SASE-ZTNA-001 | high weight | mandatory: financial services, healthcare
Describe how your platform enforces zero trust access to private applications.
Private application access is a core SASE use case and should be controlled by identity, device and application context rather than broad network access.
Evidence: Architecture diagram; Policy example; Identity provider integration list
Red flags: VPN-only access model; No application-level policy; No identity provider integration
Follow-ups: Can policies differ by user group and device posture? Can access be restricted to specific private applications rather than subnets?
SASE-ZTNA-002 | high weight | mandatory: financial services, retail, manufacturing, healthcare
Which identity providers do you support natively, and which protocols (SAML, OIDC, SCIM)?
Native IdP integration determines whether identity, group and lifecycle data drive access decisions in real time.
Evidence: Supported IdP list; Protocol matrix
Red flags: SAML only with no SCIM; Limited to one IdP
Follow-ups: How are deprovisioning events handled end to end?
SASE-ZTNA-003 | medium weight | mandatory: financial services, healthcare
How is device posture evaluated and used in access decisions?
Device posture lets buyers enforce different access rules for managed, unmanaged and high-risk devices.
Evidence: Device posture signal list; Sample posture-based policy
Red flags: No posture signals; Posture only on a single OS
Follow-ups: Which posture signals are available on unmanaged devices?
SASE-ZTNA-004 | medium weight | mandatory: financial services, healthcare
Describe step-up authentication and continuous session validation.
Continuous validation reduces the risk of stale sessions being used after the risk context changes.
Evidence: Step-up trigger list; Session validation cadence
Red flags: Session validation at login only
Follow-ups: Which signals can trigger step-up?
SASE-ZTNA-005 | high weight | mandatory: healthcare, financial services
Describe how third-party and contractor access is managed.
Third-party access is a common breach vector and needs tight, audited control.
Evidence: Third-party access workflow
Red flags: Shared accounts for contractors
Follow-ups: Is access time-bound by default?