Prisma Cloud

RFP Checklist
Comprehensive cloud native security requires a broad set of capabilities
with deep functionality across the development lifecycle (build, deploy,
run). The distributed risks involved in hybrid and multi-cloud environments
also require integration with other cloud native tools across infrastructure,
applications, and data. Furthermore, to successfully coordinate enterprise-
scale protection against modern threats, nearly every organization will
benefit from a consolidated platform that can deliver all of these capabilities
in a single console.

The following RFP checklist includes requirements across key categories to help you evaluate the quality of the products you're considering. Use this as a starting point, and tailor it to your company's needs to ensure you're able to identify vendors that can best support your organization.

Prisma by Palo Alto Networks | Prisma Cloud RFP Checklist | Datasheet 1


1. Platform Requirements
Product Architecture and Platform-Wide Functionality
□ Single, unified agent framework
□ Flexible delivery options, delivered in a SaaS model or self-hosted
□ All functions accessible via one user interface to centralize use cases across teams
□ Single SKU (i.e., single license) for all platform functionality: one purchase to access the full platform
□ Flexible pricing structure based on platform-wide credits
□ Fully automated onboarding of cloud accounts using APIs
□ Customizable dashboard views
□ Provides a command-line interface for control and configuration
□ Integrated query tool to gain security and operational insights about your deployments
□ Continuous monitoring and protection across functions
□ Critical functionality available "out-of-the-box" for near-immediate value
□ Easily customizable functionality for nuanced security controls
□ Intra-platform data sharing to eliminate operational silos
□ Data encrypted in transit and at rest
□ Full audit log for all administrative activities
□ ISO 27001 compliant
□ SOC 2 compliant
□ Comprehensive API documentation and user guidance
□ Self-serve support via product documentation
□ Professional services available for complete deployment and implementation help
□ Customer success teams available for technical and general assistance (onboarding, use case development)

Integrations and Ecosystem Support
□ Out-of-the-box support for a wide range of integrations, including communication and workflow tools (e.g., JIRA®, ServiceNow®, PagerDuty®)
□ Integrated with IDE, SCM, and CI/CD workflows for developers and DevOps (e.g., Bitbucket, CircleCI, GitHub, GitLab, HashiCorp, Jenkins, JFrog)
□ Integrated with SIEM tools (e.g., Splunk, Azure Sentinel)
□ Custom integrations can be built using the API
□ Support for major cloud service providers including AWS®, Google Cloud, Azure, OCI, and Alibaba Cloud
□ FedRAMP certified

2. Cloud Security Posture Management Requirements
Monitor posture, detect and respond to threats, and maintain compliance across public clouds.
□ Continuous asset discovery within onboarded cloud accounts
□ Continuous compliance posture monitoring
□ Automated workload and application classification
□ Visualization of all resources across cloud platforms, with customizable views
□ Resource configuration monitoring and controls
□ Automated remediation for common misconfigurations and compliance violations
□ Out-of-the-box compliance templates to align your policies to recommended practices for PCI DSS, HIPAA, NIST SP 800-190, GDPR, ISO 27001, and other standards
□ Easily modify existing policies/frameworks, and create custom policies
□ Generate reports with a single click, using prebuilt and custom frameworks
□ Define and save custom reports, filters, and views
□ Export compliance violation events, reports, metrics, and metadata via API
□ Ability to feed alerts into third-party workflow tools
□ User and entity behavior analytics (UEBA) to detect and understand anomalous network behavior
□ Security alerts include detailed context with suggested remediation steps
□ Filtering for security events across all resources in the cloud accounts, including containers and serverless
□ Rule- and behavior-based analytics, which can be augmented using machine learning
□ Scan for insecure configurations in infrastructure-as-code (IaC) templates, integrated across IDE, SCM, and CI tools
□ Set global policies for development and DevOps
□ Scan for publicly exposed information within cloud data storage
□ Scan for sensitive information within cloud data storage
□ Real-time threat feed contains continuously updated vulnerability data and threat intelligence (e.g., CVEs, malware)
□ Provides a ranked list of the most critical vulnerabilities in your environment based on risk score
□ Hop-by-hop network configuration analysis provides visibility into network reachability of cloud assets

3. Cloud Workload Protection Requirements
Secure hosts, containers, and serverless functions across the application lifecycle.
□ Scan for vulnerabilities in container images and repositories
□ Scan for vulnerabilities in serverless functions and libraries
□ Enforce security policies on applications deployed on Linux hosts, Windows hosts, or Kubernetes® infrastructure
□ Support for Kubernetes security, including managed Kubernetes services (e.g., Amazon EKS, Google GKE, Azure Container Service)
□ Support for container platform security (e.g., Red Hat® OpenShift®)
□ Secure container runtimes, including Docker Engine, CRI-O, and cri-containerd
□ Scan container images and libraries before, during, and after deployment
□ Assess image provenance, including registries and other attributes
□ Assess privileges used by containers
□ Out-of-the-box and customizable policies for detecting common misconfiguration problems
□ Monitor and enforce compliance settings across your environments, with built-in support for frameworks like the CIS Benchmarks and customizable checks
□ Out-of-the-box support for hundreds of discrete checks that cover images, containers, hosts, clusters, and clouds
□ Compliance and configuration checks for compute resources to monitor and enforce baseline configurations
□ Declare, by policy, which registries, repositories, and images to trust, along with responses to untrusted entities
□ Fail/interrupt a build if an image contains vulnerabilities that meet severity criteria
□ Detect sensitive information (secrets) that is improperly secured inside images and containers
□ Identify changes to containers at runtime (i.e., configuration drift), and prevent unknown behavior, including unknown processes and file system calls
□ Search cloud infrastructure to identify resources with compliance, vulnerability, or runtime anomalies, or threats like malware
□ Monitor Kubernetes event logs
□ Function as an admission controller, with support for OPA and Rego for custom admission checks
□ Runtime protection to ensure that processes that run in your environment meet the parameters of the learned models and the rules defined in Console
□ Map detected incidents to the MITRE ATT&CK® framework
□ Detection of unprotected web applications and APIs
□ Secure web applications with comprehensive coverage for the OWASP Top 10
□ Implement DoS protection for web applications and APIs with event management dashboards
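
Two of the requirements above (fail a build on vulnerabilities that meet severity criteria; declare which registries to trust and how to respond to untrusted ones) are worth pinning down precisely before you accept a vendor's claim, because the details decide how noisy the gate is. The following is an added example written for this checklist, not Prisma Cloud code: it assumes a scan report shaped as a list of findings with cve, severity, package, version and fixed_in fields, and a hypothetical policy with a severity threshold, a registry allowlist, an ignore-unfixed switch and time-limited accepted-risk exceptions. The registry parsing follows the Docker image reference grammar; the CVE ids in the sample are placeholders.

```python
"""Build-gate logic for the image-scanning requirements above.

Added example, not Prisma Cloud code: the scan-report fields (cve, severity,
package, version, fixed_in) and the policy knobs are assumptions chosen to
mirror what scanners typically emit and what a practitioner typically tunes.
"""
from dataclasses import dataclass, field
from datetime import date

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class GatePolicy:
    fail_on_severity: str = "high"          # findings at or above this severity fail the build
    trusted_registries: tuple = ("registry.example.internal",)  # hypothetical allowlist
    ignore_unfixed: bool = True             # skip findings with no vendor fix available
    exceptions: dict = field(default_factory=dict)  # CVE id -> expiry date of an accepted-risk exception


def registry_of(image_ref: str) -> str:
    """Registry implied by an image reference (Docker reference grammar): the first
    path component is a registry only if it contains '.' or ':' or is 'localhost';
    otherwise Docker Hub is implied."""
    first = image_ref.split("/", 1)[0]
    if "/" not in image_ref or not ("." in first or ":" in first or first == "localhost"):
        return "docker.io"
    return first


def evaluate(image_ref, findings, policy, today):
    """Return (passed, reasons). An image passes only if it comes from a trusted
    registry and no in-scope finding meets the severity threshold."""
    reasons = []
    registry = registry_of(image_ref)
    if registry not in policy.trusted_registries:
        reasons.append(f"untrusted registry: {registry}")
    threshold = SEVERITY_RANK[policy.fail_on_severity.lower()]
    for f in findings:
        sev = f["severity"].lower()
        if SEVERITY_RANK.get(sev, 0) < threshold:
            continue
        if policy.ignore_unfixed and not f.get("fixed_in"):
            continue
        expiry = policy.exceptions.get(f["cve"])
        if expiry is not None and expiry >= today:
            continue  # accepted risk, exception still valid
        fix = f" (fix: {f['fixed_in']})" if f.get("fixed_in") else ""
        reasons.append(f"{f['cve']} {sev} in {f['package']} {f['version']}{fix}")
    return not reasons, reasons


# Constructed scan result; the CVE ids are placeholders, not real advisories.
SAMPLE_FINDINGS = [
    {"cve": "CVE-0000-0001", "severity": "critical", "package": "openssl", "version": "3.0.1", "fixed_in": "3.0.2"},
    {"cve": "CVE-0000-0002", "severity": "high", "package": "libxml2", "version": "2.9.10", "fixed_in": None},
    {"cve": "CVE-0000-0003", "severity": "medium", "package": "curl", "version": "7.88.0", "fixed_in": "7.88.1"},
    {"cve": "CVE-0000-0004", "severity": "critical", "package": "zlib", "version": "1.2.11", "fixed_in": "1.2.13"},
    {"cve": "CVE-0000-0005", "severity": "high", "package": "busybox", "version": "1.35.0", "fixed_in": "1.36.0"},
]
SAMPLE_POLICY = GatePolicy(exceptions={
    "CVE-0000-0004": date(2030, 1, 1),   # accepted risk, still valid
    "CVE-0000-0005": date(2024, 1, 1),   # exception has lapsed
})
TODAY = date(2024, 6, 1)


def run_gate(image_ref="registry.example.internal/team/app:1.4"):
    return evaluate(image_ref, SAMPLE_FINDINGS, SAMPLE_POLICY, TODAY)


if __name__ == "__main__":
    passed, reasons = run_gate()
    print("PASS" if passed else "FAIL")
    for r in reasons:
        print(" -", r)
    raise SystemExit(0 if passed else 1)
```

Run against the sample, the gate fails on the fixed critical finding and on the lapsed exception, while the unfixed high finding, the medium finding and the still-valid exception are skipped. The questions to put to a vendor are exactly these knobs: whether exceptions expire, whether "unfixed" can be excluded, and whether an untrusted registry is itself a failure rather than a warning.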

4. Cloud Network Security Requirements
Gain network visibility, enforce microsegmentation, and secure trust boundaries across public, private, and hybrid clouds.
□ Automatically learn and generate workload tags from learned metadata (e.g., AWS, Azure, Kubernetes)
□ Support for one or many user-defined tags per workload
□ Application dependency map visualizes near real-time and historical network traffic
□ Monitor and query for any flow log in your environment
□ Hierarchical policy model provides a "big-picture" operations view and "drill-down" views to enable segmentation administration
□ Deploy microsegmentation without blocking communications or breaking apps
□ Automatically generate new network policies based on observed traffic at runtime
□ Model new network segmentation policies without worry of disruption
□ Enforce microsegmentation policy on Linux hosts, Windows hosts, or Kubernetes
□ Support for managed Kubernetes services (e.g., Amazon EKS, Google GKE)
□ Support for other container platforms (e.g., Red Hat OpenShift, Docker nodes)
□ Support for service mesh environments (e.g., Envoy proxies)
□ Consistent microsegmentation across private, public, and multi-cloud deployments
□ Assign every workload a cryptographically signed identity as part of Zero Trust models
□ Microsegmentation enforcement that uses cryptography to restrict communications between managed workloads and verify workload authenticity per connection
□ Microsegmentation enforcement that uses IP or FQDN to restrict communications with external or unmanaged services
□ Secure TCP, UDP, and ICMP traffic
□ Secure IPv4 and IPv6 traffic
□ Secure communications on flat networks
□ Secure traffic passing through Layer 3 and Layer 4 termination points (e.g., TCP load balancer)
□ Implicit allow policy helps you learn about communications without breaking apps
□ Implicit reject policy helps you move toward a Zero Trust model
□ Users define allow or reject microsegmentation policies for granular control
□ Microsegmentation policy-as-code to help secure developer-led environments
□ Custom resource definitions (CRDs) enable segmentation administration from the Kubernetes CLI
□ Stream flow logs to external SIEM tools (e.g., Splunk)
□ Next-Generation Firewalls to inspect all cloud network traffic and prevent threats
□ Classify and view detailed information on suspicious IPs

5. Cloud Infrastructure Entitlement Requirements
Enforce permissions and secure identities across workloads and clouds, integrated with Cloud Security Posture Management functionality.
□ Automatically calculate a given entity's net-effective permissions across cloud service providers
□ Detect and alert on overly permissive access at the API level
□ Automatically suggest corrections to reach least-privilege entitlements
□ Query any identity-related event across cloud environments
□ Turn queries into custom cloud-agnostic policies
□ Support federated identity management with SAML-based SSO platforms
□ Integrate with third-party alerting tools, including email, AWS Lambda and Security Hub, PagerDuty, ServiceNow, and Slack
□ Support for granular role-based access control (RBAC)
□ Manage all cloud entitlements within a single solution, with resource-level posture management of cloud identities
□ Out-of-the-box policies to detect risky permissions and remove unwanted access
□ Generate cloud permissions audits, including historical activity for related user data, service data, and cloud accounts
□ User and entity behavior analytics (UEBA) detects abnormal behaviors that signal account compromise, insider threats, and other potentially malicious activity
□ Extend all CSPM functionality to cloud identities
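
"Net-effective permissions", "overly permissive access" and "least-privilege corrections" in the list above are only meaningful if the evaluator knows how the result is computed. The following is an added example written for this checklist, not Prisma Cloud code. It implements the documented core of AWS IAM evaluation for identity-based policies (an explicit Deny beats any Allow, an Allow beats the implicit deny, and a permission boundary intersects the result) over a constructed action catalog, flags wildcard grants, and compares the effective set with a constructed activity log to suggest what can be removed. Resource policies, SCPs and Condition blocks are deliberately out of scope, and the policies, ARN and observed actions are all made up.

```python
"""Net-effective permission calculation for the CIEM requirements above.

Added example, not Prisma Cloud code. Identity-based policy evaluation only
(explicit Deny > Allow > implicit deny, boundary intersected); resource
policies, SCPs and Condition keys are not modelled.
"""
from fnmatch import fnmatchcase

# Constructed catalog: a tiny slice of the AWS action namespace, used as the
# universe over which "net-effective" is computed.
ACTION_CATALOG = (
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject",
    "iam:PassRole", "iam:CreateUser",
    "ec2:DescribeInstances", "ec2:StartInstances", "ec2:TerminateInstances",
)


def _matches(patterns, value):
    """IAM-style matching: '*' and '?' wildcards, case-insensitive."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatchcase(value.lower(), p.lower()) for p in patterns)


def decide(statements, action, resource):
    """Evaluate one (action, resource) pair: explicit Deny wins, then Allow, else deny."""
    allowed = False
    for st in statements:
        if not _matches(st["Action"], action) or not _matches(st["Resource"], resource):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def net_effective(identity_policies, resource, boundary=None, catalog=ACTION_CATALOG):
    """Actions the entity can really perform on `resource`: union of its identity
    policies, intersected with the permission boundary when one is attached."""
    statements = [s for policy in identity_policies for s in policy]
    effective = {a for a in catalog if decide(statements, a, resource)}
    if boundary is not None:
        effective &= {a for a in catalog if decide(boundary, a, resource)}
    return effective


def wildcard_findings(identity_policies):
    """Allow statements that grant a wildcard action or apply to every resource."""
    out = []
    for policy in identity_policies:
        for st in policy:
            actions = [st["Action"]] if isinstance(st["Action"], str) else st["Action"]
            if st["Effect"] == "Allow" and (any("*" in a for a in actions) or st["Resource"] == "*"):
                out.append((tuple(actions), st["Resource"]))
    return out


def least_privilege_suggestion(effective, observed_actions):
    """Split net-effective permissions into those seen in use and those to remove."""
    used = effective & set(observed_actions)
    return {"keep": sorted(used), "remove": sorted(effective - used)}


# Constructed policies attached to one role (not from any real account).
POLICY_APP = [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::app-bucket/*"},
]
POLICY_OPS = [
    {"Effect": "Allow", "Action": ["iam:PassRole", "ec2:*"], "Resource": "*"},
    {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"},
]
BOUNDARY = [
    {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*", "iam:PassRole"], "Resource": "*"},
]
# Constructed activity log: actions this role was actually seen calling.
OBSERVED = ["s3:GetObject", "ec2:DescribeInstances"]
TARGET = "arn:aws:s3:::app-bucket/report.csv"


def run_demo():
    effective = net_effective([POLICY_APP, POLICY_OPS], TARGET, BOUNDARY)
    return {
        "effective": effective,
        "wildcards": wildcard_findings([POLICY_APP, POLICY_OPS]),
        "suggestion": least_privilege_suggestion(effective, OBSERVED),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, "=>", v)
```

The point to check with a vendor is visible in the sample: ec2:StartInstances is granted by an identity policy but removed by the boundary, ec2:TerminateInstances is granted by a wildcard and removed by an explicit Deny, and only two of the five effective actions were ever used. A tool that reports "ec2:*" as the entitlement, rather than the post-evaluation set, is not computing net-effective permissions.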

6. DevSecOps Requirements
Embed security guidance and guardrails into developer tools throughout the development lifecycle.
□ Support for infrastructure-as-code (IaC) templates in use (e.g., Terraform, Kubernetes manifests)
□ Support for relevant cloud providers (e.g., AWS, Azure, GCP)
□ Ability to detect secrets in IaC files
□ Out-of-the-box policies based on CIS and industry frameworks to help provide configuration guardrails for developers
□ Ability to create custom policies in code (policy as code)
□ Out-of-the-box and custom graph-based policies (context-aware)
□ Automatic variable rendering to provide a complete picture of your cloud infrastructure for security checks prior to deployment
□ Ability to scan Terraform modules
□ Integrations with continuous integration (CI) tools in use (e.g., Jenkins, CircleCI, GitHub Actions)
□ Ability to automatically block builds based on policy violations
□ Integrations with the version control system (VCS) in use (e.g., GitHub, GitLab, Bitbucket)
□ Integrations with alerting and ticketing systems (e.g., Jira, Slack)
□ Remediation guidance for policy violations along with relevant benchmarks
□ Prioritized alerts
□ Pull-request-ready auto-remediations
□ Ability to detect drift from version-controlled state
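
"Ability to detect secrets in IaC files" hides three different detection techniques, and a vendor demo should show all of them. The following is an added example written for this checklist, not Prisma Cloud code: it layers a known-format rule (the AWS access key id pattern), a secret-looking attribute name assigned a quoted literal, and a Shannon-entropy check on long tokens inside any literal, then runs them over a constructed Terraform snippet. The access key id in the sample is the example value published in AWS documentation, not a live credential; the entropy threshold and minimum token length are assumptions chosen so that short identifiers such as AMI ids do not trip the rule.

```python
"""Secret detection over an IaC file, for the "detect secrets in IaC files"
requirement above. Added example, not Prisma Cloud code.
"""
import math
import re
from collections import Counter

# Rule 1: credential formats with a fixed structure (only the AWS access key id here).
KNOWN_FORMATS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}
# Rule 2: attribute whose name suggests a secret, assigned a quoted literal.
# References such as var.x or data.x are unquoted, so they do not match.
SECRET_KEYWORD = re.compile(
    r'^\s*(?P<key>\w*(?:password|passwd|pwd|secret|token|api_key|private_key)\w*)\s*=\s*"(?P<val>[^"]+)"',
    re.IGNORECASE,
)
# Rule 3: long, high-entropy tokens anywhere inside a quoted literal.
QUOTED = re.compile(r'"([^"]*)"')
TOKEN = re.compile(r"[A-Za-z0-9+/]+")


def shannon_entropy(s):
    """Bits of entropy per character of the string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def scan_iac(text, min_len=32, min_entropy=4.5):
    """Return a list of {line, rule, match} findings for an HCL-like text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith(("#", "//")):
            continue  # full-line comment
        for rule, rx in KNOWN_FORMATS.items():
            m = rx.search(line)
            if m:
                findings.append({"line": lineno, "rule": rule, "match": m.group(0)})
        m = SECRET_KEYWORD.match(line)
        if m:
            findings.append({"line": lineno, "rule": "secret_keyword", "match": m.group("key")})
        for literal in QUOTED.findall(line):
            for tok in TOKEN.findall(literal):
                # The length floor keeps short identifiers such as AMI ids from
                # tripping the entropy rule; the threshold is an assumed tuning value.
                if len(tok) >= min_len and shannon_entropy(tok) >= min_entropy:
                    findings.append({"line": lineno, "rule": "high_entropy", "match": tok[:6] + "..."})
    return findings


# Constructed Terraform snippet (line numbers matter for the results below).
# The access key id is AWS's documented example value, not a live credential.
SAMPLE_TF = """provider "aws" {
  region     = "us-east-1"
  access_key = "AKIAIOSFODNN7EXAMPLE"
  secret_key = var.aws_secret_key
}

resource "aws_db_instance" "app" {
  engine   = "postgres"
  username = "app"
  password = "Summer2021!"
}

resource "aws_instance" "web" {
  ami       = "ami-0123456789abcdef0"
  user_data = "echo export API_TOKEN=Zq7Bx3Lm9Kp2Vn4Tw8Rj5Hy6Fg1Dc0SaWePuNtQk"
}
"""


def run_scan():
    return scan_iac(SAMPLE_TF)


if __name__ == "__main__":
    for f in run_scan():
        print(f"line {f['line']:>3}  {f['rule']:<18} {f['match']}")
```

On the sample this reports the hard-coded access key (line 3), the literal database password (line 10) and the token buried in user_data (line 15), while leaving alone the secret_key that correctly references a variable and the AMI id whose entropy is high but whose length is below the floor. Those two negatives are the ones to ask a vendor about, since keyword-only scanners miss line 15 and entropy-only scanners flag line 14.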

Learn More
For high-level overviews showing how Prisma® Cloud addresses these requirements, please watch our pre-recorded product demonstrations.
For technical details on performing individual functions within Prisma Cloud, please explore our comprehensive product documentation.
To understand how Prisma Cloud can address your specific environment or to explore a function not detailed above, please contact your sales or account representative, or request a hands-on trial.

3000 Tannery Way
Santa Clara, CA 95054
Main: +1.408.753.4000
Sales: +1.866.320.4788
Support: +1.866.898.9087
www.paloaltonetworks.com

© 2021 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies. prisma_ds_cloud-rfp-checklist_090821
