
  • Ability to govern Shadow IT and Shadow AI usage
  • Compliance with relevant data privacy regulations (e.g., GDPR, HIPAA)

RFP vs RFI vs RFQ

Here's when to use each document type when procuring CASB software.

RFI

Request for Information

Use early in your search to understand what vendors offer and narrow your list. Gather general capabilities, company background, and high-level pricing ranges.

RFP

Request for Proposal

Use when you know your requirements and want detailed vendor solutions and pricing. This is your main evaluation document for shortlisted vendors.

RFQ

Request for Quote

Use when requirements are fixed and you just need final pricing. Often used after RFP when you're ready to negotiate with finalists.

For CASB procurement, an RFI is useful for initial market research and understanding different vendor approaches to cloud security. An RFP is necessary for a thorough evaluation of technical capabilities, deployment options, and pricing, while an RFQ is generally not suitable due to the complexity and customization required.

Technical requirements checklist

Use this checklist when defining your RFP scope.

Deployment Modes

  • API-based integration for data-at-rest scanning
  • Forward proxy for managed devices
  • Reverse proxy for unmanaged devices (BYOD)
  • Support for both inline and out-of-band deployment

Data Loss Prevention (DLP)

  • Predefined DLP policies for common data types (PII, PHI, PCI)
  • Customizable DLP policies with regular expression support
  • Exact Data Matching (EDM) and Indexed Document Matching (IDM)
  • Real-time DLP enforcement for cloud applications

Shadow IT Discovery

  • Automatic discovery of cloud applications in use
  • Risk scoring for discovered applications
  • Reporting on Shadow IT usage trends
  • Ability to block or sanction applications
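To make the four discovery items above concrete, here is an added example (not from the page or any CASB vendor) of the core of a Shadow IT discovery pass run over forward-proxy log lines: each destination host is matched against a cloud-app catalog, usage is aggregated per application, a risk score is derived, and a block/review/allow recommendation is produced. The log format, hostnames, catalog entries, risk weights and thresholds are all constructed for this illustration.

```python
"""Added example (not from the page or any CASB vendor): Shadow IT discovery
from constructed forward-proxy log lines. The log format, hostnames, the
cloud-app catalog and the risk weights are all made up for this illustration."""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Set, Tuple

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) dst=(?P<host>\S+) "
    r"method=(?P<method>[A-Z]+) bytes_out=(?P<bytes>\d+)$"
)

# Constructed catalog: hostname suffix -> (app name, sanctioned?, base risk 1-10).
CATALOG: Dict[str, Tuple[str, bool, int]] = {
    "crm.example": ("Example CRM", True, 2),
    "chat.llm-example": ("Example GenAI Chat", False, 8),
    "share.drop-example": ("Example File Share", False, 6),
}
UNKNOWN_RISK = 5                 # apps the catalog has never seen
UPLOAD_METHODS = {"POST", "PUT"}
LARGE_UPLOAD = 1 << 20           # 1 MiB of outbound data in the window

# Constructed log lines; the last one is malformed on purpose.
SAMPLE_LOGS = """\
2024-05-03T10:01:12Z user=alice dst=app.crm.example method=POST bytes_out=5120
2024-05-03T10:02:40Z user=bob dst=chat.llm-example method=POST bytes_out=20480
2024-05-03T10:03:05Z user=alice dst=chat.llm-example method=POST bytes_out=8192
2024-05-03T10:04:19Z user=carol dst=up.share.drop-example method=PUT bytes_out=1048576
2024-05-03T10:05:00Z user=dave dst=unknown-saas.example method=POST bytes_out=300
2024-05-03T10:05:30Z user=alice dst=app.crm.example method=GET bytes_out=120
this line is malformed and is skipped
"""


@dataclass
class AppUsage:
    name: str
    status: str                       # sanctioned / unsanctioned / unknown
    base_risk: int
    users: Set[str] = field(default_factory=set)
    bytes_out: int = 0                # outbound bytes from upload-type requests only


def parse(log_text: str) -> Iterator[dict]:
    """Yield parsed records, skipping lines that do not match the expected format."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def classify(host: str) -> Tuple[str, str, int]:
    """Match a hostname against the catalog by suffix; unknown hosts keep the hostname as app name."""
    for suffix, (name, sanctioned, risk) in CATALOG.items():
        if host == suffix or host.endswith("." + suffix):
            return name, ("sanctioned" if sanctioned else "unsanctioned"), risk
    return host, "unknown", UNKNOWN_RISK


def discover(log_text: str) -> Dict[str, AppUsage]:
    """Aggregate distinct users and upload volume per application."""
    apps: Dict[str, AppUsage] = {}
    for rec in parse(log_text):
        name, status, risk = classify(rec["host"])
        app = apps.setdefault(name, AppUsage(name, status, risk))
        app.users.add(rec["user"])
        if rec["method"] in UPLOAD_METHODS:
            app.bytes_out += int(rec["bytes"])
    return apps


def risk_score(app: AppUsage) -> int:
    """Base risk, plus spread across users (capped at 3), plus a bump for large uploads."""
    score = app.base_risk + min(len(app.users), 3)
    if app.bytes_out >= LARGE_UPLOAD:
        score += 2
    return score


def recommend(app: AppUsage) -> str:
    """Sanctioned apps stay allowed; high-risk unsanctioned or unknown apps are proposed for blocking."""
    if app.status == "sanctioned":
        return "allow"
    return "block" if risk_score(app) >= 9 else "review"


def report(log_text: str) -> List[Tuple[str, str, int, str]]:
    """Rows of (app, status, score, recommendation), highest risk first."""
    rows = [(a.name, a.status, risk_score(a), recommend(a)) for a in discover(log_text).values()]
    return sorted(rows, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    for row in report(SAMPLE_LOGS):
        print("%-22s %-12s score=%2d -> %s" % row)
```

Two design points carry over to a real evaluation: the malformed line is dropped rather than aborting the run (ask vendors how their discovery handles unparseable log sources), and an "unknown" host is reported separately from "unsanctioned", since an app missing from the vendor's catalog is exactly the gap the "number of cloud applications identified" question in the RFP is probing.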

AI Governance

  • Detection and control of unsanctioned AI tools (Shadow AI)
  • Prevention of sensitive data leakage into public LLMs
  • Real-time prompt inspection for generative AI tools
  • AI Security Posture Management (AI-SPM)
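The DLP checklist above (predefined PII/PCI policies, custom regular-expression policies, real-time enforcement) and the "real-time prompt inspection" item under AI Governance rest on the same matching engine, so one added example serves both. This is illustrative code written for this guide, not the page's or any vendor's implementation: every policy name, threshold, the sample document and the sample prompt are constructed. It shows why a regex alone is not enough for card numbers (a Luhn check filters false positives), how a threshold keeps a custom policy from firing on a single stray match, and how the same policies map to a stricter action when the channel is a prompt to a public LLM.

```python
"""Added example (not from the page or any CASB vendor): a minimal DLP policy
engine of the kind a CASB applies to cloud documents and, for AI governance, to
prompts sent to generative AI tools. Policy names, thresholds, the sample
document and the sample prompt are all constructed for this illustration."""
import re
from dataclasses import dataclass, field
from typing import Callable, List, Optional


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; drops random 16-digit numbers that happen to match the PAN regex."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four characters so findings do not re-leak the data."""
    return "*" * max(len(value) - 4, 0) + value[-4:]


@dataclass
class Policy:
    name: str
    pattern: re.Pattern
    validator: Optional[Callable[[str], bool]] = None   # extra check on each regex hit
    threshold: int = 1                                   # hits needed before the policy fires
    action: str = "alert"                                # alert < quarantine < block


@dataclass
class Finding:
    policy: str
    action: str
    count: int
    samples: List[str] = field(default_factory=list)     # masked, at most three


ACTION_RANK = {"allow": 0, "alert": 1, "quarantine": 2, "block": 3}

# Predefined PCI and PII policies plus one custom regex policy (a constructed project-code format).
POLICIES: List[Policy] = [
    Policy("PCI-PAN", re.compile(r"\b(?:\d[ -]?){15}\d\b"),
           validator=lambda hit: luhn_valid(re.sub(r"[ -]", "", hit)), action="block"),
    Policy("PII-SSN", re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
           action="quarantine"),
    Policy("CUSTOM-PROJECT-CODE", re.compile(r"\bPRJ-\d{4}\b"), threshold=2, action="alert"),
]


def evaluate(text: str, policies: List[Policy] = POLICIES) -> List[Finding]:
    """Run every policy over the text; return those whose validated hit count reaches the threshold."""
    findings = []
    for p in policies:
        hits = [m.group(0) for m in p.pattern.finditer(text)]
        if p.validator is not None:
            hits = [h for h in hits if p.validator(h)]
        if len(hits) >= p.threshold:
            findings.append(Finding(p.name, p.action, len(hits), [mask(h) for h in hits[:3]]))
    return findings


def decide(findings: List[Finding]) -> str:
    """Document channel: the most restrictive action among the findings wins; none means allow."""
    return max((f.action for f in findings), key=ACTION_RANK.get, default="allow")


def inspect_prompt(prompt: str, policies: List[Policy] = POLICIES) -> str:
    """Prompt channel: a prompt to a public LLM cannot be quarantined, so any finding blocks it."""
    return "block" if evaluate(prompt, policies) else "allow"


# Constructed sample document being shared to a cloud drive.
SAMPLE_DOC = (
    "Quarterly export for PRJ-2041 and PRJ-2042.\n"
    "Card on file: 4111 1111 1111 1111 (a standard test number).\n"
    "Order ref 1234 5678 9012 3456 looks like a card number but fails Luhn.\n"
    "Employee SSN 123-45-6789 must not be shared.\n"
)

# Constructed prompt a user is about to send to a public generative AI tool.
SAMPLE_PROMPT = "Summarise this customer note: SSN 234-56-7890, see PRJ-2041 for context."

if __name__ == "__main__":
    for f in evaluate(SAMPLE_DOC):
        print(f.policy, f.action, f.count, f.samples)
    print("document:", decide(evaluate(SAMPLE_DOC)))
    print("prompt:", inspect_prompt(SAMPLE_PROMPT))
```

When reviewing vendor DLP answers, the questions this example raises are the useful ones: whether pattern hits are validated (checksums, context) before an action fires, whether thresholds and per-channel actions are configurable, and whether findings are masked in logs and SIEM exports rather than copying the matched secret.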

Integration Requirements

  • Integration with Identity Providers (IdP) such as Okta or Azure AD
  • Integration with SIEM/SOAR platforms
  • Integration with Unified Endpoint Management (UEM) tools
  • API integration with critical SaaS applications (Salesforce, Microsoft 365, etc.)

Questions to include in your RFP

Architecture & Deployment

  • Describe your solution's architecture, including the different deployment modes (API, forward proxy, reverse proxy) and their respective advantages.
    Understanding the architecture is crucial for assessing scalability and performance.
  • What is your approach to data residency and compliance with regional regulations?
    Data residency is critical for organizations operating in multiple regions.
  • How does your solution ensure high availability and business continuity?
    Ensuring uptime is critical for business-critical applications.
  • Detail your solution's scalability and performance characteristics under peak load.
    Scalability is essential to accommodate future growth.

Functionality & Features

  • Describe your solution's Shadow IT discovery capabilities, including the number of cloud applications identified and the risk scoring methodology.
    Shadow IT discovery is crucial for identifying and mitigating risks associated with unsanctioned cloud usage.
  • How does your solution prevent data leakage into unsanctioned AI tools?
    Data leakage into public LLMs is a growing concern.
  • Explain your solution's DLP capabilities, including the types of data it can identify and the actions it can take to prevent data loss.
    DLP is essential for protecting sensitive data in the cloud.
  • How does your solution manage non-human identities and secure API-based integrations between SaaS apps?
    Securing non-human identities is crucial for preventing unauthorized access.
  • Detail your solution's SaaS Security Posture Management (SSPM) capabilities.
    SSPM helps identify and remediate misconfigurations in SaaS applications.

Integration & Interoperability

  • Describe your solution's integration with our existing Identity Provider (IdP) and Unified Endpoint Management (UEM) systems.
    Integration with existing systems is crucial for seamless deployment and policy enforcement.
  • What APIs does your solution expose for integration with other security tools and platforms?
    API integration enables automation and data sharing.
  • How does your solution integrate with SIEM/SOAR platforms for incident response?
    SIEM/SOAR integration streamlines incident response workflows.
  • Detail your solution's integration capabilities with [list your critical SaaS applications].
    Ensuring integration with critical SaaS apps is paramount.

Security & Compliance

  • What security certifications and compliance standards does your solution meet (e.g., SOC 2 Type II, ISO 27001, FedRAMP)?
    Certifications demonstrate a commitment to security and compliance.
  • Describe your solution's data encryption capabilities, both in transit and at rest.
    Encryption is essential for protecting sensitive data.
  • How does your solution protect against malware and other threats?
    Threat protection is a core security requirement.
  • What is your approach to vulnerability management and patching?
    Vulnerability management is crucial for maintaining a secure posture.

Vendor Stability & Roadmap

  • Describe your company's financial stability and market position.
    Vendor stability is crucial for long-term partnership.
  • What is your product roadmap for the next 12-24 months, particularly regarding SSE and SASE convergence?
    Understanding the roadmap is essential for future-proofing your investment.
  • How do you handle customer support and incident response?
    Reliable support is crucial for resolving issues quickly.
  • Provide customer references in similar industries and with similar deployment sizes.
    References provide valuable insights into real-world performance.

Pricing & Licensing

  • Provide a detailed breakdown of your pricing model, including all costs associated with implementation, licensing, and ongoing support.
    Understanding the pricing model is crucial for budgeting and TCO analysis.
  • Are there any usage-based overage fees or hidden costs?
    Hidden costs can significantly impact TCO.
  • What are your licensing options (e.g., per-user, per-device, per-application)?
    Licensing options should align with your organization's needs.
  • What discounts are available for multi-year contracts or volume purchases?
    Discounts can significantly reduce TCO.

Compliance and security requirements

Depending on your industry, you may need to require proof of these certifications and standards.

GDPR

Required if processing personal data of EU citizens. If applicable, request documentation on GDPR compliance and data processing agreements.

HIPAA

Required if handling protected health information (PHI). If applicable, request a Business Associate Agreement (BAA) and HIPAA compliance documentation.

PCI DSS

Required if processing credit card data. If applicable, request a copy of the solution's PCI DSS Attestation of Compliance (AOC).

SOC 2 Type II

Generally recommended for SaaS providers. If applicable, request a copy of the solution's SOC 2 Type II report.

CCPA/CPRA

Required if processing personal data of California residents. If applicable, request documentation on CCPA/CPRA compliance.

Evaluation criteria

Here is the suggested weighting for CASB RFPs.

  • Functionality Fit (25%): How well the solution meets the stated requirements, including DLP, Shadow IT discovery, and AI governance.
  • Integration Capabilities (20%): Seamless integration with existing identity, endpoint, and security systems.
  • Deployment Flexibility (15%): Support for various deployment modes (API, forward proxy, reverse proxy) and cloud environments.
  • Vendor Stability & Roadmap (15%): Financial stability, market position, and future product roadmap.
  • Total Cost of Ownership (TCO) (15%): Implementation, licensing, and ongoing support costs.
  • Compliance & Certifications (10%): Compliance with relevant industry regulations and security certifications.

Adjust the weights to match your priorities:

  • Functionality Fit: increase if specific features are critical to your organization's security posture.
  • Integration Capabilities: increase if you have a complex and highly integrated IT environment.
  • Deployment Flexibility: increase if you have a hybrid or multi-cloud environment.
  • Vendor Stability & Roadmap: increase if you are looking for a long-term strategic partner.
  • Total Cost of Ownership (TCO): decrease if you prioritize functionality over cost.
  • Compliance & Certifications: increase if you operate in a highly regulated industry.
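As an added example (not part of the page), the scoring below turns the suggested weights into a vendor ranking and shows what "increase the weight" has to mean in practice: when one criterion gains points, the others must be rescaled so the total stays at 100, and that rescaling can change which vendor comes out ahead. The two vendors and their 1-5 scores per criterion are constructed; the weight values are the page's own defaults.

```python
"""Added example (not from the page): weighted scoring for the evaluation
criteria, with a helper that shifts weight toward chosen criteria and rescales
the rest so the total stays at 100. The vendor score cards are constructed."""
from typing import Dict, List, Tuple

# Suggested default weights from the page, in percent.
DEFAULT_WEIGHTS: Dict[str, float] = {
    "Functionality Fit": 25,
    "Integration Capabilities": 20,
    "Deployment Flexibility": 15,
    "Vendor Stability & Roadmap": 15,
    "Total Cost of Ownership (TCO)": 15,
    "Compliance & Certifications": 10,
}


def check_weights(weights: Dict[str, float]) -> None:
    """Weights must be non-negative and sum to 100."""
    if any(w < 0 for w in weights.values()):
        raise ValueError("weights must be non-negative")
    if abs(sum(weights.values()) - 100) > 1e-6:
        raise ValueError("weights must sum to 100, got %s" % sum(weights.values()))


def adjust_weights(weights: Dict[str, float], changes: Dict[str, float]) -> Dict[str, float]:
    """Apply point changes to chosen criteria and rescale the untouched ones proportionally."""
    check_weights(weights)
    adjusted = dict(weights)
    for crit, delta in changes.items():
        if crit not in adjusted:
            raise KeyError(crit)
        adjusted[crit] += delta
    fixed = sum(adjusted[c] for c in changes)
    if fixed > 100:
        raise ValueError("changed criteria alone exceed 100 points")
    remaining_before = sum(w for c, w in weights.items() if c not in changes)
    factor = (100 - fixed) / remaining_before if remaining_before else 0
    for c in adjusted:
        if c not in changes:
            adjusted[c] = weights[c] * factor
    check_weights(adjusted)
    return adjusted


def score_vendor(weights: Dict[str, float], scores: Dict[str, int]) -> float:
    """Scores are 1-5 per criterion; the result is on a 0-100 scale."""
    check_weights(weights)
    missing = set(weights) - set(scores)
    if missing:
        raise ValueError("no score for: %s" % sorted(missing))
    if any(not 1 <= s <= 5 for s in scores.values()):
        raise ValueError("scores must be between 1 and 5")
    return round(sum(weights[c] * scores[c] / 5 for c in weights), 2)


def rank(weights: Dict[str, float], vendors: Dict[str, Dict[str, int]]) -> List[Tuple[str, float]]:
    """Vendors ordered by weighted score, best first."""
    ranked = [(name, score_vendor(weights, s)) for name, s in vendors.items()]
    return sorted(ranked, key=lambda r: r[1], reverse=True)


# Constructed vendor score cards (1-5 per criterion).
VENDORS = {
    "Vendor A": {"Functionality Fit": 5, "Integration Capabilities": 4, "Deployment Flexibility": 4,
                 "Vendor Stability & Roadmap": 3, "Total Cost of Ownership (TCO)": 2,
                 "Compliance & Certifications": 5},
    "Vendor B": {"Functionality Fit": 3, "Integration Capabilities": 3, "Deployment Flexibility": 3,
                 "Vendor Stability & Roadmap": 5, "Total Cost of Ownership (TCO)": 5,
                 "Compliance & Certifications": 4},
}

if __name__ == "__main__":
    print("default weights:", rank(DEFAULT_WEIGHTS, VENDORS))
    # A buyer who wants a long-term strategic partner and is cost-sensitive.
    partner_weights = adjust_weights(DEFAULT_WEIGHTS, {"Vendor Stability & Roadmap": 15,
                                                       "Total Cost of Ownership (TCO)": 10})
    print("partner-focused weights:", rank(partner_weights, VENDORS))
```

With the defaults Vendor A leads (78.0 to 74.0); after moving 25 points toward stability and cost, Vendor B leads. Recording the adjusted weight table alongside the scores keeps the evaluation defensible when the result is questioned later.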

Red flags to watch

  • Lack of Shadow AI governance capabilities

    Indicates the vendor may not be prepared for emerging security threats related to generative AI.

  • Limited integration with existing security tools

    Can create silos and hinder incident response efforts.

  • Poor performance and high latency

    Can negatively impact user experience and productivity.

  • Vague or complex pricing models

    Suggests potential hidden costs and difficulty in predicting TCO.

  • Inability to provide relevant customer references

    Raises concerns about the vendor's experience and ability to deliver on promises.

Key metrics to request

Ask vendors to provide benchmarks from similar customers.

Number of SaaS applications supported with API integration

Indicates the breadth and depth of coverage for data-at-rest scanning and remediation.

Mean time to detect (MTTD) for Shadow IT applications

Measures the effectiveness of the solution in identifying and flagging unsanctioned cloud usage.

Reduction in data breaches or security incidents after CASB implementation

Demonstrates the tangible impact of the solution on reducing security risks.

Percentage of SaaS misconfigurations automatically remediated

Highlights the automation capabilities of the solution in addressing security posture management.

Average latency introduced by the CASB solution

Measures the performance impact of the solution on network traffic and user experience.