The Vendor is required to provide a comprehensive software solution that delivers secure, scalable, and policy-driven connectivity across distributed environments.
- The solution must include advanced Layer 7 load balancing, DNS replacement capabilities, and intelligent routing to ensure optimal performance and availability.
- These capabilities must be delivered as software, not cloud-hosted services, and must integrate seamlessly into existing infrastructure.
- This includes Zero Trust Network Access (ZTNA), Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), Data Loss Prevention (DLP), and Digital Experience Monitoring (DEX).
- Network connectivity features such as Network-as-a-Service and Firewall-as-a-Service are essential to support secure branch and remote access.
- The selected software must enable unified policy enforcement, visibility across all traffic flows, and enhanced user experience through intelligent routing and performance optimization.
- A platform that consolidates edge security and network access into a single, software-delivered solution.
- Services include:
• 3600 Users
• 23,5000 Students
• 60 locations
• 120 Endpoints for apps and balancing
• 17 domains
• 30 million DNS requests monthly
• Approximately 14,000 devices across:
o Windows
o ChromeOS / Android
o iOS / macOS
• Integrates with Juniper SRX and standardized security logging to SIEM
- Required and future-capable software functionalities for securing applications, optimizing traffic, and enabling resilient, policy-driven connectivity across distributed environments.
- The solution must be software-based and deployable within existing infrastructure, supporting seamless BYOD (Bring Your Own Device) access, secure tunneling, and intelligent traffic management.
- While generalized, the scope reflects the architectural strengths of modern edge-based platforms with global reach and integrated security.
- The solution must be delivered as a cloud-based software platform, capable of operating without reliance on traditional on-premises infrastructure. It must support distributed access, centralized policy enforcement, and scalable performance across all service components.
- The solution must include a secure, centralized portal for configuration, monitoring, reporting, and policy management.
- The portal must support role-based access control, audit logging, and integration with identity providers.
- Global Content Distribution: Accelerates delivery of web and application content through a globally distributed edge network, reducing latency and improving user experience across geographies.
- Layer 7 Load Balancing:
• Routes traffic based on application-layer metrics such as path, headers, and cookies.
• Supports geo-aware and latency-based routing to optimize performance.
• Enables failover and health checks across multiple origins or data centers.
- Application Firewalling:
• Provides deep packet inspection and rule-based filtering to block malicious traffic.
• Protects against OWASP Top 10 threats and custom-defined attack patterns.
• Supports virtual patching and real-time threat intelligence updates.
- Payload Inspection & Content Scanning:
• Scans inbound and outbound traffic for malware, unauthorized scripts, and sensitive data leakage.
• Detects embedded threats in file uploads, API payloads, and user-generated content.
- API Protection:
• Enforces schema validation, token authentication, and mutual TLS.
• Blocks unauthorized access and abuse of public and private APIs.
• Supports rate limiting and behavioral analysis for API endpoints.
- Bot Management:
• Detects and mitigates automated traffic using behavioral analysis, fingerprinting, and challenge-response mechanisms.
• Differentiates between good bots (e.g., search engines) and malicious automation.
- Client-Side Security:
• Monitors and controls third-party scripts and browser-side vulnerabilities.
• Prevents data exfiltration and supply chain attacks via injected or compromised scripts.
• Provides visibility into client-side behavior and script execution.
- Traffic Control & Routing
• Rate Limiting:
o Applies granular traffic shaping policies to prevent abuse and ensure fair usage.
o Supports per-user, per-IP, and per-endpoint rate enforcement.
• Advanced Rate Enforcement:
o Context-aware rate limiting with adaptive thresholds based on user behavior and traffic patterns.
o Integrates with identity and session data for precision control.
• Managed Challenge System:
o Replaces traditional CAPTCHA with seamless challenge-response mechanisms.
o Verifies human users without degrading experience or accessibility.
• Client-Side Challenge Enforcement:
o Browser-based verification to prevent bot access and credential stuffing.
o Supports device fingerprinting and behavioral heuristics.
• Intelligent Routing:
o Dynamically selects optimal paths for traffic based on real-time network telemetry, latency, and congestion metrics.
o Improves application responsiveness and reduces packet loss.
• Layer 7 Smart Routing:
o Enhances application performance by routing requests to the fastest and healthiest origin.
o Supports weighted routing, failover, and traffic steering.
- Zero Trust & SSE Capabilities
• Zero Trust Network Access (ZTNA):
o Grants identity-aware access to internal applications without relying on traditional VPNs.
o Enforces device posture, user identity, and contextual policies.
o Supports browser-based access and clientless deployment for BYOD.
• Secure Web Gateway (SWG):
o Filters and inspects web traffic to enforce acceptable use policies and block threats.
o Supports URL categorization, SSL inspection, and malware scanning.
• Cloud Access Security Broker (CASB):
o Provides visibility and control over SaaS usage, including shadow IT detection.
o Enforces data protection policies across sanctioned and unsanctioned apps.
• Data Loss Prevention (DLP):
o Scans traffic for sensitive data and enforces policies to prevent unauthorized exfiltration.
o Supports regex, fingerprinting, and predefined data classifiers.
• Digital Experience Monitoring (DEX):
o Offers end-to-end visibility into application performance from the user’s perspective.
o Monitors latency, jitter, and availability across user sessions.
• Network-as-a-Service:
o Replaces legacy MPLS with software-defined WAN capabilities.
o Supports secure branch connectivity, dynamic routing, and traffic segmentation.
• Firewall-as-a-Service:
o Delivers cloud-native firewall functionality with granular rule sets.
o Supports Layer 3–7 inspection, policy enforcement, and threat blocking.
- Contract Period/Term: 3 years
- Questions/Inquiries Deadline: September 15, 2025