
Data Centre Security Standards: Physical, Cyber, and Compliance

Physical and cyber security requirements for data centres. Covers SOC 2, ISO 27001, biometrics, mantraps, CCTV, and the full security stack from perimeter to rack.

Security Is Table Stakes, Not a Differentiator

Every data centre operator claims "enterprise-grade security." The meaningful question is what specific controls are implemented, independently audited, and documented. Tenants evaluating facilities need to look past marketing language and assess the actual security posture across three layers: physical, cyber, and compliance.

Physical Security: Perimeter to Rack

**Layer 1 — Perimeter:**
- Anti-vehicle barriers (bollards, K-rated fencing) rated to stop a 15,000 lb vehicle at 30 mph
- 8-10 ft anti-climb fencing with detection sensors (vibration, tension, or electrified)
- Vehicle entrance via sally port (dual-gate system — one gate closes before the other opens)
- Perimeter CCTV with 90-day minimum retention, 360-degree coverage, and infrared/low-light capability
- Security lighting: 2+ foot-candles at perimeter, 5+ foot-candles at entrances
- Cost: $500K-2M for a 20-acre campus perimeter

**Layer 2 — Building exterior:**
- Limited entry points (ideally 1-2 controlled entrances for personnel)
- Loading dock separate from personnel entrance, with airlock or mantrap
- No windows at ground level (or ballistic-rated if present)
- Blast-resistant construction in high-security facilities (government, financial)
- Reception/guard station at primary entrance staffed 24/7

**Layer 3 — Building interior (common areas):**
- Mantrap/airlock entry to data hall corridors (dual-door system requiring authentication at both doors)
- Multi-factor authentication: badge + biometric (fingerprint, hand geometry, or iris scan)
- Visitor escort requirements (no unescorted visitor access to data halls)
- CCTV at all corridor intersections and transition points
- Intrusion detection on all doors and emergency exits

**Layer 4 — Data hall:**
- Dedicated access control per hall (separate badge permission from corridor access)
- Cabinet/cage-level locking (key, combination, electronic, or biometric)
- In-row CCTV capturing all aisle activity
- Environmental sensors (temperature, humidity, water leak, smoke)
- No food, drink, or cardboard permitted (fire risk and contamination)

**Layer 5 — Rack/cabinet:**
- Individual cabinet locks (electronic with audit trail preferred)
- Cable management that prevents unauthorised physical access to ports
- Tamper-evident seals on critical equipment
- Asset tagging and inventory management
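The layered model above (multi-factor at the corridor mantrap, a separate permission per data hall, no unescorted visitors, and a dual-door interlock) can be encoded as a small authorisation policy. The following is an added illustration, not code from any access-control product; the zone names, badge ids and the `Mantrap` interlock are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Layer 3 (corridor mantrap) and Layer 4 (each data hall) require badge + biometric.
# A hall is a separate grant from corridor access, so it is listed per person.
MULTI_FACTOR_ZONES = {"corridor", "hall-A", "hall-B"}

@dataclass
class Person:
    badge: str
    biometric: Optional[str]   # enrolled template id; visitors have none
    zones: frozenset           # zones this badge has been granted
    visitor: bool = False

@dataclass
class Mantrap:
    """Dual-door interlock: the inner door may only open while the outer door is closed."""
    outer_closed: bool = True

def authorise(person, zone, badge, biometric=None, escort=None, mantrap=None):
    """Decide one door request; returns (granted, reason)."""
    if badge != person.badge:
        return False, "badge does not match holder"
    if person.visitor:
        # Visitors never get unescorted hall access: the escort must be staff who
        # hold the same zone (the escort authenticates on their own request).
        if escort is None or escort.visitor or zone not in escort.zones:
            return False, "visitor without authorised escort"
    else:
        if zone not in person.zones:
            return False, f"no permission for {zone}"
        if zone in MULTI_FACTOR_ZONES and biometric != person.biometric:
            return False, "biometric required at this layer"
    if mantrap is not None and not mantrap.outer_closed:
        return False, "interlock: outer door still open"
    return True, "granted"

def demo():
    """Constructed scenarios: one staff badge with hall-A only, one visitor badge."""
    staff = Person("B100", "fp-100", frozenset({"lobby", "corridor", "hall-A"}))
    visitor = Person("V7", None, frozenset({"lobby"}), visitor=True)
    return [
        authorise(staff, "corridor", "B100", "fp-100", mantrap=Mantrap(outer_closed=False)),
        authorise(staff, "corridor", "B100", mantrap=Mantrap()),   # badge only
        authorise(staff, "hall-B", "B100", "fp-100"),              # corridor != hall-B
        authorise(visitor, "hall-A", "V7", escort=staff),
        authorise(visitor, "hall-B", "V7", escort=staff),          # escort lacks hall-B
    ]
```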

Cyber Security

Physical and cyber security are interdependent. A physically secure facility with an insecure building management system (BMS) is vulnerable.

**Infrastructure security:**
- Building Management System (BMS) on isolated network, never internet-facing
- SCADA/ICS systems segmented from IT networks with firewalls and monitoring
- Out-of-band management for critical infrastructure (generators, UPS, cooling)
- Network intrusion detection/prevention on all management networks
- Regular penetration testing of facility management systems (quarterly minimum)

**Tenant-facing security:**
- DDoS mitigation services at the facility level (volumetric and application-layer)
- Clean power and grounding to prevent side-channel attacks via power infrastructure
- Physical separation between tenants (dedicated cages rather than shared racks for high-security tenants)
- Secure media destruction services (on-site degaussing and shredding)

Compliance Frameworks

**SOC 2 Type II:**
- The most commonly required compliance certification for data centres
- Covers five trust service criteria: security, availability, processing integrity, confidentiality, privacy
- Type II reports cover a 6-12 month audit period (versus point-in-time Type I)
- Audit cost: $50-200K depending on scope
- Annual recertification required
- Tenant access: available under NDA; request and review before signing a lease

**ISO 27001:**
- International standard for information security management systems (ISMS)
- More prescriptive than SOC 2, with 114 controls across 14 domains
- Certification by accredited third-party auditor
- 3-year certification cycle with annual surveillance audits
- Particularly important for European tenants and organisations with EU data

**PCI DSS (Payment Card Industry):**
- Required for facilities hosting payment processing infrastructure
- Prescriptive physical security requirements including CCTV retention, access logging, and visitor management
- Level 1 compliance (for service providers) requires annual on-site audit

**HIPAA (Health Insurance Portability and Accountability Act):**
- Required for facilities hosting protected health information (PHI)
- Physical safeguard requirements: facility access controls, workstation security, device and media controls
- Business Associate Agreement (BAA) required between data centre and healthcare tenant

**FedRAMP / FISMA:**
- Required for facilities hosting US federal government data
- Most stringent physical security requirements including cleared personnel, dedicated infrastructure, and continuous monitoring
- FedRAMP High baseline requires 421 security controls

What to Ask During a Tour

1. What is the authentication method at each access layer? (Badge only is inadequate for data halls — require multi-factor.)
2. What is the CCTV retention period? (90 days minimum; 180+ for compliance-sensitive tenants.)
3. Can I review the most recent SOC 2 Type II report? (If they hesitate, that is informative.)
4. How are terminated employees' access credentials revoked, and what is the SLA? (Should be immediate — within 1 hour.)
5. When was the last penetration test of facility management systems? (If the answer is "never" or "we don't do that," reconsider.)
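Question 4 is one a tenant can verify rather than take on trust: the operator's badge event log, joined against HR termination notices, shows both how long revocation actually took and whether any badge was still granted entry after its holder left. The audit below is an added example, not part of the original article or any vendor's tooling; the log format, badge ids and timestamps are constructed sample data.

```python
from datetime import datetime, timedelta

REVOCATION_SLA = timedelta(hours=1)   # the article's target: revoke within 1 hour

# Constructed sample data (not real records): HR termination times, the time the
# access-control system actually disabled each badge, and its door event log.
TERMINATIONS = {
    "B204": datetime(2024, 3, 4, 9, 0),
    "B311": datetime(2024, 3, 4, 14, 30),
    "B500": datetime(2024, 3, 5, 10, 0),
}
REVOCATIONS = {
    "B204": datetime(2024, 3, 4, 9, 20),    # within SLA, but see the log below
    "B500": datetime(2024, 3, 5, 12, 30),   # 2.5 h: SLA breach
}                                           # B311 was never revoked
ACCESS_LOG = """\
2024-03-04T08:55 B204 lobby GRANTED
2024-03-04T09:10 B204 hall-A GRANTED
2024-03-04T09:25 B204 hall-A DENIED
2024-03-04T15:45 B311 corridor GRANTED
2024-03-04T16:05 B100 hall-B GRANTED"""

def parse_log(text):
    """Each line: ISO timestamp, badge id, door, GRANTED|DENIED."""
    events = []
    for line in text.splitlines():
        ts, badge, door, result = line.split()
        events.append((datetime.fromisoformat(ts), badge, door, result))
    return events

def audit_revocations(terminations, revocations, events, sla=REVOCATION_SLA):
    """Return (badge, finding) pairs: missing or late revocations, and any door
    that still granted a terminated badge entry after the termination time."""
    findings = []
    for badge, fired_at in terminations.items():
        revoked_at = revocations.get(badge)
        if revoked_at is None:
            findings.append((badge, "never revoked"))
        elif revoked_at - fired_at > sla:
            findings.append((badge, f"revoked {revoked_at - fired_at} after termination, SLA {sla}"))
        for ts, b, door, result in events:
            if b == badge and result == "GRANTED" and ts > fired_at:
                findings.append((badge, f"post-termination access to {door} at {ts.isoformat()}"))
    return findings

if __name__ == "__main__":
    for badge, finding in audit_revocations(TERMINATIONS, REVOCATIONS, parse_log(ACCESS_LOG)):
        print(badge, finding)
```

A revocation that lands inside the SLA is not sufficient on its own: B204 was disabled in 20 minutes yet still opened hall-A in the window before that, which is why the audit checks the event log as well as the revocation timestamp.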
