This is not my experience at all (frequently visiting datacenters for my job).
At the main entrance, anti-tailgating locks requiring an electronic badge + fingerprints are the norm. Once inside, electronic badges required at all doors and in the lifts to navigate in the building. Badge + fingerprint to enter server rooms.
Deliveries are only received under the supervision of a DC employee (or received directly by a DC employee) and must go through a lock to enter the building. No extern (delivery person or w/ever) is allowed in (if somebody sneaks into the lock, the guard never opens the second door obviously).
The biggest weakness imo (but still requires a bit of insider access, so it's not completely out in the open for anybody to exploit) is that the registration process for new access requests seems fairly weak security-wise.
It's usually a simple email from the client to the DC provider with the date of the intervention and the identity of the person. Will the DC provider notice if the access request is sent from a spoofed domain? or from a legitimate domain but by another person than the one who's accredited to issue access requests? Will they notice if the person who shows up for the intervention has a fake ID?
Deliveries are only received under the supervision of a DC employee (or received directly by a DC employee) and must go through a lock to enter the building. No extern (delivery person or w/ever) is allowed in (if somebody sneaks into the lock, the guard never opens the second door obviously).
The biggest weakness imo (but still requires a bit of insider access, so it's not completely out in the open for anybody to exploit) is that the registration process for new access requests seems fairly weak security-wise. It's usually a simple email from the client to the DC provider with the date of the intervention and the identity of the person. Will the DC provider notice if the access request is sent from a spoofed domain? or from a legitimate domain but by another person than the one who's accredited to issue access requests? Will they notice if the person who shows up for the intervention has a fake ID?