In cybersecurity circles, the phrase "air-gapped" describes a system so physically isolated from external networks that no digital intrusion is possible. But an air-gapped server is only as secure as the room it sits in. The most sophisticated network security stack in the world is neutralised the moment an unauthorised person gains physical access to a server rack. Physical security is Layer Zero of data centre defence — the foundation on which every other control depends. And yet, of all the engineering disciplines in data centre design, physical security receives the least systematic attention in Irish project briefs.
This guide sets out the seven-zone concentric security model that governs best practice for Irish data centres, aligned to EN 50600-2-5, TIA-942, the Private Security Authority regulatory framework and the Data Protection Commission's guidance on CCTV.
Why Physical Security Is Layer Zero of Data Centre Defence
Consider the attack surface that physical access eliminates. A server in a rack contains: the data itself (accessible via physical memory attacks like cold boot or DMA); the credentials stored in management controllers (BMC/iLO/iDRAC); the encryption keys held in memory while the server is running; and the hardware itself, which can be removed, imaged and analysed offline. A determined attacker with five minutes of unmonitored physical access to a server rack can accomplish what months of network intrusion attempts cannot.
Beyond targeted attacks, Irish data centres face threats including opportunistic theft of hardware, insider threat from contractors and temporary staff, social engineering and tailgating, and physical damage from vandalism or civil unrest. The seven-zone model mitigates all of these through layered deterrence, detection and delay — ensuring that no single control failure leads to direct access to IT equipment.
The Concentric Zone Model
The concentric zone model places security controls in progressively tighter rings around the most sensitive assets — the IT equipment in the racks. Each zone boundary requires authentication that is distinct from and independent of the preceding zone. A credential that grants access to Zone 3 must not also grant access to Zone 5. This principle — zone isolation — prevents a compromised credential or tailgating event in an outer zone from cascading into the inner zones.
Zone 1: Perimeter
The site perimeter is the outermost layer of defence and the first deterrent to casual or opportunistic intrusion. Standard specifications for an Irish commercial data centre perimeter include:
- Anti-climb fencing — minimum 2.4 m height with anti-climb topping (chevron arms or rotating pales); BS EN 1317 or equivalent for vehicle restraint integration
- Hostile Vehicle Mitigation (HVM) — rated vehicle barriers at all vehicular entry points; PAS 68 rated to K12 (30 t truck at 80 km/h) or M50 (7.5 t vehicle at 80 km/h); shallow-mount versions available for retrospective installation on existing sites
- ANPR cameras — Automatic Number Plate Recognition at all vehicle entry and exit points; plates logged with timestamp and image capture; integrated with access control whitelist
- Perimeter CCTV — 24/7 coverage of all fence lines with overlapping fields of view; PTZ cameras for alarm-triggered investigation; thermal cameras for after-dark perimeter monitoring without lighting infrastructure
- Perimeter intruder detection — vibration detection on fencing or buried geo-seismic cable; triggers CCTV pre-positioning and security officer dispatch
Irish planning conditions for data centres in the Greater Dublin area typically require perimeter security design to be submitted as part of the planning application, including visibility splay analysis for vehicle entry points and a Construction Management Plan covering security during the build phase.
Zone 2: Building Envelope
The building itself constitutes the second security layer. Data centre buildings are specifically designed to present a hardened external face:
- Construction standard — RC2 or RC3 (EN 1627) resistance class for external walls and glazing; reinforced concrete construction standard for new builds
- Minimal fenestration — windows restricted to office areas only; no windows on data hall elevations; all penetrations (cable routes, mechanical services) sealed and documented
- No external signage — data centres avoid identifying signage on the exterior; no company logos, technology branding or anything that identifies the building as a data centre to passersby
- External CCTV — all external elevations covered; all door and loading dock entry points with facial recognition or video analytics capability
- Roof access prevention — roof hatches secured from inside; rooftop equipment (chillers, cooling towers) in fenced enclosures with separate access logging
Zone 3: Reception and Lobby
The reception and lobby zone controls all pedestrian access into the facility. This zone is staffed 24/7 by security personnel (PSA licensed) and serves as the primary visitor management and badging point:
- All visitors sign in with government-issued photo ID; visitor identity logged and retained for 31 days minimum
- NDA (Non-Disclosure Agreement) signed by all visitors before entry; documented and filed with access log
- Visitor badge issued with colour coding indicating access zone limitations; badge must be visible at all times
- Escort requirement: all visitors escorted by a permanently badged staff member or authorised escort for the duration of their visit
- Personal device policy enforced: mobile phones with cameras may be prohibited in certain zones; a clear signage and acknowledgement process is required
Zone 4: Mantrap and Airlock
The mantrap — a two-door interlocked access chamber — is the transition point between the publicly accessible reception zone and the restricted data centre operational zone. It is the most critical single physical security control in the building design:
- Two-door interlock — the inner door cannot open until the outer door is closed and locked; prevents tailgating in either direction
- Anti-passback — access control system prevents an access credential from being used to enter without a corresponding exit record; prevents badge sharing
- Weight/occupancy sensing — floor sensors or thermal imaging detect more than one person in the mantrap; alert triggers and both doors lock until security officer reviews
- Biometric plus card — two-factor authentication required; typically fingerprint or palm vein biometric plus an RFID smart card; PIN-only or card-only insufficient for Zone 4 entry
- Full CCTV coverage — interior and exterior of mantrap covered by high-resolution cameras; footage retained for 90 days minimum
Zone 5: Data Hall
The data hall is the primary asset zone — the space containing live IT equipment. Access control requirements at this level are the most stringent of the building zones:
- Full biometric MFA — multi-factor authentication combining biometric verification (palm vein preferred over fingerprint for anti-spoofing), RFID smart card and optional PIN; all three factors required simultaneously
- No personal device policy — mobile phones, cameras, personal USB drives and removable media prohibited; lockers provided in Zone 3 for device storage; enforced through awareness training and security officer check
- CCTV at all rack faces — fixed cameras covering every rack front face in the data hall; no blind spots at any rack position; images time-stamped and linked to access control log
- 90-day CCTV log retention — EN 50600 Protection Class 3 minimum; required for incident investigation and regulatory audit
- Clean-desk equivalent — all maintenance activities documented in a works record; no tools or materials left unattended; any physical changes to rack configurations logged in DCIM
Zone 6: Client Cage and Suite
In colocation facilities, individual client areas — typically mesh-sided cages or walled suites — constitute a sixth security zone within the data hall. Each client cage has:
- Unique access credentials for the client's authorised personnel — independent of the colocation operator's access control system
- Separate audit trail logged by the colocation operator and accessible by the client via a customer portal
- Dedicated CCTV covering all access points to the cage; footage accessible by the client under service agreement
- Physical barrier meeting EN 50600-2-5 specifications for the protection class — typically 2.4 m mesh cage with lockable door(s) and anti-climb deterrent at the top
Zone 7: Rack Level
The innermost zone is the individual rack itself. Smart rack locks provide the final layer of granular access control:
- Electronic lock on each rack door, individually addressable and remotely controllable
- Every rack door open/close event logged with timestamp and credential used
- Integration with DCIM: any rack door open event triggers a DCIM alert; unexpected door open events (outside scheduled maintenance windows) generate a high-priority alert
- Optional in-rack cameras for ultra-high-security environments (government, defence, financial trading)
Security Zone Comparison Table
| Zone | Area | Authentication Method | CCTV Type | Physical Barrier | Log Retention |
|---|---|---|---|---|---|
| Zone 1 | Perimeter | ANPR + manual | PTZ + thermal | Anti-climb fence + HVM | 31 days |
| Zone 2 | Building envelope | RFID card | Fixed wide-angle | RC2/RC3 construction | 31 days |
| Zone 3 | Reception / lobby | Photo ID + sign-in | Fixed + PTZ | Reception desk + turnstile | 31 days |
| Zone 4 | Mantrap / airlock | Biometric + RFID card | High-res fixed | Two-door interlock + weight sensor | 90 days |
| Zone 5 | Data hall | Biometric + card + PIN | Full coverage + analytics | Secure door + rack-face CCTV | 90 days |
| Zone 6 | Client cage / suite | Client-unique RFID | Fixed cage-entry | 2.4 m mesh cage + lock | 90 days |
| Zone 7 | Individual rack | Electronic smart lock | Optional in-rack | Smart locking rack door | 90 days |
Irish Regulatory Context
Physical security design for Irish data centres must account for three key regulatory frameworks beyond EN 50600-2-5 and TIA-942:
PSA (Private Security Authority) — The Private Security Services Act 2004 requires all companies providing security guarding services in Ireland to hold a PSA licence, and all individual security officers to hold a PSA Security Licence. Data centre operators must verify PSA licence currency for all contracted security providers and retain licence records as part of their due diligence documentation. PSA licences are publicly searchable on the PSA register.
GDPR and DPC CCTV Guidance — The Irish Data Protection Commission has published specific guidance on CCTV in the workplace. For data centres, the key obligations are: complete a DPIA before deploying CCTV; document the legal basis for processing (typically legitimate interest, Article 6(1)(f) GDPR); establish a data retention policy proportionate to the security purpose; implement strict access controls on footage; and maintain a record of processing activities under GDPR Article 30. Staff and contractors must be informed of CCTV monitoring via clear signage and privacy notices.
Critical Infrastructure (Resilience) Act 2025 — Ireland's transposition of the EU NIS2 Directive and the Critical Entities Resilience Directive designates certain data centres as Critical Infrastructure Entities, requiring mandatory security risk assessments, incident reporting to the National Cyber Security Centre (NCSC) and minimum physical security standards. Operators receiving a Critical Infrastructure designation must implement and document a Physical Protection Plan reviewed by a competent security consultant.
AI Surveillance and EU AI Act Considerations
Intelligent video analytics — including tailgating detection, loitering detection and behavioural anomaly detection — are increasingly deployed in Irish data centres as a force multiplier for security operations teams. These systems use computer vision models to analyse CCTV footage in real time and generate alerts without requiring a human operator to watch every camera continuously.
However, the EU AI Act (applicable from August 2026) classifies real-time remote biometric identification systems used in publicly accessible spaces as high-risk AI systems. While data centre interiors are not publicly accessible, the Act's obligations around transparency, human oversight and accuracy testing for AI-driven identification systems will apply to any biometric AI used in data centre access control from 2026. ASDV recommends that Irish operators planning AI-enhanced security systems in new build or major refurbishment projects engage legal counsel familiar with the EU AI Act compliance requirements before specifying these systems.
Frequently Asked Questions
A commercial colocation data centre in Ireland targeting EN 50600 Protection Class 3 or TIA-942 Rated-3 should implement a minimum of five distinct security zones: perimeter, building envelope, reception/lobby, data hall entry (with mantrap), and individual data hall. Higher-specification facilities add a sixth zone (client cage/suite) and a seventh zone (smart rack lock). Each zone requires increasingly stringent authentication and monitoring.
GDPR (as enforced by the Irish Data Protection Commission) requires that CCTV footage retention periods be proportionate to the purpose. For data centre security, 31 days is the commonly accepted standard for general area monitoring. However, EN 50600 Protection Class 4 and TIA-942 Rated-4 specify 90 days minimum retention for data hall CCTV. A GDPR Data Protection Impact Assessment (DPIA) must be completed to justify any retention period, particularly for footage covering areas where personal data is visible.
Yes. The Private Security Authority (PSA) licenses security companies that provide guarding services in Ireland, including data centre security officers. Any security company contracted to provide manned guarding at an Irish data centre must hold a valid PSA licence. Individual security officers must hold a PSA Security Licence. Data centres that operate their own employed security officers rather than a contracted company must comply with the Private Security Services Act 2004.
Need Data Centre Security Zone Design for an Irish Project?
ASDV designs complete physical security systems for Irish data centres — from perimeter CCTV and HVM through access control, mantrap interlocks and DCIM integration, all to EN 50600-2-5 and TIA-942 specifications.