Data Centre Physical Security Is a Compliance Requirement, Not Just a Protection Measure.
Data centre certifications require documented, auditable physical access control. We design systems that produce that documentation automatically.
Securing Singapore data centre environments since .
In Short
Physical Security as Compliance Infrastructure
Data centre security is about maintaining operational continuity, controlling access, and ensuring accountability across critical infrastructure. The security system typically includes tiered access control, CCTV with compliance-formatted retention, visitor and contractor management, and audit documentation. The objective is not simply preventing unauthorised access. The objective is protecting uptime, maintaining governance, and producing the documented evidence of control that certification auditors, enterprise customers, and regulators require.
The most common misunderstanding about data centre physical security is that it is primarily a hardware problem: more cameras, stronger doors, better locks. In practice, the most common audit finding is a process problem: stale credentials that were never revoked, visitor logs that are incomplete, CCTV retention that does not cover the required period, or access rights that were not reviewed after a staff member changed roles. The hardware provides the capability. The configuration, the process, and the documentation determine whether the capability translates into a passing audit.
Physical Security Is the First Line of Infrastructure Protection.
A data centre is not a building with servers in it. It is a controlled physical environment in which every layer of access, from the site perimeter to the individual rack, is deliberately restricted, monitored, and documented. The value of what is inside is not measured in hardware replacement cost; it is measured in the data it holds, the services it runs, and the contractual and regulatory obligations it carries. A physical security breach in a data centre is not a property incident: it is a data incident, a compliance incident, and a client incident simultaneously.
Singapore's data centre sector, anchored by the Jurong and Tanjong Kling facilities of global colocation operators and the private data rooms of financial institutions, government agencies, and enterprise IT teams, operates under physical security frameworks that include SSAE 18 / SOC 2 Type II audit requirements, ISO 27001 physical and environmental security controls, and client contractual obligations that typically require documented access logs, CCTV retention, and visitor escort records as standard deliverables. The security system that supports these requirements must be designed around them from the start, not retrofitted to a generic access control installation after the first audit finding.
Common Mistakes We See in Data Centre Physical Security Projects
In our reviews of secure facilities and data centre environments across Singapore, several issues appear repeatedly, almost all of them in configuration and process rather than in hardware selection.
Focusing on Perimeter Security While Leaving Internal Access Uncontrolled
The majority of physical security incidents in data centres involve authorised people operating outside their expected procedures: a staff member accessing a zone they are not supposed to be in, a contractor completing work in an area beyond their permitted scope, a visitor moving through the facility without an escort. A strong perimeter with weak internal zone differentiation does not produce the layered access control that SOC 2 and ISO 27001 physical security controls require. The internal zone architecture (data hall access, cage access, restricted support areas) matters as much as the building entrance.
Managing Contractor Access Manually
Data centres typically involve multiple concurrent vendors, maintenance teams, and contractors, each with different access requirements, different work windows, and different zones they need to reach. Manual processes for logging contractor access, issuing temporary credentials, and verifying escort compliance create accountability gaps that appear in audits as missing records, incomplete visitor logs, or access events with no corresponding registration. A digital visitor management system with pre-registration for known contractors and automatic log generation removes the manual step and produces a complete, searchable record automatically.
Treating Access Provisioning as a One-Time Exercise
The most common audit finding in data centre access control is stale credentials: staff members who have left the organisation, contractors who completed a project months ago, and customer staff who changed roles, all with active credentials that are never revoked. Access rights reviews should be conducted quarterly at minimum and immediately when personnel changes occur. The credential database at many facilities reflects the access profile from the day the system was installed, not the current operational reality. This is a process failure, not a system failure, and it is visible to every auditor who requests a credential list.
Collecting Audit Logs That Are Never Reviewed
A data centre that collects complete access logs and CCTV footage but has no process for reviewing anomalies, investigating unexpected access events, or generating compliance reports from the data has built compliance infrastructure without compliance practice. The access log is valuable when it is actively used: when access events are reviewed periodically, when unusual patterns are investigated, and when the log is the first resource consulted after any incident. A log that exists only to be presented to an auditor is not the same as a log that is operationally used.
A Practitioner Observation
We begin every data centre security project with the compliance framework and the customer contractual requirements, not with a camera count and an access reader specification. Two facilities with identical floor plans may require very different system configurations depending on the certification tier they are targeting, the customer industries they serve, and the specific audit requirements they are currently working toward. The compliance brief determines the system design. The hardware follows.
Tiered Zone Access: From Perimeter to Rack.
Data centre physical security is built on the principle of defence in depth: multiple independent access control layers, each of which must be individually defeated for an unauthorised person to reach the infrastructure they are targeting. In practice, this means a minimum of three to four distinct access tiers between the site perimeter and any active rack (perimeter, lobby and reception, data hall, and cage or suite), with each tier requiring its own credential presentation and generating its own access event record.
At the perimeter and lobby level, standard card access is the appropriate credential for authorised personnel whose identity and access rights have been pre-verified. A staff member or authorised colocation customer whose card is presented at the building entrance is recognised, logged, and admitted. The lobby is also where visitor and contractor management operates: every non-permanent access holder registers at reception, has their identity verified against the appointment record or escort authorisation, receives a time-limited visitor credential, and is logged as a named individual with the purpose of visit, the escorting staff member, and the approved access zones. No visitor or contractor proceeds beyond the lobby without an escort and a logged authorisation. This is not a courtesy protocol: it is a formal access control requirement under SOC 2 and ISO 27001 physical security controls, and it must be enforced systematically, not by convention.
At the data hall door, the credential requirement steps up. Card-only access is not sufficient for the data hall in any facility that operates to recognised security standards: the data hall door requires multi-factor authentication. The most common implementation is card plus biometric: the staff member or authorised customer presents their access card and then confirms their identity with a fingerprint or palm scan at the door reader. Both factors must match for the door to open. This two-factor requirement means that a lost or stolen card alone cannot grant data hall access: the physical biometric is required. Some facilities implement a man-trap or airlock configuration at the data hall entrance: a short enclosed vestibule between two controlled doors, where the outer door must close and lock before the inner door can open. This prevents tailgating, the entry of an unauthorised person immediately behind an authorised one, which is one of the most common physical access bypass techniques in access-controlled environments.
Within the data hall, cage and suite access adds the final layer. Each colocation customer's cage or suite has its own card reader: only that customer's credentialled personnel can open their cage. The access event is logged at the cage level, not just at the data hall door, so the audit trail can confirm not just that a named individual entered the data hall, but which cage they accessed and at what time. Rack-level physical locks, keyed or electronic, are the final physical barrier for the highest-sensitivity infrastructure. All access events across all tiers (lobby, data hall, cage) are aggregated in the access management platform and exportable for compliance audit in the formats that SOC 2 and ISO 27001 auditors require.
Credential Management for Colocation Customers: A colocation facility may have dozens or hundreds of customer organisations, each with their own staff, their own contractors, and their own access requirements. Managing this through a single platform, where the facility operator provisions customer access rights, each customer administrator manages their own staff credentials within their permitted zones, and all access events are logged at both the facility and customer level, is the architecture that makes colocation physical security auditable. A system that requires the facility operator to manually manage every individual customer staff credential does not scale and does not produce the audit trail that customer contracts require.
Camera Coverage That Documents Every Access Event Without Exposing What It Protects.
CCTV in a data centre serves a specific evidentiary function: every person who enters a controlled zone should be captured on camera at the point of entry, and their movement through the facility should be traceable from the footage record. The camera network is the visual counterpart to the access control log: when an access event is queried in an audit or investigation, the camera footage of that event provides the visual confirmation that the access log entry corresponds to the correct person at the correct time. Without that visual confirmation, the access log alone is a record of credential use, not a record of who was actually present.
Camera placement in a data centre follows the zone structure of the access control architecture. Entry and exit points at every access tier (lobby entrance, data hall door, cage access points) are covered by cameras with clear sight lines to the access reader and the person presenting credentials. Corridors between zones are covered for movement tracking. The security office and reception desk are covered. The loading dock and equipment delivery area are covered: unmonitored equipment delivery to a data centre is a documented physical attack vector, and camera coverage of every delivery event with a timestamped record of what equipment entered and left the facility is standard practice in any facility operating to tier standards.
What the cameras in a data centre specifically do not cover, or cover only with carefully considered restrictions, is the interior of active racks and equipment cages. A camera positioned to show rack front panels, server equipment labels, or cable configurations provides an adversary with infrastructure reconnaissance that could be used remotely. Camera positions in active data hall aisles are planned to capture the aisle and the people in it (the access event, the personnel, and the general activity) without providing a clear view of individual equipment serial numbers, cable patching layouts, or IP address labels on devices. This is a placement discipline that most integrators without specific data centre experience do not apply by default.
Footage retention is a compliance specification, not an operator preference. SOC 2 and ISO 27001 physical security controls typically require a minimum of 90 days' footage retention, with some customer contracts specifying longer periods. NVR storage is sized during design for the specific retention period required, with the configuration documented and included in the compliance handover package. Footage access is role-restricted in the camera management platform: data centre operations staff can review footage from areas relevant to their role; customer representatives can request footage review for their cage area under escorted review protocols; no individual can export footage without a logged authorisation record.
Integration With the Access Control Log: The most operationally useful CCTV configuration for a data centre is one where camera events and access control events are indexed against the same timeline in the management platform. When an auditor or investigator queries a specific access event ("who entered Cage 14B at 02:47 on the 12th"), they can pull the access log entry and the corresponding camera footage reference simultaneously, without cross-referencing two separate systems. This is a platform configuration requirement, not a camera specification requirement, and it is the detail that separates a functional compliance system from one that creates additional work at every audit.
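The single-timeline query described above, as an added example (not Securevision's or any VMS vendor's code). The access log export, the camera-to-door mapping, the NVR clip index and the 90-day retention value are constructed for illustration; a real platform would read these from its own database.

```python
from datetime import datetime, timedelta

RETENTION = timedelta(days=90)        # assumed compliance retention period
CLIP_MARGIN = timedelta(seconds=30)   # footage wanted either side of the event

# Constructed access log export: one platform, all tiers, grants and denials.
ACCESS_EVENTS = [
    {"ts": "2024-03-12T02:46:50", "zone": "Data Hall 1", "door": "DH1-MAIN", "holder": "m.lee", "granted": True},
    {"ts": "2024-03-12T02:47:12", "zone": "Cage 14B", "door": "CAGE-14B", "holder": "m.lee", "granted": True},
    {"ts": "2024-03-12T02:47:40", "zone": "Cage 14B", "door": "CAGE-14B", "holder": "v.ong", "granted": False},
    {"ts": "2024-03-12T09:15:03", "zone": "Cage 14B", "door": "CAGE-14B", "holder": "m.lee", "granted": True},
]
# Constructed: cameras with a sight line to each door's reader.
DOOR_CAMERAS = {"CAGE-14B": ["CAM-DH1-A07", "CAM-DH1-A08"], "DH1-MAIN": ["CAM-DH1-ENTRY"]}
# Constructed NVR index: recording segments per camera. The A08 segment that
# ends at 02:47:00 is deliberate, so the 02:47:40 event has a coverage gap.
CLIPS = [
    {"camera": "CAM-DH1-A07", "start": "2024-03-12T02:40:00", "end": "2024-03-12T02:50:00", "file": "a07_0240.mp4"},
    {"camera": "CAM-DH1-A08", "start": "2024-03-12T02:45:00", "end": "2024-03-12T02:47:00", "file": "a08_0245.mp4"},
    {"camera": "CAM-DH1-ENTRY", "start": "2024-03-12T02:40:00", "end": "2024-03-12T02:50:00", "file": "entry_0240.mp4"},
    {"camera": "CAM-DH1-A07", "start": "2024-03-12T09:10:00", "end": "2024-03-12T09:20:00", "file": "a07_0910.mp4"},
    {"camera": "CAM-DH1-A08", "start": "2024-03-12T09:10:00", "end": "2024-03-12T09:20:00", "file": "a08_0910.mp4"},
]


def _t(s):
    return datetime.fromisoformat(s)


def footage_for(door, ts):
    """Clips on the door's cameras that overlap [ts - margin, ts + margin].
    A camera with no overlapping clip is reported as a gap rather than
    silently omitted, because a missing clip is itself an audit finding."""
    lo, hi = ts - CLIP_MARGIN, ts + CLIP_MARGIN
    refs, gaps = [], []
    for cam in DOOR_CAMERAS.get(door, []):
        hits = [c["file"] for c in CLIPS
                if c["camera"] == cam and _t(c["start"]) <= hi and _t(c["end"]) >= lo]
        if hits:
            refs.extend(hits)
        else:
            gaps.append(cam)
    return refs, gaps


def query(zone, when, window=timedelta(minutes=2), now=None):
    """Answer 'who entered <zone> at <time>': each matching log entry together
    with its footage references, camera gaps, and whether the event is already
    older than the retention period (footage may have been purged)."""
    now = now or datetime.now()
    results = []
    for e in sorted(ACCESS_EVENTS, key=lambda ev: ev["ts"]):
        ts = _t(e["ts"])
        if e["zone"] != zone or abs(ts - when) > window:
            continue
        refs, gaps = footage_for(e["door"], ts)
        results.append({"event": e, "footage": refs, "camera_gaps": gaps,
                        "beyond_retention": now - ts > RETENTION})
    return results
```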
Every Non-Permanent Access Holder Logged, Escorted, and Accounted For.
Visitor and contractor management in a data centre is not a reception courtesy: it is an access control layer with specific requirements under every major data centre security framework. A visitor or contractor who enters a data centre without being individually identified, logged with a purpose of visit and an escorting staff member, issued a time-limited credential for permitted zones only, and escorted throughout their visit has bypassed a formal security control. The framework auditor will find it, the customer whose cage was accessed will ask about it, and the incident response team will not be able to reconstruct what the person did while they were in the facility.
A digital visitor management terminal at the reception desk registers every non-permanent access holder: colocation customer staff visiting their cage, hardware vendors delivering or maintaining equipment, facility contractors working on M&E infrastructure, auditors conducting on-site reviews. Each registration captures the visitor's identity document, their purpose of visit, their destination zone within the facility, the name of the staff member escorting them, and the approved time window for the visit. A pre-registration workflow allows expected visitors, such as a colocation customer's regular maintenance team or a scheduled vendor visit, to be logged in advance against a service ticket or appointment record. On arrival, their registration is confirmed rather than created from scratch, reducing reception processing time without reducing the rigour of the access record. The visitor log is searchable, exportable, and formatted for the access control section of a SOC 2 or ISO 27001 audit. It is not a separate administrative system: it is part of the same access management platform that logs all card and biometric access events, so every access event, whether permanent staff, visitor, or contractor, appears in a single auditable record.
Escort Protocol Enforcement: The requirement that every visitor and contractor be escorted at all times within the data hall is a formal control under SOC 2 and ISO 27001. Enforcing this through training and convention alone is not sufficient: the access control architecture should support it. A visitor credential that physically cannot open a data hall door without the simultaneous presentation of an escorting staff card enforces the escort requirement at the hardware level, rather than relying on the escorting staff member to remember to badge in with the visitor. This configuration is a design decision made during system specification, not a feature that can be added after installation.
The Security System Is a Compliance Infrastructure.
Physical security in a data centre is not evaluated on whether an incident has occurred. It is evaluated on whether the documented controls exist, whether they are operating as specified, and whether the evidence of their operation is available for inspection at any time. A SOC 2 Type II audit covers the full assessment period, typically twelve months, and requires evidence that access controls were applied consistently throughout, not just at the moment of audit preparation. The access log and the CCTV retention record are the primary evidence sources for physical security controls, and they must be complete, consistent, and tamper-evident for the audit period.
This means the security system must be specified with the audit requirements in mind from the first day of design. Retention periods are a specification input, not a default setting. Access log formats are a specification input, not whatever the platform exports by default. Credential management workflows (who can provision access, under what approval process, with what supporting documentation) are a design requirement, not an operational convention. Securevision works through these requirements with the facility's compliance team as part of the site assessment, before any hardware is specified or any configuration is proposed. The handover package at project completion includes the compliance-formatted documentation that the facility's audit team needs to include in their control evidence library.
Singapore's data centre sector is among the most demanding physical security environments in the region, and the standard of what auditors and enterprise customers expect from physical security documentation is rising with each audit cycle. Securevision has deployed physical security systems in data centre environments in Singapore since 2006. Every data centre project starts with the compliance framework and the customer contractual requirements, not with a camera count and an access reader specification.
What Affects the Cost of Data Centre Physical Security?
Two facilities of similar physical size may require very different security system scopes depending on their certification tier, the number of distinct access zones, and the complexity of their compliance documentation requirements.
Number of Controlled Zones and Access Points
Each tier in the access control architecture (perimeter, lobby, data hall, cage, rack) requires its own credential readers, door controllers, and access event logging. A compact enterprise data room with one data hall and a single colocation customer population is a fundamentally different scope from a multi-floor colocation facility with separate data halls per tier, dozens of customer cage areas, and a loading dock access control requirement. The zone count and the credential population size drive the hardware scope more than the physical floor area.
Biometric Authentication Scope
Multi-factor biometric authentication is required at data hall doors in facilities operating to recognised security standards. The number of biometric reader installations, and the type of biometric technology required by the compliance framework, is a significant cost variable. Fingerprint readers are standard for most environments; palm vein readers provide higher assurance and are specified where customer contractual requirements or certification tier demand it. Each biometric reader requires enrolment of every credentialled user during commissioning.
CCTV Retention Storage Infrastructure
Footage retention periods of 90 days or longer at data centre camera resolutions require substantial NVR storage. A facility with 60 cameras retaining at full resolution for 90 days requires significantly more storage than a standard commercial installation. Storage is sized during the design phase based on the specific retention requirement and camera count. Where the compliance framework requires longer retention or higher resolution at specific locations, the storage scope increases accordingly.
Platform Integration and Compliance Documentation Scope
Integrating access control events, visitor management logs, and CCTV footage into a single searchable platform, and configuring the export formats to match the facility's audit requirements, is a configuration and commissioning scope that varies significantly between facilities. The compliance handover package, formatted for the facility's audit evidence library, is a deliverable that adds project time but is essential for facilities with active certification programmes. Facilities that are building toward a first SOC 2 or ISO 27001 certification typically require more documentation scope than those renewing an existing certification.
A Practitioner Observation
The most consistent finding in data centre security assessments is that the compliance gap is almost never in the hardware: it is in the configuration and the process. A facility that has installed strong hardware but has not configured retention periods correctly, has not documented the credential management workflow, or has not reviewed access rights since the system was installed will not pass a SOC 2 or ISO 27001 physical security audit regardless of the quality of the cameras and readers. The audit tests the control, not the hardware.
The Brands Behind the Systems
Hikvision
IP cameras for data centre surveillance: standard and low-profile models for corridor and entry point coverage, with NVR storage configured to the facility's specific retention period requirement.
Access Control
Multi-tier card and biometric access control for data centre zones: card-only at perimeter and lobby, card plus biometric at data hall doors, cage-level access with individual credential profiles for each colocation customer.
Visitor Management
Digital visitor registration terminal at reception: pre-registration for expected visitors, identity verification, time-limited credentials, escort record logging, and exportable visitor audit trail for compliance documentation.
Biometric Readers
Fingerprint and palm biometric readers for multi-factor authentication at data hall doors: second factor that cannot be shared, transferred, or cloned, enforcing identity verification at the highest-risk access point.
Access Management Platform
Centralised platform integrating access control events, CCTV footage index, and visitor logs: multi-tier credential management, compliance report export, and role-based access for facility operators and colocation customers.
Omada & Ruijie
Managed PoE switches for CCTV and access control network infrastructure: separate security VLANs from operational IT networks, with network topology documentation included in the compliance handover package.
Frequently Asked Questions
Questions we hear from data centre facility managers, compliance teams, and colocation operators evaluating physical security systems.
How is data centre security different from standard office or commercial building security?
The fundamental difference is that data centre security is a compliance deliverable, not just an operational control. Office security is primarily about protecting people and assets from external threats. Data centre physical security is about maintaining documented, auditable control over every person who accesses the facility and every zone within it, and producing the evidence of that control for SOC 2, ISO 27001, customer contractual, and regulatory inspections. The camera retention period, the access log format, the visitor management workflow, and the credential management process are all specification inputs driven by compliance requirements, not operational preferences.
What access control configuration is required at the data hall door?
Card-only access is not sufficient for the data hall in any facility operating to recognised security standards. The data hall door requires multi-factor authentication: most commonly card plus biometric, where both the access card and a fingerprint or palm scan must match before the door opens. Some facilities add a man-trap or airlock configuration at the data hall entrance to prevent tailgating. These requirements are enforced at the hardware level, not managed by convention or staff training alone.
How are contractors and visitors managed in a data centre?
Every non-permanent access holder must be individually identified, registered at reception with a purpose of visit and escorting staff member, issued a time-limited credential for permitted zones only, and escorted throughout their visit. This is a formal access control requirement under SOC 2 and ISO 27001, not a courtesy protocol. A digital visitor management terminal automates the registration and logging process, and the visitor log is searchable and exportable for compliance audits, formatted as part of the same access management platform that logs all card and biometric events.
What CCTV retention period is required for a data centre?
SOC 2 and ISO 27001 physical security controls typically require a minimum of 90 days' footage retention, with some customer contracts specifying longer periods. Retention period is a specification input determined by the facility's compliance framework and customer contractual requirements, not a default setting. NVR storage is sized during system design for the specific retention period required, with the configuration documented and included in the compliance handover package.
Can existing access control systems be retained when upgrading a data centre security system?
It depends on the age and integration capability of the existing hardware. Existing card readers, door controllers, and camera infrastructure may be retainable if they are compatible with the new management platform and can produce access logs in the format required by the compliance framework. Where existing hardware cannot produce compliant audit trail output, replacement is required regardless of the hardware's physical condition. We assess existing infrastructure reuse potential during the site assessment, with the compliance requirements as the primary evaluation criterion.
How often should data centre access rights be reviewed?
Access rights should be reviewed formally at a minimum quarterly, and immediately when a staff member changes role, leaves the organisation, or completes a project requiring temporary elevated access. SOC 2 Type II and ISO 27001 auditors specifically look for evidence of regular access rights reviews and will flag inactive credentials and over-provisioned access rights. The most common audit finding in data centre access control is stale credentials that remained active after the person they were issued to had left or changed roles.
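The quarterly access-rights review described here and in the "Treating Access Provisioning as a One-Time Exercise" section above, as an added example (not Securevision's or any platform's code). It reconciles a credential export against an HR roster, a contractor register and a role-to-zone matrix, all constructed for illustration, and produces one finding per stale, expired, over-provisioned or unused credential; the 90-day inactivity threshold is an assumption.

```python
from datetime import date

INACTIVITY_DAYS = 90   # assumed threshold for "credential never used"

# Constructed credential export from the access management platform.
CREDENTIALS = [
    {"card": "C-1001", "holder": "a.lim", "kind": "staff", "zones": {"perimeter", "lobby", "data_hall"},
     "expires": None, "last_used": date(2024, 3, 10)},
    {"card": "C-1002", "holder": "b.ng", "kind": "staff", "zones": {"perimeter", "lobby", "data_hall"},
     "expires": None, "last_used": date(2023, 11, 2)},
    {"card": "C-1003", "holder": "c.tan", "kind": "staff", "zones": {"perimeter", "lobby", "data_hall"},
     "expires": None, "last_used": date(2024, 3, 11)},
    {"card": "C-2001", "holder": "v.raj", "kind": "contractor", "zones": {"perimeter", "lobby", "plant_room"},
     "expires": date(2023, 12, 31), "last_used": date(2023, 12, 20)},
    {"card": "C-1004", "holder": "d.koh", "kind": "staff", "zones": {"perimeter", "lobby", "data_hall"},
     "expires": None, "last_used": None},
]
# Constructed HR roster as of the review date. c.tan moved from operations
# to reception last quarter; the credential export was never updated.
ROSTER = {
    "a.lim": {"status": "active", "role": "dc_ops"},
    "b.ng": {"status": "left", "left_on": date(2023, 11, 15)},
    "c.tan": {"status": "active", "role": "reception"},
    "d.koh": {"status": "active", "role": "dc_ops"},
}
# Constructed contractor register: the project v.raj was engaged for has ended.
CONTRACTS = {"v.raj": {"project_end": date(2023, 12, 15)}}
# Constructed least-privilege baseline: zones each role is entitled to.
ROLE_ZONES = {
    "dc_ops": {"perimeter", "lobby", "data_hall"},
    "reception": {"perimeter", "lobby"},
}


def review(creds, roster, contracts, today, inactivity_days=INACTIVITY_DAYS):
    """Return findings as (card, holder, action, detail). Actions are
    'revoke', 'reduce' (over-provisioned zones) or 'investigate' (unused)."""
    findings = []
    for c in creds:
        card, h = c["card"], c["holder"]
        if c["kind"] == "contractor":
            end = contracts.get(h, {}).get("project_end")
            if end is None or end < today:
                detail = f"project ended {end}" if end else "contractor not in register"
                findings.append((card, h, "revoke", detail))
                continue
        else:
            person = roster.get(h)
            if person is None or person["status"] != "active":
                left = person["left_on"] if person else "unknown date"
                findings.append((card, h, "revoke", f"holder left organisation on {left}"))
                continue
            extra = c["zones"] - ROLE_ZONES.get(person["role"], set())
            if extra:
                findings.append((card, h, "reduce",
                                 f"zones beyond role {person['role']}: {sorted(extra)}"))
        if c["expires"] and c["expires"] < today:
            findings.append((card, h, "revoke", f"expired {c['expires']} but still active"))
            continue
        last = c["last_used"]
        if last is None or (today - last).days > inactivity_days:
            findings.append((card, h, "investigate", f"no use within {inactivity_days} days"))
    return findings
```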
What happens to access control and CCTV during a network or power failure?
Access control hardware is configured with local storage and offline mode: controlled doors continue to function during network interruptions using locally cached credentials. Camera recording continues to on-site NVR storage regardless of network status. Critical security infrastructure is connected to UPS backup so that a power interruption does not create a gap in the access log or the footage record. Failure behaviour is specified per door based on the security requirement: some doors fail secure (locked), others fail safe (unlocked), depending on their function and the life-safety requirements at that access point.
Can multiple data centre facilities be managed from a single platform?
Yes. A centralised access management and video management platform allows the security operations team to manage credentials, review access events, and monitor camera feeds across multiple facilities from a single dashboard. For colocation operators, this allows a central security team to maintain oversight of all facilities while each facility's access control and CCTV operates independently. Customer-level credential management, where each colocation customer administers their own staff credentials within their permitted zones, is available within the same platform, with facility-operator oversight of all customer access events.
Ready to Design Physical Security for Your Data Centre?
Every data centre environment is different: colocation, enterprise, and hyperscale facilities each have a distinct compliance framework and customer base. Book a site assessment and we will start with your specific requirements.
Licensed by the Police Force: Licence · Serving Singapore since 2006