By Michael Fisher*
The galloping growth of data centres in Australia – some now 20 times larger than they were a few years ago – focuses attention on the need to physically protect government and corporate data contained within them.
Australia had 306 data centres at the start of 2024, with Sydney the most intensive concentration of the facilities, according to the Cloudscene data centre ranking organisation. Sydney is also listed as a Tier One global Top 10 Data Centre Market, along with, in the Asia-Pacific, Beijing, Singapore, Tokyo, and Shanghai.
This expanding total and scale of centres places us within the top 10 countries globally by data centre numbers – way behind the 5,388 approx. in the US, but growing apace with larger countries such as Germany (522), UK (517), China (449), Canada (336), France (315), and ahead of the Netherlands (300), Russia (255), and Japan (219).
What is especially significant locally and internationally is the growth in the scale of data centres, driven by factors such as the surge in the use of artificial intelligence (AI) and the huge demands it puts on data storage.
Recently, Robin Khuda, the founder of data centre developer and operator AirTrunk, said the level of growth we are seeing right now is something we have not seen in 10 years. "It's remarkable. A 'big' five megawatt data storage centre of two to three years ago that would cost between $15 million to $20 million to build has morphed into a facility in the hundreds of megawatts in a single deal," he told a recent Australian Financial Review Property Summit in Sydney.
Scale of the Growth
Data Centre growth on this huge scale such as this is compounding globally and locally, despite long lead times in data centre construction in areas such as Australasia, off the back of shortages of certain materials such as chips and transformers, as well as shortages of suitable sites.
Let's look at the scale of the centres growing up to service this demand, before turning to the challenges of security of data centres serving markets vital to Australian communities. These include huge slices of the economy, including energy, financial services, government, healthcare and pharmaceuticals, manufacturing, media, technology, and transport, including aerospace and logistics. The major types of centres (omitting the smallest, modular, types) include:
Hyperscale data centres, also known as cloud data centres, serve 10,000-plus servers, cost up to $US1 billion to build, and have the greatest need to ensure protection of their assets from physical threats. Their customers include the world's largest web services providers.
Enterprise facilities are private facilities owned by companies on the Fortune 500 top 20, with revenues up to $US600 billion. Enterprise data centres often store and manage data such as customer information and sensitive financial records.
Co-Located centres, also known as CoLos and Multi-Tenant Data Centres, (MTDCs) used by multiple companies. These include:
- Retail CoLos, where the owner manages operations, cooling, and security. Customers are required to manage only their own cage equipment, including multiple cabinets and racks
- Wholesale CoLos, leased to a single user or customer
- Managed Services CoLos, fully managed by a third party
Edge Data Centres, also known as Micro Data Centres, are smaller decentralised facilities that provide data storage in a location closer to where data is being generated and used. They are typically situated near their intended users, allowing for real-time processing and analysis. Edge data centres include Micro Edge (smaller) or Metro Edge (larger) data centres. While smaller in footprint, such centres are also experiencing high growth with 5G, AI, and streaming.
Why do Data Centres need physical protection?
Because, as criminals and data hackers appreciate, these are priceless assets in terms of the information they hold and many people, not just the data owners, would like to get their hands on it. And it is not possible to have true security of this data through cybersecurity alone.
Data centre operators – including world leading organisations with which our company works – appreciate that the physical facilities housing data centres must themselves be protected from unauthorised access if the security envelope is to be complete.
Such centres understand that collectively and individually they focus, store, and distribute information vital to the functioning, privacy, and wellbeing of groups ranging from entire sectors of societies, through to entire groupings of companies and agencies vital to community and business functioning.
Physical security is for them a vital line of defence against disruption by unauthorised access, malicious damage, deliberate sabotage, and terrorist acts against these nerve centres of entire sectors mentioned previously.
Countering unpredictable challenges to data centres
Along with cybersecurity, physical security breaches are among the most unpredictable of all data centre challenges. Criminal activity is a constant issue and a moving target – one that can be spontaneously and randomly motivated by malice, money, or political issues.
Being prepared to prevent and shield against such ongoing threats is a continuous challenge for the data centre industry, which can only grow larger as threats multiply in tandem with expansion of data centre numbers, concentration of data, and reach of their activities.
Data Centre operators have to be up-to-date in order to maintain control and avoid costly data breaches and disruption that has the potential to paralyse economic sectors on a local or national scale. Physical protection of their data is important to enable these organisations to adhere to regulatory compliance requirements, (including payment card PCI-DSS, personal health records (HIPAA/Hitech), and the General Data Protection Regulations (GDPR), as well as protect against other data breaches that we often see in the headlines.
How does a layered approach benefit physical security?
Because there are countless ways in which data or systems can be compromised, so also are there varied responses to physical security.
The leading revolving door and security entrance organisation I represent, Boon Edam, has introduced layered responses of secured entry products globally in partnership with data centre operators, ranging from the world's very largest Hyperscale types, through to Enterprise scale, Co-Location, and Micro Edge.
Secured entry products:
- Protect sensitive areas, ensuring that one person, the authorised person, enters the secure area, utilising technologies such digital identification, and elimination of tailgating and piggybacking access practices.
- Maintain regulatory compliance, which is critical not only for facilities housing government data, but also as an important benefit of private businesses and service organisations. Important security compliance issues include Data Sovereignty Assurance which confirms that government data stays within Australian jurisdiction. Protection of health and personal data is an important focus of national security.
- Reinforce compliance of physical security requirements affecting particular industries, including, for example, those observing PCI DSS provisions for restricted access to critical areas or facilities. The PCI DSS international standard applies to all organisations globally that use payment cards to facilitate payment. All Australian organisations that accept card payments are required to comply with the PCI DSS regardless of business size.
- Reinforce physical security of CoLo centres which have emerged as a critical component of the infrastructure of modern businesses. This cloud service provide model is increasingly relevant in a digital landscape where efficiency, scalability and both cybersecurity and physical security are paramount to protect the service hubs themselves.
- Reduce guard labour cost of 24/7/365 operations, where tailored combinations of entrances technologies – security revolving doors, security portals, and security speed gates, for example – can streamline strong access permissions and enable skilled personnel to be posted only where it is most needed.
Securing an entrance is vital for an effective risk mitigation strategy that involves keeping an intruder where they belong – outside. If an intruder can infiltrate a building's entry points, then all other security measures put into place are simply reactive. The intruder gets inside – cameras record it, and guards respond to it – but the fact of the matter is that they are already inside the protected area.
The possibility of intrusion is not far-fetched. A recent survey by Security 500 indicates that the top three risks to an organisation's reputation and brand include workplace violence and active shooter, cybersecurity, and terrorism threats. All of these are impacted, to a high degree, by the ability, or inability, of a physical intruder to gain access to the interior of a building. Security entrances are the only proactive solution that address the risk of unauthorised entry (including tailgating and piggybacking) before it happens.
When it comes to physical security entrances, there are some different options available to choose from – high security portals, security revolving doors, and speed gates being three key technologies. These options vary greatly in their capabilities, so it's important to assess the individual needs and risks of each site.
In our own layered entrance security approach, we have categorised security entrances by their level of security. This layered approach uses a suite of technologies each integrated with and, where required, linked to the next level of protection. Fundamental questions that must be addressed by data centre and centre security managers is the degree of protection and where it is needed.
Is the goal: tailgating deterrence (low security level), detection (medium security level) or complete prevention (high security level)? Different entrance solutions apply to different layers within a building. We also recognise that a company may have more than one tailgating mitigation goal within the same building, as security is best when done in layers.
Risk mitigation in a digital world
Because the most successful implementation of security entrances within data centres must be executed with an intelligent and cost-effective layered approach which ensures that, if an intruder were to breach a building outer perimeter, or gain access to an internal lobby, additional barriers would be in place to protect the data stored internally.
The use of security speed gates is well suited to the lobby of data facilities. These employ sensor technology to detect objects moving through, and can prevent tailgating due to the use of an alarm – alerting security staff to a potential breach.
If the unlikely arises, and someone manages to unlawfully make their way through each of these security stages, it is important to engage in the highest levels of protection around the internal data systems themselves. This can be through the use of high security portals, which use biometric scanning and overhead sensors to ensure the credentials of each user. This is the ultimate security front line – essential for protecting data at its hub.
Physical protection of mission-critical assets is important as data centre growth races ahead, driven by expanding demand and revenues. Revenue for Hyperscale data centres alone, for example, is currently estimated to exceed $US300 billion and is expected to more than double in the years immediately ahead.
The data centre market generally is anticipated to expand considerably until 2031, primarily driven by the rise of AI, and continued growth in cloud computing and shifting market demands. This will lead to more large Enterprise and Hyperscale data centres, as well as CoLo and Edge facilities, all of which will face growing digital and physical security responsibilities.
This twin focus on digital and physical security is inevitable, because digital and physical security are different sides of the same coin – centres need both, not one or the other. In a very real sense, physical security is increasingly essential to cybersecurity.