Datacenter
Data center physical security and access control field guide
How a data center is secured in concentric rings from the fence to the cabinet, what enforces each boundary, and why life safety and free egress override the lock every time.
Direct answer
Data center physical security is the layered set of controls that keeps unauthorized people away from the computing equipment, built as concentric rings from the site fence to the cabinet so a breach at one ring meets the next. Access is authenticated at each ring, and life safety allows free egress. The security program and the AHJ control the design.
Key takeaways
- Data center security is built as five concentric rings: site perimeter, building entry, interior/gray space, data hall/white space, and cabinet/cage, each a separate authenticated, logged boundary.
- Free egress always wins: fail-safe locks release on power loss, fail-secure stay locked, and egress doors must allow exit on power loss and fire alarm per the building/fire codes and AHJ.
- A mantrap (security vestibule) is interlocked doors passing one cleared person at a time to defeat tailgating, paired with two-factor authentication at the data hall and cages.
- Mechanical keys fail audits because they cannot be tracked, time-limited, or revoked without a re-key; electronic access control logs every grant and deny.
- Vehicle barriers carry ASTM F2656 ratings (M30/M40/M50 for a 15,000 lb test vehicle) and ASTM F3016 for low-speed; access hardware is listed to UL 294.
What physical security protects, and the layered model
Physical security in a data center is the set of controls that keeps people who do not belong near the computing equipment from reaching it. It is built into the facility from the property line inward, not bolted on after the building is up. The white space and gray space layout guide covers how the building is zoned into rings. This guide covers the controls that enforce those rings: the fences, the doors, the readers, the cameras, and the people watching them.
The model the whole field runs on is defense in depth. You assume any single control can fail or be beaten, so you stack independent controls in concentric layers and make an intruder defeat each one in turn. A cut fence still leaves a locked lobby. A stolen badge still faces a biometric at the data hall door. Each layer is there to deter, to detect, to delay, and where it has to, to deny, long enough for someone to respond.
What separates a real security design from a pile of gear is that the layers are independent and the response is staffed. A camera nobody watches and an alarm nobody answers are not security. They are evidence collected after the fact. The asset being protected is rarely the hardware. It is the data on it and the uptime around it, which is why the access controls and the audit trail matter as much as the locks.
What is defense in depth in physical security?
Defense in depth is the practice of layering independent security controls so that defeating one does not get an intruder to the asset. Each layer buys two things: time and a chance to detect. The classic framing is deter, detect, delay, deny, and the layers are designed so that the delay any one of them imposes is longer than the time it takes the response force to arrive.
Independence is the part that gets faked. Two controls that share a failure are one control. A badge reader and a door alarm that both die when the same panel loses power are a single point of failure dressed as two layers. The same goes for an A and a B that secretly share an upstream feed, which is the redundancy mistake the power and layout guides warn about applied to security. Real layers fail separately.
The other half is response. Delay without response just means the intruder takes longer. A 90 second forced-entry delay matters only if a guard or a remote operator is dispatched inside that window. Design the delay around the real response time, not a number on a brochure, and test it by walking the path and timing it, not by assuming it.
The five rings, from the fence to the cabinet
A data center is secured as a set of concentric rings, and a useful way to count them is five. Ring one is the site perimeter, the fence and the vehicle approach. Ring two is the building entry, the lobby where people are identified and badged. Ring three is the interior and the gray space, the general inside of the building. Ring four is the data hall, the white space where the IT gear runs. Ring five is the cabinet or the customer cage, the last boundary around the gear itself.
The white space and gray space layout guide maps these rings onto the building zoning, and the rack readiness guide covers the cabinet itself. The point for security is that each ring is a separate access decision with its own credential check, and the strength of the check climbs as you go inward. The fence keeps out the casual and the vehicle. The lobby identifies. The data hall demands a second factor. The cage adds the customer's own lock on top of the facility's.
Count your own building honestly. Some sites split a ring or add one, a separate ring for the meet-me room, a sub-ring inside a colocation suite. The number is less important than the rule: between any two zones of different sensitivity there is a controlled, authenticated, logged boundary, and you can stand at any door and name which ring you are crossing.
| Ring | What it is | Primary control |
|---|---|---|
| 1. Site perimeter | Fence, gates, vehicle approach | Barriers, gates, lighting, CCTV, CPTED |
| 2. Building entry | Lobby, reception, entry doors | Badging, guard, single-factor access, visitor desk |
| 3. Interior / gray space | General building, plant rooms | Access control on doors, intrusion detection |
| 4. Data hall / white space | IT equipment floor | Two-factor, mantrap or portal, full CCTV |
| 5. Cabinet / cage | Customer cage, locking cabinet | Cage access, cabinet locks, customer's own credential |
The site perimeter and the approach
Ring one starts at the property line, and most of it is decided by where the building sits and how a vehicle reaches it. Standoff is the first control: distance between the public road and the building so a vehicle cannot get up speed or get close. Where standoff is short, crash-rated barriers make up the difference. Bollards, wedge barriers, and gates carry vehicle ratings under ASTM F2656 (the M30, M40, M50 speed classes for a 15,000 lb test vehicle), with the lower-speed storefront ratings under ASTM F3016. Pick the rating to the credible threat, and remember the foundation is part of the rating. A crash bollard set in shallow concrete is decoration.
The fence and the gates carry the line between the bollards. A real perimeter fence is high enough and detailed enough to slow a climb, with no convenient ladder of crossbars on the outside, and the gates are the weak point you watch, because a fence is only as good as its openings. Vehicle gates, sally ports for trucks, and the guard booth all sit here.
CPTED, crime prevention through environmental design, is the design discipline that ties it together. Sightlines kept open so there is nowhere to hide against the wall, lighting that removes the shadows a camera and a guard both need gone, landscaping that channels people to the controlled entrance instead of around the back. Lighting is doing double duty: it deters, and it gives the cameras the light they need to produce a usable image at night. A dark corner is a blind camera and a hiding spot at once.
How do data centers control physical access?
Data centers control access with an electronic access control system: a credential the person carries, a reader at the door, a controller that makes the decision, and an electric lock that holds or releases the door. The reader sends the credential to the controller, the controller checks it against the permissions for that door at that time, and it either releases the lock and logs a grant or holds it and logs a deny. Every grant and every deny lands in a database. That record is the point.
The credential comes in three kinds, often combined. Something you have, a card or badge or a phone. Something you know, a PIN. Something you are, a biometric. A card alone is the weakest, because a card can be lost, lent, or cloned, which is why sensitive rings demand a second kind. The reader and the lock are matched to the door and the rating, and the controller is the brains that holds the schedule, the permissions, and the log.
Mechanical keys are the quiet failure here. A brass key cannot be tracked, cannot be time-limited, and cannot be revoked without a re-key, so it produces no audit trail and it walks out the door with the person who quits. Auditors flag key-only doors for exactly this reason. The electronic system exists to answer one question on demand: who went through which door, when, and was it allowed. A key answers none of it.
What is a mantrap, and where two factors are required
A mantrap, also called a security vestibule, portal, or sally port, is a pair of interlocked doors with a small space between them where the second door will not open until the first has closed. It lets one cleared person through at a time and it defeats tailgating, because a second person cannot slip through behind the first while both doors are shut around them. Access to the data hall and the cages typically runs through one. The layout guide names the mantrap in passing; this is where it earns its keep.
At the sensitive rings, the mantrap is paired with two-factor authentication: a card plus a PIN, or a card plus a biometric. The logic is the defense-in-depth rule applied to one door. A lost card alone does not pass, because the thief does not have the PIN or the fingerprint. The deeper the ring, the more factors, so the data hall door asks for more than the lobby door did.
Portals take it further than interlocked doors. A security portal can carry an optical sensor array or a weight-sensitive floor that counts the occupants and refuses to cycle if it sees two people in a single-occupancy lane. That is the anti-tailgating control made physical instead of trusting a person to not hold the door. The tradeoff is throughput, since one-at-a-time is slower, so portals go where the security demand justifies the wait and turnstiles or staffed doors handle the higher-traffic outer rings.
Tailgating, the number-one way access gets beaten
The most common way a good access control system gets defeated is the simplest: someone walks in behind an authorized person. Tailgating is following through a door the legitimate holder opened. Piggybacking is the same thing with the holder's knowing help, the polite door-hold for a stranger carrying a box. No badge was cloned and no lock was picked. The system worked exactly as designed and the wrong person got in anyway, because the weak point is the human, not the hardware.
The controls that actually stop it are physical, because policy alone does not. A mantrap or a security portal that cycles one person at a time removes the door to hold. Optical or floor-sensor anti-tailgating detection on the portal locks down when it counts two bodies on one credential. Full-height turnstiles at the outer rings force single file. Anti-passback, covered later, kills the trick of handing a badge back through the fence to a second person.
The part you cannot buy is the culture. The strongest anti-tailgating door fails if staff treat challenging a stranger as rude. The sites that hold the line train people to expect the challenge and to not take it personally, and they back the portals up with cameras and a guard who watches the entry. The door slows the tailgater. The culture and the watch catch the one the door missed.
Biometrics at the high-assurance layers
Biometrics bind the credential to the body so it cannot be lent, lost, or handed back through a fence. The common modes are fingerprint, hand geometry, iris, and facial recognition, and they show up at the doors where a card and PIN are no longer enough, the data hall and the cage. The reason to put a biometric on the inner ring is the same reason you put two factors there: it removes the last way to pass a credential to someone who should not have it.
Every biometric lives on a tradeoff between two error rates. The false accept rate is how often it lets the wrong person in. The false reject rate is how often it turns the right person away. Tighten the threshold to drive false accepts down and you drive false rejects up, and now your own staff are locked out at the worst moment. Loosen it for convenience and you have widened the hole you installed it to close. The setting is a security decision, not a default to leave on the factory value.
The practical failure modes are mundane. A fingerprint reader struggles with a cut, a glove, or a dry winter hand. Facial recognition shifts with lighting and with a hard hat or safety glasses. Iris is among the more discriminating but costs more and reads slower. The move that holds up is the biometric as the second factor on top of a card, not as the only factor, so a bad read degrades to a retry instead of a lockout, and the card carries the identity the biometric confirms.
Video surveillance and the VMS
Cameras cover every ring, and their job is detection, assessment, and the record after the fact. A camera at the perimeter and the gate, at every controlled door, down the data hall aisles, and on the loading dock, all feeding a video management system, the VMS, that records, stores, and serves the footage. The value is in the coverage and the record, not the count of cameras, and the classic gap is the blind spot between two cameras that nobody walked the floor to find.
Coverage means no gaps at the boundaries that matter and an image good enough to identify, not just to notice motion. That takes resolution, a field of view that frames the door and the face, and light, which is why the lighting from the perimeter section is a surveillance control too. A camera that captures a dark silhouette tailgating through a door recorded the event and identified no one.
Retention is a policy and a compliance number, not a fixed law, so verify it against the project security program, the customer contracts, and any regulation the data brings with it. Colocation and regulated workloads often drive longer retention than an enterprise would choose on its own. The strongest version ties the video to the access control, so a forced or held-open door, or an access denial, flags the operator and pulls up the matching camera automatically. Analytics, line-crossing, loitering, and people-counting, turn a wall of feeds nobody can watch into alarms a person can act on.
Intrusion detection and alarm monitoring
Intrusion detection is the layer that notices a boundary being crossed where no access was granted. Door position contacts that fire when a controlled door opens without a valid grant or is propped open too long. Motion sensors in spaces that should be empty after hours. Glass-break detectors on vulnerable openings. Fence-line and perimeter sensors on the outer ring. Each one is a tripwire that turns a physical event into a signal.
The signal is worthless without somewhere to go. The detection field reports to an alarm panel that reports to a monitored point, the on-site security operations center or a central station, where a human assesses it and dispatches a response. The whole chain is designed around the question: how long from the trip to a person standing at the door. Forced-entry delay on the physical side has to outlast that number.
The defect that hides in plain sight is the door alarm that everyone ignores because it cries wolf. A held-open alarm that nuisance-trips fifty times a shift gets muted, and then the one real event is muted with it. Tune the detection so the alarms that fire are alarms worth answering, and audit the response so a trip actually produces a person, not just a line in a log.
The security operations center and the guard force
The security operations center, the SOC, is the staffed room where the cameras, the access logs, and the alarms come together and a person watches them around the clock. It is the response half of every delay the physical layers buy. A larger facility runs it on site, 24 by 7, with operators watching the VMS, working the access events, and dispatching the guard force. A smaller site may contract the monitoring to a central station, but the function is the same: someone is watching and someone can be sent.
Guards are the part of the system that can think. A portal counts bodies and a camera records, but a guard decides whether the contractor at the dock with the wrong paperwork gets in, patrols the rings on a schedule that an intruder cannot predict, and escorts the visitor who has no clearance to be alone inside. The patrol and the watch catch what the fixed controls miss, which is exactly the events the fixed controls were not designed for.
The SOC also owns the procedures, and procedures are where security lives or dies under stress. The response to a forced door, the escalation when an alarm is real, the lockdown when something is badly wrong, the coordination with the fire response when life safety takes over. A control room full of screens with no trained procedure behind it is a very expensive way to watch a breach happen.
How does visitor and contractor access work?
Visitors and contractors are the people without a standing credential, and they are handled by a visitor management process, not by a badge handed over at the desk. The visitor is pre-registered against an approved list, identified by government ID on arrival, issued a temporary, visibly different badge that expires, logged in and out, and, at the sensitive rings, escorted the whole time. The temporary badge carries only the access the visit needs and nothing else.
Escort is the control that does the work. A visitor or a contractor in the white space is accompanied by a cleared person who is responsible for them, because an unescorted stranger near a customer's racks is the threat the cages exist to stop. Sites set an escort ratio, a cap on how many visitors one escort can watch at once, since one person cannot truly supervise a crowd. The ratio is a policy number, so verify it against the project security program and the customer agreements.
Contractors are the harder case, because the work is real and the access is broad. The crew servicing a chiller or pulling cable needs into the gray space for hours or days, and the discipline is to scope the access to the work, the zone, and the window, escort where the work touches a customer's space, and revoke it cleanly when the job ends. The contractor badge that still works a month after the project closed is a standing hole nobody is watching.
Cages and colocation security
In a colocation building the white space is shared among customers who are often competitors, so the cage is the ring that separates one tenant's gear from the next. A cage is a fenced, lockable enclosure around a customer's rows; a suite is a walled private room for a larger tenant. The layout guide covers how cages are placed and how a cage changes the airflow. The security point is that the cage is its own access boundary on a floor full of other people's equipment.
The cage carries the customer's own access control on top of the facility's. The tenant reaches their cage through the building's rings and then through a credential that only their staff and their escorted visitors hold, so the facility operator controls the building and the customer controls the cage. The audit trail splits the same way: the operator can show who entered the data hall, and the cage log shows who entered the customer's space. Both records have to exist and agree.
The mesh and the lock are only as good as the top and the bottom. A cage with an open top that a person can climb over, or a gap at the floor and the containment, is a fence with a hole in it. Cameras cover the cage doors and the aisles around them, and the better builds put a camera looking into the high-value cages, with the customer's consent, so the record is there when a dispute or an incident lands on the operator's desk.
Cabinet-level locks, the last ring
Ring five ends at the cabinet itself, and on a multi-tenant floor or a high-value deployment the locking cabinet is the final boundary. A locked cabinet door means a person standing in the right aisle, even inside the right cage, still cannot open the wrong rack. The rack readiness guide covers preparing the cabinet to receive gear; the security layer here is the lock on the door and what it reports.
The lock has been getting smarter. A mechanical keyed handle is the floor of it, and the same audit problem applies as any other key: it cannot tell you who opened it. Electronic cabinet locks, opened by card, PIN, or a credential tied to the access system, log the open the way a door reader does, so the last ring produces a record like every ring before it. Some integrate with the data center management system so a cabinet open shows up alongside the door events.
The reason to bother is the insider and the shared floor. Most of the rings keep outsiders out, but a cabinet lock with its own log narrows who could have touched a specific rack, which is the question that matters when the incident is internal or when one tenant's gear is disturbed on a floor shared with others. It is the smallest ring and, for the right workload, the one that pins down accountability.
What is anti-passback, and the audit trail
Anti-passback is an access control rule that a credential used to enter a zone cannot be used to enter again until it has been used to exit. It kills two tricks at once. It stops a person from badging in and then passing the card back through a fence or a door for a second person to use, and it forces the system to know who is actually inside a zone, because every entry has to be matched by an exit. Regional anti-passback applies the rule across a defined area instead of a single door.
The deeper value is the audit trail it enforces. Because entries and exits have to pair, the access system holds a true record of who is in which zone right now, which matters for an evacuation muster as much as for security. The log answers the compliance question and the safety question from the same data: who went where, when, and is anyone still inside.
The audit trail is the deliverable auditors actually open. SOC 2, ISO 27001, and the rest are satisfied by the record, not the gear, so the log has to be complete, tamper-resistant, time-synced, and retained for the required period. A reviewable report that shows every grant, every deny, and every exception over the audit window is what passes the audit. Anti-passback is one of the rules that makes that record trustworthy instead of full of holes.
The loading dock and shipping security
The loading dock is the soft spot in a hard building, because it is the one ring that has to open wide and often. Trucks, pallets, and people move through it all day, gear arrives and leaves, and the temptation is to treat it as back-of-house and watch it less. That is exactly backward. The dock is a direct path toward the interior that bypasses the front-door rings, so it gets its own controls, not fewer.
The dock is run as a controlled boundary. Deliveries are scheduled and verified against what was expected, drivers are checked and not left to wander, and inbound material is screened and staged in a receiving area before anything moves toward the data hall. The white space and gray space layout guide covers the staging and burn-in rooms; the security job is that nothing crosses from the dock into the secured interior without passing a check, and the dock doors close and lock between deliveries instead of standing open for convenience.
Outbound is the half people forget. The dock is also the way a hard drive walks out of the building, so what leaves is logged and authorized the same as what comes in. Asset removal that is not tied to a record and an approval is how equipment, and the data on it, leaves without anyone noticing until the audit.
Media destruction and the chain of custody
A drive that held data is a security asset until it is destroyed, and the destruction is a controlled process with a record, not a bin by the door. Retired media is tracked from the moment it comes out of the rack: logged, secured, and either sanitized to a recognized standard or physically destroyed by shredding, degaussing, or crushing. The chain of custody is the unbroken record of who held the media at every step from removal to destruction, with a certificate at the end.
The reason to be strict is that the data outlives the hardware. A wiped or degaussed drive that was never verified, or a stack of decommissioned drives sitting in an unsecured room waiting for the shredder truck, is a breach waiting to be noticed. The gap between pulling the drive and destroying it is where media goes missing, so that gap is secured and short.
Asset tracking ties it together across the life of the gear, from receiving on the dock to placement in a rack to removal and destruction. Every move logged, every asset accounted for. The same discipline that proves a server is where the records say it is also proves a retired drive reached the shredder, which is the question an auditor and a regulator both ask.
What physical controls do auditors check?
Physical security is where the security frameworks meet the building, and several of them check the same controls. SOC 2 looks for documented access control to the areas housing the systems, visitor escort and logging, monitored physical access, and the audit trail that proves it ran, with the common-criteria physical controls living in the CC6 area of the framework. ISO 27001 carries explicit physical and environmental security controls, historically in the Annex A.11 grouping and reorganized as the physical controls in the 2022 edition, covering secure areas, entry controls, and monitoring.
The regulated workloads add their own. PCI DSS Requirement 9 governs physical access to the cardholder data environment, with named requirements for access restriction, visitor management, and media handling. HIPAA's physical safeguards require facility access controls and device and media controls for protected health information. The frameworks overlap heavily, so a building designed to the strictest one tends to satisfy the others, which is why operators design once to the high bar rather than chasing each audit separately.
TIA-942, the data center infrastructure standard, frames the security and monitoring alongside the rest of the facility. The thing to keep straight is what each document is. The frameworks audit your controls and your records; the standard guides the design. The exact requirements shift by framework edition and by the scope of the audit, so confirm the controls against the current edition of the framework that applies, the customer contracts, and the auditor, rather than carrying a remembered clause.
The insider threat and least privilege
Most of the rings are built to keep outsiders out, but the person who already has a badge is the harder problem. The insider, an employee, a contractor, a vendor with standing access, defeats the perimeter by being inside it legitimately. The controls that work against the insider are not bigger fences. They are tighter permissions and a record that survives the person.
Least privilege is the governing rule: each person holds access to exactly the zones the job needs and nothing more, and not one ring further. A cooling technician reaches the gray space and the mechanical rooms and never the customer cages. A network engineer reaches the meet-me room and not the switchgear. Role-based access control assigns the rights to the role, so a person inherits the access the job defines and loses it when the role changes, instead of accumulating doors over a career until they can go everywhere.
Deprovisioning is where this quietly fails. The badge that still works after someone leaves, the contractor credential live months past the project, the role change that added access and never removed the old, every one is a standing hole that no camera is pointed at. The discipline is to revoke on the day, audit the access list against the actual roster on a schedule, and treat a credential that outlives its reason as the security incident it is.
What is the difference between fail-safe and fail-secure?
Fail-safe and fail-secure describe what an electric lock does when it loses power, and getting it wrong is a life-safety violation, not a preference. A fail-safe lock releases when power is removed; power is what holds it locked. A fail-secure lock stays locked when power is removed; power is what releases it. The words sound interchangeable and they are opposites, so the one you specify is decided by whether the door is in an egress path or holding security.
Life safety wins, every time, and it is not negotiable. A door that people exit through has to let them out when the building loses power or the fire alarm sounds, so egress doors are arranged to allow free egress regardless of the lock's state. Electromagnetic locks are fail-safe only, because there is no holding force without power, and where they are used on egress they release on fire alarm and power loss. Where a fail-secure device sits on a fire-rated or egress door, it is tied to the fire alarm to release on alarm and it still allows mechanical free egress from the inside by a lever or a push bar. Free egress is always available from the secured side, by code.
The security balance is real but it bends to the code. You want doors locked against entry, and the failure case must still let people out. The resolution is that locks resist entry from the outside while egress from the inside is never blocked. Access control hardware listed to UL 294 is tested for exactly this behavior, including how the door acts during a fire alarm. The specifics, which doors are egress, which are fire-rated, how each is required to behave on alarm and on power loss, are set by the building and fire codes, the NFPA suite among them, and the AHJ. Confirm every door's behavior against the adopted code and the life-safety drawings, and where security and egress disagree, egress wins.
Integration with fire, the BMS, and commissioning the systems
The security systems do not stand alone; they tie into the fire alarm, the building and electrical management systems, and each other, and the integration is where the life-safety logic actually executes. The fire alarm has to be able to release the egress doors and override the locks, which is the fail-safe rule wired in, not written on a wall. The access control, the video, and the intrusion detection share events so a door alarm pulls up a camera and an access denial flags the operator. The BMS and EPMS visibility lets the SOC see a door, a power event, and an environmental alarm on one picture.
The integration that matters most is the fire-to-lock release, because that is the one that kills someone if it is wrong. It is tested, not assumed: trip the alarm and confirm the egress doors release. Confirm it again after any change to either system, because a security upgrade that quietly broke the fire release is the kind of latent fault that hides until the day it matters.
Commissioning the security systems is the same discipline the rest of the facility gets, run before turnover. Exercise every reader, door, and lock against the access matrix. Force every alarm and confirm it reaches the SOC and produces a response. Walk the camera coverage and find the blind spots while they are cheap to fix. Test the fire-alarm release on every egress door. Verify the fail-safe and fail-secure behavior of each door on power loss. A security system that was installed but never proven end to end is a set of assumptions, and the first time you find the gap should not be during an incident.
Security posture: hyperscale, colo, and enterprise
The same rings are built differently depending on who owns the building and who is inside it. A hyperscale operator owns the whole site and runs one tenant, itself, so the security model is uniform top to bottom: heavy perimeter, strict standing access for a small trusted staff, automation over guards where it scales, and no internal tenant boundaries to enforce. The threat is the outsider and the insider, and the design optimizes for consistency across a campus of identical halls.
Colocation is the harder security problem, because the building is full of customers who do not trust each other and the operator does not own the gear. The cages, the per-tenant access control, the split audit trail, and the visitor and escort discipline all exist because of the multi-tenant reality. The operator secures the building and the rings; each customer secures their own cage on top. Most of the controls in this guide are sharpest in a colo, where the boundary between two tenants is a real adversary line.
Enterprise data centers sit in between and vary the most. A bank's data center and a back-office computer room are both enterprise and worlds apart in posture. The driver is the data and the regulation it carries, so a regulated enterprise workload pulls the controls toward the colo and hyperscale level, while a low-sensitivity room may run lighter. Size the rings to the threat and the data, confirm the posture against the project security program, and do not copy a hyperscale design onto a closet or a closet's security onto a regulated hall.
What to document
The security record names every ring, the control that enforces it, and why it is there, so the design can be audited and the building can be operated without re-discovering it. Capture each layer, its access method and factors, the surveillance and detection on it, the response path, and the life-safety behavior of its doors. The audit trail is part of the record, not separate from it, because the frameworks are satisfied by the log as much as the design. A security design that lives only in the head of the consultant who left is a building you re-survey every audit.
| Layer | Control | Purpose |
|---|---|---|
| Site perimeter | Crash-rated barriers, fence, gates, lighting, CCTV | Keep vehicles and casual intruders off the site |
| Building entry | Badging, guard, visitor desk, single-factor access | Identify and admit, log every entry |
| Interior / gray space | Access control, intrusion detection on doors | Restrict the plant and back-of-house by role |
| Data hall | Two-factor, mantrap or portal, full CCTV | Authenticate strongly, stop tailgating, record |
| Cage / cabinet | Cage access, cabinet locks, customer credential | Separate tenants, pin accountability to the rack |
| Egress doors | Fail-safe or fire-released, free egress | Life safety overrides security on every alarm |
| Audit trail | Access logs, anti-passback, retention | Prove who went where and when, for the audit |
Common mistakes
- Building no anti-tailgating control, so one badged person walks a stranger straight into the data hall.
- Specifying fail-secure locks on egress doors that do not release on fire alarm or power loss, a life-safety violation.
- Letting visitors and contractors move unescorted in the white space, or leaving their credentials live after the job ends.
- A weak perimeter with short standoff and no crash-rated barrier, so a vehicle reaches the building wall.
- Single-factor card access at the data hall and the cages, where a lost or cloned card alone should never pass.
- No real audit trail: mechanical keys, gaps in the log, or retention too short to cover the audit window.
- Camera coverage with blind spots between feeds, too little light to identify a face, or footage nobody reviews.
- Treating the loading dock as back-of-house and watching it less than the front door it bypasses.
Field checklist
Want this checklist to run itself on every job — with photo proof and a signed record crews can hand the customer? That's FieldOS.
Standards and references
TIA-942, the data center infrastructure standard, frames the facility security and monitoring alongside the power, cooling, and telecommunications, and it traces the zoning the rings sit on. The access control hardware is commonly listed to UL 294, which tests access control system performance and, importantly, how the equipment behaves during a fire alarm so it does not impede egress. Vehicle barriers carry crash ratings under ASTM F2656 for high-speed and ASTM F3016 for low-speed storefront protection.
The life-safety side governs the doors and it overrides the security design. The building and fire codes and the NFPA suite, including the fire-door requirements in NFPA 80 and the life-safety provisions in NFPA 101, set which doors are egress, which are fire-rated, and how each must behave on alarm and on power loss. The rule that does not bend is free egress: people get out. Confirm every door against the adopted code edition, the life-safety drawings, and the AHJ.
On the audit side, the security frameworks check the physical controls and the record: SOC 2 common-criteria physical access, ISO 27001 physical and environmental security controls, PCI DSS Requirement 9 for cardholder environments, and HIPAA physical safeguards for protected health information. The exact requirements shift by framework edition and audit scope, and CPTED informs the site design rather than mandating it. Across all of it, the project security program, the customer contracts, and the adopted codes with local amendments control the specifics, so verify them against the design and the jurisdiction rather than carrying a remembered figure.
Terms and abbreviations
Physical security runs on a stack of terms that get used loosely across a security narrative, a door schedule, and an audit report, so pin the term to the control before you act on it.
- Defense in depth
- Independent security controls layered in concentric rings so defeating one does not reach the asset
- Mantrap / portal / vestibule
- Interlocked doors passing one cleared person at a time to defeat tailgating
- Tailgating / piggybacking
- Following an authorized person through a door, with or without their help
- Two-factor / MFA
- Requiring two of card, PIN, and biometric at a sensitive door
- Anti-passback
- A rule that a credential must exit a zone before it can enter again
- Fail-safe / fail-secure
- A lock that releases on power loss, versus one that stays locked on power loss
- Free egress
- The life-safety rule that people can always exit, regardless of the lock state
- FAR / FRR
- False accept rate and false reject rate, the biometric tradeoff between letting the wrong person in and locking the right one out
- VMS
- Video management system, the platform that records, stores, and serves CCTV
- SOC
- Security operations center, the staffed room that watches and dispatches the response
- CPTED
- Crime prevention through environmental design, securing a site through layout, sightlines, and lighting
- Chain of custody
- The unbroken, recorded handoff of media from removal to verified destruction
FAQ
How do data centers control physical access?
Data centers use electronic access control: a credential the person carries, a reader at the door, a controller that checks permissions, and an electric lock. Sensitive rings add a second factor, a PIN or biometric. Every grant and deny is logged, which is why mechanical keys, untrackable and unrevocable, fail an audit.
What is a mantrap in a data center?
A mantrap, also called a security vestibule or portal, is a pair of interlocked doors where the second will not open until the first has closed. It passes one cleared person at a time and defeats tailgating. At sensitive rings it pairs with two-factor authentication and sometimes optical or weight sensors that detect a second body.
What is defense in depth in physical security?
Defense in depth is layering independent security controls in concentric rings so defeating one does not reach the asset. Each layer is designed to deter, detect, delay, and deny, and the delay has to outlast the response time. A cut fence still meets a locked lobby; a stolen badge still meets a biometric.
What is the difference between fail-safe and fail-secure?
A fail-safe lock releases when power is removed; a fail-secure lock stays locked when power is removed. They are opposites, not synonyms. Egress doors must allow free exit on power loss and fire alarm, so the choice is a life-safety decision set by the building and fire codes and the AHJ, with egress always winning.
How do you stop tailgating in a data center?
Tailgating is stopped with physical controls, because policy alone fails. A mantrap or security portal cycles one person at a time, optical or floor-sensor detection locks down on a second body, and full-height turnstiles force single file. Anti-passback blocks badge sharing. Cameras and a guard catch the one the hardware missed, backed by a culture that challenges strangers.
What is anti-passback in access control?
Anti-passback is a rule that a credential used to enter a zone cannot enter again until it has been used to exit. It stops badge sharing and forces the system to know who is inside a zone, which feeds both the security audit trail and the evacuation muster. Regional anti-passback applies the rule across an area.
What physical security do SOC 2 and ISO 27001 auditors check?
Auditors check documented access control to system areas, visitor escort and logging, monitored access, and a complete audit trail. SOC 2 covers this in its common criteria, ISO 27001 in its physical and environmental controls, PCI DSS in Requirement 9, and HIPAA in its physical safeguards. The record satisfies the audit, so verify it against the current framework edition.
How long is data center CCTV footage kept?
Retention is a policy and compliance number, not a fixed law, set by the project security program, customer contracts, and any regulation the data carries. Colocation and regulated workloads usually drive longer retention than an enterprise would choose alone. Confirm the required period against the contracts and the applicable framework rather than assuming a default.
Where are biometrics used in a data center?
Biometrics, fingerprint, iris, hand geometry, or facial, sit at the high-assurance rings, the data hall and the cages, usually as a second factor on top of a card. They bind the credential to the body so it cannot be lent or passed back. The false accept and false reject thresholds are a security setting, not a factory default.
People also ask
Codes cited in this guide
This guide is written and reviewed against the published standards below. Always confirm the current adopted edition with the authority having jurisdiction.