Investigating Cloud Access Security Broker In A Healthcare Service : Creating A Cloud Access Security Broker (CASB) Discussion Frame-work For Evaluating Security in Cloud Healthcare Services

Abstract

Covid-19 accentuated the importance of accessible services, causing a major increase in the adoption of cloud services for enterprises. Cloud computing is a new paradigm that promises significant benefits for organizations in healthcare services. However, cloud computing also transforms enterprise architectures and introduces new problems of information security. Decision-makers in a large healthcare service provider need to justify decisions on cloud adoption, but such a task is convoluted given the different views on cloud computing and the potential impact of cyberthreats on critical infrastructures. As a consequence, cloud security controls need to be selected and implemented to complement cloud services. Our research focuses on the decision-making process for selecting a Cloud Access Security Broker (CASB) in a large public healthcare ICT provider in Norway. This thesis applies Action Design Research (ADR) to design a decision support tool for cloud security control selection in healthcare organizations. The result is a framework for evaluating cloud security controls that facilitates the decision-making process by considering multiple aspects of enterprise security architectures. Participants in the decision-making process can achieve a common understanding of cloud security control and a tailored assessment of how the cloud will impact information security in the organization. We present the design process and apply the framework to the CASB selection problem. As a practical implication, our findings suggest that selecting a cloud security control in a healthcare service provider is an ill-structured or “wicked” problem that requires a unique problem-solving approach