Nobody steals a server. The threat is a person with legitimate access, and the asset you are protecting is uptime.
Data centre security inverts almost every instinct from conventional guarding. There is very little to steal, the perimeter is rarely tested, and the guard usually has no idea what is inside the racks he is protecting — which is exactly as it should be.
What a data centre sells is uptime. Everything security does serves that.
Which means the events that matter are not thefts. They are:
None of these look like a security incident. All of them are.
The realistic risk to a data centre is not a stranger climbing a fence. It is someone with legitimate access and an illegitimate purpose — an engineer, a contractor, a vendor, a customer's own staff visiting their cage.
This changes the guard's job entirely. He is not there to keep people out. He is there to ensure that everyone inside is where they are supposed to be, doing what they said they would do, for as long as they said.
That is a discipline problem, not a deterrence problem, and it depends on procedures being followed every single time — including when the person is senior, familiar, and in a hurry.
Every data centre has an escort policy. Almost every data centre stops enforcing it.
The pattern is predictable. The engineer is familiar. He has been here forty times. He knows the route. He is in a rush, and the guard is busy. So he goes in alone "just this once" — and after a month, the escort policy exists only on paper.
This is the single most common security failure in the sector, and it cannot be fixed by hiring a stricter guard. It is fixed by management backing the guard when a senior engineer objects, and by supervision that actually checks. Without that, the policy is decoration.
Access technology in a data centre is excellent and it does not solve the problem. Biometric readers, mantraps and badge systems verify credentials. They do not verify intent, and they are entirely defeated by the oldest technique there is: tailgating. Someone holds the door. Nobody wants to be rude.
No system stops that. A person does — and only if the organisation expects him to. See access control.
Where camera systems are deployed, they need someone watching them. An unmonitored camera in a data hall is a device that will tell you, afterwards, exactly who took the facility down. See control room operators.
Clients sometimes ask for security staff with technical knowledge. They almost never need it, and there is a good argument they should not have it.
The guard's job is procedure, verification, escort and documentation. He does not need to know what is in the rack — and a guard who does not know is a guard who cannot be usefully compromised. What he does need is the discipline to apply the rule to the person who least wants it applied.
Data centres are audited — by customers, by regulators, by insurers. Every entry, every escort, every visit is a record someone will eventually read.
A guard who cannot produce a clean, accurate, timestamped access log has failed at the primary task, however uneventful the shift was.
Someone with legitimate access and an illegitimate purpose — an engineer, contractor, vendor or customer's own staff. The realistic risk is not a stranger climbing a fence. The guard's job is not to keep people out but to ensure everyone inside is where they should be, doing what they said, for as long as they said.
No. Access technology verifies credentials, not intent, and it is entirely defeated by tailgating — someone holds the door and nobody wants to be rude. No system stops that; a person does, and only if the organisation expects him to.
Because it is the control that always erodes. The engineer is familiar, he is in a rush, the guard is busy — so he goes in alone 'just this once', and within a month the policy exists only on paper. This is the most common security failure in the sector, and it is fixed by management backing the guard, not by hiring a stricter one.
Almost never, and there is a good argument they should not have it. The job is procedure, verification, escort and documentation. A guard who does not know what is in the rack is a guard who cannot be usefully compromised. What he needs is the discipline to apply the rule to the person who least wants it applied.
Clean, accurate, timestamped access logs — every entry, every escort, every visit. Data centres are audited by customers, regulators and insurers, and a guard who cannot produce a proper log has failed the primary task however uneventful the shift was.
Tell us about your site and we will scope it honestly — including telling you if you need less than you think.
Message us on WhatsApp Request a Quote