Addressing Application Scoring Metrics in Microsoft Cloud App Security
Microsoft Cloud App Security (MCAS), Microsoft's entry into the Cloud Access Security Broker (CASB) market, ships with a large cloud app catalog that helps technology teams tackle problems like insider threat and Shadow IT. The catalog covers around 17,000 applications, and each app carries a risk score derived from risk factors grouped into four categories. MCAS lets a company adjust the weighting of more than 54 of these factors to match its own risk posture.
The four categories MCAS currently scores are as follows:
- General - Anything to do with hosting information: where the data centers are and where the company was founded.
- Security - Factors that concern cyber security: HTTP security headers, data classification, encryption, valid certificate names, penetration-testing practices, and so on.
- Compliance - Whether the application is certified against particular industry standards (ISO, SOX, PCI, NIST, etc.).
- Legal - Anything related to legal standards such as GDPR, data ownership, and DMCA.
Finding the right back-end weighting for these metrics can be difficult. By default, MCAS gives the four categories equal importance, so an application's risk score is effectively the average of its four category scores. If IT teams wish to, they can weight some categories more heavily than others by changing a category's importance setting: a team that cares more about Security than about Compliance or Legal can raise Security's importance so it counts for more in the average.
Teams should keep this in mind when deciding on the risk metrics for applications. My recommendation is to weight Security and Legal four times (4x) as heavily as General and Compliance. Security is the main reason companies adopt a CASB in the first place, so it makes sense for it to dominate the weighted average. Legal belongs alongside Security because ever-expanding data privacy regulation, such as GDPR and the California Consumer Privacy Act (CCPA, in force from 2020), plays a huge role for businesses.
Luckily, MCAS also lets you weight individual sub-factors within each category. Compliance is where this matters most, with roughly 29 sub-factors. For General and Compliance, pick the sub-factors your company is most concerned about and give them a very high weight (8x). That way, when an application fails on one of those sub-factors, its low score still pulls the application's weighted average down even though the category as a whole carries less weight. A company that processes credit card payments is a perfect example: if an application is not PCI compliant, it would be wise to weight that factor very high so the app is penalised. Conversely, a company that does no defence work has no use for ITAR, so it can set that compliance factor to be ignored and it will never affect a score.
Often, Microsoft only has data for two or three factors in a category, because neither its cloud analysts nor its machine-learning pipeline could gather the rest. When only a few factors are present, the category score rests on those few values and can be badly skewed, making the application's risk score considerably higher or lower than it should be. Before trusting a category's score, check how many of its factors actually have data.
Once teams have their metrics figured out, they should assess individual applications and verify that the scores make sense. If a category is weighing a score down too much, adjust the MCAS weights again before moving on.
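To reason about these weighting choices before touching the tenant, here is a small model of weighted risk scoring that I have added for illustration; it is not Microsoft's scoring code and the exact arithmetic MCAS uses may differ. It assumes the importance levels map to multipliers of 0, 1, 2, 4 and 8 (Ignored through Very High), uses a constructed sample application with invented factor names and 0-10 factor scores (10 is best), and excludes a factor with no data from its category. It works through the recommendations above: Security and Legal at 4x, PCI at 8x, ITAR ignored, plus a coverage check that flags categories whose score rests on only a few factors.

```python
"""Simplified weighted risk-score model for trying out CASB importance settings.

Added example, not Microsoft's code. Factor names, sample scores and the
importance -> multiplier mapping below are assumptions for illustration.
"""
from typing import Dict, Optional

FactorScores = Dict[str, Optional[float]]   # None means MCAS has no data for the factor
AppProfile = Dict[str, FactorScores]        # category name -> its factor scores

# Assumed multipliers behind the importance levels (4x for High, 8x for Very High).
IMPORTANCE = {"ignored": 0, "low": 1, "medium": 2, "high": 4, "very_high": 8}

# Constructed sample application; scores use a 0-10 scale where 10 is best.
SAMPLE_APP: AppProfile = {
    "General":    {"founded": 8, "data_center_region": 6, "hosting_company": None},
    "Security":   {"http_security_headers": 3, "encryption_at_rest": 10,
                   "valid_certificate_name": 10, "penetration_testing": 2},
    "Compliance": {"pci_dss": 0, "iso_27001": 10, "soc_2": 10, "itar": 0},
    "Legal":      {"gdpr": 5, "data_ownership": 10, "dmca": 8},
}

# Recommendation from the article: Security and Legal at 4x General and Compliance.
CUSTOM_CATEGORY_WEIGHTS = {
    "General": IMPORTANCE["medium"], "Security": IMPORTANCE["high"],
    "Compliance": IMPORTANCE["medium"], "Legal": IMPORTANCE["high"],
}
# PCI at 8x for a card-processing business; ITAR ignored because there is no defence work.
CUSTOM_FACTOR_WEIGHTS = {
    "Compliance": {"pci_dss": IMPORTANCE["very_high"], "itar": IMPORTANCE["ignored"]},
}


def weighted_average(scores: Dict[str, Optional[float]], weights: Dict[str, int]) -> Optional[float]:
    """Weighted mean over entries that have data and a non-zero weight.

    Entries with no explicit weight fall back to Medium (the assumed default).
    Returns None when nothing contributes, e.g. a category with no data at all.
    """
    numerator = denominator = 0.0
    for name, score in scores.items():
        weight = weights.get(name, IMPORTANCE["medium"])
        if score is None or weight == 0:
            continue  # missing data and Ignored factors drop out entirely
        numerator += weight * score
        denominator += weight
    return None if denominator == 0 else numerator / denominator


def category_scores(app: AppProfile, factor_weights=None) -> Dict[str, Optional[float]]:
    """Score each category from its factors using per-category factor weights."""
    factor_weights = factor_weights or {}
    return {cat: weighted_average(factors, factor_weights.get(cat, {}))
            for cat, factors in app.items()}


def app_risk_score(app: AppProfile, category_weights=None, factor_weights=None) -> Optional[float]:
    """Overall score: weighted average of the category scores."""
    return weighted_average(category_scores(app, factor_weights), category_weights or {})


def coverage(app: AppProfile) -> Dict[str, float]:
    """Fraction of factors per category that actually have data.

    A low value is the warning sign from the text: the category score rests
    on only a few factors and may be skewing the overall risk score.
    """
    return {cat: sum(score is not None for score in factors.values()) / len(factors)
            for cat, factors in app.items()}


def default_risk() -> Optional[float]:
    """All categories and factors at the assumed Medium default."""
    return app_risk_score(SAMPLE_APP)


def customized_risk() -> Optional[float]:
    """Security/Legal 4x, PCI 8x, ITAR ignored."""
    return app_risk_score(SAMPLE_APP, CUSTOM_CATEGORY_WEIGHTS, CUSTOM_FACTOR_WEIGHTS)


if __name__ == "__main__":
    print("default categories  :", category_scores(SAMPLE_APP))
    print("custom categories   :", category_scores(SAMPLE_APP, CUSTOM_FACTOR_WEIGHTS))
    print("default risk score  :", round(default_risk(), 2))
    print("customized risk     :", round(customized_risk(), 2))
    print("factor coverage     :", coverage(SAMPLE_APP))
```

With the sample data, weighting PCI at 8x drags the Compliance category from 5.0 down to about 3.3 because the app's PCI factor is zero, while ignoring ITAR stops the missing certification from counting at all. The overall score barely moves (6.48 to 6.36) because Security and Legal, which the app does reasonably well on, are now weighted 4x; that is exactly the kind of effect you want to sanity-check on real applications before rolling a weighting out, and the coverage figure (General has data for only two of three factors here) tells you which category scores deserve the least trust.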
Microsoft Cloud App Security is a great CASB for tackling Shadow IT, insider threat, and security vulnerabilities. However, many of its capabilities come down to which applications users are using and the risk scores those applications carry. A poor posture in this area will cause problems for the tool's future use. Be sure to align your risk scoring properly, and reap the long-term benefits of a well-managed CASB.
For more information on MCAS's cloud app catalog and risk scoring, see Microsoft's official documentation: https://docs.microsoft.com/en-us/cloud-app-security/risk-score