Microsoft Cloud App Security (MCAS) is a critical part of UMB’s strategy to ensure safe and responsible use of cloud-based applications, including AI tools. It helps assess the security posture (overall cybersecurity strength and readiness to identify, protect against, respond to and recover from cyber threats) of applications by assigning risk scores based on factors like data handling, compliance, and platform integrity.

How MCAS Risk Scores Are Generated

MCAS evaluates cloud applications using a multi-dimensional scoring system based on over 90 risk factors. These factors are grouped into four main categories:

| Risk Category | What It Measures |
|---|---|
| General | Company stability indicators like domain age, founding year, and popularity. |
| Security | Technical safeguards such as encryption, multifactor authentication, data classification, and ownership. |
| Compliance | Adherence to standards like HIPAA, PCI-DSS, ISO 27001, and CSA STAR. |
| Legal | Data protection policies, retention practices, and regulatory alignment (e.g., DMCA, GDPR). |

Each property within these categories is scored from 0 to 10:

  • True/False fields receive either 10 or 0.
  • Continuous metrics (e.g., domain age) are scored on a spectrum.
  • These scores are weighted to produce a subscore for each category.
  • The overall risk score is a weighted average of all category subscores.

MCAS uses a combination of:

  • Automated data extraction from app metadata (e.g., SOC 2 compliance, privacy policy, sign-in URLs).
  • Manual review and updates from Microsoft’s security analysts.
  • User feedback and custom overrides for enterprise-specific risk tolerance.

If an app is not in the Microsoft catalog of identified AI apps, it will appear as unscored. UMB users can request scoring via the AI Tool Request Form, and the CITS team will evaluate it using MCAS and other internal criteria.

Why It Matters

UMB uses MCAS to evaluate AI-powered tools before they are approved for use on university devices, networks, or with university data. Any application scoring below 7/10 is flagged as high risk and subject to further review.
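
The scoring steps described above (0 or 10 for True/False fields, a spectrum for continuous metrics, weighted category subscores, a weighted overall average, and the 7/10 flag), as an added example that is not Microsoft's or UMB's code. The property names, all weights, and the linear domain-age scale are assumptions made for illustration; the sample app is constructed.

```python
from dataclasses import dataclass

HIGH_RISK_BELOW = 7.0  # threshold stated on this page

@dataclass
class Prop:
    name: str
    value: object          # bool for True/False fields, number for continuous metrics
    weight: float = 1.0    # assumed weight within its category
    full_at: float = 1.0   # assumed: continuous value that earns the full 10

def prop_score(p):
    if isinstance(p.value, bool):
        return 10.0 if p.value else 0.0
    # Assumed linear scale, clamped to 0..10.
    return max(0.0, min(10.0, 10.0 * p.value / p.full_at))

def weighted_avg(pairs):
    total = sum(w for _, w in pairs)
    if total <= 0:
        raise ValueError("weights must sum to a positive number")
    return sum(s * w for s, w in pairs) / total

def subscore(props):
    return weighted_avg([(prop_score(p), p.weight) for p in props])

def overall(app, cat_weights):
    if not app:            # app missing from the catalog: no score at all
        return None
    return weighted_avg([(subscore(ps), cat_weights[c]) for c, ps in app.items()])

def triage(score):
    if score is None:
        return "unscored"
    return "high risk" if score < HIGH_RISK_BELOW else "not flagged"

def sample_app(mfa):
    # Constructed sample; property names and weights are illustrative.
    return {
        "General": [Prop("domain_age_years", 5, full_at=10)],
        "Security": [Prop("encryption_at_rest", True, 2), Prop("mfa", mfa, 2),
                     Prop("data_classification", True, 1)],
        "Compliance": [Prop("iso_27001", True), Prop("hipaa", False)],
        "Legal": [Prop("gdpr", True)],
    }

CAT_WEIGHTS = {"General": 1, "Security": 2, "Compliance": 1, "Legal": 1}  # assumed

if __name__ == "__main__":
    for mfa in (False, True):
        s = overall(sample_app(mfa), CAT_WEIGHTS)
        print(f"mfa={mfa}: {s:.1f} -> {triage(s)}")
    print(triage(overall(None, CAT_WEIGHTS)))
```

With these assumed weights, the single missing multifactor-authentication property moves the sample app from 8.0 to 6.4, which is enough to cross the review threshold.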
