Physical Security for Data Centres and Critical Infrastructure

Data centres hold assets worth billions. Their physical security must match the cyber investment. A senior security consultant examines layered protection standards and operational requirements.

Corporate Security 1 May 2026

Written by James Whitfield

A data centre is, in physical terms, a building containing extremely high-value assets – servers holding financial records, personal data, intellectual property, and operational systems that, if disrupted, can cause significant harm. The physical security protecting those assets should match that valuation. In many cases, it does not.

The cyber security investment in enterprise data centre environments is typically significant. Firewalls, intrusion detection, endpoint protection, and network segmentation receive sustained attention and substantial budget. Physical security – the locks, guards, access controls, and visitor management systems that determine who can walk up to a server rack – is too often treated as a facility management function rather than a security function.

This article examines what good physical security for data centres and critical infrastructure looks like, what the standards require, and where the most common gaps are.

Why Physical Security Matters for Data Centres

The argument for treating physical security as seriously as cyber security is straightforward. A physical intruder who reaches a server room can:

  • Insert a hardware implant into a server (a device costing under £100 can be used to exfiltrate data or establish persistent access)
  • Physically extract storage media containing sensitive data
  • Install a keylogger on management consoles
  • Power off or physically destroy infrastructure to cause a service outage
  • Photograph rack layouts and hardware configurations to inform a subsequent cyber attack

None of these attacks require any cyber capability. They require physical access. And physical access, in many data centre environments, is less rigorously controlled than the network perimeter.

The documented cases make the point. In 2023, two Yandex employees in the Netherlands were arrested after allegedly attempting to plant surveillance devices in a data centre. A 2021 report by the NCSC and CISA noted physical intrusion at telecommunications infrastructure as a documented tactic of state-sponsored actors. Red team engagements published by Coalfire and Rapid7 have repeatedly demonstrated that physical access to data centre floors is achievable in environments that passed their own security audits.

The Tiered Zone Model

The structural foundation of data centre physical security is tiered zones – concentric rings of control from the perimeter inward. Each ring has its own access requirements, and movement between rings is logged, verified, and auditable.

Zone 1: Perimeter. The site boundary. Perimeter fencing (minimum 2.4 metres), vehicle access barriers (hostile vehicle mitigation where the threat warrants), CCTV covering the entire perimeter, and security lighting. The perimeter must have no blind spots.

Zone 2: Building exterior. All building entry points under CCTV and access control. Visitor reception clearly defined and separated from staff entry. No uncontrolled entry points (loading bays, service entrances, emergency exits that can be propped open).

Zone 3: Reception and lobby. Visitors are identified, logged, and issued time-limited visitor credentials. They do not proceed without escort. Anti-tailgating vestibules or turnstiles at the controlled entry to interior security zones.

Zone 4: Operational areas. Server halls, network operations centres, and infrastructure rooms. Access restricted to personnel with an explicit operational need. Dual-factor authentication (access card plus PIN, biometric, or equivalent). No visitor access without escort. CCTV with no coverage gaps.

Zone 5: Individual racks and cages. For co-location facilities, individual customer cages or racks have their own locking mechanisms. Customers access only their assigned space. Locks are auditable. Key or electronic access credentials are logged.

Each transition between zones is a control point. An individual who has legitimate Zone 2 access does not automatically have Zone 4 access. Access control lists are maintained by role and reviewed regularly – particularly when personnel leave or change roles.

Access Control

Access control is the central physical security control for data centres. Standard elements:

Multi-factor authentication. Access card alone is not sufficient for Zone 4 and above. Multi-factor (card plus PIN, card plus biometric) is standard for all inner zones. This mitigates the risk of lost or stolen access cards.

Anti-tailgating. Tailgating – an unauthorised person following a legitimate access holder through a controlled door – is the most common physical intrusion method in data centre red team exercises. Mitigations include: anti-tailgating vestibules (airlock-style entries that allow only one person at a time), optical turnstiles with detection sensors, and staff briefing and culture (every employee challenged to prevent tailgating, not just security staff).

Least privilege access. Personnel have access only to the zones and areas required for their work. A cleaning operative has access to office areas, not server rooms. A network engineer has access to the network operations centre, not to unrelated customer cages. Access lists are reviewed at defined intervals and whenever a person changes role.

Time-based access. For roles that have legitimate access to inner zones only during business hours, time-based restrictions ensure that access credentials do not function outside defined hours. This limits the window for misuse of legitimate credentials.

Audit logging. Every access event – successful or failed – is logged with timestamp, credential used, and zone. Logs are retained for a minimum of 90 days (many data centre standards require 12 months). Logs are reviewed for anomalies: out-of-hours access, repeated failed attempts, access to zones not consistent with role.
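As an added illustration of the access-control points above (not code from the original article), the following Python sketch applies a constructed role-to-zone policy, a per-role hours window and the multi-factor rule for Zone 4 and above to a handful of constructed access-log lines, and reports the anomalies a log review is looking for: zone not consistent with role, out-of-hours access, single-factor grants in inner zones, and repeated failed attempts. The policy values, log format and credential ids are hypothetical.

```python
from datetime import datetime

# Constructed policy (hypothetical values, not from any real facility):
# zones each role may enter, and the hours during which its credentials work.
ROLE_POLICY = {
    "cleaner":          {"zones": {1, 2, 3},    "hours": (7, 19)},
    "network_engineer": {"zones": {1, 2, 3, 4}, "hours": (0, 24)},
    "visitor":          {"zones": {1, 2, 3},    "hours": (9, 17)},
}
MFA_REQUIRED_FROM_ZONE = 4     # card alone is not sufficient for Zone 4 and above
FAILED_ATTEMPT_THRESHOLD = 3   # denials per credential before flagging


def parse_event(line):
    """Parse one constructed log line: timestamp,credential,role,zone,factors,result."""
    ts, cred, role, zone, factors, result = line.split(",")
    return {"ts": datetime.fromisoformat(ts), "cred": cred, "role": role,
            "zone": int(zone), "factors": int(factors), "result": result}


def review(lines):
    """Return (credential, finding) tuples for every event that needs follow-up."""
    findings, failures = [], {}
    for ev in map(parse_event, lines):
        policy = ROLE_POLICY.get(ev["role"])
        if policy is None:
            findings.append((ev["cred"], "unknown role"))
            continue
        if ev["zone"] not in policy["zones"]:
            findings.append((ev["cred"], f"zone {ev['zone']} not consistent with role {ev['role']}"))
        start, end = policy["hours"]
        if not start <= ev["ts"].hour < end:        # flagged even if the door denied it
            findings.append((ev["cred"], "out-of-hours access"))
        if ev["zone"] >= MFA_REQUIRED_FROM_ZONE and ev["factors"] < 2 and ev["result"] == "granted":
            findings.append((ev["cred"], "single-factor grant in inner zone"))
        if ev["result"] == "denied":
            failures[ev["cred"]] = failures.get(ev["cred"], 0) + 1
            if failures[ev["cred"]] == FAILED_ATTEMPT_THRESHOLD:
                findings.append((ev["cred"], "repeated failed attempts"))
    return findings


# Constructed sample log: two routine events, a cleaner's credential tried
# three times on a server hall door at night, and a visitor let into Zone 4 on a card alone.
SAMPLE_LOG = [
    "2026-05-01T08:15:00,C1001,network_engineer,4,2,granted",
    "2026-05-01T08:20:00,C2002,cleaner,2,1,granted",
    "2026-05-01T22:40:00,C2002,cleaner,4,1,denied",
    "2026-05-01T22:41:00,C2002,cleaner,4,1,denied",
    "2026-05-01T22:42:00,C2002,cleaner,4,1,denied",
    "2026-05-01T14:05:00,C3003,visitor,4,1,granted",
]

if __name__ == "__main__":
    for cred, finding in review(SAMPLE_LOG):
        print(f"{cred}: {finding}")
```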

Guard Force and Monitoring

A 24/7 onsite security presence is standard for Tier 3 and Tier 4 facilities. Guards must be trained for the specific data centre environment, not generic site security. This includes:

  • Understanding of the access control system and ability to respond to access anomalies
  • Visitor management procedures and ability to identify and challenge unauthorised access
  • Emergency response protocols (fire, intrusion, power events, medical)
  • CCTV monitoring competence – ability to actively monitor, not just record

The guard force should conduct regular interior patrols of the operational areas, not just exterior perimeter checks. Patrol logs are documented and reviewed. Body-worn cameras for security personnel are increasingly standard at higher-tier facilities.

CCTV coverage must achieve full coverage of all zones with no blind spots. Camera placement in server halls should cover aisle access points, not just the ends of rows. Resolution sufficient to identify individuals and read rack numbers is required. Off-site storage of recordings ensures that a physical incident that disables on-site systems does not destroy the evidence.

Vendor and Contractor Management

Third-party access is the primary physical security risk in most operational data centres. In a large facility, the volume of vendor activity – hardware maintenance, network upgrades, cleaning, catering, physical infrastructure maintenance – can be substantial. Each vendor visit is a potential physical security event.

Best practice vendor management:

Pre-visit identity verification. Vendors provide identity documents in advance. The data centre security team verifies identity on arrival against pre-submitted information.

Work order control. Every vendor visit is associated with a specific, authorised work order. The work order specifies exactly which areas and equipment can be accessed. The escorting employee verifies that work is conducted within the approved scope.

Escort throughout. Vendors are escorted by a data centre employee from entry to departure. The escort is present during all work activity. Unescorted vendor access is not permitted in Zones 4 and 5.

Time-limited credentials. Visitor access credentials are issued for the specific visit duration and revoked on departure. They are not retained between visits.

Post-visit review. CCTV of vendor activity is reviewed following any visit involving access to server hardware. This does not require watching every minute of footage – anomaly detection or a brief review following complex hardware work is proportionate.

Physical Security in Co-Location Environments

For organisations that co-locate their infrastructure in a third-party data centre, physical security is partly the responsibility of the operator and partly the responsibility of the customer. Organisations should verify:

The operator’s certification. Uptime Institute Tier certification, ISO 27001 certification, or equivalent independent verification that the facility meets a defined security standard.

Access control for the specific cage or suite. In a shared facility, other customers and their vendors are also present. Your cage or suite must be locked and access-controlled independently of the general floor access.

Right to audit. The co-location contract should permit you to conduct physical security reviews of your specific space and, in principle, to review the operator’s general security procedures. Many enterprise co-location agreements include this provision.

Incident reporting. The operator should have a defined process for notifying customers of any physical security incident that affects or could affect their infrastructure.

Critical National Infrastructure: Statutory Obligations

For UK operators of critical national infrastructure – including energy, water, transport, financial services, and digital infrastructure – physical security obligations extend beyond commercial best practice to statutory requirements.

The NIS Regulations 2018 require in-scope operators to implement appropriate and proportionate technical and organisational measures to manage security risks. Physical security is explicitly a component of this obligation. NCSC’s Cyber Assessment Framework (CAF) includes physical access management within the Protecting objective.

For operators in scope, the implications include: documented physical security policies and procedures, evidence that physical access controls are implemented and reviewed, integration of physical security into the overall information security management system (ISMS), and incident reporting of physical security events that meet the significance threshold.

The UK government’s review of critical infrastructure security following the NIS2 Directive has proposed enhanced obligations for in-scope operators, including physical security provisions. Organisations in potentially in-scope sectors should review the current consultation documents from DSIT (Department for Science, Innovation and Technology) and NCSC.

Summary

Physical security for data centres and critical infrastructure is not a facilities management task. It is a security function that requires the same structured risk assessment, layered controls, and ongoing monitoring as cyber security – and it must be integrated with the cyber programme, not operated alongside it in isolation.

The most effective data centre physical security programmes are built around tiered zone access control, anti-tailgating infrastructure, rigorous vendor management, 24/7 guard presence with active monitoring, and regular audit against a recognised standard. Where the organisation operates under NIS Regulations or equivalent CNI obligations, compliance is a legal requirement as well as a security best practice.

For related reading, see our articles on physical and cyber security convergence and corporate security programme design.


James Whitfield is a Senior Security Consultant with 20 years of experience in corporate security, facility protection, and critical infrastructure security across the UK and internationally.

Key takeaways

1. Physical access to a data centre is access to everything it holds

A single server rack can hold terabytes of sensitive data. Physical intrusion that achieves server access or device implantation can defeat any amount of cyber security investment. Physical and cyber security cannot be treated separately.

2. The insider threat is the primary vector for data centre physical security breaches

Most documented physical data centre security incidents involve insiders – employees, contractors, or vendor personnel with legitimate access who misuse it. Vetting, access tiering, and ongoing monitoring are the core controls.

3. Tiered zones are the structural foundation of data centre physical security

Effective data centre physical security uses concentric rings of protection: perimeter, building, reception, server room, and individual rack. Each zone has its own access control, and movement between zones is logged and reviewed.

4. Tailgating is the most common physical intrusion method

Allowing an unauthorised person to follow a legitimate access holder through a controlled door – tailgating – is responsible for a disproportionate share of physical security incidents. Anti-tailgating vestibules and turnstiles are standard mitigations.

5. UK critical national infrastructure operators have statutory obligations

Operators with CNI designations – including major data centre operators under the Network and Information Systems (NIS) Regulations 2018 – have legal obligations around physical security, incident reporting, and resilience that go beyond standard commercial practice.

Frequently Asked Questions

The primary standards are: ANSI/TIA-942-B (Telecommunications Infrastructure Standard for Data Centers), which defines Tier I through Tier IV classification covering both physical and infrastructure resilience; ISO/IEC 27001, which includes physical and environmental security controls (Annex A domain A.11); and the Uptime Institute’s Tier Certification, widely used in enterprise and co-location markets. For UK operators under critical national infrastructure designation, NCSC guidance and NIS Regulations 2018 compliance applies. The Center for Internet Security (CIS) Controls also cover physical access management as part of a broader security framework.

Tier 4 classification under ANSI/TIA-942-B and Uptime Institute standards requires fault-tolerant infrastructure including multiple active power and cooling paths, redundant security systems, and 99.995% availability. Physical security requirements at Tier 4 include: dual-factor authentication for all access points, 24/7 onsite security personnel, CCTV covering all interior and exterior spaces with minimum 90-day retention, anti-tailgating controls at all internal security perimeters, and comprehensive visitor management with escort requirements. Tier 4 certification is the standard for the most sensitive financial, government, and enterprise co-location facilities.

Based on red team assessments published by security firms including Coalfire and Rapid7, the most frequently identified vulnerabilities are: tailgating through security doors (particularly in shift change periods), inadequate visitor management (visitors unescorted or escort protocols not followed consistently), piggybacking on vendor access (service engineers with broader access than their work scope requires), weak server rack security (unlocked or inadequately controlled individual racks), and CCTV coverage gaps in loading bays or secondary access routes.

Vendors and contractors with physical access to the data centre floor represent the primary insider threat vector after employees. Best practice includes: pre-visit vetting and identity verification, access credentials that are time-limited to the specific visit and work scope, mandatory escort by a trained data centre employee during all vendor activity, work order documentation that specifies which racks or infrastructure can be accessed, CCTV monitoring of vendor activity, and immediate revocation of any access credentials following completion of work. For regular vendors (maintenance, cleaning, engineering), ongoing vetting review and time-limited access credentials on a per-visit basis are standard.

The Network and Information Systems (NIS) Regulations 2018 apply to Operators of Essential Services (OES) and Relevant Digital Service Providers (RDSP) in the UK. For in-scope data centre operators, this requires: implementation of appropriate technical and organisational measures to manage risks to network and information systems security (which includes physical security), incident reporting to the relevant competent authority (typically NCSC or sector regulator), and supply chain security management. The UK NIS guidance (NCSC CAF – Cyber Assessment Framework) includes physical security as a component of the Protecting objective. Following the UK’s post-Brexit NIS2 alignment work, enhanced obligations for larger operators have been proposed.