Data Centre and Technology Facility Security | CloseProtectionHire

Data centres sit at the intersection of physical and cyber security in a way that makes physical security failures directly equivalent to cyber incidents. A physical intrusion into a data hall can achieve the same outcomes as a sophisticated remote attack: data exfiltration, hardware compromise, service disruption, or intelligence collection. The physical security programme for a data centre is, in effect, a component of the organisation’s cyber risk management.

This guide covers the specific physical security requirements for data centres and technology facilities, the insider threat dimension specific to privileged-access environments, the standards applicable to commercial and COLO facilities, and the particular challenges of P1 city data centre operations.

The Access Control Stack

The standard physical access control architecture for a data centre is a series of nested security perimeters, each requiring authentication to pass. The number of perimeters and the authentication method for each varies with the sensitivity of the facility.

Perimeter security: The site boundary is the outermost layer. For purpose-built data centres, this typically includes perimeter fencing (minimum 2.4 metres, anti-climb), vehicle access control (barriers, vehicle check area, vehicle registration logging), and CCTV covering all approach routes and the full perimeter. ANSI/TIA-942 Rated Design 4 (equivalent to Tier IV fault-tolerant) requires anti-ram vehicle barriers at all vehicle access points.

Building entry: The data centre reception or guardroom is the human checkpoint. All visitors must register identity and purpose, hand in mobile phones and recording devices (for highly sensitive facilities), and be escorted to the point of access. Unescorted visitor access is not permitted at any tier above the reception area. Access log data – who entered, when, and for what purpose – must be retained for a minimum of 12 months.

Data hall entry: Hall-level access is restricted to staff whose roles require data hall access, vetted contractors, and escorted visitors. The authentication method for hall access should be at minimum proximity card plus PIN (two-factor authentication). For Tier III/IV facilities or those hosting classified, defence-related, or highly sensitive commercial data, biometric authentication (fingerprint, retinal, or hand geometry) is the standard.

Cage or suite level (COLO): In multi-tenancy COLO environments, each tenant’s physical space – whether a cage, suite, or private hall – should have its own access control independent of the operator’s hall-level system. A situation where the facility operator can access the tenant’s cage without the tenant’s knowledge or authorisation represents a physical security risk that is frequently overlooked in COLO procurement.

Insider Threat Controls

Authorised access does not mean trusted access. The insider threat in data centre environments is elevated because the individuals who need physical access to do their jobs – server engineers, network technicians, facilities staff – have precisely the access required to cause significant harm.

The specific insider threat vectors in data centres include:

Hardware implants: The installation of recording or interception devices within servers, networking equipment, or power distribution units by an insider with access. Hardware supply chain attacks – replacing legitimate components with compromised substitutes – are a variant. The 2018 Bloomberg Businessweek report on alleged Super Micro hardware implants, though disputed by the companies named, focused attention on this risk at an industry level that had not previously been standard awareness.

Physical media exfiltration: Removal of data on physical media (USB drives, external storage, printed output) from the data hall. USB port blocking at physical workstations within the data hall, bag checks on exit, and CCTV covering exits with line-of-sight to staff departure are the standard countermeasures.

Deliberate outage: Physical damage to power, cooling, or networking infrastructure within the data hall. Two-person integrity rules – requiring two authorised staff to be present simultaneously for work on critical systems – provide an oversight mechanism that makes deliberate sabotage significantly harder to execute.

Credential sharing and access facilitation: An insider who shares their access credentials with an external party, or who deliberately props open access-controlled doors, creates a path for external intrusion that bypasses the access control perimeter entirely. Random access log reviews – checking whether a credential was used at an unusual time or location – and tailgating detection via CCTV are the primary detection controls.

COLO Facility Selection

For organisations co-locating infrastructure in a third-party data centre, the facility operator’s physical security programme is a risk that the organisation inherits. COLO selection that treats physical security as a secondary consideration behind power and connectivity specifications creates a situation where the organisation’s physical security posture is determined by a vendor they have not assessed.

The security evaluation criteria for COLO selection should include:

Certification status: SOC 2 Type II (AICPA Trust Services Criteria), ISO 27001 certification with specific reference to Annex A.11 (Physical and Environmental Security), and PCI DSS (for facilities hosting payment card data) are the principal standard frameworks. Certification does not guarantee the quality of the physical security programme but establishes that the controls have been independently audited against a defined standard.

Access log management: The facility operator should be able to provide, on request, an access log showing all entries to the tenant’s cage or suite. The operator’s policy on access log retention and the tenant’s contractual right to audit records should be confirmed before contract signature.

Contractor vetting: The operator’s procedures for vetting third-party contractors (mechanical, electrical, IT, cleaning) who work in the data hall should be confirmed. Contractors are a consistent vulnerability in data centre physical security – they may require hall access without the same background screening as permanent staff.

Visitor escort procedures: The operator’s visitor management procedures – registration, escort, escort qualification, access scope – should be reviewed. A visitor who is escorted to the hall entrance but then permitted to move unescorted within the hall represents a gap in the assumed security of the tenant’s cage.

P1 City Data Centre Operations

Data centres in P1 cities – Lagos, Mumbai, Manila, Jakarta, Karachi, and their equivalents – operate in a physical threat environment that is materially different from regulated markets in Europe or North America. The specific elevated risks are:

Power stability and security system vulnerability: Extended power outages in cities with unreliable grid supply – Lagos and Manila in particular – create transition windows during generator switchover where access control systems, CCTV, and alarm systems may be momentarily offline or at reduced function. A thorough generator and UPS (Uninterruptible Power Supply) inspection, including timing of transition windows and confirmation that security systems are on protected circuits, is a minimum standard for P1 city facility assessment.

Contractor and guard sourcing risk: In markets with weaker regulatory oversight of the security industry, the quality variance in physical security guards and contractors is significant. The risk that guard positions at a data centre in Lagos or Karachi have been filled through arrangements that involve corrupt selection – placing individuals with criminal associations or client-side intelligence obligations – is not theoretical. Independent verification of security contractor vetting procedures is warranted.

Informal law enforcement access: In some P1 markets, regulatory or law enforcement requests for access to data centre facilities may be made informally and without proper legal process. Tenants should maintain their own independent access logs and should have a protocol for responding to access requests that do not conform to the legal process applicable in the facility’s jurisdiction.

For the broader convergence of physical and cyber security in corporate environments, see our physical and cyber security convergence guide. For the insider threat framework applicable to all high-trust access environments, see our insider threat and corporate security guide. For the telecoms infrastructure that data centre network connectivity depends on – covering the Electronic Communications Security Act 2021, submarine cable vulnerabilities, Volt Typhoon state-sponsored pre-positioning in CNI, and physical security for tower estates and NOCs – see our security for telecom infrastructure guide. For satellite operations and space ground stations – which provide the uplink and downlink connectivity that data centres depend on for global reach, and which face NIS2 essential entity obligations requiring the same incident reporting and supply chain security standards as major data centre operators – see our security for satellite operations and space ground stations guide.

Sources

ANSI/TIA-942: Telecommunications Infrastructure Standard for Data Centres, 2017 (revision in progress). AICPA: Trust Services Criteria (SOC 2), 2017. ISO/IEC 27001:2022 – Information Security Management, Annex A.7 (Physical Controls). PCI DSS v4.0, Requirement 9: Restrict Physical Access to Cardholder Data, 2022. NCSC: Physical Security Guidance for Server Rooms and Data Centres, 2024. CISA: Data Centre Physical Security Best Practices, 2024. Uptime Institute: Global Data Centre Survey 2024. Gartner: Data Centre Physical Security Best Practice Report 2024. OSAC: Physical Security for Technology Facilities in High-Risk Markets, 2024. Control Risks: Technology Sector Risk Report 2025.

James Whitfield is a Senior Security Consultant with 20 years of experience in corporate security, physical access control, and insider threat management for technology sector clients globally.