Blog

A data center spec divides openings into four security zones, and each zone has its own hardware playbook. The perimeter zone uses high-cycle maglocks or electric strikes with anti-passback card readers. The vestibule and mantrap zone uses interlocked doors with optical tailgating detection. The white-space zone uses dual-credential biometric readers tied to electric strikes on rated doors. The cage and cabinet zone uses rack-level locks with audit trail down to the U position. Get the zoning right and the hardware spec writes itself. Get it wrong and you build a $50M facility with a $500 weak point at the cleaning crew's back door.

The threat model that drives data center hardware spec

Data center hardware is not specified for a single-event break-in. It is specified for two threats:

1. Tailgating and piggyback access: an authorized person enters, an unauthorized person follows. This is the most common access control failure mode in data centers and the reason mantraps exist.
2. Insider misuse: an authorized person accesses an area they should not, or accesses with shared credentials. The hardware response is audit trail granularity and dual-credential requirements at sensitive openings.

The hardware spec ladders up these two threats by security zone. SOC 2, ISO 27001 Annex A.11, PCI DSS 9, and FedRAMP all reference physical access controls. The audit trail is what proves compliance.

The four security zones

Every data center floor plan divides into the same four zones, regardless of size.

Zone 1: Perimeter (building entry, loading dock, parking garage)

Public-facing or vendor-facing entries. Hardware is for deterrence, ingress logging, and weather/security balance.

• Card reader (long-range or proximity) on outside.
• Electric strike or maglock with REX.
• Door contact sensor (DPS) on each leaf.
• Camera coverage of approach.
• Crash bar or panic device for egress.

Zone 2: Vestibule and mantrap (between perimeter and operations)

Two-door interlock that prevents straight-through traffic.

• Both doors normally closed and locked.
• Card reader on outer door, card reader (and often second factor) on inner door.
• Inner door locked while outer door is open (anti-tailgating).
• Optical tailgating detection or weight mat in the vestibule.
• Camera with face capture at the inner door.

Zone 3: White space (server hall floor)

The data hall itself. Hardware here protects the racks.

• Card + biometric (dual-factor) reader.
• Electric strike on rated door (typically 90-minute fire rating).
• Anti-passback enforced (can't re-enter without exiting first).
• Audit trail at the door level.

Zone 4: Cage and cabinet (rack-level)

Per-customer cage doors and per-cabinet locks.

• Cage door: same hardware as white space.
• Cabinet lock: smart lock with PIN, card, or app, audit trail down to the U position for shared cabinets.
• Sensor on cabinet door (open/close logged).

Hardware by zone, model-by-model

Zone	Lock	Strike/Maglock	Reader	DPS	Egress
Perimeter	Heavy-duty mortise or panic	HES 9600 or maglock 1200lb	Long-range prox or mobile	Hi-cycle DPS	Panic bar (Von Duprin 99)
Vestibule	Mortise + electrified	HES 1006 or Securitron maglock	Card + optical sensor	Latched DPS	REX (no panic)
White space	Mortise electrified	HES 9600 fire-rated	Card + biometric	Latched DPS	REX
Cage	Same as white space	Surface maglock or strike	Card + biometric	DPS	REX
Cabinet	Smart cabinet lock	Internal solenoid	Built-in	Built-in	Built-in

For mortise lock options across vendors, read Schlage L9000 vs Sargent 8200 vs Corbin ML2000 for the spec comparison.

Anti-tailgating: turnstiles, mantraps, piggyback detection

Three technologies compete here.

Optical turnstiles. Lobby-mount, glass barriers, IR sensors detect a single body. Fast (30+ people per minute). Best for high-throughput lobbies. Cost: $15-30k per lane.

Mantraps. Two-door interlock with vestibule. Slow (one person every 15-30 seconds). Best for true single-person enforcement. Cost: $8-20k per opening including hardware.

Piggyback detection (sensor in mantrap or vestibule). Optical or weight-based detection inside the vestibule. Logs and alarms but does not physically prevent. Add-on to mantrap. Cost: $3-8k per opening.

Most enterprise data centers use a mantrap for the operations entry and optical turnstiles for the lobby. Tier IV (highest tier) facilities add piggyback detection in every mantrap.

For maglock selection in mantrap doors, read how to choose a magnetic lock maglock.

Maglock vs electric strike for high-cycle DC doors

Data center doors cycle 50-200 times per day. This is high-cycle by commercial standards.

Maglock for mantraps and high-cycle doors:

• No moving parts to wear out (over a 10-year horizon).
• Continuous power draw (250-500mA).
• Fail-safe (releases on power loss).
• Needs delayed egress configuration if it is on an egress path under NFPA 101.

Electric strike for fire-rated doors:

• Required when the door is rated and a maglock would compromise the rating.
• Lower power draw (200-300mA holding).
• Can be fail-secure (stays locked on power loss) or fail-safe.
• Mechanical wear at 200+ cycles/day is real. Plan for 5-year replacement on critical openings.

The electric strikes category lists HES, Folger Adam, and Trine options at multiple grades. For maglock options, the relevant brand category covers Securitron and competitors.

Biometric integration and where the strike sits

Biometrics in data centers are dual-factor: card + biometric (fingerprint, face, iris, or hand geometry). The biometric matches against a template on the card or in the database, not against a global biometric.

The wiring sequence:

1. Card reader and biometric reader output to the access control panel.
2. Panel evaluates: card valid AND biometric match AND anti-passback OK AND schedule OK.
3. Panel triggers the electric strike via dry-contact relay.
4. REX (typically PIR) on the inside bypasses the DPS alarm during egress.

The strike or maglock is downstream of the biometric. The biometric does not directly trigger the strike. This matters because biometric vendors change platforms every 3-5 years, while the strike survives 15-20 years. Decouple them.

Cage and cabinet hardware

Per-tenant cage doors and per-cabinet locks are where audit granularity matters most.

Cage doors:

• Mortise lock with electric strike, or surface-mounted maglock if the cage is open-top (chain link or mesh).
• Dual-factor reader (same as white space).
• Audit trail per credential per door.

Cabinet locks:

• Smart cabinet lock (Kaba E-Plex, Schlage CO Series for cabinets, or vendor-specific like Vertiv).
• Audit trail per credential, with timestamp.
• Some integrate with the same access control system as the doors. Some are standalone.

For high-security cylinder spec on cage doors, read Medeco vs Mul-T-Lock vs ASSA high-security cylinders.

Fail-safe vs life safety: the conflict

NFPA 101 (Life Safety Code) requires that egress paths cannot be locked from the inside under any condition. This conflicts with the data center desire to lock everything on power loss.

The resolution is in the spec:

• Egress doors (any door an occupant might use to exit) must be fail-safe or have free mechanical egress (panic bar).
• Non-egress doors (cage doors to interior space, server racks) can be fail-secure.
• Mantraps must have a manual override on the inside (push button to release both doors) for life safety.

The hardware mistake that fails inspection: a mantrap with maglocks fail-secure on both sides, no manual override, no panic bar. The fire marshal red-tags it.

SOC 2 and ISO 27001 hardware implications

The audit standards do not specify hardware models, but they specify outcomes that the hardware must support:

• Audit trail per opening per credential per timestamp: requires networked access control, not standalone.
• Time-limited access: requires schedule capability on every reader.
• Termination on the same day: requires central credential management, not per-door programming.
• Visitor escort tracking: requires a visitor credential tied to a host badge.
• Annual access review: requires reporting capability across the platform.

The hardware spec must support these outcomes. A standalone keypad lock with no network does not, regardless of how robust the physical hardware is.

FAQ

Are biometric readers required in a Tier III or Tier IV data center? Tier classifications from Uptime Institute focus on resilience, not security. Biometrics are not required by tier, but are standard in operations-class data centers and required by some financial and federal customer contracts.

Can I retrofit a colocation facility with anti-tailgating? Yes. Optical turnstiles drop into most existing lobbies in 2-4 weeks. Mantraps require construction (vestibule walls, double doors). Plan 8-16 weeks for a mantrap retrofit.

What is the typical cost per opening for full data center spec? Perimeter and vestibule openings run $4,000-12,000 fully loaded (hardware + readers + cameras + DPS + commissioning). White-space and cage openings $2,500-6,000. Cabinet locks $400-1,200.

How does NFPA 80 fire door inspection apply in a data center? Annual inspection still applies on rated openings. Read NFPA 80 annual fire door inspection for the checklist. Server halls and mechanical/electrical rooms are usually rated.

Can I use the same access control platform for office and data center? Yes, and most enterprises do. Separate access groups, schedules, and dual-factor enforcement keep the office side simple while the data center side enforces the stricter controls.

Next step

If you are spec'ing a new data center buildout or retrofit, start the hardware list against the exit devices, keypad and proximity locks, and mortise locks categories for the door-side spec. For biometric and reader-side spec, coordinate with the access control vendor. Our commercial desk reviews data center hardware schedules and can quote against an existing spec book or build one from a floor plan.