Cloud has become the default platform for modern security operations, from visitor management portals and remote access control to incident logging, reporting, analytics, and integrations. But “in the cloud” does not mean “someone else is securing it for us”.
In 2025, the organisations getting this right are those that treat cloud security as a shared responsibility, integrate cloud and on-site defence into a single response capability, and design hybrid options that match operational realities (power outages, remote sites, contractor traffic, and BYOD).
Below is a practical guide for the industries SA Technologies serves (estates and office parks, logistics and manufacturing, mining, commercial buildings, and security resellers), focused on the risks we see most often and what good looks like when a data security technology partner manages and mitigates them.
1.) Who is responsible for cloud data security?
Every major cloud provider follows a shared responsibility model: the provider secures the cloud infrastructure, while the customer remains responsible for their data, identities, and configuration choices.
For example, Microsoft’s shared responsibility guidance is blunt on the non-negotiables: customers always retain responsibility for customer data, identities and users, configurations and settings, and endpoints, regardless of whether they are using IaaS, PaaS, or SaaS.
That matters because most cloud breaches are not Hollywood-style hacks of a hyperscaler. They are everyday failures like:
• Storage left publicly accessible.
• Excessive permissions (service accounts that can do far too much).
• Weak authentication and session controls.
• Secrets left in code, containers, or workflows.
• No meaningful logging/alerting until after data leaves the environment.
Exposed cloud data is still common
Tenable’s 2025 Cloud Security Risk Report findings (published June 2025) underline the scale of basic exposure issues: 9% of publicly accessible cloud storage contained sensitive data, and 97% of that sensitive data was classified as restricted or confidential.
It also highlights how frequently organisations leave credentials where attackers can find them. For example, 54% of organisations had at least one secret stored directly in AWS ECS task definitions (with similar patterns in GCP Cloud Run and Azure Logic Apps workflows).
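The secret-in-task-definition pattern described above can be caught before deployment. The following is an added example, not code from SA Technologies or Tenable; the task definition, the name and value patterns, and the function name `find_plaintext_secrets` are constructed for illustration. It flags credentials placed in a container's `environment` list and accepts entries under `secrets`, which hold only a `valueFrom` reference to a secrets store.

```python
import json
import re

# Variable names that usually indicate a credential (illustrative, not exhaustive).
SENSITIVE_NAME = re.compile(r"pass(word|wd)?|secret|token|api[_-]?key|private[_-]?key", re.I)
# Value shapes that indicate a credential regardless of the variable name.
SENSITIVE_VALUE = [
    ("aws-access-key-id", re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("private-key-block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("url-with-password", re.compile(r"://[^/\s:@]+:[^/\s@]+@")),
]

def find_plaintext_secrets(task_definition):
    """Return one finding per plaintext credential in containerDefinitions[].environment."""
    findings = []
    for container in task_definition.get("containerDefinitions", []):
        # Entries under "secrets" carry only a valueFrom reference, so they are not inspected.
        for env in container.get("environment", []):
            name, value = env.get("name", ""), env.get("value", "")
            reasons = [label for label, rx in SENSITIVE_VALUE if rx.search(value)]
            if value and SENSITIVE_NAME.search(name):
                reasons.append("sensitive-name")
            if reasons:
                findings.append({"container": container.get("name"),
                                 "variable": name, "reasons": reasons})
    return findings

# Constructed sample. The access key is AWS's documented example value, not a live credential.
SAMPLE_TASK_DEFINITION = json.loads("""
{
  "family": "visitor-portal",
  "containerDefinitions": [
    {
      "name": "api",
      "image": "example.invalid/visitor-portal:1.0",
      "environment": [
        {"name": "LOG_LEVEL", "value": "info"},
        {"name": "DB_PASSWORD", "value": "constructed-example-only"},
        {"name": "REPORT_STORE", "value": "AKIAIOSFODNN7EXAMPLE"}
      ],
      "secrets": [
        {"name": "SMTP_PASSWORD", "valueFrom": "arn:aws:ssm:REGION:ACCOUNT_ID:parameter/smtp-password"}
      ]
    }
  ]
}
""")
```

Run against the sample, the check reports `DB_PASSWORD` (by name) and `REPORT_STORE` (by value shape) and leaves `SMTP_PASSWORD` alone.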

What clients should insist on (in plain English)
When you are using a cloud-based security platform (or any cloud-hosted portal that stores visitor/tenant/vehicle or incident data), you should expect the provider to demonstrate controls across five areas:
1. Identity and access: MFA, conditional access, least privilege, role-based access (RBAC), admin separation.
2. Data protection: encryption in transit and at rest, key management, secure retention and deletion policies.
3. Secure configuration: hardened baseline, no public storage by default, continuous posture monitoring.
4. Logging and detection: centralised logs, alerting, tamper resistance, and tested incident playbooks.
5. Operational discipline: patching cadence, vulnerability management, third-party risk controls, and change control.
A good partner will clearly document what they secure and what you must own (e.g., user access, device hygiene, who can export reports, and how staff are offboarded).
2.) Integrating cloud and onsite cybersecurity
Most businesses now operate in both environments at once:
• On-site: access control hardware, networks, controllers, CCTV/NVRs, gate infrastructure, workstations.
• Cloud: portals, dashboards, mobile apps, reporting, integrations, backups, analytics, remote management.
The most common failure pattern we see is treating cloud and on-site security as separate projects with separate tools and separate accountability. Attackers do not respect that boundary.
The Unit 42 Global Incident Response reporting shows how quickly incidents move in practice: in 2025, the fastest 25% of intrusions reached exfiltration in 1,2 hours, down from 4,8 hours previously. In other words, if your cloud logs, endpoint visibility, and on-site telemetry are not connected, you may not even see the incident before the data is gone.
What “integrated defence” looks like operationally
For our sectors, an integrated approach typically includes:
• One identity strategy across cloud and on-site (MFA, conditional access, device compliance, least privilege).
• Centralised logging (cloud audit logs + firewall/VPN + endpoint + server + application events) feeding one monitoring capability.
• Joined-up incident response: a single playbook that covers cloud accounts, on-site networks, endpoints, and operational continuity (e.g., gate operations).
• Segmentation by design: guest Wi-Fi, IoT/CCTV networks, gate systems, admin workstations, and cloud management paths separated.
• Routine testing: tabletop exercises and real recovery tests (not just “we have backups”).
A security technology partner adds real value here by engineering the platform and deployment approach so that security controls are not optional add-ons; they are built into the way the solution runs, how users authenticate, and how sensitive actions (exports, admin changes, integrations) are logged and controlled.
3.) Hybrid cybersecurity options for businesses
Hybrid architectures (some services in the cloud, some on-site) are common in security and access environments because we must accommodate:
• Remote sites and variable connectivity.
• Power interruptions and backup requirements.
• Operational needs at the gate (where downtime becomes a safety and business continuity risk).
• Legacy systems that cannot be moved immediately.
• Data residency, retention and compliance requirements.
Cloud also brings genuine advantages, but only when configured and governed correctly. Most organisations have already embraced it; a PwC survey cited in 2025 commentary reported 78% of respondents had adopted cloud across most of their organisations.
Practical hybrid options
Option A: Cloud-first platform plus on-site enforcement (common in access control/visitor management).
• Cloud portal for reporting, configuration, booking workflows, and audits.
• On-site devices at the gate/entry for enforcement and operational continuity.
• Strong identity controls and logging around administrative actions.
Option B: “Secure core on-site” plus cloud analytics.
• Sensitive operational functions remain on-site (where required).
• Cloud used for dashboards, trend analysis, and controlled exports.
• Tight data classification rules: what can leave on-site, what cannot.
Option C: Segmented hybrid with managed detection.
• Hybrid architecture plus continuous monitoring (MDR/SOC).
• Alerting on identity anomalies, impossible travel, suspicious exports, new admin privileges, unusual API usage.
• Clear response runbooks: disable accounts, rotate secrets, block tokens, isolate endpoints, and preserve evidence.
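As an added example of one alert from the list above (not code from SA Technologies or any monitoring product), the sketch below flags "impossible travel" in centralised sign-in logs. The event fields, the sample sign-ins and both thresholds are assumptions made for illustration; timestamps are assumed to be ISO 8601 with an explicit offset.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 900.0   # assumed ceiling: roughly airliner cruise speed
MIN_DISTANCE_KM = 50.0  # assumed floor: ignore geo-IP jitter within one metro area

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = p2 - p1, radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(events):
    """Flag consecutive sign-ins by one user that imply a speed above MAX_SPEED_KMH."""
    alerts, last_seen = [], {}
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        prev = last_seen.get(ev["user"])
        last_seen[ev["user"]] = ev
        if prev is None:
            continue
        km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
        delta = datetime.fromisoformat(ev["time"]) - datetime.fromisoformat(prev["time"])
        hours = delta.total_seconds() / 3600
        # Simultaneous sign-ins from distant places (hours == 0) are flagged as well.
        if km > MIN_DISTANCE_KM and (hours == 0 or km / hours > MAX_SPEED_KMH):
            alerts.append({"user": ev["user"], "from": prev["site"],
                           "to": ev["site"], "km": round(km)})
    return alerts

# Constructed sign-in events (user names, times and locations are illustrative).
SAMPLE_SIGN_INS = [
    {"user": "estate.admin", "time": "2025-11-03T08:00:00+00:00",
     "site": "Johannesburg", "lat": -26.2041, "lon": 28.0473},
    {"user": "guard.01", "time": "2025-11-03T08:05:00+00:00",
     "site": "Johannesburg", "lat": -26.2041, "lon": 28.0473},
    {"user": "estate.admin", "time": "2025-11-03T08:45:00+00:00",
     "site": "London", "lat": 51.5074, "lon": -0.1278},
    {"user": "guard.01", "time": "2025-11-03T09:30:00+00:00",
     "site": "Pretoria", "lat": -25.7479, "lon": 28.2293},
]
```

Only the `estate.admin` pair is flagged; the guard's move between nearby sites stays well under the speed ceiling. An alert of this kind is a trigger for the runbook steps listed above, not proof of compromise, since VPN exits and mobile carriers can shift apparent location.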
A capable partner should be able to support whichever path fits your operational reality, and help you migrate safely over time, rather than forcing a one-size-fits-all cloud leap.
4.) BYOD risks and solutions
For many of our clients, BYOD happens at multiple layers:
• Managers approving access remotely from personal phones.
• Residents/tenants using mobile apps for gate access and visitor bookings.
• Contractors and vendors receiving QR/PIN credentials and using personal devices on site.
• Security staff using personal devices when corporate devices are limited or unreliable.
The risk is that BYOD often expands access without expanding control. Research from October 2025 (based on Ivanti findings) stated:
• 44% of workers used their personal phone for work.
• In organisations that forbid BYOD, 78% of employees do it anyway.
That is exactly how organisations end up with sensitive systems being accessed by devices that have:
• No screen lock enforcement.
• Outdated OS versions.
• Unpatched apps.
• Insecure Wi-Fi use.
• No ability for IT/security to remotely remove corporate data if the device is lost or the employee leaves.
What works: secure the access, don’t ban the device
A BYOD-ready approach typically combines:
• Strong identity controls: MFA, conditional access, risk-based sign-in.
• Device posture checks (where feasible): require updated OS, encryption, screen lock; block jailbroken/rooted devices.
• App-level controls: restrict export/download, watermark sensitive documents, limit session duration.
• Least privilege by role: residents, guards, administrators, resellers, and contractors must have different capabilities.
• Revocation discipline: access removed immediately when roles change; tokens invalidated; shared accounts eliminated.
• Secure onboarding: clear user guidance, training, and “what to do if your phone is lost” processes.
This is also where well-designed security platforms quietly reduce risk. If the system is built with fine-grained permissions, strong audit trails, and controlled workflows, BYOD becomes manageable rather than chaotic.
How do you choose the right cloud security partner?
When selecting a provider for cloud-hosted security systems (visitor management, access control portals, mobile apps, reporting), we recommend asking direct questions that reveal whether security is engineered in or bolted on.
10 questions to ask:
1. What is your shared responsibility model in writing?
2. How do you secure identities and admin access (MFA, RBAC, conditional access)?
3. How is data encrypted (in transit/at rest), and who manages keys?
4. How do you prevent public data exposure by misconfiguration?
5. Where do you store secrets, and how are they rotated?
6. What logs are captured, how long are they retained, and can we access audit trails?
7. What is your incident response process, and have you tested it recently?
8. How do you support hybrid requirements (on-site continuity, remote sites, offline resilience)?
9. How do you handle BYOD safely without making the system unusable?
10. How do you help us with governance (user offboarding, role reviews, policy templates, training)?
A strong partner will not dodge these questions. They will welcome them, and they will be able to show evidence, not just assurances.
© Technews Publishing (Pty) Ltd. | All Rights Reserved.