6.2 Layered Physical Security & Access Control

Key Takeaways

  • Defence in depth layers controls from perimeter to building shell, data hall, rack, and asset so that defeating one layer still leaves others intact; codified in EN 50600-2-5 and ISO/IEC 27001.
  • A mantrap is an interlocking two-door vestibule that admits one authenticated person at a time, and with anti-passback rules it defeats tailgating and badge sharing.
  • The 'six walls' rule requires a secure room to be a barrier on all six surfaces - four walls plus floor and ceiling, slab-to-slab - so a partition stopping at a dropped ceiling is not secure.
  • Best-practice CCTV retention is 30-90 days, with regimes such as PCI DSS commonly mandating 90 days or more.
  • EN 50131 grades intrusion detection systems 1-4 (data centres typically Grade 3-4), and EN 50600-2-5 defines physical Protection Class 1-4 selectable independently of the availability class.
Last updated: July 2026

Defence in Depth: The Layered Model

Data centre physical security rests on defence in depth (layered security): multiple independent controls arranged so that defeating one still leaves the others in place. EN 50600-2-5 and ISO/IEC 27001 (2022 Annex A 'Physical controls', historically the Annex A.7 and A.11 domains) codify the approach. The canonical layers, from outside inward, are:

  1. Perimeter - fence or wall, gates, bollards and vehicle barriers, lighting, a cleared standoff zone, and a guardhouse.
  2. Site / grounds - controlled parking, CCTV coverage, and intrusion detection on the approaches.
  3. Building shell - a hardened exterior with a single controlled main entrance and staffed reception.
  4. Room / data hall (white space) - access-controlled doors, a mantrap, and anti-tailgating measures.
  5. Rack / cabinet - locking cabinets and, for colocation, per-client caged mesh enclosures.
  6. Asset - the server and its media, protected by secure disposal and media sanitisation.

A key exam point: each layer must be independently auditable and testable. A control that silently depends on another is not a genuine additional layer.

CPTED: Designing Crime Out

Beyond hardware, CPTED (Crime Prevention Through Environmental Design) shapes the site so the environment itself deters intrusion. Its four principles are natural surveillance (clear sightlines and lighting so intruders are visible), natural access control (funnelling visitors through one obvious, monitored entrance using landscaping and bollards), territorial reinforcement (fences, signage, and clear boundaries that signal ownership), and maintenance (a well-kept site signals control; broken lights and unrepaired fences signal neglect). Data centres also apply operational security by looking anonymous - no signage advertising the tenant or the building's function.

Mantraps and Anti-Tailgating

The most-tested access device is the mantrap (also called an interlocking-door vestibule, sally port, or air-lock): two doors where the second cannot open until the first has closed. Combined with weight or scale sensors, biometric readers, or optical anti-piggybacking sensors, it enforces one authenticated person at a time, defeating tailgating / piggybacking - following an authorised person through a door. Anti-passback rules reinforce this by refusing a badge a second entry until it has been used to exit, which prevents one badge from admitting several people.

Access Control: Card, PIN, and Biometric

Authentication uses the three classic factors: something you have (an access card or smart badge), something you know (a PIN), and something you are (a biometric). High-security zones require multi-factor authentication - for example, card plus PIN, or card plus biometric at the mantrap.

Credential / factorCategoryData-centre note
Access card / smart badgeSomething you haveFast, but can be lost, shared, or cloned - pair with a PIN or biometric
PIN / passcodeSomething you knowCheap; vulnerable to shoulder-surfing; best as a second factor
FingerprintSomething you areLow cost and common; requires contact
IrisSomething you areVery high accuracy; contactless
Vascular (finger / palm vein)Something you areInternal pattern, spoof-resistant, sub-second - suited to high throughput

Among biometric modalities, fingerprint is cheap and common, iris is highly accurate, facial recognition is contactless, and vascular (finger or palm vein) reads internal vein patterns that are difficult to spoof, works without contact, and authenticates in under a second - making it well suited to high-throughput gates. Retinal scanning exists but is intrusive and slow, so it is rarely deployed.

CCTV, Surveillance, and Visitor Management

CCTV feeds a VMS (Video Management System) for live monitoring and forensic review. Industry best practice retains footage 30-90 days, and regulated regimes such as PCI DSS and FedRAMP commonly mandate 90 days or more, which directly drives storage sizing. Cameras cover the perimeter, entrances, aisles, mantraps, and cabinet rows, with analytics flagging motion, loitering, or line-crossing.

Visitor management is a formal control set: pre-registration, government-ID verification, a logged, time-stamped visitor record, a temporary badge with limited zone rights, and continuous escort by authorised staff inside secure areas. Deliveries are routed through a separate loading dock or staging area so couriers never enter the white space.

Security Zones and the 'Six Walls' Concept

Controlled areas are organised into security zones of escalating trust - public reception, staff office, data hall, and high-security cage - each demanding stronger authentication than the last. The 'six walls' (six-sided) rule is a CDCP favourite: a truly secure room must be a barrier on all six surfaces - the four walls plus the floor and the ceiling. A partition that stops at a suspended (dropped) ceiling is not secure, because an intruder can climb over it through the ceiling void or crawl under it through the raised-floor plenum. Genuine security walls run slab-to-slab (structural floor to structural ceiling), and any floor or ceiling void is alarmed or physically blocked. Forgetting the top or bottom 'wall' is the classic exam trap.

Intrusion Detection and European Classes

IDS (Intrusion Detection Systems) - door contacts, motion/PIR, glass-break, and vibration sensors - alarm and record unauthorised entry. In Europe they are specified to the EN 50131 series, which grades systems 1-4 by risk; data centres typically require Grade 3 or 4, integrated with access control and CCTV. Facility-wide physical security classification comes from EN 50600-2-5, defining Protection Class 1-4 selectable independently of the availability class. Layered controls, CPTED, mantraps, multi-factor access, surveillance, disciplined visitor handling, six-sided rooms, and graded IDS together deliver the independent, auditable layers the standards demand.

Test Your Knowledge

Which access-control feature is specifically designed to defeat tailgating by ensuring only one authenticated person passes through at a time?

A
B
C
D
Test Your Knowledge

Which principle applies multiple independent physical controls - perimeter fence, building shell, mantrap, room door, and cabinet lock - so that defeating one layer still leaves the others intact?

A
B
C
D
Test Your Knowledge

Which European standard series classifies intrusion and hold-up alarm systems into Grades 1-4 by risk level, with data centres typically specifying Grade 3 or 4?

A
B
C
D