Physical Access Systems
Physical access systems are the hardware that controls who enters which spaces inside a data center. The category covers the readers, locks, mantraps, turnstiles, biometric devices, and the access control panels and software that coordinate them. Physical access lives in FACILITY OPS because the hardware, wiring, and panel infrastructure are operated as facility infrastructure. The credentialing policy, audit logs, and incident response that drive the system live in Security. Both pillars cross-reference at this boundary.
Layered defense
Modern facilities apply layered access control from the site perimeter to the rack. Each layer raises the time-and-effort cost for an unauthorized actor by roughly an order of magnitude, so that a breach at one layer leaves detection and response time at the next.
| Layer | Typical control | Authentication |
|---|---|---|
| Site perimeter | Vehicle gates, guard booths, fence-line detection, license plate readers | Vehicle credential or guard verification |
| Building entry | Lobby turnstiles, escorted visitor processing, badge issuance | Badge plus PIN or biometric |
| Secure interior corridors | Mantraps, anti-passback readers, video-verified access | Multi-factor (badge + biometric) |
| Data hall | Hall-level mantraps; biometric verification at hall entry | Biometric + badge; often two-person rule for sensitive halls |
| Cage and rack | Cage locks, rack-level electronic locks, video coverage at rack-row level | Tenant-specific credentials; intelligent locks tracked centrally |
Authentication technologies
| Technology | Role | Notes |
|---|---|---|
| Smart card / proximity badge | Primary credential at most facility entries | HID iCLASS and MIFARE DESFire dominate; legacy 125 kHz Prox is being phased out for security reasons |
| Biometric - fingerprint | Second factor at higher-security boundaries | Suprema, IDEMIA, ZKTeco common; fast throughput; less reliable with gloved hands |
| Biometric - iris and retina | High-assurance authentication at sensitive halls | Iris has higher throughput than retina; preferred for repeat operator access |
| Biometric - face | Frictionless authentication; visitor verification | Privacy and consent considerations vary by jurisdiction |
| Biometric - hand vein / palm | High-assurance authentication, privacy-sensitive contexts | Fujitsu PalmSecure widely deployed in regulated facilities |
| PIN | Knowledge factor combined with badge or biometric | Standalone PIN inadequate for data center boundaries |
| Mobile credential | Phone-based access via Bluetooth, NFC, or BLE | HID Mobile Access, Lenel BlueDiamond; growing in colocation |
Mantraps and turnstiles
Mantraps and turnstiles enforce the one-person-per-credential rule that prevents tailgating. A mantrap is a two-door interlock where the second door does not open until the first is closed and the person inside has been verified, often with weight-sensing floors or volumetric sensors that detect a second occupant. Optical turnstiles use beams to detect tailgating without physical barriers. Full-height turnstiles add a physical barrier at perimeter and high-security points. The choice depends on throughput requirements, threat model, and facility class - colocation lobbies tend toward optical turnstiles for visitor experience; AI factory and government facilities lean toward full mantraps with anti-tailgating sensors.
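The interlock described above can be written as a small state machine. This is an added example, not code from any vendor's controller; the event names, response strings, and the sample event sequences are assumptions made for illustration.

```python
def run_mantrap(events):
    """Replay (event, value) tuples and return the controller's response to each."""
    outer_open = inner_open = verified = False
    log = []
    for event, value in events:
        if event == "request_outer":
            if inner_open:
                log.append("refused_inner_open")
            else:
                outer_open, verified = True, False  # new entry voids old verification
                log.append("outer_unlocked")
        elif event == "outer_closed":
            outer_open = False
            log.append("ok")
        elif event == "verify":
            credential_ok, occupants = value  # occupants: floor/volumetric sensor count
            if outer_open:
                log.append("refused_outer_open")
            elif occupants != 1:
                verified = False
                log.append("alarm_occupancy")  # second occupant detected
            elif not credential_ok:
                log.append("refused_credential")
            else:
                verified = True
                log.append("verified")
        elif event == "request_inner":
            if outer_open:
                log.append("refused_outer_open")
            elif not verified:
                log.append("refused_unverified")
            else:
                inner_open = True
                log.append("inner_unlocked")
        elif event == "inner_closed":
            inner_open = verified = False
            log.append("ok")
        else:
            raise ValueError(f"unknown event: {event}")
    return log

# Constructed event sequences: a normal passage and a tailgating attempt.
NORMAL = [("request_outer", None), ("outer_closed", None), ("verify", (True, 1)),
          ("request_inner", None), ("request_outer", None), ("inner_closed", None)]
TAILGATE = [("request_outer", None), ("request_inner", None), ("outer_closed", None),
            ("verify", (True, 2)), ("request_inner", None)]
```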
Access control panels and software
The physical readers and locks connect to access control panels (typically distributed throughout the facility) which in turn connect to a central access control software platform that holds credentials, schedules, audit logs, and integration interfaces.
| Vendor | Platform | Distinguishing characteristics |
|---|---|---|
| Lenel S2 (Honeywell) | OnGuard | Enterprise-scale access control widely deployed in hyperscale and colocation |
| Genetec | Synergis (access) integrated with Security Center | Unified access, video, and intrusion under a single pane of glass |
| Software House (Tyco / Johnson Controls) | C-CURE 9000 | Mature enterprise platform; common in government and regulated facilities |
| AMAG (Allied Universal) | Symmetry | Integration-heavy; widely deployed in critical infrastructure |
| Brivo | Brivo Access | Cloud-native access control; growing adoption in colocation and edge |
| Verkada | Verkada Command (access + cameras) | Cloud-managed converged access and video |
| Gallagher | Command Centre | High-security and government-aligned deployments |
Visitor management
Visitor management systems handle pre-registration, identity verification, escort assignment, badge issuance, and audit trail for non-employee facility access. The discipline is operationally distinct from employee access control because visitors typically have no persistent credential and the system must verify identity, host approval, and escort coordination at point of entry. Common platforms include Envoy, Sine, iLobby, HID Visitor Manager, and Lenel and Genetec visitor modules integrated with the broader access platform. NDA capture, photo capture, watch-list checks, and printed visitor badge generation are standard features.
Anti-passback and two-person rules
Anti-passback is the rule that a credential cannot re-enter a space without first having exited it - preventing one person from using the same badge to admit a second. It requires reader pairing at every door and is enforced in software by the access control system. Two-person rules require two distinct credentials to access certain spaces (sensitive data halls, government workloads, vault rooms), often with the additional constraint that the two people must hold different roles or belong to different organizations. These controls are policy-driven from Security and enforced by the FACILITY OPS access infrastructure.
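A sketch of how both rules can be evaluated over a stream of badge reads. This is an added example, not any access control platform's own logic; the zone names, the 30-second pairing window, the different-organization constraint, and the sample log are assumptions.

```python
from collections import namedtuple

# ts is seconds since the start of the log; each door has paired in/out readers.
Read = namedtuple("Read", "ts badge org zone direction")

# Assumed policy values for this example, not taken from any vendor platform.
TWO_PERSON_ZONES = {"hall-3"}
PAIR_WINDOW = 30  # seconds allowed between the two badge reads of a pair

def evaluate(reads):
    """Return one decision string per read, in timestamp order."""
    inside = set()   # (badge, zone) pairs currently recorded as inside
    pending = {}     # zone -> first Read waiting for a second person
    out = []
    for r in sorted(reads, key=lambda x: x.ts):
        key = (r.badge, r.zone)
        if r.direction == "out":
            # An exit with no recorded entry means the holder got in unbadged.
            out.append("GRANT" if key in inside else "DENY_PASSBACK")
            inside.discard(key)
        elif key in inside:
            # Badge is already inside: it was passed back to someone else.
            out.append("DENY_PASSBACK")
        elif r.zone not in TWO_PERSON_ZONES:
            inside.add(key)
            out.append("GRANT")
        else:
            first = pending.get(r.zone)
            stale = first is None or r.ts - first.ts > PAIR_WINDOW
            if stale or first.badge == r.badge:
                pending[r.zone] = r          # start (or restart) a pairing
                out.append("PENDING_SECOND")
            elif first.org == r.org:
                out.append("DENY_SAME_ORG")  # pair must span organizations
            else:
                inside.update({(first.badge, r.zone), key})
                del pending[r.zone]
                out.append("GRANT_PAIR")
    return out

# Constructed sample log.
SAMPLE = [
    Read(0, "A", "ops", "corridor", "in"),
    Read(5, "A", "ops", "corridor", "in"),      # badge passed back
    Read(60, "A", "ops", "hall-3", "in"),       # first of a pair
    Read(70, "B", "ops", "hall-3", "in"),       # same organization
    Read(80, "C", "tenant", "hall-3", "in"),    # valid second person
    Read(200, "C", "tenant", "hall-3", "out"),
    Read(210, "C", "tenant", "hall-3", "out"),  # exit with no entry on record
]
```

The `DENY_PASSBACK` decisions are the ones worth alerting on in audit log review, since each one marks a point where the recorded occupancy and the physical occupancy may have diverged.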
Compliance touchpoints
Physical access controls produce evidence consumed by multiple compliance frameworks. SOC 2 expects logged physical access for systems handling customer data. ISO 27001 Annex A covers physical security controls explicitly. FedRAMP and DoD authorization tiers require specific access control rigor (background checks, citizenship verification, two-person rules at higher tiers). HIPAA Security Rule includes physical safeguards for facilities handling PHI. PCI-DSS requires physical access logging for cardholder data environments. The access control system is therefore the operational source of truth for a substantial fraction of the audit evidence the facility produces - covered in GRC:Auditability.
Where this fits
Physical access hardware is operated under FACILITY OPS. The credentialing policy, audit log review, and incident response are operated under Security. Visitor management overlaps both. Compliance evidence flows to GRC:Auditability. Physical Monitoring covers the broader video and intrusion detection that complements access control.