BEYOND THE FIREWALL: DEFINING DATA CENTRE SECURITY BEYOND CYBER

In 2026, the traditional physical perimeter of the data centre no longer exists. Due to increasingly complex systems within these centres, numerous layers of security are now necessary.  As these facilities take on increasingly critical roles – supporting core government functions and hyperscale cloud services, and sensitive enterprise operations – traditional security approaches are being tested to their limits. 

Data centres are legally classified as Critical National Infrastructure (CNI) in the UK, placing them on the same strategic tier as water and electricity grids.However corporate decision-makers are often more focused on digital firewalls, and fail to consider the physical reality of the structures housing the data. 

Having such a siloed approach to data centre security is no longer an option. Physical vulnerabilities are becoming the biggest backdoor for cybercriminals and hostile actors to compromise data centre infrastructure. In 2026, the rise of  AI-driven threats means that these automated adversaries can exploit weak points at record speed.

Earlier this year, the stark reality of physical-cyber convergence was laid bare when targeted drone strikes on hyperscale data centres in the UAE and Bahrain caused catastrophic regional disruptions and digital disaster. It proved that physical destruction is no longer a theoretical risk; it is an active threat.

To counter this threat, the sector should model its response on tactical military principles. Commanders rarely focus on a single, vulnerable area, and instead build physical resilience by engineering several geographic and physical redundancies into their networks. 

The orange analogy: The importance of layered data centre security

Shifting from theoretical digital risk to kinetic warfare is compounded by a dangerous transparency and education deficit within the sector. 

As data centres have historically operated as secretive, invisible assets, a lack of education has allowed operators to ignore physical vulnerabilities. Put simply, people cannot protect what they do not understand. 

Overcoming this blind spot requires an overarching “secure by design” approach that encompasses both the inner and outer layers of a facility. 

This is what I refer to as the “orange analogy”. It is impossible to verify the health of a data centre purely by looking at its outer layers, operators must have a clear understanding of the internal mechanics, segments and how they connect. If you try to hide your vulnerabilities behind a fence in an increasingly transparent world, you invite disaster. 

This moves the conversation away from simply buying components. In our engineering partnerships at Apx Data Centre Solutions, we emphasise that we are not just selling “the drill”– the enclosures or cooling systems; we are selling “the hole”– a fully secured and uninterrupted operational facility.

This approach builds on the “onion shell” principle outlined in the EN 50600 standard which maintains that layered, nested security must be embedded into data centre processes from the perimeter gates down to the individual server rack. 

We cannot treat compliance as an optional extra. As the NIS2 Directive is now in full force, operators face massive fines of up to 2% of global turnover if they fail to manage “all-hazards” risks, which include physical facility management and supply chain security. Due to this strict regulatory lens, supply chain sovereignty has become a tier-one security asset. 

The cooling boom: The security hazards of cooling and power

This integrated approach applies heavily to cooling. Power and precision cooling are no longer just operational outputs, they are massive strategic constraints. 

With the explosion of high-density 100kW racks driven by unprecedented AI demand, traditional data centre infrastructure is buckling from the inside out. As hotter racks are deployed at record speed, legacy air cooling systems are failing. The industry is running before it can walk. 

Without the opportunity for racks to sufficiently cool, thermal-induced hardware failure is inevitable. This causes unpredictable downtime and blinds security monitoring tools, creating windows of vulnerability that can be easily exploited. 

This cooling boom also introduces an often overlooked physical safety hazard; the welfare of employees. Raising operating temperatures means that indoor environments can reach up to 40 degrees Celsius. One of the core components of safety is protecting the people doing the job. Expecting an employee to work standard shifts in a 40 degree room is not legal or ethical. 

Persistent exposure to these conditions only leads to physically overwhelmed maintenance staff and this increases the risk of human error. This leaves the door open for operational failure and further breaches. True security always accounts for the human beings on the floor. 

Mitigating this requires a shift in how we cool data. At Apx, we view the transition from legacy air cooling to advanced liquid and immersion cooling not merely as an efficiency or sustainability play, but as a fundamental security measure. Stabilising these high-density AI environments inherently prevents thermal-induced hardware failures, closing the physical window of vulnerability before it can be exploited.

Remote access and system hardening 

Vulnerabilities in data centre security are also compounded by how hardware is managed. To mitigate risk, data centres strictly prohibit external internet connections to their industrial cooling and power equipment. 

Cloud-based remote management systems exist but they are widely rejected in high-security markets to prevent unauthorised remote standby commands or malicious overrides. Operators rely on localised, internal laptop-based software instead. 

However, this approach introduces another risk; multiple devices increasing the margin for human error. It’s already happened in the Netherlands, which has seen two high-profile hacks where datasets were exposed because a single remote access point was vulnerable. 

There is no black-and-white answer to security solutions in a fast-evolving digital age, operators need to look at the full picture and decide if the convenience of remote access outweighs the baseline security of isolated, local control. 

The talent shortage: The true cost of breaches 

Hardware security is only part of the picture in our industry, our biggest systemic vulnerability remains the talent shortage as it means there’s a lack of trained eyes on the data centre floor. This governance gap was illustrated in recent UK Government Cyber Security data, which revealed that a mere 19% of businesses provide formal security training to staff. 

Due to this skills shortage, the corporate security gap is actively widened and human error becomes a huge vulnerability for bad actors to exploit. 

Adding to this, the UK is currently experiencing an average of four nationally significant cyber incidents a week according to the National Cyber Security Centre. This has severe operational and financial implications for businesses. 

Secure by design 

To achieve true operational maturity, we must move past a “cyber-only” mindset and embrace a combined physical and cyber strategy. The landscape is interconnected and digital networks control critical infrastructure.

Manufacturers and operators must work together to ensure that their facilities are secure from the moment they are built. Comprehensive security should be built into the initial designs and not considered an afterthought. 

Staying proactive to safeguard data centres is essential. In a modern risk landscape, physical and digital security measures must work hand in hand to withstand ever-evolving threats.