Score metrics
The Cloud app catalog and the Cloud Discovery dashboard both list a "score" for each cloud app. This score is determined by adding up a number of known factors about the company, its security practices, and its compliance and legal standards. You can get in-depth details on the scoring system from Microsoft's documentation. A brief summary of the score system is provided below:
- Each score field is scored from 0-10
- Some fields are boolean, such as SOC 2 compliance, so they can only be 0 or 10
- Some fields are scaled from 0-10 based on:
  - Factors such as domain age: the older the domain, the higher the score
  - Multiple factors bundled into one, such as some GDPR fields
- Information is gathered from the sources below, and you can view the individual source on the cloud application itself:
  - Cloud application owner
  - Automated sources
  - Automated algorithms
  - Analysis by the MDCA team
  - Customer-submitted reports
All score fields
Field | Category | Customizable | Description |
---|---|---|---|
Category | General | False | Microsoft currently has 42 categories they assign to a cloud app, such as Education or IT Services. |
Headquarters | General | False | Cloud app company headquarter location. |
Data center | General | False | Cloud app company data center location. Can contain multiple countries. |
Hosting company | General | False | Who hosts the servers, i.e. AWS, Azure, etc. |
Founded | General | True | Year founded. |
Holding | General | True | Private or public company. |
Domain | General | False | All domains associated with the cloud app. |
Terms of service | General | False | URL to regulated terms of service. |
Domain registration | General | True | |
Consumer popularity | General | True | |
Privacy policy | General | False | URL to legally binding privacy policy. |
Logon URL | General | False | URLs used to logon to cloud app. Can contain multiple URLs. |
Vendor | General | False | Vendor providing the cloud app. |
Data types | General | False | Data types that can be uploaded to the app. |
Disaster recovery plan | General | True | Cloud app has a disaster recovery plan including backup and restore procedures. |
Latest breach | Security | False | Last time sensitive or confidential data was accessed by someone unauthorized to do so. |
Data-at-rest encryption | Security | True | |
Data-at-rest encryption method | Security | True | Type of encryption for data-at-rest. |
Multi-factor authentication | Security | True | Cloud app supports MFA. |
IP address restriction | Security | True | Cloud app allows restricting specific IPs. |
User audit trail | Security | True | User actions are auditable and available. |
Admin audit trail | Security | True | Admin actions are audited and available. |
Data audit trail | Security | True | Audited data report available. |
User can upload data | Security | False | Users can upload data. |
Data classification | Security | True | Users can classify the type of data. |
Remember password | Security | False | Cloud app can save or remember password. |
User-roles support | Security | True | Cloud app allows roles for limiting permissions. |
File sharing | Security | False | Cloud app allows sharing of files between users. |
Valid certificate name | Security | True | |
Trusted certificate | Security | True | |
Encryption protocol | Security | True | |
Heartbleed patched | Security | True | |
HTTP security headers | Security | True | |
Supports SAML | Security | True | Authentication of SAML is supported. |
Enforce transport encryption | Security | True | |
Protected against DROWN | Security | True | App servers are protected against the DROWN attack on HTTPS encryption (see the DROWN research). |
Penetration Testing | Security | True | Cloud app is penetration tested. |
Requires user authentication | Security | True | App requires authentication, no anonymous use. |
Password policy: Password length limit | Security | False | Limits to password length. |
Password policy: Character combination | Security | False | Password has complexity requirements. |
Password policy: Change password period | Security | False | Password must be changed periodically. |
Password policy: Password history and reuse | Security | False | Can’t reuse a password. |
Password policy: Personal information use | Security | False | Can't use personal info in the password. |
Password policy | Security | True | Best practice password policies in place. |
ISO 27001 | Compliance | True | Ensures systematic information security management and risk control. |
ISO 27018 | Compliance | True | Ensures privacy protection in cloud services. |
ISO 27017 | Compliance | True | Provides cloud security controls and best practices. |
ISO 27002 | Compliance | True | Guidelines for implementing information security controls. |
FINRA | Compliance | True | Regulates and oversees U.S. broker-dealers for market integrity. |
FISMA | Compliance | True | Mandates security for U.S. government information systems. |
GAAP | Compliance | True | Standards for financial reporting and accounting practices in the U.S. |
HIPAA | Compliance | True | Regulates the privacy and security of healthcare information. |
ISAE 3402 | Compliance | True | Assesses controls at service organizations affecting user entities' financial reporting. |
ITAR | Compliance | True | Regulates export of defense-related goods and services. |
SOC 1 | Compliance | True | Evaluates controls affecting financial reporting at service organizations. |
SOC 2 | Compliance | True | Assesses controls related to security, availability, and privacy in services. |
SOC 3 | Compliance | True | Publicly available report on service organization controls and security. |
SOX | Compliance | True | Requires financial reporting accuracy and internal control compliance for public companies. |
SP 800-53 | Compliance | True | NIST guidelines for securing federal information systems and data. |
SSAE 16 | Compliance | True | Assesses service organization controls impacting financial reporting. |
Safe Harbor | Compliance | True | EU-U.S. agreement for data protection and privacy transfer compliance. |
PCI DSS version | Compliance | True | Standards for securing payment card data and preventing fraud. |
GLBA | Compliance | True | Regulates financial institutions' handling of personal customer information. |
FedRAMP level | Compliance | True | Standardizes cloud security assessment for U.S. government agencies. |
CSA STAR level | Compliance | True | Cloud security certification framework with multiple assurance levels. |
Privacy Shield | Compliance | True | Framework for transatlantic data transfer compliance between EU and U.S. |
FFIEC | Compliance | True | Sets standards for financial institutions' IT and cybersecurity practices. |
GAPP | Compliance | True | Framework for data privacy principles in public and private sectors. |
COBIT | Compliance | True | Framework for IT governance and management of enterprise resources. |
COPPA | Compliance | True | Regulates online collection of personal information from children under 13. |
FERPA | Compliance | True | Protects the privacy of student education records. |
HITRUST CSF | Compliance | True | Certifies integrated security and privacy standards for healthcare organizations. |
Jericho Forum Commandments | Compliance | True | Principles for secure, boundaryless information sharing and collaboration. |
Data ownership | Legal | True | User maintains ownership of their data. |
DMCA | Legal | True | Protects copyright holders and limits liability for online platforms. |
Data retention policy | Legal | True | Data retained when a user is deleted. |
GDPR readiness statement | Legal | False | URL on how app maintains compliance with GDPR. |
GDPR - Right to erasure | Legal | True | Data can be deleted upon user’s request. |
GDPR - Report data breaches | Legal | True | Data breaches reported to users and authorities within 72 hours of detection. |
GDPR - Impact assessment | Legal | Needs review | Risk assessments of processing that affects individuals' data. |
GDPR - Secure cross border data control | Legal | Needs review | Data securely crosses borders. |
GDPR - Data protection officer | Legal | Needs review | Data protection officer oversees the data security strategy. |
GDPR - Right to object | Legal | Needs review | Object to processing of personal data. |
GDPR - Right to access | Legal | Needs review | Provide users with what personal data is being used. |
GDPR - Right to data Portability | Legal | Needs review | User can reuse their data across different services. |
GDPR - Right to be informed | Legal | Needs review | User informed of data security when data is leaving the EU. |
GDPR - Right to restriction of processing | Legal | Needs review | Users can block processing of personal data. |
GDPR - Rights related to automated decision making | Legal | Needs review | User may choose to not be profiled through automated means. |
GDPR - lawful basis for processing | Legal | Needs review | User data processed lawfully. |
GDPR - Right to rectification | Legal | Needs review | User can rectify data. |
GDPR - Data protection | Legal | True | |
GDPR - User ownership | Legal | True | |
Customizing the score
As you can see, many items are factored into a score, and not every item will be a concern or priority for your organization. You may be an educational institution mostly concerned with COPPA, or a healthcare organization concerned about HIPAA. You can adjust the weighting given to each field and choose to count missing data on a cloud app against the app.
Scale options include:
Option | Multiplier |
---|---|
Ignored | x0 |
Low | x2 |
Medium | x4 |
High | x8 |
Very high | x16 |
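To make the weighting concrete, here is an added worked example (not Microsoft's code or published formula) that applies the 0-10 field scores and the scale multipliers above. It assumes the aggregate is a weighted mean of the scored fields, that fields without an explicit importance default to "Medium", and that "count missing data against the app" means treating a missing field as 0; the sample app attributes are constructed.

```python
from typing import Dict, Optional, Union

# Importance multipliers from the "Scale options" table.
MULTIPLIER = {"Ignored": 0, "Low": 2, "Medium": 4, "High": 8, "Very high": 16}

FieldValue = Union[bool, int, float, None]  # None = vendor supplied no data


def field_score(value: FieldValue) -> Optional[float]:
    """Normalise one field to the page's 0-10 scale: booleans such as SOC 2
    become 0 or 10, numeric fields are clamped to 0-10, None stays None."""
    if value is None:
        return None
    if isinstance(value, bool):  # check bool before int: bool is an int subclass
        return 10.0 if value else 0.0
    return float(min(10, max(0, value)))


def app_score(app: Dict[str, FieldValue], importance: Dict[str, str],
              penalize_missing: bool = False) -> Optional[float]:
    """Weighted mean of the field scores (assumed aggregation rule).
    Fields missing from `importance` default to "Medium" (assumption).
    Ignored fields leave both numerator and denominator; missing data is
    skipped unless penalize_missing is set, when it counts as 0."""
    weighted_sum = 0.0
    weight_total = 0.0
    for name, value in app.items():
        weight = MULTIPLIER[importance.get(name, "Medium")]
        if weight == 0:
            continue
        score = field_score(value)
        if score is None:
            if not penalize_missing:
                continue
            score = 0.0
        weighted_sum += score * weight
        weight_total += weight
    if weight_total == 0:
        return None  # every field ignored or skipped: nothing to score
    return round(weighted_sum / weight_total, 2)


# Constructed sample data, not a real vendor's attributes.
SAMPLE_APP = {"SOC 2": True, "Multi-factor authentication": False,
              "Data-at-rest encryption": None, "Domain registration": 7}
# Healthcare-style weighting: authentication matters most, domain age not at all.
SAMPLE_IMPORTANCE = {"SOC 2": "High", "Multi-factor authentication": "Very high",
                     "Data-at-rest encryption": "Medium", "Domain registration": "Ignored"}
```

With these inputs the app scores 3.33 when missing data is skipped and drops to 2.86 once the unknown encryption field is counted against it, which is the effect the "count missing data" option has on a vendor that leaves fields blank.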