
Readers Write: When the Cloud Becomes the Attack Surface

March 18, 2026

By Brian McManamon

Brian McManamon, MBA, is general manager of managed security and managed services at Clearwater.


Healthcare organizations often talk about cloud as though it is a destination. In reality, for most hospitals, it has become an operating layer that keeps expanding.

That expansion did not usually happen through one formal strategy. It happened incrementally through SaaS adoption, remote access, vendor integrations, analytics tools, backup environments, and acquisitions. What many organizations now manage is not a clean cloud migration, but a hybrid environment made up of on-premises systems, cloud platforms, and third-party services that are tied together through identity and connectivity.

That matters because the cloud is no longer just part of the technology stack. In many environments, it has become part of the attack surface.

For many hospitals, “moving to the cloud” does not mean shutting down the data center and rebuilding everything as cloud-native. It usually means adding cloud services around existing operations. Clinical and business systems may still sit on-premises while identity, disaster recovery, remote access, analytics, and collaboration tools increasingly depend on cloud services. SaaS expands the footprint even further, often without being treated internally as part of the organization’s cloud environment.

That is where risk begins to grow quietly.

One of the most common misconceptions is that cloud is secure by default because the provider is secure. Major providers such as AWS, Azure, and Google Cloud invest heavily in securing their platforms. What they do not secure is each customer’s implementation.

Hospitals still own the responsibility for identity, configuration, access controls, logging, monitoring, and governance. If those areas are weak, cloud adoption can expand exposure faster than teams realize.

The opposite misconception is also common. Some organizations assume that keeping critical systems on-premises limits cloud risk. In practice, many of those same organizations have already adopted cloud identity, SaaS, remote vendor access, and external integrations. They have become hybrid whether they planned to or not. The difference is that they may not be managing that reality with a clear operating model.

Hybrid itself is not the failure. It is normal. In many cases, it is the natural result of smart teams making practical decisions over time.

A department adopts a new SaaS platform. IT centralizes identity. A cloud backup initiative begins. A new analytics platform is introduced. An acquisition brings another tenant, another domain, or another set of inherited tools. None of those decisions is inherently problematic. The problem is that governance and visibility often do not scale at the same pace.

That is when the cloud starts to become the attack surface.

The risk shows up first in identity. In hybrid healthcare environments, identities increasingly function as the control plane. Privileged roles accumulate. Service accounts remain active without clear ownership. Exceptions to MFA or conditional access persist longer than intended. Shared administrative access and standing privileges expand the potential blast radius of a single compromise.

An attacker no longer needs to move through the environment in the old ways if they can come through a valid account, exploit a policy exception, or take advantage of weakly governed permissions in a cloud-connected system.

The problem is compounded by visibility gaps. Many healthcare organizations do a strong job monitoring endpoints and network activity, yet cloud signals often remain fragmented. Logs may live across multiple consoles, subscriptions, tenants, and SaaS environments. Security teams may be watching the perimeter closely while missing critical changes in role assignments, application permissions, data shares, or service account behavior.

When those signals are not centralized and correlated, detection slows down. In some cases, it never happens at all.

Data sprawl adds another layer of risk. Healthcare environments generate copies of sensitive data for backups, archives, exports, analytics, and testing. Over time, protected health information can end up in more places than intended, sometimes with broader access and weaker protections than production systems. The issue is not only where the data started, but where it moved, who can reach it, and whether that movement is being governed consistently.

This is why cloud security in healthcare cannot be treated as a narrow infrastructure question. It is a governance question, an identity question, and ultimately a resilience question.

Cloud can improve resilience, but only when it is designed deliberately. Redundancy, scale, and operational flexibility can be real advantages. But those advantages weaken quickly if identity becomes a single point of failure, if disaster recovery exists only on paper, or if dependencies across cloud, SaaS, and legacy systems are not fully understood. In a hospital, resilience is not just uptime. It is the ability to support patient care when systems are under stress.

Good governance in that environment does not mean a large policy binder sitting on a shelf. It means a small number of clear, enforceable standards.

Hospitals need defined ownership for subscriptions, accounts, and services. They need baseline guardrails that prevent unsafe defaults. They need identity governance that prioritizes least privilege, manages non-human identities, and reviews exceptions regularly. They need enough centralized logging and alerting to see meaningful changes in the environment and act on them.

Most importantly, governance has to work in a 24/7 clinical setting. That means building models that support urgent care delivery without abandoning accountability. Exceptions may be necessary, but they should be time-bound, documented, owned, and reviewed.

The cloud is not the problem by itself. Unmanaged cloud is.

For healthcare leaders, one of the most useful next steps is a practical reality check. Inventory the tenants, subscriptions, service accounts, and privileged identities that are already in use. Confirm ownership. Review standing administrative access. Identify where visibility into cloud activity is missing. In most organizations, the attack surface has expanded gradually enough that no single decision created the problem. That is exactly why it deserves attention now.

In healthcare, the fundamentals still apply. Know your environment. Govern identity and access. Maintain visibility into critical systems and data flows.

The cloud becomes dangerous when organizations stop treating it as infrastructure and start assuming it will govern itself.


